• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 773

Client selection of a domain controller

Hopefully simple question, but information on this specific scenario isn't easy to find based on technet and google searches, so here goes:

Let's say you have 2 sites defined in Active Directory, and each of these sites has a dozen or more subnets defined within them.  What mechanism is used for a client to locate a DC for authentication if it lives on a subnet NOT defined in these two sites?  I know that in theory it should be able to authenticate against any responding DC in the enterprise, but I can't remember what mechanism is used when the client is configured with an IP that is not defined in any site.

At one time, a long time ago, I seemed to remember something about determining the closest DC based on hop count.  Is this true?

I've found lots of info on how sites work in AD, but less on how the exception computers (not in any site) locate a DC and authenticate.
Asked by: patriots

2 Solutions

abhijitwaikar commented:
"how the exception computers (not in any site) locate a DC and authenticate."
It all depends on how you assign the preferred and alternate DNS IPs to workstations.

Every DC publishes SRV records in DNS. These SRV records describe the types of services that the DC provides. AD-enabled clients search for the appropriate DNS SRV records. The first time a workstation authenticates to its domain, it issues a DNS query to the DNS service, which responds with the available DCs as a list of SRV records in the domain; the client then selects the lowest-priority SRV record and requests that DC for authentication or applications.

SRV records perform an important role in Active Directory: AD clients and domain controllers use SRV records to determine the IP addresses of domain controllers.

The choice of the DC to authenticate against is made via the DC Locator process, which provides the nearest DCs and the SRV records of DCs, which allow choosing which DC is the privileged one to use.

Refer:
http://technet.microsoft.com/en-us/library/cc961830.aspx
http://technet.microsoft.com/en-us/library/cc816890(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc794710(WS.10).aspx

Govvy commented:
"Clients with No Apparent Site
Sometimes the client pings a domain controller and the client IP address cannot be found in the subnet-to-site mapping table. In this case, the domain controller returns a NULL site name, and the client uses the returned domain controller."

As above, it is a random DC: http://technet.microsoft.com/en-us/library/cc978016.aspx
patriots (Author) commented:
Nearest DC being whichever one is the closest via hop count, I assume, right?  What happens if there are two DCs with the same hop count, or the same "distance" from the client?

In our situation, there are two DNS servers being handed out to our clients:
Server A is on the LAN, and it is the primary DNS server.
Server B is across a high-speed WAN link at a DR site, and it is the secondary DNS server.
All servers are global catalogs.

I'm doing all of this research mainly because we have some Group Policies that seem to apply rapidly on one computer but not on another.  These computers live on subnets that are not defined in any site, and I'm theorizing that we are getting inconsistent GPO application performance due to clients living on these subnets not defined in any site.  It seems like these clients could conceivably receive a policy setting from a DC that is not optimally located, thereby causing some "lag" time in applying policies properly.
Govvy commented:
You are correct regarding the inconsistency, as DC selection in this case would be random.
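A simplified model of the behaviour the two answers describe, added here as an example and not code from the thread or from Microsoft's DC Locator: the client IP is matched against the subnet-to-site table (no match models the NULL site name Govvy quotes), then a DC is picked from SRV records by lowest priority and weight as abhijitwaikar describes, from the site-specific records when a site is known and from the domain-wide records otherwise. The subnets, sites, SRV data and the `rng` parameter are constructed assumptions; the real locator also pings candidate DCs before settling on one, which this model omits.

```python
import ipaddress
import random
from typing import Callable, Dict, List, Optional, Tuple

# Constructed subnet-to-site table, standing in for the Subnets container
# in AD Sites and Services. Any client IP outside these ranges has no site.
SUBNET_TO_SITE: Dict[str, str] = {
    "10.1.0.0/16": "HQ",
    "10.2.0.0/16": "DR",
}

# Constructed SRV data as (priority, weight, target). SRV_DOMAIN models the
# domain-wide _ldap._tcp.dc._msdcs.<domain> records; SRV_SITE models the
# per-site _ldap._tcp.<site>._sites.dc._msdcs.<domain> records.
SrvRecord = Tuple[int, int, str]
SRV_DOMAIN: List[SrvRecord] = [
    (0, 100, "dc1.hq.example.test"),
    (0, 100, "dc2.dr.example.test"),
    (10, 100, "dc3.lab.example.test"),  # higher priority value: used only as fallback
]
SRV_SITE: Dict[str, List[SrvRecord]] = {
    "HQ": [(0, 100, "dc1.hq.example.test")],
    "DR": [(0, 100, "dc2.dr.example.test")],
}


def site_for_ip(ip: str, table: Dict[str, str] = SUBNET_TO_SITE) -> Optional[str]:
    """Longest-prefix match of the client IP against defined subnets.
    None models the NULL site name a DC returns for an unmapped client."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[ipaddress._BaseNetwork, str]] = None
    for cidr, site in table.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def choose_srv(records: List[SrvRecord], rng: Callable[[], float] = random.random) -> str:
    """RFC 2782 style selection: only the lowest priority value is eligible,
    and among those records the pick is weighted random (rng returns [0, 1))."""
    lowest = min(p for p, _, _ in records)
    candidates = [(w, t) for p, w, t in records if p == lowest]
    total = sum(w for w, _ in candidates)
    pick = rng() * total
    acc = 0
    for w, target in candidates:
        acc += w
        if pick < acc:
            return target
    return candidates[-1][1]  # all weights zero: fall back to the last candidate


def locate_dc(client_ip: str, rng: Callable[[], float] = random.random) -> Tuple[Optional[str], str]:
    """Return (site or None, chosen DC). Unmapped clients draw from the domain-wide list,
    so two such clients can land on DCs in different sites, as the thread concludes."""
    site = site_for_ip(client_ip)
    if site is not None and site in SRV_SITE:
        return site, choose_srv(SRV_SITE[site], rng)
    return site, choose_srv(SRV_DOMAIN, rng)
```

Passing a fixed `rng` makes a run reproducible; with the default `random.random`, repeated calls for an unmapped IP show the DC bouncing between dc1 and dc2, which is the inconsistency the asker observed.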
