Solved

Client selection of a domain controller

Posted on 2011-09-28
750 Views
Last Modified: 2012-05-12
Hopefully simple question, but information on this specific scenario isn't easy to find based on technet and google searches, so here goes:

Let's say you have 2 sites defined in Active Directory, and each of these sites has a dozen or more subnets defined within them.  What mechanism is used for a client to locate a DC for authentication if it lives on a subnet NOT defined in these two sites?  I know that in theory it should be able to authenticate against any responding DC in the enterprise, but I can't remember what mechanism is used when the client is configured with an IP that is not defined in any site.

At one time, a long time ago, I seemed to remember something about determining the closest DC based on hop count.  Is this true?

I've found lots of info on how sites work in AD, but less on how the exception computers (not in any site) locate a DC and authenticate.
Question by:patriots
5 Comments
 
LVL 59

Assisted Solution

by:Darius Ghassem
Darius Ghassem earned 100 total points
ID: 36719435
 
LVL 10

Accepted Solution

by:abhijitwaikar
abhijitwaikar earned 150 total points
ID: 36719472
"how the exception computers (not in any site) locate a DC and authenticate."
It all depends on how you assign the preferred and alternate DNS IPs to workstations.

Every DC publishes SRV records in DNS. These SRV records describe the types of services that the DC provides. AD-enabled clients search for the appropriate DNS SRV records. The first time a workstation authenticates to its domain, it issues a DNS query to the DNS service, which responds with the available DCs as a list of SRV records in the domain; the client then selects the lowest-priority SRV record and requests that DC for authentication or applications.

SRV records play an important role in Active Directory; AD clients and domain controllers use SRV records to determine the IP addresses of domain controllers.

The choice of the DC to authenticate against is made via the DC Locator process, which provides the nearest DCs and the SRV records of DCs, which allow the client to choose the privileged DC.

Refer:
http://technet.microsoft.com/en-us/library/cc961830.aspx
http://technet.microsoft.com/en-us/library/cc816890(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc794710(WS.10).aspx


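The priority/weight selection the answer above describes, as an added example that is not part of the original thread: it applies the RFC 2782 client rule (lowest priority value wins, then a weighted random pick among ties) to a constructed set of _ldap._tcp.dc._msdcs SRV records. The hostnames, priorities and weights are made up for illustration.

```python
import random
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "priority weight port target")

# Constructed SRV records for _ldap._tcp.dc._msdcs.example.com (sample data, not real).
# Lower priority value = more preferred; weight splits load among equal priorities.
DC_SRV_RECORDS = [
    SrvRecord(0, 100, 389, "dc1.example.com"),
    SrvRecord(0, 100, 389, "dc2.example.com"),
    SrvRecord(10, 100, 389, "drdc1.example.com"),  # only used if priority-0 DCs are absent
]


def select_srv_target(records, rng=random):
    """Pick one SRV target as RFC 2782 describes: keep only the records with the
    lowest priority value, then choose among them at random in proportion to weight."""
    if not records:
        return None
    lowest = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == lowest]
    total = sum(r.weight for r in candidates)
    if total == 0:
        # All weights zero: RFC 2782 lets the client treat them as equal.
        return rng.choice(candidates).target
    pick = rng.uniform(0, total)
    running = 0
    for r in candidates:
        running += r.weight
        if pick <= running:
            return r.target
    return candidates[-1].target


def selection_histogram(records, trials=1000, seed=1):
    """Run the selection many times with a seeded RNG and count which DC was chosen,
    so the effect of priority and weight on DC choice can be seen rather than guessed."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(trials):
        target = select_srv_target(records, rng)
        counts[target] = counts.get(target, 0) + 1
    return counts


if __name__ == "__main__":
    print(selection_histogram(DC_SRV_RECORDS))
```

A DC that only ever shows up with a non-zero priority is a fallback, not a peer; if a client is meant to prefer a local DC, that preference has to come from site coverage, not from SRV weights alone.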
 
LVL 13

Expert Comment

by:Govvy
ID: 36719473
"Clients with No Apparent Site
Sometimes the client pings a domain controller and the client IP address cannot be found in the subnet-to-site mapping table. In this case, the domain controller returns a NULL site name, and the client uses the returned domain controller."

As above, it is a random DC: http://technet.microsoft.com/en-us/library/cc978016.aspx
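The subnet-to-site lookup quoted above, as an added example that is not from the thread or from Microsoft's code: it emulates the DC's mapping step (longest matching prefix wins, and no match yields the NULL site) over a constructed site table, and flags the client addresses an administrator would need to add a subnet object for. Site names and address ranges are made up.

```python
import ipaddress

# Constructed Active Directory subnet-to-site table (sample data, not real).
SITE_SUBNETS = {
    "10.1.0.0/16": "HQ",
    "10.1.50.0/24": "HQ-Lab",  # more specific prefix nested inside HQ
    "10.2.0.0/16": "DR",
}


def site_for_ip(ip, table=SITE_SUBNETS):
    """Return the site for a client address the way a DC's subnet-to-site table does:
    the longest matching prefix wins; None represents the NULL site returned when
    the address matches no defined subnet."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in table.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def unmapped_clients(ips, table=SITE_SUBNETS):
    """List the client addresses that would get a NULL site, and therefore an
    arbitrary DC; these are the subnets still missing from Sites and Services."""
    return [ip for ip in ips if site_for_ip(ip, table) is None]


if __name__ == "__main__":
    # Constructed sample of client addresses seen in, say, DHCP leases.
    clients = ["10.1.3.4", "10.1.50.7", "10.2.9.9", "192.168.77.5"]
    for c in clients:
        print(c, "->", site_for_ip(c))
    print("unmapped:", unmapped_clients(clients))
```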
 

Author Comment

by:patriots
ID: 36719580
The nearest DC being whichever one is closest via hop count, I assume, right?  What happens if there are two DCs with the same hop count, or the same "distance" from the client?

In our situation, there are two DNS servers being handed out to our clients:
Server A is on the LAN, and it is the primary DNS server
Server B is across a high speed WAN link at a DR site, and it is the secondary DNS server
All servers are global catalogs

I'm doing all of this research mainly because we have some Group Policies that seem to apply rapidly on one computer but not on another.  These computers live on subnets that are not defined in any site, and I'm theorizing that we are getting inconsistent GPO application performance due to clients that live on these subnets not defined in any site.  It seems like these clients could conceivably receive a policy setting from a DC that is not optimally located, thereby causing some "lag" time in applying policies properly.
 
LVL 13

Expert Comment

by:Govvy
ID: 36815008
You are correct regarding the inconsistency, as DC selection in this case would be random.
