Solved

Understanding when a domain controller is referenced for authentication.

Posted on 2015-01-14
Last Modified: 2015-06-30
Dear all,
I hope you are all well and can assist.

We have an Active Directory 2003/2008/2012 environment, and are looking at removing many domain controllers from a lot of our AD sites.

What I want to understand is the following...

We want to understand under what circumstances is a domain controller contacted for authentication to a resource.

For example:

1) On logon to a domain, a user presses Ctrl+Alt+Del, enters their username and password, and presses Enter to log on. A domain controller is contacted to authenticate.
2) What other scenarios are there when a domain controller is referenced?
e.g. Kerberos ticket expiry?

If a user is logged on to machine A, which is part of domain XYZ, and tries to access a network share on server6, which is also part of domain XYZ, will that user need to be authenticated by both server6 and a domain controller when they first try to connect to server6, after having logged on to the domain?

Any help greatly appreciated.

The reason we wish to know this stuff, is to understand what happens if we have users at a site, that currently have a DC on site, and we remove those local DCs.

Will this impact them in terms of the number of times they have to authenticate if, for example, they have to connect to member servers that are part of the same domain? The reasoning behind this is to see if it is still worthwhile getting rid of local DCs if users still need to connect to local member servers (e.g. file and print) or remote member servers.

Thank you.
Question by: Simon336697
4 Comments
LVL 35

Accepted Solution

by: Mahesh (earned 500 total points)
When you start a client computer and reach Ctrl+Alt+Del, a lot actually happens in the background.

You must be aware that client subnets are mapped in AD Sites and Services.
All subnets must be added to their respective sites so that AD can authenticate clients appropriately, or in other words so that a client can authenticate with a local DC as far as possible.

After the networking service starts, the computer tries to contact its preferred DNS server for domain controller SRV records.
The preferred DNS server fetches the domain controller SRV records and gives them to the client.
Once the request reaches a DC, the DC checks which site the client's subnet belongs to, and if it finds a matching site and a DC in it, it forwards the request to that site's DC (preferably the DC where the subnet is mapped); the computer is authenticated and granted a TGT (Kerberos Ticket Granting Ticket).
At this point the user is not yet authenticated.
After that you enter your username and password, and the user is also authenticated via the same DC as the computer.

In the above scenario, if you remove the DC from the site, the client's preferred DC may not be available; in that case it will try to connect to the alternate DNS server, and AD will try to authenticate the client computer via a domain controller in the nearest site paired in a site link, as long as it is reachable.
If no domain controller is reachable, the client will try to log on with previously cached credentials,
OR,
if this is a new user and computer, it will simply tell you that no domain controller is available to service the request.

Once the client is logged on, it gets a Kerberos ticket (TGT) from the domain controller.
Now if you try to access a file server, the file server will request client authentication / a service ticket; the client requests a service ticket and session key from the DC, the DC verifies the client's TGT and grants a service ticket and session key, which are in turn presented to the file server; the file server accepts this service ticket as authentication and grants access.
At the same time this service ticket is cached on the client machine, and next time you will be able to access the file server with the cached ticket.

When a user resets their password, the domain controller is contacted.
The validity of a Kerberos ticket depends on what you have set in the default domain Kerberos policy.
I have tried to explain this in a simple way; actually there are lots of encryption complexities involved.
Here is some interesting reading:
http://blogs.technet.com/b/askds/archive/2008/03/06/kerberos-for-the-busy-admin.aspx
http://technet.microsoft.com/en-in/library/cc772815(v=ws.10).aspx
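An added example, not part of Mahesh's answer or the asker's environment: a set of read-only PowerShell checks that show, on a domain-joined Windows client, which DC the locator picked and why (subnet-to-site mapping and the SRV records), and the TGT / service-ticket exchange the answer describes, plus an inventory of which sites would be left with no DC. `contoso.com`, `server6.contoso.com` and the site names are placeholders to substitute; `nltest`, `klist`, `Resolve-DnsName` and the RSAT ActiveDirectory module are standard Windows tooling (the last step assumes RSAT is installed on the host it runs on).

```powershell
# Added example, not part of the original answer. Read-only checks that show,
# on a domain-joined Windows client, which DC the locator picked and why, and
# the TGT / service-ticket exchange described above. Placeholders (assumptions):
#   contoso.com  - your AD DNS domain
#   server6      - a member file server in the same domain (as in the question)
$Domain    = 'contoso.com'
$ShareFqdn = "server6.$Domain"

# 1. Which DC handled this logon, and which site does the client think it is in?
#    LOGONSERVER is set at logon; 'nltest /dsgetsite' asks the DC locator.
"Logon server : $env:LOGONSERVER"
$Site = (nltest /dsgetsite)[0].Trim()
"Client site  : $Site"

# 2. The DNS side of the locator: the generic record lists DCs for the whole
#    domain; the site-specific record lists only DCs in this site. If the
#    site-specific query returns nothing once the local DCs are gone, clients
#    fall back to the generic list and may pick a DC in any site.
Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$($Domain)" |
    Select-Object NameTarget, Priority, Weight
Resolve-DnsName -Type SRV -Name "_ldap._tcp.$($Site)._sites.dc._msdcs.$($Domain)" -ErrorAction SilentlyContinue |
    Select-Object NameTarget

# 3. Rediscover with the next-closest-site behaviour (a DC in the nearest site
#    by site-link cost when the client's own site has none). Compare the
#    'Dom Site' and 'Our Site' lines before and after a DC is removed.
nltest /dsgetdc:$Domain /force /try_next_closest_site

# 4. Kerberos: the TGT obtained at logon, then a service ticket for the file
#    server (the TGS exchange). The CIFS ticket stays in the cache until its
#    end time, so repeat connections to server6 do not go back to the DC.
klist tgt
klist get "cifs/$ShareFqdn"
klist | Select-String -Pattern 'Server:', 'Start Time', 'End Time', 'Renew Time'

# 5. From a host with the ActiveDirectory module (RSAT): which subnets map to
#    which site, and how many DCs each site still has. Sites with zero DCs are
#    the ones whose clients will cross a site link after the removal.
Import-Module ActiveDirectory
$DcsBySite = Get-ADDomainController -Filter * |
    Group-Object -Property Site -AsHashTable -AsString
Get-ADReplicationSubnet -Filter * | ForEach-Object {
    # Site comes back as a DN such as CN=Branch01,CN=Sites,...; keep the CN only
    $siteName = (($_.Site -split ',')[0]) -replace '^CN=', ''
    $count = if ($DcsBySite.ContainsKey($siteName)) { @($DcsBySite[$siteName]).Count } else { 0 }
    [pscustomobject]@{ Subnet = $_.Name; Site = $siteName; LocalDCs = $count }
} | Sort-Object Site | Format-Table -AutoSize
```

Run steps 1 to 4 on a client at the site in question before and after the local DC is decommissioned: if step 3 reports a DC in another site and step 4 still shows a cached `cifs/` ticket, the client is authenticating over the WAN only for the TGT and each new service ticket, not for every connection to the local file server. Step 5 is the planning view: any row with `LocalDCs` of 0 is a subnet whose clients will take that path.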
LVL 1

Author Comment

by: Simon336697
Hi Mahesh.
Thanks so much for that information.
Very helpful.
LVL 34

Expert Comment

by: Seth Simmons
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.