I hope you are all well and can assist.
We have an Active Directory 2003/2008/2012 environment, and are looking at removing many domain controllers from a lot of our AD sites.
What I want to understand is the following...
We want to understand under what circumstances a domain controller is contacted for authentication to a resource.
1) On logon to a domain, a user presses Ctrl+Alt+Del, enters their username and password, and presses Enter to log on. A domain controller is contacted to authenticate.
2) What other scenarios are there when a domain controller is referenced?
e.g. Kerberos ticket expiry?
If a user is logged on to machine A, which is part of domain XYZ, and tries to access a network share on server6, which is also part of domain XYZ, will that user need to be authenticated by both server6 and a domain controller when they first try to connect to server6, after having logged on to the domain?
Any help greatly appreciated.
The reason we wish to know this stuff is to understand what happens if we have users at a site that currently have a DC on site, and we remove those local DCs.
Will this impact them in terms of the number of times they have to authenticate if, for example, they have to connect to member servers that are part of the same domain? The reasoning behind this is to see if it is still worthwhile getting rid of local DCs if they still need to connect to local member servers, e.g. file and print, or remote member servers.