Solved

Understanding when a domain controller is referenced for authentication.

Posted on 2015-01-14
83 Views
Last Modified: 2015-06-30
Dear all,
I hope you are all well and can assist.

We have an Active Directory 2003/2008/2012 environment, and are looking at removing many domain controllers from a lot of our AD sites.

What I want to understand is the following...

We want to understand under what circumstances is a domain controller contacted for authentication to a resource.

For example:

1) On logon to a domain, a user presses Ctrl+Alt+Del, enters their username and password, and presses Enter to log on. A domain controller is contacted to authenticate.
2) What other scenarios are there when a domain controller is referenced?
e.g. Kerberos ticket expiry?

If a user is logged on to machine A, which is part of domain XYZ, and tries to access a network share on server6, which is also part of domain XYZ, will that user need to be authenticated by both server6 and a domain controller when they first try to connect to server6, after having logged on to the domain?

Any help greatly appreciated.

The reason we wish to know this is to understand what happens if we have users at a site that currently has a DC on site, and we remove those local DCs.

Will this impact them in terms of the number of times they have to authenticate if, for example, they have to connect to member servers that are part of the same domain? The reasoning behind this is to see if it is still worthwhile getting rid of local DCs if they still need to connect to local member servers, e.g. file and print, or remote member servers.

Thank you.
Question by:Simon336697
4 Comments
LVL 36

Accepted Solution

by:
Mahesh earned 500 total points
ID: 40550726
When you start a client computer and reach Ctrl+Alt+Del, a lot of things actually happen in the background.

You must be aware that the client subnet is mapped in AD Sites and Services.
All added subnets must be added to their respective sites so that AD can authenticate clients appropriately, or in other words, so that the client can authenticate with a local DC as far as possible.

After the computer has started its networking service, it tries to contact the preferred DNS server for domain controller SRV records.
The preferred DNS server fetches the domain controller SRV record and gives it to the client.
Now, once the request reaches a DC, the DC will check which site the client subnet belongs to, and if it finds a match and a subsequent DC, it will forward that request to the respective site DC (preferably a DC where the subnet is attached); the computer gets authenticated and is granted a TGT (Kerberos Ticket Granting Ticket).
At this point the user is not yet authenticated.
After that you enter the username and password, and the user also gets authenticated via the same DC as the computer.

In the above scenario, if you removed the DC from the site, the client's preferred DC may not be available; in that case it will try to connect to the alternate DNS, and AD will try to authenticate the client computer via a domain controller in the nearest site paired in the site link, as long as it is reachable.
If no domain controller is reachable, the client will try to log on with previously cached credentials,
OR
if this is a new user and computer, it will simply tell you that a domain controller is not available to service the request.

Once the client has logged on, it will get a Kerberos ticket (TGT) from the domain controller.
Now if you try to access a file server, the file server will request client authentication (a service ticket), and the client will request a service ticket and session key from the DC. The DC verifies the client's TGT and grants a service ticket and session key, which in turn are presented to the file server; the file server accepts this service ticket as authentication and grants access.
At the same time this service ticket is stored in the client machine's cache, and next time you will be able to access the file server with the cached ticket.

When a user resets their password, a domain controller will be contacted.
The validity of a Kerberos ticket depends on what you have set in the default domain Kerberos policy.
I have tried to explain this in a simple way; actually there are lots of encryption details and complexities involved in it.
Here is some interesting reading:
http://blogs.technet.com/b/askds/archive/2008/03/06/kerberos-for-the-busy-admin.aspx
http://technet.microsoft.com/en-in/library/cc772815(v=ws.10).aspx
0
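To see the pieces of the answer above on an actual client (its subnet-to-site mapping, the site-specific SRV records the DC locator queries, the DC it ended up using, and the Kerberos tickets already cached), here is an added PowerShell check that is not part of the original answer. Run it on a domain-joined machine before and after removing a site's DCs and compare the output; the function name is my own and it uses only built-in cmdlets and the standard nltest and klist tools.

```powershell
# Added example, not from the original answer: report which site this client maps to,
# which DC the locator found, and which Kerberos tickets are already cached.
function Get-ClientDcLocatorState {
    param([string]$Domain = $env:USERDNSDOMAIN)

    # 1. Site assignment: derived from the client's subnet in AD Sites and Services.
    $site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite()

    # 2. Site-specific SRV records the DC locator queries first. If these resolve to
    #    nothing after the local DCs are removed, the client falls back to the
    #    domain-wide _ldap._tcp.dc._msdcs.<domain> records (next-closest site).
    $srvName = "_ldap._tcp.$($site.Name)._sites.dc._msdcs.$Domain"
    $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }

    # 3. The DC the locator actually returns for this machine, and the site it lives in.
    $dcInfo = nltest /dsgetdc:$Domain 2>$null
    $locatedDc  = ($dcInfo | Select-String '^\s*DC:').Line -replace '^\s*DC:\s*\\\\', ''
    $dcSiteName = ($dcInfo | Select-String '^\s*Dc Site Name:').Line -replace '^\s*Dc Site Name:\s*', ''

    # 4. Cached tickets for the current logon session. A 'krbtgt/<REALM>' entry is the
    #    TGT; a 'cifs/<server>' entry is a cached file-server service ticket, which is
    #    why a second connection to the same share does not go back to a DC.
    $tickets = klist 2>$null | Select-String -Pattern 'Server:\s+(\S+)' |
               ForEach-Object { $_.Matches[0].Groups[1].Value }

    [pscustomobject]@{
        ComputerSite   = $site.Name
        SiteSrvRecords = @($srv | ForEach-Object { $_.NameTarget })
        LocatedDc      = $locatedDc
        LocatedDcSite  = $dcSiteName
        LogonServer    = $env:LOGONSERVER   # DC that handled this user's logon
        CachedTickets  = @($tickets)
        HasTgt         = [bool]($tickets | Where-Object { $_ -like 'krbtgt/*' })
    }
}

Get-ClientDcLocatorState | Format-List
```

If LocatedDcSite differs from ComputerSite, the client is already being served from another site, which is the situation the question describes after the local DCs are gone.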
LVL 1

Author Comment

by:Simon336697
ID: 40556922
Hi Mahesh.
Thanks so much for that information.
Very helpful.
0
LVL 34

Expert Comment

by:Seth Simmons
ID: 40859107
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0