Understanding when a domain controller is referenced for authentication.

Posted on 2015-01-14
Last Modified: 2015-06-30
Dear all,
I hope you are all well and can assist.

We have an Active Directory 2003/2008/2012 environment, and are looking at removing many domain controllers from a lot of our AD sites.

What I want to understand is the following...

We want to understand under what circumstances is a domain controller contacted for authentication to a resource.

For example:

1) On logon to a domain, a user presses Ctrl+Alt+Del, enters their username and password, and presses Enter to log on. A domain controller is contacted to authenticate.
2) What other scenarios are there when a domain controller is referenced?
e.g. Kerberos ticket expiry?

If a user is logged on to machine A, which is part of domain XYZ, and tries to access a network share on server6, which is also part of domain XYZ, will that user need to be authenticated by both server6 and a domain controller when they first try to connect to server6, after having logged on to the domain?

Any help greatly appreciated.

The reason we wish to know this is to understand what happens if we have users at a site that currently has a DC on site, and we remove those local DCs.

Will this impact them in terms of the number of times they have to authenticate if, for example, they have to connect to member servers that are part of the same domain? The reasoning behind this is to see if it is still worthwhile getting rid of local DCs if users still need to connect to local member servers (e.g. file and print) or remote member servers.

Thank you.
Question by:Simon336697
4 Comments
LVL 38

Accepted Solution

by:
Mahesh earned 2000 total points
ID: 40550726
When you start a client computer and reach Ctrl+Alt+Delete, a lot of things actually happen in the background.

You must be aware that client subnets are mapped to sites in AD Sites and Services.
All subnets must be added to their respective sites so that AD can authenticate clients as appropriate, or in other words, so that a client can authenticate with a local DC as far as possible.

After the networking service has started, the computer tries to contact the preferred DNS server for domain controller SRV records.
The preferred DNS server fetches the domain controller SRV record and gives it to the client.
Once the request reaches a DC, the DC checks which site the client subnet is mapped to, and if it finds a matching site and a DC in it, it forwards the request to that site's DC (preferably the DC where the subnet is mapped); the computer gets authenticated and is granted a TGT (Kerberos Ticket Granting Ticket).
At this point the user is not yet authenticated.
After that you enter your username and password, and the user is also authenticated via the same DC as the computer.

In the above scenario, if you remove the DC from the site, the client's preferred DC may not be available; in that case it will try to connect to the alternate DNS server, and AD will try to authenticate the client computer via a domain controller in the nearest site paired in the site link, as long as it is reachable.
If no domain controller is reachable, the client will try to log on with previously cached credentials,
OR
if this is a new user and computer, it will simply tell you that a domain controller is not available to service the request.

Once the client has logged on, it gets a Kerberos ticket (TGT) from the domain controller.
Now if you try to access a file server, the file server will request client authentication / a service ticket, and the client will request a service ticket and session key from the DC; the DC verifies the client's TGT and grants it a service ticket and session key, which in turn are presented to the file server, and the file server accepts this service ticket as authentication and grants access.
At the same time this service ticket is stored in a cache on the client machine, and next time you will be able to access the file server with the cached ticket.

When a user resets their password, the domain controller is contacted.
The validity of a Kerberos ticket depends on what you have set in the default domain Kerberos policy.
I have tried to explain this in a simple way; actually there are lots of encryption details and complexities involved in it.
Here is some interesting reading:
http://blogs.technet.com/b/askds/archive/2008/03/06/kerberos-for-the-busy-admin.aspx
http://technet.microsoft.com/en-in/library/cc772815(v=ws.10).aspx
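To put the accepted answer's moving parts (subnet-to-site mapping, DC locator, site-link fallback, DNS SRV records, and the cached TGT and service tickets) in front of you before you retire a site's DCs, here is an added PowerShell inventory script. It is not from this thread or from Microsoft; it assumes the RSAT ActiveDirectory module on a domain-joined Windows client, and the site name `Branch01` and any domain name are placeholders you replace with your own.

```powershell
<#
  Added example (not part of the thread): show what the DC locator picked for this
  client, which subnets and site links tie a site to the rest of the forest, whether
  the site-specific SRV records still exist, and which Kerberos tickets are cached.
  Assumptions: RSAT ActiveDirectory module installed; run as a domain user on a
  domain-joined client. 'Branch01' is a placeholder site name.
#>
param(
    [string]$Domain       = (Get-ADDomain).DNSRoot,   # assumption: current domain
    [string]$SiteToRetire = 'Branch01'                # placeholder site
)

Import-Module ActiveDirectory

# 1. Site the client believes it is in (derived from its IP and the subnet objects)
#    and the DC/KDC the locator selected for this logon.
$clientSite = (nltest /dsgetsite 2>$null | Select-Object -First 1).Trim()
$locatedDc  = Get-ADDomainController -Discover -Domain $Domain -Service KDC -ForceDiscover
"Client site      : $clientSite"
"Located DC/KDC   : $($locatedDc.HostName) (site: $($locatedDc.Site))"

# 2. DCs currently in the site you plan to retire.
$dcsInSite = Get-ADDomainController -Filter "Site -eq '$SiteToRetire'"
"DCs in $SiteToRetire : $(($dcsInSite | ForEach-Object HostName) -join ', ')"

# 3. Subnets mapped to that site: these clients will locate a DC elsewhere afterwards.
$siteDn = (Get-ADReplicationSite -Identity $SiteToRetire).DistinguishedName
Get-ADReplicationSubnet -Filter * -Properties Site |
    Where-Object { $_.Site -eq $siteDn } |
    ForEach-Object { "Subnet -> $SiteToRetire : $($_.Name)" }

# 4. Site links touching the site; the locator falls back along these (lowest cost first).
Get-ADReplicationSiteLink -Filter * -Properties Cost, SitesIncluded |
    Where-Object { $_.SitesIncluded -contains $siteDn } |
    ForEach-Object {
        $peers = $_.SitesIncluded | ForEach-Object { (($_ -split ',')[0]) -replace '^CN=', '' }
        "Site link $($_.Name) (cost $($_.Cost)) : $($peers -join ', ')"
    }

# 5. Site-specific SRV records: present while the site has a DC, gone after removal.
$srv = "_ldap._tcp.$SiteToRetire._sites.dc._msdcs.$Domain"
$records = Resolve-DnsName -Name $srv -Type SRV -ErrorAction SilentlyContinue
"SRV $srv : $(if ($records) { ($records | ForEach-Object NameTarget) -join ', ' } else { 'none' })"

# 6. Tickets cached in this logon session: the TGT (krbtgt/...) issued at logon and the
#    service tickets (e.g. cifs/server6) reused without re-contacting a DC until End Time.
klist | Where-Object { $_ -match '^\s*(Server|End Time|Renew Time)' } |
    ForEach-Object { $_.Trim() }
```

Run it once from a client in the site before you decommission anything: if step 3 lists subnets but step 4 shows only a high-cost link, those users' first logon of the day and every new service ticket will cross that link, while already-cached tickets in step 6 keep working until their End Time.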
LVL 1

Author Comment

by:Simon336697
ID: 40556922
Hi Mahesh.
Thanks so much for that information.
Very helpful.
LVL 36

Expert Comment

by:Seth Simmons
ID: 40859107
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.