We help IT Professionals succeed at work.

Clients authenticating HO DC instead of Site DC

Help Request:
Hi Support
we have 2 site in AD DS (HO & AWS), i have installed a new DC for AWS Site and associated the AWS subnet
now the machines in my AWS Site are logon to HO DC instead of AWS DC, this increase network latency (as 2 sites are connected through site to site VPN). how can we make sure AWS site clients authenticate AWS DC
Comment
Watch Question

Tom CieslikIT Engineer
CERTIFIED EXPERT
Distinguished Expert 2017

Commented:
To force a client to use a specific domain controller we need only do the following:

Start the registry editor
Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
From the Edit menu select New - DWORD value
Enter a name of NodeType and press ENTER
Double click on the new value and set to 4 (this sets the network to an M-mode/mixed which means it will perform a broadcast before querying name servers for resolution). By default a system is 1 if no WINS servers are configured (B-node/broadcase) or 8 if at least one WINS server is configured (H-node/queries name resolution first then broadcasts)
Double click on the EnableLMHOSTS value and set to 1. If it does not exist select New - DWORD value from the Edit menu and enter a name of EnableLMHOSTS
Close the registry editor
Reboot the machine
The machine is now configured to broadcase for a domain controller on a local subnet and then query a name server. If no domain controllers are found on the WINS server, or WINS is not used it will then search the LMHOSTS file. The next stage is to edit this file.

Check for the LMHOSTS file
C:\>dir %systemroot%\system32\drivers\etc\lmhosts
If the file does not exist copy the sample host file
C:\>copy %systemroot%\system32\drivers\etc\lmhosts.sam %systemroot%\system32\drivers\etc\lmhosts
1 file(s) copied.
Edit the file using edit.exe, don't use notepad.exe
C:\>edit %systemroot%\system32\drivers\etc\lmhosts
Goto the end of the comments and add a new line of the format
<ip address> <name of DC> #PRE #DOM:<domain name> #<comment>
e.g. 200.200.200.50 titanic #PRE #DOM:savilltech #savilltech domain controller
Save the changes to the file and exit edit.exe
Force the machine to reload the LMHOSTS file (or just reboot)
C:\>NBTSTAT -R
Note: The -R must be in capitals, the command is case sensitive
Check the cache
C:\>NBTSTAT -c
At this point the configuration is complete and a reboot is advisable.
Last Knight
CERTIFIED EXPERT
Distinguished Expert 2018
Commented:
Hi Anwar,

I'm not sure why reg/host hacks are being recommended here...all of the native configurations within AD DS allow you do achieve this by default. Think about enormous environments...do you think engineers are using reg/host hacks to direct traffic??? AD DS site topology provides client affinity, meaning that clients located within a specific site will prefer domain controllers in the same site. This is accomplished by a well-designed AD DS site topology, which will allow you to define subnets that can be associated with the Availability Zones within your VPC. These associations help ensure that traffic—such as directory service queries, AD DS replication, and client authentication—uses the most efficient path to a domain controller. They also provide you with granular control over replication traffic.

How many AZs (Availability Zones) do you have setup? Go to AD Sites and Services and assign the subnets to the respective Site Objects. The Sites in AD DS that represent each AZ in your VPC will associate the subnets with those sites ensuring that domain-joined instances will primarily use a domain controller closest to them. This is also a key design configuration for maintaining a highly available AD DS deployment in AWS.

Let me know if you have any other questions!

P.S. if you want more traffic, increase the priority of the question from Low to Medium or High or from Medium to High. There is no negative for doing so...only positives for you!
Blue Street TechLast Knight
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
@Tom Cieslik - Don't you feel this is misleading to propose a hack when by design MSFT functions exactly how the OP wants this to work (they just don't know how to properly set it up)? Future readers are going to erroneously think the only way for a client to authenticate to the most efficient DC is to hack it and force it to do so - they are not actually learning how to setup it up properly so that it will perform the feat natively.

Explore More ContentExplore courses, solutions, and other research materials related to this topic.