How does a client find it’s Domain Controllers at the right Active Directory site?

What actually happens in the background when a domain client authenticates itself to the domain? How client get the authentication from domain controller. That’s the question for today’s post.

Ok, let’s go into the details. We assume that the computer has already joined the domain.

This is a very simplified representation.

• During the client’s system startup, the logon service (netlogon) starts with the API DsGetDcName.

• The API collects information about the client’s configuration, such as IP-Address.
• Now the client uses netlogon service to query the configured DNS server for DC’s in _LDAP._TCP.dc._msdcs.domainname.
• DNS server returns list of DC’s.
• Client sends an LDAP ping to a DC asking for the site it is in based on the clients IP address (IP address ONLY! The client’s subnet is NOT known to the DC).
• DC returns…

• The client’s site or the site that’s associated with the subnet that most matches the client’s IP (determined by comparing just the client’s IP to the subnet-to-site table Netlogon builds at startup).
• The site that the current domain controller is in.
• A flag (DSClosestFlag=0 or 1) that indicates if the current DC is in the site closest to the client.
• The client decides whether to use the current DC or to look for a closer option.

• Client uses the current DC if it’s in the client’s site or in the site closest to the client as indicated by DSClosestFlag reported by the DC.
• If DSClosestFlag indicates the current DC is not the closest, the client does a site specific DNS query to: _LDAP._TCP.sitename._sites.domainname (_LDAP or whatever service you happen to be looking for) and uses a returned domain controller.

Recommended content

• RODC Installation Guide- Step by step guide to install read only domain controller
• RODC Filtered Attribute Set
• Installing and configuring a RODC in Windows Server-2012
• How to find the GUID of Domain Controller

Guys please don’t forget to like and share the post. You can also share the feedback on below windows techno email id.

If you have any questions feel free to contact us on admin@windowstechno.com also follow us on facebook@windowstechno to get updates about new blog posts.