How does a client find its Domain Controllers at the right Active Directory site?

What actually happens in the background when a domain client authenticates itself to the domain? How does the client find a domain controller to authenticate against? That’s the question for today’s post.

Ok, let’s go into the details. We assume that the computer has already joined the domain.

This is a very simplified representation.

  • During the client’s system startup, the logon service (Netlogon) starts and calls the DsGetDcName API.
  • The API collects information about the client’s configuration, such as its IP address.
  • The client now uses the Netlogon service to query the configured DNS server for DCs in _LDAP._TCP.dc._msdcs.domainname.
  • The DNS server returns a list of DCs.
  • The client sends an LDAP ping to a DC asking for the site it is in, based on the client’s IP address (IP address ONLY! The client’s subnet is NOT known to the DC).
  • The DC returns:
      • The client’s site, or the site associated with the subnet that most closely matches the client’s IP (determined by comparing just the client’s IP to the subnet-to-site table Netlogon builds at startup).
      • The site that the current domain controller is in.
      • A flag (DSClosestFlag = 0 or 1) that indicates whether the current DC is in the site closest to the client.
  • The client decides whether to use the current DC or to look for a closer option:
      • The client uses the current DC if it is in the client’s site or in the site closest to the client, as indicated by the DSClosestFlag reported by the DC.
      • If DSClosestFlag indicates the current DC is not the closest, the client does a site-specific DNS query for _LDAP._TCP.sitename._sites.domainname (_LDAP, or whatever service you happen to be looking for) and uses a returned domain controller.
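To make the steps above concrete, here is an added example that is not part of the original post: a small Python model of the locator walk-through. The domain corp.example, the DC names, the subnet-to-site table and the SRV records are all constructed for the example, and the rule used for DSClosestFlag (set when the DC’s site equals the client’s site, or when no subnet matches at all) is a modelling assumption rather than a statement of how Netlogon computes it. DNS names are written in lowercase here; DNS is case-insensitive, so _ldap._tcp and _LDAP._TCP are the same name. The Branch-Lab site is deliberately given a subnet but no site-specific SRV record, which shows what a client does when its site has no DC of its own: it keeps the DC it already found, which is how clients end up authenticating across a WAN link after a subnet is added without a matching site DC.

```python
import ipaddress

# All data below is constructed for this example (hypothetical domain corp.example);
# none of it comes from the original post.

# Subnet-to-site table as Netlogon builds it at startup from the AD Subnets
# container (assumption: represented here simply as CIDR -> site name).
SUBNET_TO_SITE = {
    "10.0.0.0/8": "Default-First-Site-Name",
    "10.20.0.0/16": "Branch-Office",
    "10.20.5.0/24": "Branch-Lab",
}

# Which site each DC sits in (constructed).
DC_SITES = {
    "dc1.corp.example": "Default-First-Site-Name",
    "dc2.corp.example": "Branch-Office",
}

# DNS SRV records: owner name -> list of (priority, weight, port, target).
SRV_RECORDS = {
    "_ldap._tcp.dc._msdcs.corp.example": [
        (0, 100, 389, "dc1.corp.example"),
        (0, 100, 389, "dc2.corp.example"),
    ],
    "_ldap._tcp.Default-First-Site-Name._sites.corp.example": [
        (0, 100, 389, "dc1.corp.example"),
    ],
    "_ldap._tcp.Branch-Office._sites.corp.example": [
        (0, 100, 389, "dc2.corp.example"),
    ],
    # Branch-Lab deliberately has no site-specific record, to show the fallback.
}


def site_for_ip(client_ip, table=SUBNET_TO_SITE):
    """Return the site whose subnet most specifically contains client_ip.

    This is the "subnet that most closely matches the client's IP" step: only
    the address is compared, so the longest matching prefix wins. Returns None
    when no subnet in the table contains the address.
    """
    addr = ipaddress.ip_address(client_ip)
    best_net, best_site = None, None
    for cidr, site in table.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_site = net, site
    return best_site


def srv_lookup(name, records=SRV_RECORDS):
    """Return SRV targets ordered by priority (lowest first), then weight (highest first).

    Real resolvers choose among equal-priority targets randomly by weight; the
    ordering here is deterministic so the walk-through is repeatable.
    """
    rrset = records.get(name, [])
    return [target for _, _, _, target in sorted(rrset, key=lambda r: (r[0], -r[1]))]


def ldap_ping(dc, client_ip):
    """Model the DC's reply to an LDAP ping: client site, DC site, DSClosestFlag.

    Modelling assumption: DSClosestFlag is 1 when the DC's site equals the
    client's site, or when the client's site cannot be determined (no matching
    subnet), in which case the client has nothing better to look for.
    """
    client_site = site_for_ip(client_ip)
    dc_site = DC_SITES[dc]
    closest = client_site is None or client_site == dc_site
    return {"client_site": client_site, "dc_site": dc_site, "DSClosestFlag": int(closest)}


def locate_dc(client_ip, domain="corp.example", service="_ldap"):
    """Walk the locator steps from the post and return (chosen_dc, client_site)."""
    # 1. Generic query for any DC in the domain.
    candidates = srv_lookup(f"{service}._tcp.dc._msdcs.{domain}")
    if not candidates:
        return None, None
    first_dc = candidates[0]
    # 2. LDAP-ping the first DC returned.
    reply = ldap_ping(first_dc, client_ip)
    # 3. Keep it if the DC reports that it is the closest.
    if reply["DSClosestFlag"]:
        return first_dc, reply["client_site"]
    # 4. Otherwise do the site-specific query and use a DC from the answer;
    #    if that site has no SRV record, fall back to the DC we already have.
    site_dcs = srv_lookup(f"{service}._tcp.{reply['client_site']}._sites.{domain}")
    return (site_dcs[0] if site_dcs else first_dc), reply["client_site"]


if __name__ == "__main__":
    for ip in ("10.1.1.1", "10.20.9.1", "10.20.5.17", "192.168.1.1"):
        dc, site = locate_dc(ip)
        print(f"{ip:>12} -> site={site} dc={dc}")
```

Running the script shows the four cases that matter in practice: a client in the hub site keeps the first DC, a branch client is redirected to its own site’s DC by the second query, a client in a site with no DC falls back to the DC it first found, and a client on a subnet that is not in the table at all gets no site and simply uses whatever the generic query returned. When clients in a branch are slow to log on, checking which of these four paths they take (site match, site SRV record present, subnet defined) is the first thing to verify.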

If you have any questions, feel free to contact us, and follow us on facebook@windowstechno to get updates about new blog posts.
