


How To Change Prefer Dc To Authenticating

The process of a Windows client selecting an Active Directory domain controller isn't too complex but is often not fully understood.  Let's look at the way a member server chooses a DC and how this affects applications.

Why it Matters

Windows will optimize connections to the best available domain controller for the following types of situations:

  • Authentication for users logging directly into the server
  • Authentication for users accessing the applications on the server (such as SharePoint or Exchange)
  • Group policy processing for user accounts and the computer account
  • Promotion of a member server to a DC

For each of these, it is clearly important to try to use a DC that is local to the member server.  For example, you wouldn't want thousands of Exchange authentications to be sent to a DC across the country if a local one is available.

How it Works

When a member server or workstation needs to find a domain controller, it goes through the following steps:

  1. Query the primary DNS server for all domain controller SRV records in the domain (these have the format "_ldap._tcp.mydomain.local")
    1. This will return an entry for each DC in the domain.  For example, this screenshot shows the lookup result for a domain with 2 DCs, named MGLABDC4 and MGLABDC5:
      (screenshot: dc-selection-1.jpg)
  2. Select the first DC in the DNS result list and connect to it via LDAP
  3. Determine if the chosen DC is in the same site as the member server, based on the data configured in AD Sites & Services
    1. If so, the member server begins using that DC for communications
    2. If not, the DC tells the member server what site it is in
      1. Member server sends a new DNS query for the list of DCs specifically in its own site
      2. Member server selects the first DC in the DNS result list and connects to it via LDAP
      3. If no DC in the local site is available, connect to any DC in the domain
  4. Cache the name of the local site in the registry to speed up future operations
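The steps above, walked through by hand so that each one can be observed, as an added PowerShell example that is not part of the original post. It assumes a domain-joined Windows host with the DnsClient cmdlets (Resolve-DnsName and Test-NetConnection, Windows 8 / Server 2012 and later); the function name, its parameters and the helper are my own, not Windows APIs. It goes one step beyond the text by ordering the SRV answers by priority and weight, which is the general rule behind "first in the list".

```powershell
# Added example, not from the original post: walks the four DC locator steps by hand.
# Assumes a domain-joined host with Resolve-DnsName / Test-NetConnection available.
# Find-SiteAwareDc and Select-ReachableDc are names chosen here, not Windows APIs.
function Find-SiteAwareDc {
    param(
        [string]$Domain  = $env:USERDNSDOMAIN,
        [int]$LdapPort   = 389
    )

    # Order SRV answers the way a resolver should: lowest priority first, then
    # highest weight. The post says "first in the list"; this is the rule behind it.
    $bySrvOrder = @{ Property = 'Priority', @{ Expression = 'Weight'; Descending = $true } }

    # Returns the target of the first record that answers on the LDAP port, or $null.
    function Select-ReachableDc([object[]]$Records) {
        foreach ($r in $Records) {
            if (Test-NetConnection -ComputerName $r.NameTarget -Port $LdapPort `
                    -InformationLevel Quiet -WarningAction SilentlyContinue) {
                return $r.NameTarget
            }
        }
        return $null
    }

    # Step 1: all DC SRV records for the domain (the _ldap._tcp.<domain> name).
    $domainDcs = Resolve-DnsName -Name "_ldap._tcp.$Domain" -Type SRV -ErrorAction Stop |
        Where-Object Type -eq 'SRV' | Sort-Object @bySrvOrder

    # Step 2: first DC in that list that is reachable on the LDAP port.
    $firstDc = Select-ReachableDc $domainDcs
    if (-not $firstDc) { throw "No DC in $Domain answers on TCP/$LdapPort" }

    # Step 3: which site is this computer in? The DC decides that from the subnets in
    # AD Sites & Services; this .NET call surfaces the locator's answer.
    try   { $site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name }
    catch { $site = $null }   # no matching subnet: stay with the domain-wide choice

    $chosen = $firstDc; $scope = 'domain-wide'
    if ($site) {
        # Step 3b: re-query DNS for the DCs registered in our own site and take the
        # first reachable one; keep the domain-wide result if none answers.
        $siteDcs = Resolve-DnsName -Name "_ldap._tcp.$site._sites.dc._msdcs.$Domain" -Type SRV `
                       -ErrorAction SilentlyContinue |
            Where-Object Type -eq 'SRV' | Sort-Object @bySrvOrder
        $siteDc = Select-ReachableDc $siteDcs
        if ($siteDc) { $chosen = $siteDc; $scope = "site $site" }
    }

    [pscustomobject]@{
        Site             = if ($site) { $site } else { '(no site: IP matches no AD subnet)' }
        DomainController = $chosen
        SelectedFrom     = $scope
        AllDcs           = $domainDcs.NameTarget
    }
}

Find-SiteAwareDc   # compare DomainController with echo %logonserver%
```

A DomainController value that comes from the domain-wide list while the Site column reads "(no site ...)" is the symptom of a missing subnet definition; a site-scoped answer that differs from %logonserver% usually means the logon happened before the site was cached or while the local DC was down.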

If the client attempts to contact a DC that's offline, it will try to contact the next one in the list until all results are exhausted.

Here is a screenshot from a member server showing how the server is preferring the DC in its local site.

A common misconception is that Windows clients will use their configured DNS servers as their primary DCs.  As you can see from the above process, this is not the case.  The member server will query its configured DNS server to retrieve a list of DCs and then intelligently choose the correct DC based on the site data.

Commands to Help

To help view and diagnose how a member server is locating its DC, try the following commands:

echo %logonserver% - This shows the DC that was used to authenticate and log in the current user

nltest /dsgetsite - This shows the AD site that the current server has detected that it's in

nltest /dclist: (include the colon at the end) - This shows the list of DCs in the current domain, including which site each is in.  In this case, MGLABDC4 is in the MG-AZ-EASTUS site, and MGLABDC5 is in the MG-AZ-EASTUS2 site.

nslookup -type=srv _ldap._tcp.mydomain.local. - This will query the primary DNS server for all domain controller SRV records.  This should return all of the DCs in the domain.  In this case, MGLABDC4 and MGLABDC5 are returned.

nslookup -type=srv _ldap._tcp.mysitename._sites.dc._msdcs.mydomain.local. - This will query the primary DNS server for domain controllers that are registered in "mysitename".  In this example, only MGLABDC4 is in the site that was queried, which matches the data we found with nltest /dclist: previously.
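The same commands gathered from one PowerShell session, as an added example that is not from the original post, with the check a practitioner actually wants at the end: is the DC that authenticated this logon in the client's own site? It assumes a domain-joined host with nltest.exe and the DnsClient module; the function name and the regular expression used to parse the nltest /dclist: output are my own. The DynamicSiteName value under the Netlogon\Parameters key is the well-known place Netlogon caches the detected site (step 4 of the process above); it is read here only as a cross-check.

```powershell
# Added example, not from the original post: collects logon server, detected site,
# cached site, per-DC site data and both SRV lists, then flags a cross-site logon.
# Test-LogonServerSite is a name chosen here, not a Windows cmdlet.
function Test-LogonServerSite {
    param([string]$Domain = $env:USERDNSDOMAIN)

    # echo %logonserver% -> "\\MGLABDC4"; strip the leading backslashes.
    $logonServer = $env:LOGONSERVER -replace '^\\\\', ''

    # nltest /dsgetsite prints the site name on its first line.
    $siteOut   = nltest /dsgetsite 2>$null
    $localSite = if ($LASTEXITCODE -eq 0 -and $siteOut) { ([string]$siteOut[0]).Trim() } else { $null }

    # Site cached by Netlogon in the registry (step 4 of the locator process).
    $cachedSite = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
                       -Name DynamicSiteName -ErrorAction SilentlyContinue).DynamicSiteName

    # nltest /dclist: prints one line per DC, e.g.
    #   "    mglabdc4.mglab.local [PDC]  [DS] Site: MG-AZ-EASTUS"; build host -> site.
    $dcSites = @{}
    foreach ($line in (nltest /dclist: 2>$null)) {
        if ($line -match '^\s*([^.\s]+)\.\S+.*Site:\s*(\S+)') {
            $dcSites[$Matches[1].ToUpper()] = $Matches[2]
        }
    }

    # The two nslookup queries from the post, via Resolve-DnsName.
    $domainDcs = Resolve-DnsName -Name "_ldap._tcp.$Domain" -Type SRV -ErrorAction SilentlyContinue |
                 Where-Object Type -eq 'SRV' | ForEach-Object NameTarget
    $siteDcs   = if ($localSite) {
        Resolve-DnsName -Name "_ldap._tcp.$localSite._sites.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'SRV' | ForEach-Object NameTarget
    }

    $logonSite = if ($logonServer) { $dcSites[$logonServer.ToUpper()] } else { $null }

    [pscustomobject]@{
        LogonServer     = $logonServer
        LogonServerSite = $logonSite
        LocalSite       = $localSite
        CachedSite      = $cachedSite
        DomainDcs       = $domainDcs
        LocalSiteDcs    = $siteDcs
        InSite          = [bool]($logonSite -and $localSite -and $logonSite -eq $localSite)
    }
}

$state = Test-LogonServerSite
$state
if (-not $state.InSite) {
    Write-Warning ("Logon server '{0}' is in site '{1}', local site is '{2}': check the subnet " +
                   "definitions in AD Sites & Services") -f $state.LogonServer, $state.LogonServerSite, $state.LocalSite
}
```

InSite = False with an empty LocalSite means the client's address matched no AD subnet; InSite = False with both sites populated means the client did find its site but authenticated elsewhere, which is worth correlating with DC availability at logon time.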

Configuration

How do you ensure that all of this happens smoothly?  The single most important thing to check is that AD Sites & Services is configured correctly.  You should review and confirm the following points:

  • All of the LAN subnets in the corporate network are defined in AD Sites & Services
  • Each of those subnets is configured for the correct AD Site
  • Each site with a significant number of clients has a local DC to authenticate with

If the Windows client's IP address doesn't match a subnet defined in the AD configuration, it has no way of finding the closest DC.  That can lead to unoptimized connections and slower logons and AD operations.
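A check for exactly that failure mode, as an added example that is not from the original post: does each of this host's IPv4 addresses fall inside a subnet defined in AD Sites & Services, and which site does that subnet map to? It assumes the ActiveDirectory RSAT module (Get-ADReplicationSubnet) and the NetTCPIP module (Get-NetIPAddress); subnets are expected in CIDR form and IPv6 entries are skipped. The helper functions are my own.

```powershell
# Added example, not from the original post: reports, per local IPv4 address, the AD
# subnet and site it matches, or "(no matching subnet)". Helper names are mine.
function ConvertTo-UInt32Ip {
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)                 # network byte order -> host order
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IpInCidr {
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr -split '/'
    # Skip anything that is not a dotted IPv4 prefix (e.g. IPv6 subnets).
    if (-not $bits -or $net -notmatch '^\d+\.\d+\.\d+\.\d+$') { return $false }
    $bits = [int]$bits
    $mask = if ($bits -eq 0) { [uint32]0 } else { [uint32]((0xFFFFFFFF -shl (32 - $bits)) -band 0xFFFFFFFF) }
    ((ConvertTo-UInt32Ip $Ip) -band $mask) -eq ((ConvertTo-UInt32Ip $net) -band $mask)
}

function Test-AdSubnetCoverage {
    Import-Module ActiveDirectory -ErrorAction Stop
    # Name is the CIDR string ("10.20.0.0/16"); Site is the site's distinguished name.
    $subnets = Get-ADReplicationSubnet -Filter * -Properties Site

    $addresses = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.PrefixOrigin -ne 'WellKnown' } |     # drops loopback and APIPA
        ForEach-Object IPAddress

    foreach ($ip in $addresses) {
        $match = $subnets | Where-Object { Test-IpInCidr -Ip $ip -Cidr $_.Name } | Select-Object -First 1
        [pscustomobject]@{
            IPAddress = $ip
            Subnet    = if ($match) { $match.Name } else { $null }
            Site      = if ($match) { (($match.Site -split ',')[0] -replace '^CN=', '') } else { '(no matching subnet)' }
        }
    }
}

Test-AdSubnetCoverage | Format-Table -AutoSize
```

Run this on a member server that shows slow logons; a row reading "(no matching subnet)" for the server's primary address is the configuration gap the paragraph above describes, and the fix is to add that subnet to the correct site in AD Sites & Services rather than to change anything on the client.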

For more information, see this article on TechNet or this Microsoft KB article.

Source: https://concurrency.com/blog/may-2018/domain-controller-selection
