Arnaud Jumelet

Blog - Consultant - Security - Identity

Domain Controller Locator : In depth


When a client computer needs to contact a domain controller for a specific domain, the Netlogon service running on the client first tries to find the nearest domain controller by reading the DynamicSiteName value from the local registry, that is, the site in which the computer was last found.

  Note
If the domain being located is the same as the domain to which the computer is joined and the computer has not physically moved to a different site since the last query, the dynamically determined site name in the registry is the actual site in which the computer is located.

On the other hand, if the site name in the registry is not the current site of the computer (for example, if the computer is portable), the domain controller location process serves to update the site information in the registry.

The DC Locator uses this DynamicSiteName entry to ask DNS for the domain controllers of that site: it inserts the site name into the SRV query name (_ldap._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName> instead of the generic _ldap._tcp.dc._msdcs.<DnsDomainName>) and sends it to the DNS server, which returns the matching SRV records.
Each SRV record carries a priority and a weight, and the client orders the returned list by them before trying any domain controller.

The client inspects the SRV records and tries the domain controllers with the lowest priority value first. Among records with the same priority, it chooses randomly, with a probability proportional to each record's weight. The algorithm is defined in RFC 2782.
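The DNS step described above (building the site-specific SRV name, then ordering the answer per RFC 2782) as an added example in Python. This is not code from the original post; the domain, site and host names in it are constructed for illustration, and the SRV answer is a hand-made list rather than a live DNS response.

```python
import random
from dataclasses import dataclass
from typing import List, Optional


def srv_query_name(dns_domain: str, site: Optional[str] = None) -> str:
    """Name the locator queries: site-specific when a site is known, generic otherwise."""
    if site:
        return f"_ldap._tcp.{site}._sites.dc._msdcs.{dns_domain}"
    return f"_ldap._tcp.dc._msdcs.{dns_domain}"


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed answer for _ldap._tcp.Paris._sites.dc._msdcs.corp.example (hypothetical names).
PARIS_SRV = [
    SrvRecord(0, 100, 389, "dc2.corp.example"),
    SrvRecord(0, 100, 389, "dc4.corp.example"),
    SrvRecord(0, 0, 389, "dc5.corp.example"),     # weight 0: practically never chosen first
    SrvRecord(10, 100, 389, "dc1.corp.example"),  # only tried if every priority-0 DC fails
]


def order_srv(records: List[SrvRecord], rng: Optional[random.Random] = None) -> List[SrvRecord]:
    """Return the records in the order a client should try them (RFC 2782 usage rules):
    ascending priority; within one priority, weighted random selection, with
    zero-weight records placed first so they are picked only when the draw is 0."""
    rng = rng or random.Random()
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            pool.sort(key=lambda r: r.weight != 0)   # zero-weight records first, stable otherwise
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:               # first record whose running sum reaches the draw
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


def first_choice_frequency(records: List[SrvRecord], trials: int = 2000, seed: int = 1):
    """How often each target ends up first in line, to check the weighting empirically."""
    rng = random.Random(seed)
    counts = {r.target: 0 for r in records}
    for _ in range(trials):
        counts[order_srv(records, rng)[0].target] += 1
    return {t: c / trials for t, c in counts.items()}


if __name__ == "__main__":
    print(srv_query_name("corp.example", "Paris"))
    for r in order_srv(PARIS_SRV):
        print(r.priority, r.weight, r.target)
    print(first_choice_frequency(PARIS_SRV))
```

With the constructed answer, dc2 and dc4 each come first about half of the time, dc5 (weight 0) almost never, and dc1 (priority 10) only after every priority-0 record has been tried, which is exactly what a weight of 0 or a higher priority value buys you when you want a DC registered but rarely used.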

The client (Netlogon service) then sends a datagram to the domain controller chosen in the previous step. The datagram is an LDAP search carried over UDP, commonly called the LDAP ping.

The domain controller receives the query, whose source address is the IP address of the client, and passes it to Netlogon on the domain controller. Netlogon looks up the client IP address in its subnet-to-site mapping table, picking the subnet object that most closely matches the client address (the longest matching prefix), and returns the following information:

  • The name of the site in which the current domain controller is located.
  • The name of the site in which the client is located, or the site that most closely matches the client IP address.
  • A bit that indicates whether the found domain controller is located (bit is set) or not located (bit is not set) in the site closest to the client.
  • Other pieces of information that describe the domain controller.


  Note
The site information for the forest is stored in the configuration directory partition in Active Directory, and this information is replicated to all domain controllers in the forest. Included with the configuration information is a list of IP subnets that are associated with a particular site.


The domain controller returns the information to the client.
The client inspects the information to determine whether to try to find a better domain controller. The decision is made as follows:

  • If the returned domain controller is in the closest site (the returned bit is set), the client uses that domain controller.
  • If the client has already tried to find a domain controller in the site in which the domain controller claims the client is located, the client uses that domain controller.
  • If the domain controller is not in the closest site, the client updates its site information and sends a new DNS query to find a new domain controller in the site. If the second query is successful, the client uses the new domain controller. If the second query fails, the client uses the original domain controller.
  • If the domain that is being queried by a computer is the same as the domain to which the computer is joined, the site in which the computer resides (as reported by a domain controller) is stored in the computer registry, in the DynamicSiteName entry under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters. The DsGetSiteName API therefore returns the site in which the computer is located.

To override the dynamically determined site, you can set the SiteName entry. When a value is present for SiteName, the DynamicSiteName entry is ignored.

Value: HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\SiteName
Type: REG_SZ
Data: the name of an Active Directory site (string)

Because the locator never updates a static SiteName, a portable computer with this value set keeps querying DNS for that site's domain controllers wherever it is; reserve it for machines that do not move.


Searching a domain controller at a specific site

If no other site is specified, the locator searches for a domain controller in the Active Directory site in which the client is located or was last found. If the locator does not know the client's site when the search begins, it asks a DNS server for the generic, site-less entries of the domain controllers of the domain. It then contacts one of the domain controllers found to determine which site the client belongs to. If that domain controller is not in the client's site, the locator repeats the DNS request, this time specifying the client's site, in order to find a domain controller there.

If the client receives no response from the domain controllers of its site, or if no domain controller is available in that site, the client falls back to the generic list of domain controllers. In this case it ends up with a pseudo-random domain controller taken from the answer to the generic request.

 

Client with no apparent site

If the client pings a Windows 2000 or Windows Server 2003 domain controller and the client's IP address is not found in the subnet-to-site mapping table, the domain controller returns a NULL site name and the client simply uses the domain controller that answered.

Important
The behavior in a Windows Server 2008 domain is not the same.
If a domain member has an IP address that is not linked to any site, that computer is placed in the Default-First-Site-Name site. Every computer that is part of a Windows Server 2008 domain must belong to a site.
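The site-awareness part of the process, from the LDAP ping answered by the domain controller (longest-prefix subnet match, the three pieces of information it returns) through the client's decision whether to re-query DNS, and the "client with no apparent site" case just above, as one added example in Python. It is not code from the original post: the subnet-to-site table, the DC names, the canned DNS answers and the site names are constructed for illustration, and the `fallback` parameter only models the two behaviours the post describes (NULL site versus a default site) rather than reproducing either Windows implementation.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed forest data (hypothetical site, subnet and DC names).
SUBNET_TO_SITE: Dict[str, str] = {
    "10.0.0.0/8": "Hub",
    "10.1.0.0/16": "Paris",
    "10.1.10.0/24": "Paris-Lab",   # more specific than 10.1.0.0/16, so it wins for 10.1.10.x
    "192.168.0.0/16": "Lyon",
}
DC_SITE: Dict[str, str] = {
    "dc1.corp.example": "Hub",
    "dc2.corp.example": "Paris",
    "dc3.corp.example": "Lyon",
}
# Canned DNS answers: None is the generic (site-less) SRV query, a string the site-specific one.
# Paris-Lab has no DC of its own; its record points at dc2, as automatic site coverage would.
SRV_ANSWERS: Dict[Optional[str], List[str]] = {
    None: ["dc1.corp.example", "dc2.corp.example", "dc3.corp.example"],
    "Hub": ["dc1.corp.example"],
    "Paris": ["dc2.corp.example"],
    "Paris-Lab": ["dc2.corp.example"],
    "Lyon": ["dc3.corp.example"],
}


def fake_dns(site: Optional[str]) -> List[str]:
    """Stand-in for the SRV lookup; an unknown site yields no records."""
    return SRV_ANSWERS.get(site, [])


def client_site(client_ip: str, table: Dict[str, str] = SUBNET_TO_SITE,
                fallback: Optional[str] = None) -> Optional[str]:
    """DC side: longest-prefix match of the client address in the subnet-to-site table.
    No match returns `fallback`: None models the NULL site of a 2000/2003 DC,
    a site name models the 'placed in Default-First-Site-Name' behaviour described for 2008."""
    addr = ipaddress.ip_address(client_ip)
    best_net, best_site = None, fallback
    for net_str, site in table.items():
        net = ipaddress.ip_network(net_str)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_site = net, site
    return best_site


@dataclass
class PingResponse:
    dc_name: str
    dc_site: str                 # site of the answering DC
    client_site: Optional[str]   # site the DC believes the client is in (None = unknown)
    closest_site: bool           # the "DC is in the site closest to the client" bit


def ldap_ping(dc_name: str, client_ip: str, fallback: Optional[str] = None) -> PingResponse:
    """Models Netlogon's answer to the client's LDAP UDP ping."""
    dc_site = DC_SITE[dc_name]
    csite = client_site(client_ip, fallback=fallback)
    return PingResponse(dc_name, dc_site, csite, closest_site=(csite is not None and csite == dc_site))


def locate_dc(client_ip: str, known_site: Optional[str] = None,
              dns: Callable[[Optional[str]], List[str]] = fake_dns,
              fallback: Optional[str] = None):
    """Client side. known_site is the cached DynamicSiteName (or a forced SiteName).
    Returns (chosen DC, site name the client would store in DynamicSiteName)."""
    tried = set()
    candidates = dns(known_site) if known_site else []
    if candidates:
        tried.add(known_site)
    else:
        candidates = dns(None)                       # generic query: site unknown or has no DC
    resp = ldap_ping(candidates[0], client_ip, fallback)
    # 1. DC is in the closest site, or the DC cannot place the client at all: use it.
    if resp.closest_site or resp.client_site is None:
        return resp.dc_name, resp.client_site
    # 2. The site the DC reports is the one we already queried: use this DC anyway.
    if resp.client_site in tried:
        return resp.dc_name, resp.client_site
    # 3. Otherwise re-query DNS for the reported site; keep the first DC if that finds nothing.
    retry = dns(resp.client_site)
    if retry:
        return retry[0], resp.client_site
    return resp.dc_name, resp.client_site


if __name__ == "__main__":
    print(locate_dc("10.1.2.3"))                          # generic query, then retry in Paris
    print(locate_dc("10.1.2.3", known_site="Lyon"))      # laptop moved: cached site corrected
    print(locate_dc("172.16.0.1"))                        # no subnet: NULL site, first DC used
    print(locate_dc("172.16.0.1", fallback="Default-First-Site-Name"))
```

Running it shows the three outcomes the post walks through: a client whose subnet is known ends up with a DC from its own site even if the first answer came from elsewhere, a cached but stale site is corrected on the next locate, and a client that no subnet object covers keeps the first DC it hit, with either no site or the fallback site recorded. The last case is the one to watch in practice: a machine on an unregistered subnet authenticates against whichever DC DNS handed it first, regardless of distance.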

Comments
  • What happens in a 2008 domain where there is no Default-First-Site-Name site?
