Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2005-12-07) Which DCs Are Used When Promoting A Server To A DC?

Posted by Jorge on 2005-12-07


When running DCPROMO on a server to promote it to a DC, there are two possibilities for the DNS query the server uses to locate a DC:

–> The server is a STAND-ALONE SERVER and is going to be promoted to a DC:
In this case the server does not know to which site it belongs, so it queries for a list of DCs in the domain the server is promoted into. The query it makes is:
     Queries
          _ldap._tcp.dc._msdcs.ADCORP.LAN: type SRV, class IN
               Name: _ldap._tcp.dc._msdcs.ADCORP.LAN
               Type: SRV (Service location)
               Class: IN (0x0001)
 
–> The server is a MEMBER SERVER and is going to be promoted to a DC:

In this case the server does know to which site it belongs, so it queries for a list of DCs in its own site for the domain the server is promoted into. The query it makes is:

     Queries
          _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ADCORP.LAN: type SRV, class IN
               Name: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ADCORP.LAN
               Type: SRV (Service location)
               Class: IN (0x0001)
THE FIRST CASE…
When querying for a list of DCs for a certain domain, the server asks for "_ldap._tcp.dc._msdcs.ADCORP.LAN". By default ALL DCs in a domain register domain-wide records for the domain they belong to and site-wide records for the site they belong to. In environments with HUB locations and branch office locations, the DCs in the branch office locations are often configured NOT to register domain-wide records; these DCs then only register site-wide records for the site they belong to. This prevents a user or computer in the domain from being authenticated by a DC in another branch office location when it asks for a list of DCs in the domain, because that list will then only contain the DCs in the HUB locations.
For the branch office DCs (when W2K3) this can be configured with the GPO setting:
"MACHINE" -> "Administrative Templates\System\Net Logon\DC Locator DNS Records" -> "DC Locator DNS records not registered by the DCs"
For additional information see also:
 
THE SECOND CASE…
In this case the server knows the site it belongs to and queries for "_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ADCORP.LAN". If that site already contains DCs, those DCs will be used. If the site exists in AD but has no DCs yet for the domain the server is promoted into, the DCs in the nearest site (according to the site link cost) cover this site automatically. From time to time DCs check the site topology and also check whether sites exist with no DCs; if so, each DC determines whether it should cover that site.
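As an added illustration (example code written for this edit, not code from the original post), the following Python model registers the DC locator SRV records each DC would create, withholds the domain-wide ones for branch DCs the way the GPO setting above does, lets the DCs in the lowest-cost neighbouring site cover a site that has no DCs, and then answers the two DCPROMO queries described in both cases. All host names, site names and site link costs are constructed; the mnemonics Ldap, Dc, LdapAtSite and DcAtSite follow the Netlogon DnsAvoidRegisterRecords naming convention, and only those four record types are modelled (priority and weight are left at fixed values).

```python
"""Constructed model of DC locator record registration and the two DCPROMO
queries. Hosts, sites and costs are invented; not code from the original post."""

DOMAIN = "ADCORP.LAN"

# Owner-name patterns per Netlogon mnemonic. "Ldap"/"Dc" are domain-wide,
# "LdapAtSite"/"DcAtSite" are site-specific.
PATTERNS = {
    "Ldap":       "_ldap._tcp.{domain}",
    "Dc":         "_ldap._tcp.dc._msdcs.{domain}",
    "LdapAtSite": "_ldap._tcp.{site}._sites.{domain}",
    "DcAtSite":   "_ldap._tcp.{site}._sites.dc._msdcs.{domain}",
}
DOMAIN_WIDE = {"Ldap", "Dc"}  # what a branch DC is typically told not to register


def locator_query_name(domain, site=None):
    """The name DCPROMO asks DNS for: domain-wide when the server is a
    stand-alone server (site unknown), site-specific for a member server."""
    if site is None:
        return PATTERNS["Dc"].format(domain=domain)
    return PATTERNS["DcAtSite"].format(domain=domain, site=site)


def build_zone(dcs, domain=DOMAIN):
    """Simulate dynamic registration: owner name -> list of SRV RDATA tuples
    (priority, weight, port, target). A DC skips the mnemonics in its
    'avoid' set, mirroring 'DC Locator DNS records not registered by the DCs'."""
    zone = {}
    for dc in dcs:
        for mnemonic, pattern in PATTERNS.items():
            if mnemonic in dc.get("avoid", ()):
                continue
            owner = pattern.format(domain=domain, site=dc["site"])
            zone.setdefault(owner, []).append((0, 100, 389, dc["host"]))
    return zone


def auto_site_coverage(dcs, zone, site_costs, domain=DOMAIN):
    """Sites with no DC of their own get site-specific records from the DCs
    in the lowest-cost neighbouring site that has DCs (simplified model of
    automatic site coverage; ties are broken by site name)."""
    sites_with_dc = {dc["site"] for dc in dcs}
    all_sites = sites_with_dc | {s for pair in site_costs for s in pair}
    for empty in sorted(all_sites - sites_with_dc):
        best = min(((cost, s) for (a, b), cost in site_costs.items()
                    for s, other in ((a, b), (b, a))
                    if other == empty and s in sites_with_dc), default=None)
        if best is None:
            continue  # no site link to any site with DCs: stays uncovered
        for dc in dcs:
            if dc["site"] == best[1]:
                owner = PATTERNS["DcAtSite"].format(domain=domain, site=empty)
                zone.setdefault(owner, []).append((0, 100, 389, dc["host"]))
    return zone


def candidate_dcs(zone, qname):
    """Targets a client would consider for qname: the lowest-priority group,
    sorted by name (RFC 2782 would then pick within the group by weight)."""
    rdata = zone.get(qname, [])
    if not rdata:
        return []
    lowest = min(p for p, _, _, _ in rdata)
    return sorted(t for p, _, _, t in rdata if p == lowest)


# --- constructed topology: two HUB DCs, two branch DCs, one empty site ---
DCS = [
    {"host": "hubdc01.adcorp.lan", "site": "HUB"},
    {"host": "hubdc02.adcorp.lan", "site": "HUB"},
    {"host": "brdc01.adcorp.lan", "site": "Branch-A", "avoid": DOMAIN_WIDE},
    {"host": "brdc02.adcorp.lan", "site": "Branch-B", "avoid": DOMAIN_WIDE},
]
# Site link costs; Branch-C has no DC and must be covered by another site.
SITE_COSTS = {("HUB", "Branch-C"): 100, ("Branch-A", "Branch-C"): 300}
ZONE = auto_site_coverage(DCS, build_zone(DCS), SITE_COSTS)


def dcs_for_dcpromo(site=None, zone=ZONE, domain=DOMAIN):
    """DCs DCPROMO would get back: site=None is the stand-alone server case,
    a site name is the member server case."""
    return candidate_dcs(zone, locator_query_name(domain, site))


if __name__ == "__main__":
    print("stand-alone server:", dcs_for_dcpromo())
    print("member server in Branch-A:", dcs_for_dcpromo("Branch-A"))
    print("member server in Branch-C (no DC, covered):", dcs_for_dcpromo("Branch-C"))
```

Because the branch DCs skip the Dc mnemonic, the domain-wide query only ever returns the HUB DCs, while a member server in Branch-A is pointed at its own DC and one in the DC-less Branch-C is pointed at the HUB DCs that cover it.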
For additional information see also:
 

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge ############# http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

11 Responses to “(2005-12-07) Which DCs Are Used When Promoting A Server To A DC?”

  1. and for the bonus prize: how do you force the source DC when promoting?

  2. Hmmm… let me see….

    thinking…thinking…thinking…thinking…thinking…thinking…thinking…

    using a DCPROMO ANSWER FILE?

    ;-))

  3. ahh… you’re no fun, Jorge😉

  4. maybe it would be interesting they enhanced DCPROMO…

    DCPROMO /source: and if source is not specified then query for DCs in domain or site depending on the situation

  5. Nice description! I have always used a dcpromo answer file because it seemed to randomly pick a DC to source from.

  6. Jorge,

    on the same line, can I force clients to choose the local DC for account creation, through DNS or any registry tweak?

    I know about netdom.exe, which allows you to pinpoint the DC to join, but I was looking for anything related to a registry or DNS setting.

    Appreciate your quest for knowledge and its sharing.

    Cheers,
    Kamlesh

    it depends on the tool you use whether you can target a DC or not. You could also script it to target a certain DC.
    One of the tools I know of is ADMOD from joeware.

    If you want to use the GUI (ADUC), just target ADUC to that DC or start ADUC from the command line with the targeted DC…

    To start Active Directory Users and Computers focused on server1, type:
    dsa.msc /server=server1.domain1

  8. Jorge,

    If I was not clear enough, my apologies,

    I am talking about when client join to domain, just like you described for servers.

    That client also does the same query to find a DC of the domain to be joined, creates its account there and continues the joining process.

    Now the issue here is that the client will choose any random DC to create the account on; we have more than 20 DCs with a replication delay of around 3 hours end to end. So if the client connects to a remote DC and creates the account there, it will be a long time before its own site DC has the client account.

    This is even more troublesome when I want to refresh the machine using Ghost: I will delete its account in the local DC, and after the Ghost restore it will try to join the domain by connecting to any random DC, which might or might not have the account depending on whether replication reached it in time.

    So one of the solutions we use is netdom.exe to join machines to the domain, where at the command line we can target a specific DC for the joining process.
    This is the command we use,
    where:
    DOM = Domain to join
    DOMDC1 = nearest DC for that computer
    DOMsiteadmin = account with rights to join computer to domain

    netdom join %computername% /domain:DOM\DOMDC1 /UD:DOMsiteadmin /PD:* /OU:%OU-2-CREATE-ACCOUNT-IN% /Reboot

  9. Hi Kamlesh,

    Ahh, now I understand what you mean.

    No matter what you choose, you need to “tweak it” (or guide it).

    What you could do to automate it somehow is to write a script that:
    * Checks the subnet the client is in
    * Checks to what site that subnet belongs
    * Get a DC from that site using DNS
    * Use the DC that is returned for netdom

    jorge
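The four steps listed in the reply above, carried through as an added example (this is code written for this edit, not the commenter's or the post's own script). The subnet objects, site names and DNS answers are all constructed, and the DNS lookup of step 3 is replaced by a dictionary so the example runs offline; a real script would resolve the site-specific SRV name with nslookup or Resolve-DnsName instead. The subnet-to-site step uses longest-prefix matching, which is how AD resolves overlapping subnet objects to a site.

```python
"""Constructed example: subnet -> site -> site DC -> netdom target.
All subnets, sites and DNS answers below are invented."""
import ipaddress

DOMAIN = "ADCORP.LAN"
NETBIOS_DOMAIN = "ADCORP"

# Constructed stand-ins for AD subnet objects (prefix -> siteObject).
# Overlapping prefixes are allowed; the most specific one wins.
SUBNETS = {
    "10.0.0.0/8": "HUB",
    "10.20.0.0/16": "Branch-A",
    "10.20.5.0/24": "Branch-A-Lab",
    "192.168.0.0/16": "Branch-B",
}

# Constructed DNS answers for the site-specific DC records (step 3).
# Branch-A-Lab has no DC of its own and is covered by brdc01.
SRV_ANSWERS = {
    "_ldap._tcp.HUB._sites.dc._msdcs.ADCORP.LAN": ["hubdc01.adcorp.lan", "hubdc02.adcorp.lan"],
    "_ldap._tcp.Branch-A._sites.dc._msdcs.ADCORP.LAN": ["brdc01.adcorp.lan"],
    "_ldap._tcp.Branch-A-Lab._sites.dc._msdcs.ADCORP.LAN": ["brdc01.adcorp.lan"],
    "_ldap._tcp.Branch-B._sites.dc._msdcs.ADCORP.LAN": ["brdc02.adcorp.lan"],
}


def site_for_address(ip, subnets=SUBNETS):
    """Steps 1 and 2: longest-prefix match of the client address against the
    subnet objects, returning the owning site (None if no subnet matches)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, site in subnets.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def site_srv_name(site, domain=DOMAIN):
    """Step 3: the same site-specific query a member server makes (see the post)."""
    return f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"


def pick_dc(ip, subnets=SUBNETS, answers=SRV_ANSWERS, domain=DOMAIN):
    """Steps 1-3 combined: a DC host in the client's site, or None when the
    site is unknown or has no record, so the caller can fall back to the
    domain-wide query instead of silently joining via a random DC."""
    site = site_for_address(ip, subnets)
    if site is None:
        return None
    targets = answers.get(site_srv_name(site, domain), [])
    return targets[0] if targets else None


def netdom_join_target(ip, **kw):
    """Step 4: the /domain: value for netdom join in DOMAIN\\DC form, falling
    back to the bare domain name when no site DC could be determined."""
    dc = pick_dc(ip, **kw)
    return f"{NETBIOS_DOMAIN}\\{dc}" if dc else NETBIOS_DOMAIN


if __name__ == "__main__":
    for client in ("10.20.5.17", "10.20.9.1", "10.1.2.3", "192.168.3.4", "172.16.0.1"):
        print(client, "->", site_for_address(client), "->",
              "netdom join %computername% /domain:" + netdom_join_target(client))
```

The fallback matters for the Ghost-refresh scenario in the question: when the site cannot be determined, the script should say so rather than pick a DC at random, because a random DC may not yet have seen the deletion of the old computer account.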

  10. Hi Jorge,

    That is exactly the thing machine itself should be doing automatically🙂

    The machine already has all the things it requires to find out the nearest DC, even if it is not part of the domain. It already does that when the machine restarts in the domain.

    The machine can use the privileged username and password given in the joining process to get the required info for site and subnet mappings.

    I just don't know why it wouldn't do that?

    Cheers,
    Kamlesh

  11. This will be an easy answer…

    By design! ;-))

    There is a reason for that…

    At the moment you enter credentials it does not know anything from the domain/forest structure.

    To learn more about the domain/forest structure (as in sites, subnets, DCs, etc.) it needs to contact a DC. To contact a DC it needs to query DNS and ask for one, but it only knows the domain name and nothing else.

    It would be interesting if it did:
    * Question to DNS: Give me a DC for domain X
    * Question to DC for domain X: give me a DC for Domain X that covers subnet a.b.c.d
    * Question to DC for domain X that covers subnet a.b.c.d: create a computer account
