Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2007-07-01) DC Locator Process In W2K, W2K3(R2) And W2K8 – PART 2

Posted by Jorge on 2007-07-01


This is the 2nd part of "DC Locator Process in W2K, W2K3(R2) and W2K8"

Looking at all this, the DC locator process as explained in part 1 still applies to Windows Vista and to Windows Server 2008 and later. Are there any differences or additions? Yes, there are!

Basically the client either queries for a DC in the AD site it is in or it queries for a DC in the AD domain it is in. I have always asked myself why the DC locator process did not support following the site topology based on the site cost to find the next closest DC for authentication. The answer to that is unknown to me, but both Windows Vista and Windows Server 2008 provide an additional possibility that exists between "a DC in the AD site" (the closest end) and "a DC in the AD domain" (the far end). The new possibility is "a DC in the next closest site". 😉

Both Windows Vista and Windows Server 2008 still use the default behavior of W2K, WXP and W2K3(R2). For Windows Vista and Windows Server 2008 to locate a DC in the next closest site, the behavior needs to be enabled explicitly. That can be done with the following GPO setting:

  • For WVT/W2K8 and later:
    • GPO setting path: "Computer Configuration\Administrative Templates\System\Net Logon\DC Locator DNS Records"
    • GPO setting: "Try next closest site"
    • GPO setting mode: Enabled

To determine a DC within the set of DCs in the client's AD site that could authenticate the client:

  • NLTEST /DSGETDC:<FQDN DOMAIN>

To determine a writable DC within the set of DCs in the next closest AD site (from the client's perspective) that could authenticate the client:

  • NLTEST /DSGETDC:<FQDN DOMAIN> /WRITABLE /TRY_NEXT_CLOSEST_SITE
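As an added example that is not part of the original post, the following PowerShell wraps the two NLTEST queries above, parses their output, and reports whether the returned DC sits in the client's own site (the CLOSE_SITE flag) next to the state of the "Try next closest site" policy. It assumes the policy writes the TryNextClosestSite value under HKLM\SOFTWARE\Policies\Microsoft\Netlogon\Parameters; the domain name corp.example.com is a constructed placeholder.

```powershell
# Added example (not from the original post). Runs the NLTEST /DSGETDC queries
# discussed above and turns the "Label: value" output into an object.
function Get-DcLocatorResult {
    param(
        [Parameter(Mandatory)][string]$DomainFqdn,
        [switch]$Writable,
        [switch]$TryNextClosestSite
    )
    # Do not name this $args: that is an automatic variable in PowerShell.
    $nlArgs = @("/dsgetdc:$DomainFqdn")
    if ($Writable)           { $nlArgs += '/writable' }
    if ($TryNextClosestSite) { $nlArgs += '/try_next_closest_site' }

    $out = & nltest.exe @nlArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "nltest failed: $($out -join ' ')" }

    # nltest prints lines such as "           DC: \\DC01.corp.example.com",
    # " Dc Site Name: HubSite", "Our Site Name: BranchSite", "        Flags: ...".
    $fields = @{}
    foreach ($line in $out) {
        if ("$line" -match '^\s*(?<k>[A-Za-z ]+?):\s*(?<v>.+)$') {
            $fields[$Matches.k.Trim()] = $Matches.v.Trim()
        }
    }
    [pscustomobject]@{
        DC           = $fields['DC']
        DcSite       = $fields['Dc Site Name']
        ClientSite   = $fields['Our Site Name']
        # CLOSE_SITE is set when the DC is in the same AD site as the client.
        InClientSite = (($fields['Flags'] -split '\s+') -contains 'CLOSE_SITE')
        Flags        = $fields['Flags']
    }
}

# Reads the policy-managed value behind the "Try next closest site" GPO setting
# (assumed location: the Netlogon policy key; unset means the default, which is off).
function Get-TryNextClosestSitePolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Netlogon\Parameters'
    $v = (Get-ItemProperty -Path $key -Name TryNextClosestSite -ErrorAction SilentlyContinue).TryNextClosestSite
    if ($null -eq $v) { 'Not configured (default: off)' } elseif ($v -eq 1) { 'Enabled' } else { 'Disabled' }
}

$domain = 'corp.example.com'   # constructed placeholder; replace with your domain FQDN
"Try next closest site policy: $(Get-TryNextClosestSitePolicy)"
$default = Get-DcLocatorResult -DomainFqdn $domain
$nextSite = Get-DcLocatorResult -DomainFqdn $domain -Writable -TryNextClosestSite
$default, $nextSite | Format-Table DC, DcSite, ClientSite, InClientSite -AutoSize
```

On a client that has a reachable DC in its own site both rows show InClientSite = True; the second row only differs when no DC in the client's site can answer and a writable DC in the next closest site is returned instead.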

Continued in part 3 of the "DC Locator Process in W2K, W2K3(R2) and W2K8"

For additional information, make sure to have a look at:

Additional interesting links:

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
Jorge's Quest For Knowledge: http://JorgeQuestForKnowledge.wordpress.com/
———————————————————————————————

8 Responses to “(2007-07-01) DC Locator Process In W2K, W2K3(R2) And W2K8 – PART 2”

  1. Hello Jorge 🙂

    As usual, very instructive. We have a hub & spoke ad topology.
    Q: if we set DCs in branch offices not to register generic records but allow these records to be registered in the hub site, will we also have to set the "Try next closest site" regkey for my Windows clients?
    Do the 2 configurations above (DnsAvoidRegisterRecords and Try next closest site) work better together?

    Thanks,

    Yann

  2. Jorge said

    It depends... on the OS of the clients you have.

    Remember, only Windows Vista (WVT) and Windows Server 2008 (W2K8) domain clients understand the “Try next closest site” concept.

    If you still have W2K, WXP, W2K3 clients, letting branch office (writable) DCs NOT register domain-wide records is good.

    Remember, although an additional step exists to locate DCs (Try next closest site), it is still possible to query for a (writable) DC that registered the domain-wide SRV records (for example during a domain join). Would you still want some branch office (writable) DC to answer while it would be better to let a datacenter (writable) DC answer? Remember that RODCs only register site-wide SRV records and NO domain-wide.

    Cheers,
    Jorge

  3. Understood !

    Last Q: If I'm right, it is possible to force a client to use one DC instead of another by altering the DC DNS weight & priority (tell me if I'm wrong :)).
    So, would it be accurate to set the DnsAvoidRegisterRecords key for the spoke site and to set DNS weight & priority in order to help spoke clients use DCs in the hub site in a faster way?

    Thanks,

    Yann

  4. Jorge said

    The only way I know to target a specific DC by one or more clients is to put those in the same AD site. Weights and priorities affect all clients within the same site as the DC.

    You would only need to configure branch office DCs to NOT register domain-wide SRV records as I described before. Weights and priorities have nothing to do with this. What do you mean with "using DCs in hub site in a faster way"? I do not understand what you mean.

  5. Hello,

    Oh, I was just thinking about the delay before clients know their DCs in their site are down and the time it takes them to fall back to the hub site.
    I thought that DNS weight & priority would help to decrease this delay so that clients rapidly fall back to the hub site.

    anyway forget it ! :o))

    Many thanks Jorge and have a nice day 🙂

    Yann

  6. Jorge said

    The fallback happens automatically, either by using the "try next closest site" concept (although it may not be a HUB site DC, but some other DC that is in a site that has a lower site link cost) or by querying for the DCs that registered the domain-wide records.
    SRV record weights and priorities only work within a certain scope, being either the site scope, the domain scope or the forest scope, depending on the type of SRV record.

    DNS SRV records will not help in the fallback as you specify. If you lower the priority value of a SRV record, the client by preference will use that record. In the case of a hub DC that registered its SRV records in some branch office, it would mean that branch office clients/servers would ALWAYS use the hub DC instead of their branch office DC. Why? Because you configured it to be cheaper. And that configuration is something that should not be done.

    cheers,
    Jorge

  7. […] DC Locator Process In W2K, W2K3(R2) And W2K8 – PART 2 […]

  8. […] DC Locator Process In W2K, W2K3(R2) And W2K8 – PART 2 […]
