Nearest domain controller
In this blog post, we will talk about how clients discover domain controllers, and even how to connect to the nearest domain controller. We will also talk about what nearest means in this context.
I was wondering how clients discover their domain controller, and what will happen if the DC located near the client is down.
First, it’s all about DNS. Your machine will boot, contact DNS asking about couple of service records, and get a list of all domain controllers in the domain. Now, the client doesn’t know even in which AD Site it is located, nor does the DNS.
DNS will return all domain controllers to the client, and by default it will sort the list using subnet mask ordering feature, that is preferring DCs that share the same network ID with the client. This is a DNS feature and it is enabled by default.
The client will contact each DC in the list until it can connect to one of the domain controllers. The DC then validate the client IP and will return to him his assigned AD Site name. This information will be cached in the client memory. After that, it is matter of the client going to DNS, asking for domain controllers located in that AD site.
Now, if the local domain controller is down, the client will go and try to contact any domain controller in the domain. This is something that makes sense from functionality perspective, but does not play well in large network.
If you have a large network and many domain controllers with complex topology, chances are you already invested time planning your physical layout of yor active directory, and you already configured AD sites and AD site links.
Saying that, and assuming you have your physical structure of active directory already in place, how can we make a client contact a domain controller in the nearest AD site if his local DC is down?
In the figure below, suppose that the DC at site C is down, clients in site C will try to randomly pick domain controllers at site A or site B although Site A is the near site.
Image may be NSFW.
Clik here to view.
To help IT admins located the nearest domain controller, there is a GPO settings called Try next closest site. When DC at site C is down, clients will prefer domain controllers at site A. If it cannot connect to a domain controller in the nearest site, it will randomly pick any domain controller in the domain.
By design, clients will not contact domain controllers in the nearest site if it contains RODCs because it may be considered less secure. This is called Next Closest Site Filter.
you can modify the filter used by the DC Locator. On Windows Server 2008 DCs, open the registry editor and navigate to :
HKLM\System\CurrentControlSet\Services\Netlogon\Parameters.
Set the NextClosestSiteFilter DWORD value to one of the following:
- 0: No filtering and any site is used.
- 1: Sites that only contain RODCs are filtered but sites that contain a mix of RODCs and writable DCs aren’t filtered.
- 2 (default): Sites that contain any RODCs are filtered.
Now, you can easily configure your network so that the nearest domain controller is always picked up by your clients.
References
The post How clients discover nearest domain controller – DC Locator appeared first on Ammar Hasayen.