Friday, 29 January 2016

Domain controller discovery process

In Active Directory Domain Services a client / computer uses a process called the 'DC Locator' to firstly identify the site that it is in (by matching up it's subnet with those assosiated with the sites in AD) and seconadly an available domain controller(s) in that site that contains the computer object.

This is done during Windows startup using the 'DsGetSiteName' method and will periodically refresh.

Now when a user hits Ctrl+Alt-Del to logon to ANOTHER domain specific DNS queries are made to identify any available domain controllers that the user of that domain can authneticate against.

You can mimic the process with something like:

nslookup
set type=srv
_ldap._tcp.<Computer Site Name>._sites.dc._msdcs.<User Domain>.int

(where <Computer Site Name> is the current site name of the COMPUTER and <User Domain>.int is the domain name for the USER you are logging in with.)

The query will fail (as the site does not exist for the specified domain) - so a query will now be run omitting the site portion e.g.:

_ldap._tcp.dc._msdcs.<User Domain>.int

Which will return all DC's tied to that domain and could return multiple DC's - hence why it will not always identify the 'closest' DC for that domain!

0 comments:

Post a comment