
How do Active Directory domain joined computers (native MS Windows or Linux with winbind) determine the closest password server? This question implies a cluster with 2+ Active Directory servers in different locations.

On Windows there is no apparent option for preference over which Active Directory server will be used to authenticate, etc.

On Linux (with samba/winbind) there is a setting for smb.cfg ("password server") but it is optional (when used in combination with setting "security = ads").

Wesley
Alex
  • I always heard DCs should not be clustered. http://msmvps.com/blogs/clusterhelp/archive/2008/02/12/domain-controllers-as-cluster-nodes-bad-idea.aspx – JohnThePro Feb 13 '12 at 15:32
  • I don't think he actually means "clustered" - I think he's a little naive on how AD works. – mfinni Feb 13 '12 at 16:00
  • @mfinni, what should 2 AD servers with replication between them be called if not a cluster? ;) – Alex Feb 23 '12 at 03:34
  • Alex - when saying "cluster" when referring to windows servers, one is almost always referring to MSCS, Microsoft Clustering Service. Sometimes, maybe NLB, Network Load Balancing. AD is a multi-master directory service, it's not a cluster. – mfinni Feb 23 '12 at 13:54

2 Answers


This goes for windows clients:

In short, the client's Net Logon service (or more accurately, the Domain Controller Locator component of the service) queries the DNS server's SRV records to find a domain controller within its own site (site information is stored in the domain-joined client's registry).

It then contacts a Domain Controller determined by the SRV records returned by the DNS server.

If the client's IP address matches another active directory site than its own, the Domain Controller redirects the client's request to another Domain Controller, namely one that is either in the same site as the client, one that has site coverage for the client site, or last, if none of the other options apply, a domain controller in the site for which the site link cost from the client's site is lowest.

The default behavior if a domain controller is not available in the same site as the client (or if the client is not in a site) is to select any domain controller. In Windows Vista/2008, Microsoft introduced a new setting, "TryNextClosestSite". This allows clients to... try the next closest site. This setting is not enabled by default.

Enabling Clients to Locate the Next Closest Domain Controller
http://technet.microsoft.com/en-us/library/cc733142%28v=ws.10%29.aspx

Automatic Site coverage for RODC-only sites
http://technet.microsoft.com/en-us/library/cc732322%28WS.10%29.aspx

The process is described more in-depth in this Technet article

Mathias R. Jessen
  • thank you for this comprehensive answer for the Windows side of things. any idea whether samba/winbind uses the same way? – Alex Feb 13 '12 at 02:41
  • No idea honestly, the locator functionality resides on the client, and I don't have a lot of experience with samba authentication against AD. The functionality in the Domain Controller that enables the request to be redirected to a more feasible DC is not client dependent, so this would (with all probability at least) also be true for *nix clients :-) – Mathias R. Jessen Feb 13 '12 at 02:45
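The lookup order described in the answer above, as an added example that is not part of the original answer or of any Microsoft code: a small offline model of the DC Locator. The client first asks DNS for the site-specific name `_ldap._tcp.<Site>._sites.dc._msdcs.<domain>` and only falls back to the domain-wide name `_ldap._tcp.dc._msdcs.<domain>`; the DC maps the client's IP to a site by longest-prefix match against the subnet objects, and if that site differs from the one cached in the client's registry the client re-queries for the right site. The domain `corp.example`, the sites, subnets and SRV records are all constructed for illustration; the record names follow the real `_msdcs` convention, and the ordering within an answer follows RFC 2782 (lowest priority first, weighted random within a priority).

```python
import ipaddress
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


DOMAIN = "corp.example"  # constructed domain name

# Constructed SRV data: two sites with DCs (London, Berlin), one site without
# (Paris). The domain-wide name lists every DC; dc4 is a backup with a higher
# priority value, so it is only used after the others.
ZONE: Dict[str, List[Srv]] = {
    f"_ldap._tcp.London._sites.dc._msdcs.{DOMAIN}.": [
        Srv(0, 100, 389, f"dc1.{DOMAIN}."),
        Srv(0, 100, 389, f"dc2.{DOMAIN}."),
    ],
    f"_ldap._tcp.Berlin._sites.dc._msdcs.{DOMAIN}.": [
        Srv(0, 100, 389, f"dc3.{DOMAIN}."),
    ],
    f"_ldap._tcp.dc._msdcs.{DOMAIN}.": [
        Srv(0, 100, 389, f"dc1.{DOMAIN}."),
        Srv(0, 100, 389, f"dc2.{DOMAIN}."),
        Srv(0, 100, 389, f"dc3.{DOMAIN}."),
        Srv(10, 100, 389, f"dc4.{DOMAIN}."),
    ],
}

# Constructed subnet-to-site table, as a DC reads it from the Sites container.
SUBNETS: Dict[str, str] = {
    "10.1.0.0/16": "London",
    "10.1.200.0/24": "Paris",  # more specific prefix wins over 10.1.0.0/16
    "10.2.0.0/16": "Berlin",
}


def site_for_ip(subnets: Dict[str, str], ip: str) -> Optional[str]:
    """Longest-prefix match of a client IP against the AD subnet objects."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[ipaddress._BaseNetwork, str]] = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def locator_names(domain: str, site: Optional[str]) -> List[str]:
    """Query names in the order the locator tries them: site-specific, then domain-wide."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}.")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}.")
    return names


def order_srv(records: List[Srv], rng: random.Random) -> List[Srv]:
    """RFC 2782 ordering: ascending priority; weighted random draw within a priority."""
    ordered: List[Srv] = []
    for prio in sorted({r.priority for r in records}):
        # weight-0 records go to the front of the bucket, as the RFC requires
        bucket = sorted((r for r in records if r.priority == prio),
                        key=lambda r: r.weight == 0, reverse=True)
        while bucket:
            total = sum(r.weight for r in bucket)
            pick = rng.randint(0, total)
            running = 0
            for i, r in enumerate(bucket):
                running += r.weight
                if running >= pick:
                    ordered.append(bucket.pop(i))
                    break
    return ordered


def find_dcs(zone: Dict[str, List[Srv]], domain: str, site: Optional[str],
             rng: Optional[random.Random] = None) -> Tuple[Optional[str], List[str]]:
    """Return (query name that answered, DC targets in contact order)."""
    rng = rng or random.Random(0)
    for name in locator_names(domain, site):
        records = zone.get(name)
        if records:
            return name, [r.target for r in order_srv(records, rng)]
    return None, []


def locate(zone: Dict[str, List[Srv]], subnets: Dict[str, str], domain: str,
           client_ip: str, cached_site: Optional[str]) -> Tuple[Optional[str], Optional[str], List[str]]:
    """Model the round trip: the client queries with the site cached in its registry;
    the DC maps client_ip to a site and, if that differs, the client re-queries."""
    rng = random.Random(0)
    name, dcs = find_dcs(zone, domain, cached_site, rng)
    actual_site = site_for_ip(subnets, client_ip)
    if actual_site != cached_site:
        name, dcs = find_dcs(zone, domain, actual_site, rng)
    return actual_site, name, dcs


if __name__ == "__main__":
    print(locate(ZONE, SUBNETS, DOMAIN, "10.2.5.5", "London"))
```

On a real client the same steps can be observed with `nltest /dsgetsite`, `nltest /dsgetdc:<domain> /force` and an SRV query for the site-specific name; a site that has no DC of its own (Paris here) only gets a site-specific answer when another DC registers site coverage for it.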

See this article for how site location is determined. http://technet.microsoft.com/en-us/library/cc978016.aspx. This article details the process. I'm not sure why Mathias would point you to the DNS article (DNS is involved but nothing is registered and the query is for the address of a DC). Additionally (and maybe this is a language issue) there is never a referral made, the query is for a list of site-specific DCs. It's then up to the client to decide if there is a better DC to communicate with.

Jim B