
Please bear with me, I am a software developer and know little of Active Directory and Windows Server domains.

I am running a .NET MVC intranet application on IIS (Windows Server 2016 Standard) that uses Windows Authentication (Negotiate, NTLM, in that order). Our domain uses multiple domain controllers (I have read through this answer to check why multiple DCs are required and that there is no longer any concept of "Primary" and "Backup" DC). Yesterday, during some migrations of domain controllers, our users were not able to authenticate to the application. I was told that at the time of the authentication issues, the "default" domain controller which is used by IIS / the application was down for some time during the migration process, and that IIS was not contacting any other DC in the domain.

There is no hardcoded IP address or hostname for a domain controller in our application. So how does IIS / the application determine which DC it has to use for the Windows Authentication?

Can I change or configure the IP address somewhere in the application or in IIS? And most importantly, can I configure an IP / hostname of any other DC to use as backup so that this will not occur again in the future?

I have asked this question on Stack Overflow before, and I was told that this has nothing to do with programming and was redirected to Server Fault. So I assume I cannot solve anything codewise. While I am not an AD expert / domain administrator, I am still open to new knowledge and gaining experience in this field. It is going to help my development career in future cases for sure.

If you need more information, feel free to ask.

Thank you in advance.

Davidw
J. Michiels
  • It is from DNS. nslookup yourdomainname.local – Vadim Sep 17 '18 at 08:40
  • As Vadim said, when you take a domain controller offline, the DNS record cached by the IIS server for the domain (if it cached the DC server that went offline) will need to be flushed and re-requested. Hopefully the admin taking the DC offline removed the records from DNS before taking the DC offline. Microsoft supplies ways to do this seamlessly, it just takes the system operator knowing how to. – Linuxx Sep 28 '18 at 22:17

1 Answer


That's a great question and I'm not 100% sure how IIS does it but here's some information which may steer you.

Generally Active Directory DCs in a site are selected based on the Sites and Services configuration. A client will attempt to query the domain with a DNS resolution to domain.com. Since all DCs on a domain generally serve as round-robin NS records on the domain DNS, a random DC will be selected and pinged. That DC will then check sites and services for the subnet list and match the client to a site assigned to that subnet. Once the site is selected, there's generally at least two DCs that can be selected from. I'm not certain how a particular DC in a site is selected but I would assume this is based on load or round-robin. Once a system pulls that DC from this process, it tends to stick with that DC for future authentication until an error occurs and forces it to a new one. This may be the problem you're experiencing. IIS loaded with a particular DC and even though that DC was no longer available, it was still attempting to query it. A reset of the process or web server would have cleared that cached authentication.

It would surprise me that Microsoft wouldn't have a more robust fail-over method however it seems lots of other folks have seen similar issues: https://community.spiceworks.com/topic/407295-webserver-with-domain-authentication-doesn-t-failover-when-one-dc-is-gone

I would double check that your IIS server is set to utilize several DCs as DNS sources and your Sites and Services subnets and sites have been set up correctly. I would also investigate the various authentication methods IIS is set to use and see if another one more closely meets your needs.

Double check that the other DCs are actually online and running correctly as well. I've run into situations where I assumed all DCs in a site were functioning correctly but was proven wrong when rebooting a single one caused the site to fail. Perhaps the C: drive is full, or services didn't start correctly. A common issue is that a DC is set to use itself as primary DNS and AD starts before the DNS service, causing DNS and AD on it to fail. The fix is to point each DC to its peers as primaries.

duct_tape_coder
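The DC Locator behaviour the answer describes (DNS SRV lookup, a cached DC that sticks until an error, stale records for a decommissioned DC) can be checked from the IIS server itself. The following is an added PowerShell diagnostic, not code from the question or the answer; it assumes an elevated prompt on the Windows Server 2016 IIS host with the RSAT ActiveDirectory module installed, and `corp.example.local` is a placeholder for the real AD DNS domain name.

```powershell
# Added diagnostic script (not from the original post). Run elevated on the IIS server.
# Assumes the RSAT ActiveDirectory module is installed; $Domain is a placeholder.
$Domain = 'corp.example.local'   # placeholder: replace with your AD DNS domain name

# 1. Which DC did the DC Locator pick for this machine (the cached answer)?
Write-Host "== Cached DC Locator result =="
nltest /dsgetdc:$Domain

# 2. Which DC is the machine's Netlogon secure channel currently bound to?
#    This is the DC that "sticks" until an error forces rediscovery.
Write-Host "== Current secure channel =="
nltest /sc_query:$Domain

# 3. Which DCs does DNS advertise for the domain? The locator reads these SRV records,
#    so a decommissioned DC that is still listed here is a problem waiting to happen.
Write-Host "== DCs advertised in DNS (SRV _ldap._tcp.dc._msdcs) =="
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV |
       Where-Object { $_.QueryType -eq 'SRV' }
$srv | Select-Object NameTarget, Port, Priority, Weight | Format-Table -AutoSize

# 4. Confirm each advertised DC actually answers on LDAP (389) and Kerberos (88),
#    so a stale record for an offline DC shows up as a failed TCP test.
Write-Host "== Reachability of each advertised DC =="
foreach ($dc in ($srv.NameTarget | Sort-Object -Unique)) {
    $ldap = Test-NetConnection -ComputerName $dc -Port 389 -WarningAction SilentlyContinue
    $krb  = Test-NetConnection -ComputerName $dc -Port 88  -WarningAction SilentlyContinue
    [pscustomobject]@{
        DC         = $dc
        LDAP389    = $ldap.TcpTestSucceeded
        Kerberos88 = $krb.TcpTestSucceeded
    }
}

# 5. If the cached DC is the one that went offline, flush the local DNS cache, force
#    the locator to rediscover (bypassing its cache) and re-verify the secure channel.
#    This is the targeted alternative to recycling IIS or rebooting the whole server.
Write-Host "== Forcing rediscovery =="
ipconfig /flushdns | Out-Null
nltest /dsgetdc:$Domain /force
nltest /sc_verify:$Domain
Get-ADDomainController -Discover -DomainName $Domain -ForceDiscover |
    Select-Object HostName, Site, IPv4Address
```

If step 4 shows a DC that DNS still advertises but that fails both port tests, its SRV records were not removed before it was taken offline, which is the situation Linuxx's comment warns about.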