
Five-site company connected with low-latency layer 2 or IPSec tunnels, 2 DCs at each site.

I have noticed that browsing to \\domain.tld often displays sysvol/netlogon shares from a remote DC. The reason I can tell is because a couple of the smaller sites have DCs that also run print management; the printer shares are displayed there as well.

Pinging domain.tld from a desktop at the HQ site often resolves to a remote DC's IP address. ipconfig /flushdns then pinging domain.tld again always seems to cause the workstation to resolve the domain name to a different DC, often one at the local site.

To be clear, this isn't causing a problem that I know of, I'm just trying to understand why DNS is behaving this way. %logonserver% seems to always resolve to a local DC regardless of which DC returns my pings for domain.tld.

Latency between sites is sub-10ms and bandwidth is > 50 Mbps synchronous.

Thanks very much for reading!

UPDATE: Round Robin is enabled for each DNS server under DNS -> (right click DNS server name) -> Properties -> Advanced -> "Enable round robin." In addition, in DNS -> (server name) -> Fwd Lookup Zone -> domain.tld, I see name server entries ("same as parent folder") for each domain controller in the forest. There are also A records with name "(same as parent folder)" for each DC. I am thinking this behavior is expected; can anyone verify my assumption is correct?

Tedwin
  • It sounds like AD Sites and Services isn't set up completely or correctly with your sites and your subnets. – joeqwerty Jan 16 '19 at 22:51
  • Sites & Svcs appears to be complete - all sites and subnets appear to be defined correctly. – Tedwin Jan 16 '19 at 22:57
  • Hmmm... I was thinking about the DC Locator Process, I'm not sure that applies to Sysvol. This is probably a case for Netmask Ordering. – joeqwerty Jan 17 '19 at 19:38



DNS Round Robin is a load-balancing technique, while DNS Netmask Ordering provides proximity awareness.

Your DNS servers, by default, will use a Class C subnet mask to determine what records are local to a client. Round-robin will then load-balance your clients across those local results.

Without netmask ordering, your DNS server will send any matching A record randomly, regardless of whether it is a local address to the client. This sounds like what you are experiencing.

So, first we need to make sure Netmask Ordering is enabled on your DNS servers.

  1. Open DNS Management Console
  2. Right-Click your DNS server and choose Properties.
  3. Click the Advanced tab
  4. Make sure Enable Netmask Ordering is checked. You can also disable/enable round-robin here, as well.

Next, make sure your LocalNetPriorityNetmask matches your network topology. Your server, by default, will use a class C Netmask. In other words, it will determine which A records are local to a client by comparing the first 3 octets of the two IP addresses. If your sites use a Netmask smaller or larger than 255.255.255.0, an adjustment has to be made.

  1. Open an Administrative Command Prompt
  2. Issue the following command: Dnscmd /Config /LocalNetPriorityNetMask 0x000000FF to set it back to default. Or adjust the Netmask to meet your needs.

If your site subnet mask is 255.255.0.0 then use a priority mask of 0x0000FFFF. If your site subnet mask is 255.255.255.192 then use a priority mask of 0x0000003F. Make sure you set a mask that covers ALL subnets at the site, so all computers at that site get A records local to that site.

I prefer to use group policy to enforce these settings on all my domain controllers. That can be done by directly modifying the parameters found in the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

Look for:

  • LocalNetPriority to enable/disable Netmask ordering.
  • LocalNetPriorityNetmask to set the mask value.

If you modify the registry to set these options, you’ll need to restart your DNS service for the changes to take effect.

More information here: https://support.microsoft.com/en-us/help/842197/description-of-the-netmask-ordering-feature-and-the-round-robin-featur

Appleoddity
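As an added example (not part of the question or of the answer above), the Python model below shows how netmask ordering and round robin interact from the client's point of view: why a workstation can be handed a remote DC's A record first, and why the answer insists that LocalNetPriorityNetmask cover every subnet at a site. The DC addresses and the client addresses are constructed for the example. The conversion from a dotted subnet mask to the hex value passed to dnscmd is derived from the three pairs given in the answer (255.255.255.0 -> 0x000000FF, 255.255.0.0 -> 0x0000FFFF, 255.255.255.192 -> 0x0000003F), and the combined ordering (rotate the record set, then move local records to the front) is a simplified model of the server's behaviour, not Microsoft's implementation.

```python
import ipaddress

# Constructed sample data: four DCs at three sites. The HQ site spans two
# /24 subnets (10.1.0.0/24 and 10.1.1.0/24), which is the case the answer
# warns about when the priority mask is left at the class C default.
DC_RECORDS = [
    "10.1.0.10",  # HQ DC, subnet 10.1.0.0/24
    "10.1.1.10",  # HQ DC, subnet 10.1.1.0/24 (same site, different subnet)
    "10.2.0.10",  # remote site DC
    "10.3.0.10",  # remote site DC
]


def priority_mask_from_netmask(netmask: str) -> int:
    """Return the value to pass to dnscmd /Config /LocalNetPriorityNetMask.

    Derived from the answer's examples: the value is the bitwise complement
    of the subnet mask taken as a 32-bit network-order integer, i.e. it marks
    the host bits that are ignored when deciding whether a record is local.
    """
    return (~int(ipaddress.IPv4Address(netmask))) & 0xFFFFFFFF


def is_local(client_ip: str, record_ip: str, priority_mask: int) -> bool:
    """True if client and record share the network bits not covered by the mask."""
    net_bits = ~priority_mask & 0xFFFFFFFF
    client = int(ipaddress.IPv4Address(client_ip))
    record = int(ipaddress.IPv4Address(record_ip))
    return (client & net_bits) == (record & net_bits)


def order_answers(client_ip: str, records, priority_mask: int = 0x000000FF,
                  netmask_ordering: bool = True, round_robin: bool = True,
                  rotation: int = 0):
    """Simplified model of the order in which the server returns A records.

    round_robin rotates the record set by `rotation` positions (a stand-in
    for the server's per-query rotation); netmask_ordering then moves
    records local to the client ahead of the rest while keeping the rotated
    order inside each group. The client normally uses the first record.
    """
    answers = list(records)
    if round_robin and answers:
        k = rotation % len(answers)
        answers = answers[k:] + answers[:k]
    if netmask_ordering:
        local = [r for r in answers if is_local(client_ip, r, priority_mask)]
        remote = [r for r in answers if not is_local(client_ip, r, priority_mask)]
        answers = local + remote
    return answers


if __name__ == "__main__":
    client = "10.1.0.50"  # constructed HQ workstation on 10.1.0.0/24
    class_c = priority_mask_from_netmask("255.255.255.0")   # 0x000000FF
    class_b = priority_mask_from_netmask("255.255.0.0")     # 0x0000FFFF

    # Netmask ordering off: the rotation alone decides, so a remote DC can come first.
    print("no netmask ordering:", order_answers(client, DC_RECORDS, class_c,
                                                 netmask_ordering=False, rotation=2))
    # Default class C mask: only the DC on the client's own /24 counts as local;
    # the second HQ DC sorts with the remote ones.
    print("mask 0x%08X:" % class_c, order_answers(client, DC_RECORDS, class_c, rotation=2))
    # A mask covering the whole HQ site: both HQ DCs are local and round robin
    # alternates between them.
    for rot in range(2):
        print("mask 0x%08X rot %d:" % (class_b, rot),
              order_answers(client, DC_RECORDS, class_b, rotation=rot))
```

Running the script prints the ordered record lists for each setting; the point to notice is that with the default mask a client on 10.1.0.0/24 never sees 10.1.1.10 as local even though it is at the same site, which is exactly the case the answer's "cover ALL subnets at the site" remark addresses.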