question

0 Votes
RICK-0238 asked GaryReynolds-8098 edited

client and active directory

We have multiple domain controllers in our organization and I have several questions regarding them:

  1. How can I determine which domain controller is in use when joining a client to a domain controller?

  2. If one domain controller is corrupted, how can I prevent a client from connecting to it when joining a client to a domain controller?


windows-active-directory windows-10-network

0 Votes
Thameur-BOURBITA answered

Hi,

The client is unable to detect if a reachable domain controller is healthy or not, because the client identifies the domain controller based on the DClocator process.

The client uses the DClocator process to identify the closest domain controllers. The client will try to send an LDAP ping to check if the DC is reachable; if it responds to the LDAP ping request, the client will continue contacting this DC. If that's not the case, it will first try to contact another DC in the same site, and if there is no other domain controller, it will contact another DC from another site based on site link cost.





Please don't forget to mark helpful reply as answer


0 Votes
AndreasBaumgarten answered AndreasBaumgarten commented

Hi @RICK-0238 ,

  1. Simple way: If you ping on the client using the domain name you get an answer from a DC. It's most likely this DC will get the request to join the client to AD.

  2. If the DC is corrupt the DC should answer any request at all because AD service isn't running. Or what do you mean with "DC is corrupted"?


(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten




Hello Andreas,

Thank you for your reply. I mean a DC server with an SRV record in DNS that can be discovered as a domain controller from the client side, but the AD-related service on the server is not running properly.

0 Votes 0 ·

Hi @RICK-0238 ,

More details on how a client discovers a "working"/"not corrupt" DC can be found here:
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/895a7744-aff3-4f64-bcfa-f8c05915d2e9
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/3d71aefb-787e-4d14-9a8a-a70def9e1f6c


(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten

0 Votes 0 ·
0 Votes
JaiVerma-7010 answered JaiVerma-7010 commented

As @AndreasBaumgarten mentioned, the Windows client DC discovery process only uses DCs which are good and healthy, so you should not worry about it.

Domain joining files are saved in the C:\Windows\Debug\ directory, where you can read the name of the domain controller which was used to join the domain.


Thank you all for the reply. How can a client determine which DC is good and healthy, what is the process?

0 Votes 0 ·
0 Votes
GaryReynolds-8098 answered GaryReynolds-8098 edited

Hi Rick,

The DC discovery process uses the DsGetDcName API, which returns the DC that will be used by subsequent AD functions. You can manually call this function to determine which DC will be returned; have a look at https://nettools.net/dsgetdcname

Gary.
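
An added example, not part of any of the posts above: a PowerShell script that lists the DCs registered in DNS through SRV records, flags those that do not accept LDAP connections, and shows which DC the locator (DsGetDcName, queried here through nltest) returns to the client. It assumes a Windows client with nltest available; the `NetSetup.log` file name and the `found DC` search string are assumptions about the join log kept in C:\Windows\Debug.

```powershell
# Added example. $Domain is an assumption: pass the DNS name of the domain being joined
# (USERDNSDOMAIN is empty on a machine that is not yet a domain member).
param([string]$Domain = $env:USERDNSDOMAIN)

# 1. Every DC that registers itself in DNS; DC Locator starts from these SRV records.
$registered = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object -ExpandProperty NameTarget -Unique

# 2. Flag DCs that still have an SRV record but do not accept LDAP connections.
#    This is a TCP 389 connect test, a stand-in for the LDAP ping, not the ping itself.
$report = foreach ($dc in $registered) {
    $ok = Test-NetConnection -ComputerName $dc -Port 389 -InformationLevel Quiet `
        -WarningAction SilentlyContinue
    [pscustomobject]@{ DomainController = $dc; LdapReachable = $ok }
}
$report | Sort-Object LdapReachable, DomainController | Format-Table -AutoSize

# 3. The DC that DC Locator (DsGetDcName) returns to this client right now.
#    /force bypasses the cached result so a DC that has gone away is not reported.
$located = nltest "/dsgetdc:$Domain" /force 2>&1
$match = $located | Select-String -Pattern '^\s*DC:\s*\\\\(\S+)' | Select-Object -First 1
if ($match) {
    "DC Locator selected: $($match.Matches[0].Groups[1].Value)"
} else {
    Write-Warning "DC Locator returned no DC:`n$($located -join "`n")"
}

# 4. The DC that was used for the domain join, read from the join log.
#    Assumption: the log is NetSetup.log and the relevant lines contain 'found DC'.
$log = Join-Path $env:windir 'debug\NetSetup.log'
if (Test-Path $log) {
    Select-String -Path $log -Pattern 'found DC' |
        Select-Object -Last 5 |
        ForEach-Object { $_.Line.Trim() }
}
```

A DC that appears in step 1 with `LdapReachable` set to False matches the case raised in the comments: still discoverable through DNS, but not serving LDAP.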
