A client that knows its site will request a DC using a DNS query with the following format:
_ldap._tcp.
DCs in this site list will be ordered in random order provided by DNS round robin.
If a client does not know its site, you'll get a DNS query with the following format:
_ldap._tcp.dc._msdcs.
When a client joins the domain using the GUI it does not know its site so you can find that on rebooting it contacts a different DC that doesn't have the domain information for the client.
After a client contacts a DC this information is cached. If this DC is not in the optimal site the cache is flushed after 15 mins and it then tries to find a DC in the same site.
The DC Locator process has been improved with Vista and 2008 so that it has a concept of next closest site. This is not enabled by default and must be done through GPO.
After authentication, the authenticating DC also helps the client find a suitable supplier of \\domain\SYSVOL or \\domain\NETLOGON shares.
It does this by generating 2 lists.
The first is a list of DCs that can offer this share in the client's site (randomly ordered). The second is a list of DCs outside the client site that can offer this share (randomly ordered).
For this reason, the DC being used for authentication need not be the DC being used for SYSVOL information. There is a PreferLogonDC registry entry that can be added to DCs to ensure that the authenticating DC is returned at the top of the list.
No comments:
Post a Comment