Active Directory: How does the computer logon process and the user logon process differ

active-directory

I believe it is correct to say that users and computers are treated as equal principals with respect to Active Directory. Both users and computers have passwords, and both users and computers are required to log on to the domain independently.

I understand that the NetLogon service, which starts automatically, is responsible for logging a computer on to the domain at startup. At that time, NetLogon uses some domain controller locator logic via DNS lookups to help it locate a domain controller.

If the computer had logged on to the domain before and already knows to which site it belongs, it can start with a site-specific DNS query to locate a DC, failing back to a more general one if it has to.

Please correct me if I'm wrong in any of my assumptions thus far.

So does a user, when logging in to a computer, have a separate DC locator process when he/she logs on to a computer? Or does the user use whatever the computer already came up with when it logged on? Would it be possible for a computer and a user logged on to that computer to have different authenticating DCs?

Best Answer

User Authentication to AD is handled by the Computer, so it will use the computer's idea of AD state to handle the authentication process. A good example of this is with Sites.

  • A user logging interactively into a computer in Site Z will authenticate against the Domain Controllers in Site Z (or failing that, the fallback identification process will be followed).
  • If the same user flies across the country and logs in interactively at a new computer, in Site J, the user will be authenticated against the Domain Controllers in Site J.

Thinking of it another way, a user inherits locality from the machine they're logging in on.

It is possible for the user to log in against a different DC than the one the computer logged into, especially if the Site they're in has more than one DC in it. This is why you have to capture the security logs of all DCs in a Site to have an accurate idea of who logged into what, where.
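As an added example that is not part of the original question or answer, the following PowerShell script checks the points above on a domain-joined Windows machine: which site the computer believes it is in and which DC NetLogon picked for it, which DC handled the current user's logon (NetLogon publishes it in `LOGONSERVER`), the site-specific and domain-wide SRV lookups the DC locator issues, and finally the Kerberos TGT requests (event 4768, which is where a domain logon shows up on a DC, since the interactive 4624 lands on the workstation) collected from every DC in that site. The domain name, the user name, the 24-hour window, and the assumption that the ActiveDirectory and DnsClient modules are installed and that the caller can read the Security log on each DC are all assumptions for the example.

```powershell
# Added example, not code from the original post. Placeholder values:
# the domain, the user and the time window are assumptions to adjust.
param(
    [string]$Domain = 'contoso.com',   # placeholder domain
    [string]$User   = 'jdoe',          # placeholder sAMAccountName to trace
    [int]$Hours     = 24               # look-back window for DC security logs
)

Import-Module ActiveDirectory

# 1. The computer's view: its site and the DC NetLogon located for it.
$computerSite = (nltest /dsgetsite 2>$null | Select-Object -First 1).Trim()
$computerDC   = nltest "/dsgetdc:$Domain" 2>$null |
                Where-Object { $_ -match '^\s*DC:\s*\\\\(\S+)' } |
                ForEach-Object { $Matches[1] } |
                Select-Object -First 1

# 2. The user's view: the DC that serviced the current interactive logon.
$userDC = $env:LOGONSERVER.TrimStart('\')

"Computer site   : $computerSite"
"Computer's DC   : $computerDC"
"User's logon DC : $userDC"
if (($computerDC -split '\.')[0] -ne $userDC) {
    "Note: user and computer were served by different DCs (expected in a multi-DC site)."
}

# 3. The DNS lookups the DC locator performs: site-specific first, then domain-wide.
$queries = @(
    "_ldap._tcp.$computerSite._sites.dc._msdcs.$Domain",
    "_ldap._tcp.dc._msdcs.$Domain"
)
foreach ($q in $queries) {
    $srv = Resolve-DnsName -Name $q -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    if ($srv) {
        "SRV records for $q (lowest priority first, highest weight preferred):"
        $srv | Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
               Format-Table NameTarget, Priority, Weight, Port -AutoSize
        break   # the locator only falls back when the more specific query is empty
    }
    "No SRV records for $q, falling back"
}

# 4. Pull 4768 (Kerberos TGT issued) from EVERY DC in the site and merge them,
#    because any one DC's log only shows the logons it personally serviced.
$since   = (Get-Date).AddHours(-$Hours)
$siteDCs = Get-ADDomainController -Filter "Site -eq '$computerSite'" |
           Select-Object -ExpandProperty HostName

$events = foreach ($dc in $siteDCs) {
    Get-WinEvent -ComputerName $dc `
                 -FilterHashtable @{ LogName = 'Security'; Id = 4768; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read EventData fields by name rather than by positional index.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            DC       = $dc
            Time     = $_.TimeCreated
            User     = $d['TargetUserName']
            ClientIP = $d['IpAddress']
        }
    }
}

# The merged view: which DC in the site authenticated the user, from which client.
$events | Where-Object { $_.User -eq $User } | Sort-Object Time | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on a domain member as an account with Event Log Readers (or equivalent) rights on the DCs. Step 3 stops at the first SRV level that returns records, which is the fallback behaviour the question describes; step 4 is the practical consequence of the answer's last paragraph: querying a single DC's Security log would silently miss any logon that a sibling DC in the same site serviced.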