Windows – How does a client system in an Active Directory network find in which site it resides

Tags: active-directory, windows

As I was putting together a presentation for beginning Windows administration, I was struck with a question that I'm amazed I haven't asked sooner.

I know that:

  • AD is logically set up in sites to aid in replication and decreasing the latency of domain-necessary communications between client computers and domain services.
  • Sites are defined by the subnets applied to them
  • the _msdcs subdomain contains a hierarchy of SRV records for general lookup (_tcp) and for site-specific lookup (_sites)
  • Computers somehow know what site they are in, or the domain controller decides transparently in some magic of DNS… or does it?

This blog post hints that client computers in an AD network can "know" what site they are a member of. My question is, if this is the case, how do they find it out?

If the client itself doesn't know, how does the DC aid the machine in the process of selecting the closest AD services to that client computer?

Best Answer

The answer is that the first time a client ever authenticates to Active Directory, it doesn't know what site it is in.

When first joining the domain, the client makes general DNS and LDAP queries and gets a list of all the domain controllers in the domain, and it goes down the list, trying LDAP binds, and the first successful DC that it binds to - that is the first DC it authenticates with.

After the client has joined the domain, Active Directory will tell the client which site it belongs to. Active Directory knows this because the administrator has put the IP subnet of the client in AD Sites & Services and associated it to a Site.

Active Directory tells the client what its AD site is, and the client stores that in its own registry in the HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DynamicSiteName registry value. That way, the next time the client boots up, it knows what site-specific DNS query to make so that it gets only the DCs that are in that site.

Of course the full behavior is documented in KB247811, but if you want to see it for yourself, you could run Wireshark or NetMon and do a packet trace, and then join a domain while the trace is running. You will see the exact sequence of DNS queries and LDAP binds. Subsequent DNS queries and LDAP binds are made to the site-specific sub-zones because the client has been told by AD what site it belongs to.

The Netlogon service will periodically refresh its AD site info, so if you move to a different network, your client will get its new site automatically. This can be adjusted in the HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\SiteNameTimeout registry value.
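The sequence the answer describes can be made visible from the client without a packet capture. The following is an added example written for this page, not code from the original answer: it reads the two Netlogon registry values, asks the DC locator for the current site (the DsGetSiteName API, which is also what `nltest /dsgetsite` calls, and which returns the ClientSiteName the DC sent back in its Netlogon response), issues both the generic and the site-specific SRV lookups, and finally, if the RSAT ActiveDirectory module is installed, finds the subnet object an administrator created that covers the client's address. It assumes a domain-joined client running Windows 8 / Server 2012 or later with nltest.exe available and DNS reachable; the helper function names are the example's own.

```powershell
# Added example, not part of the original answer. Walks the site-discovery chain on a
# domain-joined Windows client. Assumptions: Windows 8 / Server 2012 or later
# (Resolve-DnsName, Get-NetIPAddress), nltest.exe on the path, DNS reachable, Windows
# PowerShell 5.1+. Step 6 is optional and needs the RSAT ActiveDirectory module.

$netlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$domain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain   # DNS name of the joined domain

# 1. What Netlogon cached the last time a DC told this machine its site.
#    Both values are absent on a box that has never completed a site-aware DC lookup.
$p = Get-ItemProperty -Path $netlogonParams -ErrorAction SilentlyContinue
$cachedSite = if ($p.DynamicSiteName) { $p.DynamicSiteName } else { '<not set>' }
$timeout    = if ($p.SiteNameTimeout) { $p.SiteNameTimeout } else { '<default>' }
"DynamicSiteName (cached) : $cachedSite"
"SiteNameTimeout (seconds): $timeout"

# 2. What the DC locator reports right now. GetComputerSite() wraps the DsGetSiteName
#    API, the same call behind 'nltest /dsgetsite'. It throws when no subnet object
#    covers the client's address (a "site-less" client) or no DC can be reached.
try   { $site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name }
catch { $site = $null }
'Current site (DsGetSiteName): ' + $(if ($site) { $site } else { '<none>' })

# Helper (example's own): resolve one SRV name and list the targets in the order a client
# tries them (lowest priority first, higher weight first within a priority).
function Get-DcSrvTargets {
    param([Parameter(Mandatory)][string]$Name)
    Resolve-DnsName -Name $Name -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.QueryType -eq 'SRV' } |
        Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
        ForEach-Object { '{0}:{1}  (priority {2}, weight {3})' -f $_.NameTarget, $_.Port, $_.Priority, $_.Weight }
}

# 3. The generic lookup a client makes before it knows its site: every DC in the domain.
$generic = "_ldap._tcp.dc._msdcs.$domain"
"`nAll DCs  [$generic]:"
Get-DcSrvTargets -Name $generic | ForEach-Object { "  $_" }

# 4. The site-specific lookup it makes once a DC has told it its site.
if ($site) {
    $siteSpecific = "_ldap._tcp.$site._sites.dc._msdcs.$domain"
    "`nDCs in site '$site'  [$siteSpecific]:"
    $targets = Get-DcSrvTargets -Name $siteSpecific
    if ($targets) { $targets | ForEach-Object { "  $_" } } else { '  <no SRV records registered for this site>' }
}

# 5. Which DC the locator actually chose. In the output, 'Our Site Name' is the
#    ClientSiteName the DC returned and 'Dom Site Name' is the site of the DC that
#    answered; the two differ when no DC in the client's own site responded.
"`n> nltest /dsgetdc:$domain"
nltest /dsgetdc:$domain

# 6. (Optional, RSAT) The admin-side object that makes the mapping possible: the AD
#    subnet object whose IPv4 range covers this machine's address, and the Site it names.
function Test-IPv4InSubnet {
    param([string]$Address, [string]$Cidr)                 # e.g. 10.20.30.40 and 10.20.30.0/24
    if ($Cidr -notmatch '^(\d{1,3}(\.\d{1,3}){3})/(\d{1,2})$') { return $false }   # skips IPv6 subnet objects
    $net = $Matches[1]; $len = [int]$Matches[3]
    $toInt = { param($ip) [int64][BitConverter]::ToUInt32(([IPAddress]$ip).GetAddressBytes()[3..0], 0) }
    $mask  = [int64][Math]::Pow(2, 32) - [int64][Math]::Pow(2, 32 - $len)   # top $len bits set
    return ((& $toInt $Address) -band $mask) -eq ((& $toInt $net) -band $mask)
}

if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $myIp = (Get-NetIPAddress -AddressFamily IPv4 |
             Where-Object { $_.IPAddress -ne '127.0.0.1' -and $_.IPAddress -notlike '169.254.*' } |
             Select-Object -First 1).IPAddress
    "`nSubnet objects covering $myIp :"
    Get-ADReplicationSubnet -Filter * -Properties Site |
        Where-Object { Test-IPv4InSubnet -Address $myIp -Cidr $_.Name } |
        ForEach-Object { '  {0}  ->  {1}' -f $_.Name, ($_.Site -replace '^CN=([^,]+),.*', '$1') }
}
```

If step 2 reports no site while step 3 still lists DCs, the client is "site-less": its address is in no subnet object, so it keeps using the generic query and may authenticate against a DC on the far side of a WAN link. Domain controllers record such clients as NO_CLIENT_SITE entries in %SystemRoot%\debug\netlogon.log, which is the quickest way to find address ranges an administrator forgot to add in AD Sites & Services. If step 4 returns no records for a site that clearly has DCs, check whether those DCs were configured not to register site-specific SRV records.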