Windows – What protocols are used when a machine joins to a windows domain

active-directorydomain-name-systemwindows

I'm trying to figure out what exactly happens when a machine is added to a domain. Once you type in the domain name:
1) What protocol does the machine use in order to figure out which domain controller to use?
2) How is the domain name looked up? Example: domain is setup as dc=company,dc=com, but the "Windows" domain is COMPA. Some how these names are mapped to each other.

I know that Active Directory and DNS are tightly integrated, but I don't quite understand the details. What is the best source of information on the technical details. Most of what I can find tells you HOW to get things done, but not what happens under the covers.

Best Answer

There is a lot of DNS involved.

Here is the workflow when a workstation is given a NetBIOS name to join (COMPA in your example)

Checks its resolver cache to see if COMPA is already resolved.
Does a DNS lookup for "COMPA" without any domain to see if the DNS Server finds it.
Does a DNS lookup for "COMPA" with the various domains in the DNS Search list.
(if you have it) Does a WINS lookup to see if COMPA exists as a Workgroup or Domain.
Checks the Network Browse List to see if a COMPA domain is visible.

Once it finds a domain controller, it them asks it for it's AD DNS name. Then,

Checks DNS for the SRV records for company.com's domain controllers

Contrast this with the workflow for the DNS style of name (company.com in your example)

Checks DNS for the SRV records for company.com's domain controllers
Queries DNS for the SRV records relating to the Domain's AD Sites

A lot shorter. Once it has identified the domain controllers in the domain, it then uses the credentials supplied by the domaining user to attempt to contact the DC. That can happen over any of the x security protocols AD uses:

LanMan (LM)
NTLM
NTLMv2
Kerberos

The exact protocol is negotiated between the workstation and the domain controller. If no common protocol can be agreed to, the workstation can't be domained.

Answer

The short answer to your specific question of listing CNAMEs is that you cannot without permission to do zone transfers (see How to list all CNAME records for a given domain?).

That said, if your company's DNS server still supports the ANY query, you can use dig to list the other records by doing:

dig +noall +answer +multiline yourdomain.yourtld any

These ... +noall +answer +multiline ... are strictly optional and are simply output formatting flags to make the output more easily human readable (see dig man page ).

Example

$ dig +noall +answer +multiline bad.horse any

Returns:

bad.horse.              7200 IN A 162.252.205.157
bad.horse.              7200 IN CAA 0 issue "letsencrypt.org"
bad.horse.              7200 IN CAA 0 iodef "mailto:abuse@sandwich.net"
bad.horse.              7200 IN MX 10 mx.sandwich.net.
bad.horse.              7200 IN NS a.sn1.us.
bad.horse.              7200 IN NS b.sn1.us.
bad.horse.              7200 IN SOA a.sn1.us. n.sn1.us. (
                                2017032202 ; serial
                                1200       ; refresh (20 minutes)
                                180        ; retry (3 minutes)
                                1209600    ; expire (2 weeks)
                                60         ; minimum (1 minute)
                                )

Caveats (RFC8482)

Note that, since around 2019, most public DNS servers have stopped answering most DNS ANY queries usefully. For background on that, see: https://blog.cloudflare.com/rfc8482-saying-goodbye-to-any/

If ANY queries do not enumerate multiple records, the only option is to request each record type (e.g. A, CNAME, or MX) individually.

Best Answer

Related Solutions

Windows – How to find what process is holding a file open in Windows

DNS Records – How to List All DNS Records in a Domain Using Dig

Answer

Example

Caveats (RFC8482)

Related Topic