What protocols are used when a machine joins to a windows domain?

windows domain-name-system active-directory

I'm trying to figure out what exactly happens when a machine is added to a domain. Once you type in the domain name: 1) What protocol does the machine use in order to figure out which domain controller to use? 2) How is the domain name looked up? Example: domain is setup as dc=company,dc=com, but the "Windows" domain is COMPA. Some how these names are mapped to each other.

I know that Active Directory and DNS are tightly integrated, but I don't quite understand the details. What is the best source of information on the technical details. Most of what I can find tells you HOW to get things done, but not what happens under the covers.


There is a lot of DNS involved.

Here is the workflow when a workstation is given a NetBIOS name to join (COMPA in your example)

  1. Checks its resolver cache to see if COMPA is already resolved.
  2. Does a DNS lookup for "COMPA" without any domain to see if the DNS Server finds it.
  3. Does a DNS lookup for "COMPA" with the various domains in the DNS Search list.
  4. (if you have it) Does a WINS lookup to see if COMPA exists as a Workgroup or Domain.
  5. Checks the Network Browse List to see if a COMPA domain is visible.

Once it finds a domain controller, it them asks it for it's AD DNS name. Then,

  1. Checks DNS for the SRV records for company.com's domain controllers

Contrast this with the workflow for the DNS style of name (company.com in your example)

  1. Checks DNS for the SRV records for company.com's domain controllers
  2. Queries DNS for the SRV records relating to the Domain's AD Sites

A lot shorter. Once it has identified the domain controllers in the domain, it then uses the credentials supplied by the domaining user to attempt to contact the DC. That can happen over any of the x security protocols AD uses:

  • LanMan (LM)
  • NTLM
  • NTLMv2
  • Kerberos

The exact protocol is negotiated between the workstation and the domain controller. If no common protocol can be agreed to, the workstation can't be domained.


1) What protocol does the machine use in order to figure out which domain controller to use?

DNS. Specifically DNS SRV records.

2) How is the domain name looked up?

You provide the domain name in the domain join process, and windows knows what SRV record queries it needs to issue to get the name/IP of the DC.

After the DC is located, there will be a flurry of other traffic. Some CIFS, some Kerberos, and probably a few others needed to establish the trust relationship, transfer group policy objects, etc. You would likely find it very interesting to fire up Wireshark and do a packet capture of the domain join process. Due to encryption, you won't be able to see the actual packet payloads, but you will be able to see port numbers and relative data volumes.


The domain locator process is essentially the same whether a client computer is joining the domain or logging on to the domain, detailed here:

http://support.microsoft.com/kb/247811

And this article details how DNS supports AD:

http://technet.microsoft.com/en-us/library/cc759550(WS.10).aspx

Related

What does VC9 stand for in PHP version?
Is it possible for an intruder to restart a Linux server remotely (without having internal access)?
How can I configure multiple default gateways on a CISCO Router?
Are computer names guaranteed to be unique within a domain?
Calling LoadLibraryEx on ISAPI filter failed (v4.0.30319)
How to diagnose RAM?
Prevent 'cd' remembering symbolic links traversed
Multiple installers attached to a single GPO?
Remove user from root group
Apache won't start - unable to find IPv4 address of "(none)"
Maximizing TCP connections on HAProxy load balancer
Static error page served by nginx when my application is down