How do Active Directory domain joined computers (native MS Windows or Linux with winbind) determine the closest password server?

active-directory cluster samba winbind

How do Active Directory domain joined computers (native MS Windows or Linux with winbind) determine the closest password server? This question implies a cluster with 2+ Active Directory servers in different locations.

On Windows there is no apparent option for preference over which Active Directory server will be used to authenticate, etc.

On Linux (with samba/winbind) there is a setting for smb.cfg ("password server") but it is optional (when used in combination with setting "security = ads").


Solution 1:

This goes for windows clients:

In short, the client's Net Logon service (or more accurately, the Domain Controller Locator component of the service) queries the DNS servers SRV records, to find a domain controller within its own site (site information is stored in the domain-joined client's registry).

It then contacts a Domain Controller determined by the SRV records returned by the DNS server.

If the client's IP address matches another active directory site than its own, the Domain Controller redirects the client's request to another Domain Controller, namely one that is either in the same site as the client, one that has site coverage for the client site, or last, if none of the other options apply, a domain controller in the site for which the site link cost from the client's site is lowest.

The default behavior if a domain controller is not available in the same site as the client (or if the client is not in a site) is to select any domain controller. In Windows Vista/2008, Microsoft introduced a new setting, "TryNextClosestSite". This allows clients to... try the next closest site. This setting is not enabled by default.

Enabling Clients to Locate the Next Closest Domain Controller
http://technet.microsoft.com/en-us/library/cc733142%28v=ws.10%29.aspx

Automatic Site coverage for RODC-only sites
http://technet.microsoft.com/en-us/library/cc732322%28WS.10%29.aspx

The process is described more in-depth in this Technet article

Solution 2:

See this article for how site location is determined. http://technet.microsoft.com/en-us/library/cc978016.aspx. This article details the process. I'm not sure why Mathias would point you to the DNS article (DNS is involved but nothing is registered and the query is for the address of a dc). Additionally (and maybe this is a language issue) there is never a referral made, the query is for a list of site specific DCs. its then up to the client to decide if there is a better dc to communicate with.

Related

w1228 romb batt < 24h
AWK and file names with space in it.
Chef stop and start service in sequence
is 8.8.8.8 located on one location [closed]
Listing the routing table takes long time to complete
Time to live exceeded, result after pinging the gateway from host in one subnet
Test if an IP is being used in an internal network without using nmap
Preventing - Large Number of Failed Login Attempts from IP
Should a System Administrator handle office furniture moves,setup and procurement? [closed]
Redirect all http AND https non-www URLS to https://www.example.com via htaccess
How should I remove users from Administrators group without Active Directory?
Having trouble with DNS MX records