How do Active Directory domain joined computers (native MS Windows or Linux with winbind) determine the closest password server?

How do Active Directory domain joined computers (native MS Windows or Linux with winbind) determine the closest password server? This question implies a cluster with 2+ Active Directory servers in different locations.

On Windows there is no apparent option for preference over which Active Directory server will be used to authenticate, etc.

On Linux (with samba/winbind) there is a setting for smb.cfg ("password server") but it is optional (when used in combination with setting "security = ads").


Solution 1:

This goes for windows clients:

In short, the client's Net Logon service (or more accurately, the Domain Controller Locator component of the service) queries the DNS server's SRV records to find a domain controller within its own site (site information is stored in the domain-joined client's registry).

It then contacts a Domain Controller determined by the SRV records returned by the DNS server.

If the client's IP address matches another active directory site than its own, the Domain Controller redirects the client's request to another Domain Controller, namely one that is either in the same site as the client, one that has site coverage for the client site, or last, if none of the other options apply, a domain controller in the site for which the site link cost from the client's site is lowest.

The default behavior if a domain controller is not available in the same site as the client (or if the client is not in a site) is to select any domain controller. In Windows Vista/2008, Microsoft introduced a new setting, "TryNextClosestSite". This allows clients to... try the next closest site. This setting is not enabled by default.

Enabling Clients to Locate the Next Closest Domain Controller
http://technet.microsoft.com/en-us/library/cc733142%28v=ws.10%29.aspx

Automatic Site coverage for RODC-only sites
http://technet.microsoft.com/en-us/library/cc732322%28WS.10%29.aspx

The process is described more in-depth in this Technet article
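As an added illustration of the DNS half of that process (this is example code, not from the answer above or from Microsoft), the following models the SRV names the locator tries, site-specific first and then domain-wide, and orders the answers by RFC 2782 priority/weight. The zone data, the domain example.com and the site names are constructed placeholders; the real locator additionally uses the site stored in the registry and LDAP pings, which are not modelled here.

```python
"""Model of the DC Locator's SRV lookup order and record selection."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


# Constructed zone data; names follow the _msdcs layout that DCs register.
DNS = {
    "_ldap._tcp.Paris._sites.dc._msdcs.example.com": [
        Srv(0, 100, 389, "dc-par1.example.com"),
        Srv(0, 100, 389, "dc-par2.example.com"),
    ],
    "_ldap._tcp.dc._msdcs.example.com": [
        Srv(0, 100, 389, "dc-par1.example.com"),
        Srv(0, 100, 389, "dc-par2.example.com"),
        Srv(0, 100, 389, "dc-lon1.example.com"),
    ],
}


def locator_query_names(domain, site=None):
    """Names tried in order: the client's own site first, then the domain."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    return names


def order_srv(records, seed=0):
    """RFC 2782: lowest priority first, weighted-random order within it."""
    rng = random.Random(seed)
    ordered = []
    for prio in sorted({r.priority for r in records}):
        bucket = [r for r in records if r.priority == prio]
        while bucket:
            roll = rng.random() * sum(r.weight for r in bucket)
            chosen = bucket[-1]
            for r in bucket:
                roll -= r.weight
                if roll < 0:
                    chosen = r
                    break
            ordered.append(chosen)
            bucket.remove(chosen)
    return ordered


def find_dc_candidates(domain, site, dns=DNS, seed=0):
    """Return (query name that answered, DC targets in preference order)."""
    for name in locator_query_names(domain, site):
        records = dns.get(name)
        if records:
            return name, [r.target for r in order_srv(records, seed)]
    return None, []
```

A client in an unknown site (or one with no DCs) falls through to the domain-wide name, which is exactly the "any domain controller" behaviour the answer describes.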

Solution 2:

See this article for how site location is determined. http://technet.microsoft.com/en-us/library/cc978016.aspx. This article details the process. I'm not sure why Mathias would point you to the DNS article (DNS is involved but nothing is registered and the query is for the address of a dc). Additionally (and maybe this is a language issue) there is never a referral made, the query is for a list of site specific DCs. It's then up to the client to decide if there is a better dc to communicate with.