Authenticate client against specific Domain Controller

This is actually surprisingly difficult to do.

There are a couple of workarounds, namely that you can create a new site for your client(s) and the Domain Controller you want them to use as a logon server, or that you can set the LdapSrvPriority registry setting on your domain controllers to give the highest priority to the DC you want used as the logon server. You can also configure the LdapSrvWeight registry setting on your domain controllers to assign a weighted priority for each one.

Note that editing the registry settings on the domain controllers is a global change that will apply to all clients, not just the one you're testing, just as putting a domain controller in a new site will impact all client authentications as well.

As noted in the linked article, though, these settings will only make your client(s) prefer a given logon server, not force them to use a given logon server, and the complexities of authenticating against a Windows domain mean that your client may switch logon servers partway through the process anyway, so you may be just plain out of luck.
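The LdapSrvPriority/LdapSrvWeight approach above, as an added PowerShell example that is not part of the original answer: it sets the two values under the Netlogon parameters key on a domain controller, restarts Netlogon so the DC re-registers its SRV records, and then checks from a client what DNS advertises and which DC the locator picked. The domain name is a placeholder; the registry path and value names are the standard Netlogon ones. In DNS SRV terms a lower priority number is preferred and, among equal priorities, a higher weight receives proportionally more clients.

```powershell
# Added example (not from the original answer): make one DC the preferred
# logon server via its SRV record priority/weight, then verify from a client.
# Assumptions: the first part runs as an administrator on the DC you want
# preferred, 'corp.example.com' is a placeholder, and a Netlogon restart is
# acceptable (it re-registers the DC's DNS SRV records with the new values).

$Domain = 'corp.example.com'          # placeholder domain name

# --- On the preferred domain controller ---------------------------------
# Netlogon publishes LdapSrvPriority/LdapSrvWeight into the DC's SRV records.
# LOWER priority number = preferred (default 0); among DCs with equal priority,
# HIGHER weight = proportionally more clients (default 100). To give this DC
# the "highest priority", leave it at 0 here and raise the number on the others.
$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
Set-ItemProperty -Path $NetlogonParams -Name 'LdapSrvPriority' -Value 0   -Type DWord
Set-ItemProperty -Path $NetlogonParams -Name 'LdapSrvWeight'   -Value 100 -Type DWord
Restart-Service -Name Netlogon    # re-registers the _ldap._tcp SRV records

# --- On each less-preferred DC (run there, not on the preferred one) -----
# Set-ItemProperty -Path $NetlogonParams -Name 'LdapSrvPriority' -Value 10 -Type DWord
# Restart-Service -Name Netlogon

# --- On the client: what DNS now advertises, sorted the way the locator ranks it
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object NameTarget, Priority, Weight, Port |
    Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true }

# Ask the DC locator for a fresh choice (/force bypasses the cached DC)
nltest /dsgetdc:$Domain /force

# The logon server actually used for the current session
"LOGONSERVER = $env:LOGONSERVER"
```

Because the change is made on the DCs, it affects every client in the domain, not just the one under test, and it remains a preference: the locator and DNS round-robin can still hand the client a different DC, which is the caveat the answer ends on.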


It may be useful to see if detailed GPO logging reveals anything about the issue. It can be enabled with the following reg key. The resulting log file "gpsvc.log" can be found in %WINDIR%\debug\usermode.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics]
"GPSvcDebugLevel"=dword:00030002

Also, there is a history of articles regarding "Buffer too small" but typically this is logged under event System/LsaSrv/40960. Those problems are usually caused by a user/computer account that belongs to an excessive number of groups, which creates a Kerberos token size problem.
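The diagnostic steps in this answer, as an added PowerShell example that is not part of the original post: it sets the GPSvcDebugLevel value shown above, forces a policy refresh, pulls the DC-related lines out of gpsvc.log, queries the System log for LsaSrv event 40960, and counts the groups in the current access token as a rough indicator of Kerberos token size. The search pattern for gpsvc.log lines and the group-count threshold are assumptions, not documented values.

```powershell
# Added example (not from the original answer): turn on verbose Group Policy
# service logging, collect gpsvc.log, and check the two things the answer
# points at: which DC the client talked to, and LsaSrv 40960 / token size.
# Assumptions: runs as administrator on the client being diagnosed; the log
# directory is created if missing; the Select-String pattern and the group
# threshold below are guesses, not documented constants.

$DiagKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics'
$LogDir  = Join-Path $env:WINDIR 'debug\usermode'
$LogFile = Join-Path $LogDir 'gpsvc.log'

# 1. Enable detailed GPSvc logging (same value as the .reg text above: 0x30002)
if (-not (Test-Path $DiagKey)) { New-Item -Path $DiagKey -Force | Out-Null }
Set-ItemProperty -Path $DiagKey -Name 'GPSvcDebugLevel' -Value 0x30002 -Type DWord
if (-not (Test-Path $LogDir))  { New-Item -Path $LogDir -ItemType Directory -Force | Out-Null }

# 2. Trigger a policy refresh so the log has a fresh processing cycle in it
gpupdate /force | Out-Null

# 3. Show the most recent lines that mention a domain controller.
#    The wording of gpsvc.log lines varies by Windows version, so this is a
#    loose pattern (assumption) rather than an exact match.
if (Test-Path $LogFile) {
    Get-Content $LogFile |
        Select-String -Pattern 'Domain Controller|DCName|DC name' |
        Select-Object -Last 20
}

# 4. Look for the "Buffer too small" symptom: System / LsaSrv / 40960
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'LsaSrv'; Id = 40960 } `
             -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# 5. Rough token-size indicator: how many groups are in the current token?
$groups = whoami /groups /fo csv | ConvertFrom-Csv
$count  = @($groups).Count
"Groups in current access token: $count"
if ($count -gt 120) {   # arbitrary threshold for illustration
    "High group count: an oversized Kerberos token is a plausible cause of 40960 events."
}

# 6. When finished, turn the verbose logging back off
Remove-ItemProperty -Path $DiagKey -Name 'GPSvcDebugLevel' -ErrorAction SilentlyContinue
```

Step 6 matters on a production client: the verbose log grows quickly and can contain account and policy details you do not want left on disk indefinitely.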