The DC Locator Process, The Logon Process, Controlling Which DC Responds in an AD Site, and SRV Records
Ace Fekay, MVP, MCT, MCTIP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2000/2003, MCSA Messaging
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Original Compilation: 4/2009
Posted/Published 1/3/2009
Note:
This is a compilation of data from various resources. I hope you find it helpful.
Controlling which DC responds in a Site
This section is to understand how to change the Netlogon Registry Data to control SRV weights and priorities, that are referenced in the links above. Be careful when implementing these changes. It MUST be documented so if another DC in the site were to go down, users may experience a delay or worse, an inability to logon, and if the changes made were forgotten, it will be extremely difficult to troubleshoot.
To find out which DC logged you in:
echo %logonserver%
You can also test which DCs are nearest to your workstation in your site (copy nltest.exe from the DC to the workstation's system32 folder):
nltest /sc_query:YourDomainName.com
To find the GC your workstation used (copy nltest.exe from the DC to the workstation's system32 folder):
nltest /dgsgetdc:your_domain_name.com /GC
This is performed altering the default weight and/or priority settings that get registered in the SRV records. The changes are made in the specific DC's netlogon registry entry. I would suggest to change all your DCs in a Site for more finite control. The reason is it controlled in the netlogon registry entry, is because the netlogon service is the component that registers a DC's data into their respective SRV folders.
When changing them, keep in mind a client will attempt to contact a server with the lowest priority first. If there are more than one server with the same priority, DNS load balancing is used when selecting the target server. If the weights are changed with the same priority, then a server is chosen based a percentage by dividing the weigth by the sum of all weights of all DCs in an AD Site.
Let's say you have 3 DCs: DC01, DC02 and DC03. Weights are assigned as follows:
DC01 = 10
DC02 = 20
DC03 = 30
In this example:
DC01 will be contacted 1 out of every 6 times (10/(30+20+10))
DC02 will be contacted 2 out of every 6 times (10/30(20/(30+20+10)))
DC03 will be contacted 3 out of every 6 times (10/20(30/(30+20+10)))
You can use nslookup to find the SRV weights:
nslookup
q=srv
_ldap._tcp.dc01._msdcs.domain.com
Then verify the correct SRV records were created based on the registry changes you made:
How to verify that SRV DNS records have been created for a domain controller:
http://support.microsoft.com/kb/816587
SRV Resource Records
The above section described how to control which DC responds. The reason it works is based on SRV records. Therefore, I thought to provide information regarding SRV records that are associated with this process. This section describes the SRV records used by Active Directory. The following is a quote, however I did not quote the whole article, just what is pertinent to logon and DC locations.
This section was quoted from:
SRV Resource Records
http://technet.microsoft.com/en-us/library/cc961719.aspx
When a Windows 2000 or Windows 2003 domain controller starts up, the Net Logon service uses dynamic updates to register SRV resource records in the DNS database, as described in an Internet Engineering Task Force draft that defines "A DNS RR for specifying the location of services (DNS SRV)." For more information about this draft, see the Internet Engineering Task Force (IETF) link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources. Follow the links to Internet Drafts, and then use a keyword search.
The SRV record is used to map the name of a service (in this case, the LDAP service) to the DNS computer name of a server that offers that service. In a Windows 2000 network, an LDAP resource record locates a domain controller.
A workstation that is logging on to a Windows 2000 domain queries DNS for SRV records in the general form:
_Service._Protocol.DnsDomainName
Active Directory servers offer the LDAP service over the TCP protocol; therefore, clients find an LDAP server by querying DNS for a record of the form:
_ldap._tcp.DnsDomainName
Note:
The service and protocol strings require an underscore (_) prefix to prevent potential collisions with existing names in the namespace.
_msdcs Subdomain
There are possible implementations of LDAP servers other than Windows 2000–based domain controllers. There are also possible implementations of LDAP directory services that employ Global Catalog servers but are not servers that are running Windows 2000. To facilitate locating Windows 2000–based domain controllers, in addition to the standard _Service._Protocol.DnsDomainName format, the Net Logon service registers SRV records that identify the well-known server-type pseudonyms "dc" (domain controller), "gc" (Global Catalog), "pdc" (primary domain controller), and "domains" (globally unique identifier, or GUID) as prefixes in the _msdcs subdomain. This Microsoft-specific subdomain allows location of domain controllers that have Windows 2000–specific roles in the domain or forest, as well as the location by GUID when a domain has been renamed. To accommodate locating domain controllers by server type or by GUID (abbreviated "dctype"), Windows 2000–based domain controllers register SRV records in the following form:
_Service._Protocol.DcType._msdcs.DnsDomainName
The addition of the _msdcs subdomain means that two sets of DNS names can be used to find an LDAP server: DnsDomainName is used to find an LDAP server or Kerberos server that is running TCP (or, in the case of a Kerberos server, either TCP or the User Datagram Protocol [UDP]), and the subdomain _msdcs.DnsDomainName is used to find an LDAP server that is running TCP and also functioning in a particular Windows 2000 role. The name "_msdcs" is reserved for locating domain controllers. The single keyword "_msdcs" was chosen to avoid cluttering the DNS namespace unnecessarily. Other constant, well-known names (pdc, dc, and gc) were kept short to avoid exceeding the maximum length of DnsDomainName.
SRV Records Registered by Net Logon
The list that follows provides the definitions of the names associated with registered SRV records. It also describes the lookup criteria supported by each record and the checks performed by Netlogon as each record is registered. Text in bold type denotes constant record components; text in italic type denotes variable names.
In the descriptions of registered SRV records, DnsDomainName refers to the DNS domain name that is used during creation of the domain controller when the domain tree is joined or created (that is, while the computer is running the Active Directory Installation Wizard). DnsForestName refers to the DNS domain name of the forest root domain.
The following is a list of the owner names of the SRV records that are registered by Net Logon. An owner name is the name of the DNS node to which the resource record pertains.
_ldap._tcp.DnsDomainName.
Allows a client to locate a server that is running the LDAP service in the domain named by DnsDomainName. The server is not necessarily a domain controller — that is, the only assumption that can be made about the server is that it supports the LDAP application programming interface (API). All Windows 2000 Server–based domain controllers register this SRV record (for example, _ldap._tcp.reskit.com.).
_ldap._tcp.SiteName._sites.DnsDomainName.
Allows a client to locate a server that is running the LDAP service in the domain named in DnsDomainName in the site named by SiteName. SiteName is the relative distinguished name of the site object that is stored in the Configuration container in Active Directory. The server is not necessarily a domain controller. All Windows 2000 Server–based domain controllers register this SRV record (for example, _ldap._tcp.charlotte._sites.reskit.com.).
_ldap._tcp.dc._msdcs.DnsDomainName.
Allows a client to locate a domain controller (dc) of the domain named by DnsDomainName. All Windows 2000 Server–based domain controllers register this SRV record.
_ldap._tcp.SiteName._sites.dc._msdcs.DnsDomainName.
Allows a client to locate a domain controller for the domain named by DnsDomainName and in the site named by SiteName. All Windows 2000 Server–based domain controllers register this SRV record.
_ldap._tcp.pdc._msdcs.DnsDomainName.
Allows a client to locate the server that is acting as the primary domain controller (also known as a "PDC") in the mixed-mode domain named in DnsDomainName. Only the PDC emulator master of the domain (the Windows 2000–based domain controller that advertises itself as the primary domain controller to computers that need a primary domain controller) registers this SRV record.
_ldap._tcp.gc._msdcs.DnsForestName.
Allows a client to locate a Global Catalog (gc) server for this forest. Only domain controllers that are functioning as Global Catalog servers for the forest named in DnsForestName register this SRV record (for example, _ldap._tcp.gc._msdcs.reskit.com.).
_ldap._tcp.SiteName._sites.gc._msdcs.DnsForestName.
Allows a client to locate a Global Catalog (gc) server for this forest in the site named in SiteName. Only domain controllers that are serving as Global Catalog servers for the forest named in DnsForestName register this SRV record (for example, _ldap._tcp.charlotte._sites.gc._msdcs.reskit.com.).
_gc._tcp.DnsForestName.
Allows a client to locate a Global Catalog (gc) server for this domain. The server is not necessarily a domain controller. Only a server that is running the LDAP service and functioning as the Global Catalog server for the forest named in DnsForestName registers this SRV record (for example, _gc._tcp.reskit.com.).
Note:
In Windows 2000, a Global Catalog server is a domain controller. Other non-Windows 2000 implementations of directory services can also register servers as Global Catalog servers.
_gc._tcp.SiteName._sites.DnsForestName.
Allows a client to locate a Global Catalog (gc) server for this forest in the site named in SiteName. The server is not necessarily a domain controller. Only a server that is running the LDAP service and functioning as the Global Catalog server for the forest named in DnsForestName registers this SRV record (for example, _gc._tcp.charlotte._sites.reskit.com.).
_ldap._tcp.DomainGuid.domains._msdcs.DnsForestName.
Allows a client to locate a domain controller in a domain on the basis of its GUID. A GUID is a 128-bit number that is automatically generated for referencing objects in Active Directory — in this case, the domain object. This operation is expected to be infrequent; it occurs only when the DnsDomainName of the domain has changed, the DnsForestName is known, and DnsForestName has not also been renamed (for example, _ldap._tcp.4f904480-7c78-11cf-b057-00aa006b4f8f.domains._msdcs.reskit.com.). All domain controllers register this SRV record.
_kerberos._tcp.DnsDomainName.
Allows a client to locate a server that is running the Kerberos KDC service for the domain that is named in DnsDomainName. The server is not necessarily a domain controller. All Windows 2000 Server–based domain controllers that are running an RFC 1510–compliant Kerberos KDC service register this SRV record.
_kerberos._udp.DnsDomainName.
Same as _kerberos._tcp.DnsDomainName, except that UDP is implied.
_kerberos._tcp.SiteName._sites.DnsDomainName.
Allows a client to locate a server that is running the Kerberos KDC service for the domain that is named in DnsDomainName and is also in the site named in SiteName. The server is not necessarily a domain controller. All Windows 2000 Server–based domain controllers that are running an RFC 1510–compliant Kerberos KDC service register this SRV record.
_kerberos._tcp.dc._msdcs.DnsDomainName.
Allows a client to locate a domain controller that is running the Windows 2000 implementation of the Kerberos KDC service for the domain named in DnsDomainName. All Windows 2000 Server–based domain controllers that are running the KDC service (that is, that implement a public key extension to the Kerberos v5 protocol Authentication Service Exchange subprotocol) register this SRV record.
_kerberos.tcp.SiteName._sites.dc._msdcs.DnsDomainName.
Allows a client to locate a domain controller that is running the Windows 2000 implementation of the Kerberos KDC service for the domain that is named in DnsDomainName and that is also in the site named in SiteName. All Windows 2000 Server–based domain controllers that are running the KDC service (that is, that implement a public key extension to the Kerberos protocol Authentication Service Exchange subprotocol) register this SRV record.
_kpasswd._tcp.DnsDomainName.
Allows a client to locate a Kerberos Password Change server for the domain. All servers that provide the Kerberos Password Change service (which includes all Windows 2000–based domain controllers) register this name. This server at least conforms to "Kerberos Change Password Protocol." (For more information about this draft, see the Microsoft Platform SDK link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources. Use a keyword search to locate the draft.) The server is not necessarily a domain controller. All Windows 2000 Server–based domain controllers that are running an RFC 1510–compliant Kerberos KDC service register this SRV record.
_kpasswd._udp.DnsDomainName.
Same as _kpasswd._tcp.DnsDomainName, except that UDP is implied.
If multiple domain controllers have the same criteria, multiple records exist with the same owner name. A client that is looking for a domain controller with specific criteria would receive all the applicable records from the DNS server. The client would pick one of the returned records to select a domain controller, as described in "A DNS RR for specifying the location of services (DNS SRV)." For more information about this draft, see the Internet Engineering Task Force (IETF) link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources. Follow the links to Internet Drafts, and then use a keyword search.
For information about the Kerberos v5 authentication protocol and Kerberos subprotocol extensions, see "Authentication" in this book.
Host Records for Non-SRV-Aware Clients
Net Logon registers the following DNS A records for the use of LDAP clients that do not support DNS SRV records (that is, that are "non-SRV-aware"). The Locator does not use these records.
The following owner names of A (host) records are registered by Net Logon:
DnsDomainName.
Allows a non-SRV-aware client to locate any domain controller in the domain by looking up an A record. A name in this form is returned to the LDAP client through an LDAP referral. (For more information about LDAP referrals, see "LDAP Referrals" later in this chapter.) A non-SRV-aware client looks up the name; an SRV-aware client looks up the appropriate SRV resource record.
gc._msdcs.DnsForestName.
Allows a non-SRV-aware client to locate any Global Catalog server in the forest by looking up an A record. A name in this form is returned to the LDAP client through an LDAP referral. A non-SRV-aware client looks up this name; an SRV-aware client looks up the appropriate SRV resource record.
Netlogon also registers a DNS CNAME (alias) record for use by Active Directory replication. The Locator does not use this record.
The owner name of the CNAME record is:
DsaGuid._msdcs.DnsForestName.
Allows a client to locate any domain controller in the forest by looking up an A record. The only information that is known about the domain controller is the GUID of the directory system agent (also known as the "DSA") object for the domain controller and the name of the forest in which the domain controller is located. This record is used to facilitate renaming a domain controller.
Other SRV Record Content
The following information is also included in an SRV record:
Priority The priority of the server. Clients attempt to contact the server with the lowest priority.
Weight A load-balancing mechanism that is used when selecting a target host from those that have the same priority. Clients randomly choose SRV records that specify target hosts to be contacted, with probability proportional to the weight.
Port Number
The port where the server is listening for this service.
Target
The fully qualified domain name of the host computer.
The following example illustrates the combined information that is contained in A resource records and SRV resource records. A domain controller named Phoenix in the domain reskit.com has an IP address of 157.55.81.157. It registers the following A records and SRV records with DNS:
phoenix.reskit.com A 157.55.81.157
_ldap._tcp.reskit.com SRV 0 0 389 phoenix.reskit.com
_kerberos._tcp.reskit.com SRV 0 0 88 phoenix.reskit.com
_ldap._tcp.dc._msdcs.reskit.com SRV 0 0 389 phoenix.reskit.com
_kerberos._tcp.dc._msdcs.reskit.com SRV 0 0 88 phoenix.reskit.com.
When the appropriate SRV records and A records are in place, a DNS lookup of _ldap._tcp.dc._msdcs.reskit.com returns the names and addresses of all domain controllers in the domain.
For more information about A records, SRV records, DNS, and dynamic updates, see "Introduction to DNS" and "Windows 2000 DNS" in the TCP/IP Core Networking Guide.
If the DCs are in a truly configured "Site", then to change the priority and weights, you must change the registry entries under the Netlogon key. Once changed, then it will register that info into DNS.
I hope you've found this blog useful. If you have any comments or corrections, please let me know.
Related Links and Resources
DC Locator Process in W2K, W2K3(R2) and W2K8 - PART 1, Part 2, Part 3, and Which DCs are used when promoting a server to a DC?
http://blogs.dirteam.com/blogs/jorge/search.aspx?q=locator&p=1
http://blogs.dirteam.com/blogs/jorge/search.aspx?q=locator&p=2
http://blogs.dirteam.com/blogs/jorge/search.aspx?q=locator&p=3
Local Logon Process for Windows 2000
http://support.microsoft.com/?kbid=231789
Logon and Authentication Technologies
http://technet.microsoft.com/en-us/library/cc780455.aspx
Active Directory SRV Records
http://www.petri.co.il/active_directory_srv_records.htm
How to reconfigure an _msdcs subdomain to a forest-wide DNS application directory partition when you upgrade from Windows 2000 to Windows Server 2003
http://support.microsoft.com/?id=817470
How to optimize the location of a domain controller or global catalog that resides outside of a client's site
http://support.microsoft.com/default.aspx?kbid=306602
Change the weight for DNS SRV records in the registry
http://technet.microsoft.com/en-us/library/cc778225(WS.10).aspx
Change the priority for DNS SRV records in the registry
http://technet.microsoft.com/en-us/library/cc781155(WS.10).aspx
Authentication Topology - Configure DNS SRV records to speed authentication (may have to registry to read the whole article):
http://www.windowsitpro.com/Articles/Index.cfm?ArticleID=37935&pg=4
More info on how it actually works:
http://technet2.microsoft.com/WindowsServer/en/library/9d62e91d-75c3-4a77-ae93-a8804e9ff2a11033.mspx?mfr=true
How Interactive Logon Works
http://technet.microsoft.com/en-us/library/cc780332.aspx
How Domain Controllers Are Located in Windows XP
http://support.microsoft.com/kb/314861
Logon Process for Active Directory Domain User Account With a Windows NT 4.0 Computer Account (non-DNS, non-Kerberos)
http://support.microsoft.com/kb/319494
Directory Service Functions
http://msdn.microsoft.com/en-us/library/ms675900(VS.85).aspx
AD Cookbook by Robie Allen and Laura E. Hunter
http://books.google.com/booksid=AUx3jzI4DI8C&pg=PA106&lpg=PA106&dq=netlogon+srv+weight&source=bl&ots=ibZbfuSOoB&sig=k1ZVAX3ePERu9i9DXnSxjft8v9Y&hl=en&ei=r8mkScbzJNKgtwfn1ODMBA&sa=X&oi=book_result&resnum=1&ct=result#PPA105,M1
JSI Tip 4527. How can I manage which Windows 2000 domain controller a client contacts? (WIndows 2000 & 2003 are the same):
http://windowsitpro.com/article/articleid/75836/jsi-tip-4527-how-can-i-manage-which-windows-2000-domain-controller-a-client-contacts.html
DC SiteCoverage
http://technet.microsoft.com/en-us/library/cc937924.aspx
Reducing the workload on the PDC emulator master (allows making Netlogon registry changes with SRV weights and priorities so the PDC Emulator doesn't process all logon requests).
http://technet.microsoft.com/en-us/library/cc787370(WS.10).aspx
Change the Priority for DNS SRV Records in the Registry (This applies to all versions of Windows):
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part2/adogdapb.mspx#EMPAC
Change the Weight for DNS SRV Records in the Registry (This applies to all versions of Windows):
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part2/adogdapb.mspx#EWIAE
Appendix B - Active Directory General Procedures Reference (This applies to all versions of Windows):
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part2/adogdapb.mspx
How DNS Support for Active Directory Works
http://technet.microsoft.com/en-us/library/cc759550.aspx
Reducing the workload on the PDC emulator master
http://technet.microsoft.com/en-us/library/cc787370.aspx
Ace Fekay