Wow. Great post. I never saw that paper from Gil. I knew there was a reason I liked him. :oP
Thanks for that, Bob.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Tuesday, February 03, 2004 2:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] logon server discovery

joe <mailto:[EMAIL PROTECTED]> wrote:

> No one seems to be jumping on this with any authoritative answers, I
> was hoping Guido or Dean would nail it as I was looking to learn
> something. :o)

I'm hardly authoritative but what I've picked up on the subject :-)

Blatantly plagiarized from Gil's awesome March 2003 Authentication Topology paper:
http://www.winnetmag.com/Articles/Index.cfm?ArticleID=37935
or
http://www.netpro.com/forum/files/Authentication_Topology.pdf

The DNS service responds with a list of SRV records that correspond to all the DCs in the client's domain. The client takes the records with the lowest-priority value and issues an AD ping (which is actually an LDAP-over-UDP query) to each DC in turn. If a DC doesn't respond within a tenth of a second, the client tries the next DC, and so on, until a DC responds.

When a DC receives an AD ping from a client, the DC calculates two crucial pieces of information before sending a response. First, the DC determines the site closest to the client; to do so, the DC compares the IP address in the request packet with an in-memory data structure that contains the site and subnet associations defined in AD's site objects. The DC also determines whether it's in the site closest (from an IP topology point of view) to the client's site. The DC sends this information and the name of the responding DC's site in a UDP response to the client.

When the client receives this response, it determines whether the responding DC is in the site closest to its site. If so, the client saves the returned client site name in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters registry subkey's DynamicSiteName entry and uses that DC for further domain-authentication requests.

If the DC response indicates that the DC isn't in the site closest to the client's site, the client returns to DNS to find a DC in the closest site. This time, because the client knows its site name, it queries DNS for _ldap SRV records in the _tcp.sitename.sites.dc._msdcs.domainname domain. DNS responds with a list of SRV records for DCs in the specified site. The client again selects those SRV records with the lowest priority and issues AD pings to each in turn until one responds within a tenth of a second.

Sean Deuby had a related article in the December 2003 issue I've been reading over the weekend:
Designing for DC Failover - How to create the best AD site topology possible
http://www.winnetmag.com/Windows/Article/ArticleID/40718/40718.html

As far as the timeout value, he repeats the 100ms value for W2K and goes on to say that in 2003 the client waits 400ms between queries for the first 5 DCs, then 200ms between the next 5, then 100ms for the remaining DCs in the list. He further explains the various site coverage scenarios quite well in the article.

Between the two articles the subjects are covered very handsomely...

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
> Sent: Monday, February 02, 2004 8:33 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] logon server discovery
>
> As we all know to death by now, local logon server discovery is by
> determination of the DNS RR's for a DC in a computer's own site.
>
> qu. how does the client resolve the scenario of a response not being
> received in a timely fashion?
>
> what is the timeout value for a client not to receive a response from
> a local DC before it then goes "elsewhere"?
>
> have read about concept of an AD "ping" - does this use ICMP?
>
> GT
>
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
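Added example (an editor's addition, not code from the thread or from either article it cites): what the "AD ping" GT asked about actually looks like on the wire. It is not ICMP. It is a single-datagram LDAP search over UDP port 389 (CLDAP) for the Netlogon attribute, filtered on DnsDomain and NtVer, and the DC answers with a NETLOGON_SAM_LOGON_RESPONSE_EX structure carrying the DC's site name, the client's site name (the value Bob's excerpt says the client stores as DynamicSiteName) and a Flags word whose DS_CLOSEST_FLAG bit is the "this DC is in the closest site" signal the excerpt describes. Message layout, opcode and flag values follow Microsoft's MS-ADTS (LDAP ping) and MS-NRPC documentation; the domain contoso.com, host dc01, site HQ and the sample reply are constructed for illustration, not captured from a real DC. The per-DC wait times are the ones quoted from the Deuby article, parameterised so both the W2K and 2003 schedules can be tried.

```python
import socket, struct, uuid
DS_CLOSEST_FLAG = 0x80                 # set when the DC is in the site closest to the client
LOGON_SAM_LOGON_RESPONSE_EX = 0x17     # opcode of the EX-format Netlogon answer

def ber(tag, payload):
    """Minimal BER TLV encoder (short and long definite length forms)."""
    n = len(payload)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + payload

def ber_int(v):                        # small non-negative INTEGERs only (message id, limits)
    return ber(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def build_netlogon_ping(domain, msg_id=1, ntver=0x16):
    """LDAP searchRequest: base "", scope base, filter (&(DnsDomain=<domain>)(NtVer=<le32>)), attrs [Netlogon].
    ntver 0x16 = NETLOGON_NT_VERSION_5 | 5EX | WITH_CLOSEST_SITE: ask for the EX reply and the closest-site bit."""
    eq = lambda a, v: ber(0xA3, ber(0x04, a) + ber(0x04, v))            # equalityMatch [3]
    filt = ber(0xA0, eq(b"DnsDomain", domain.encode()) + eq(b"NtVer", struct.pack("<I", ntver)))  # and [0]
    search = ber(0x63, ber(0x04, b"") + ber(0x0A, b"\x00") * 2 + ber_int(0) * 2 + ber(0x01, b"\x00")
                 + filt + ber(0x30, ber(0x04, b"Netlogon")))
    return ber(0x30, ber_int(msg_id) + search)                           # LDAPMessage

def ber_read(buf, pos):                # decode one TLV at pos -> (tag, value, position after it)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def netlogon_attr(reply):
    """Netlogon attribute value from the SearchResultEntry in a CLDAP reply datagram, or None."""
    _, msg, _ = ber_read(reply, 0)
    _, _, p = ber_read(msg, 0)                                           # messageID
    tag, entry, _ = ber_read(msg, p)
    if tag != 0x64:                                                      # not a SearchResultEntry
        return None
    _, attrs, _ = ber_read(entry, ber_read(entry, 0)[2])                 # skip the empty objectName
    p = 0
    while p < len(attrs):
        _, attr, p = ber_read(attrs, p)
        _, atype, q = ber_read(attr, 0)
        if atype.lower() == b"netlogon":
            return ber_read(ber_read(attr, q)[1], 0)[1]                 # first value in the SET
    return None

def read_name(buf, pos):
    """RFC 1035-style compressed name; pointer offsets count from the start of the blob."""
    labels, resume = [], None
    while True:
        n = buf[pos]
        if n == 0:
            return ".".join(labels), (pos + 1 if resume is None else resume)
        if n & 0xC0 == 0xC0:                                             # compression pointer
            resume = pos + 2 if resume is None else resume
            pos = ((n & 0x3F) << 8) | buf[pos + 1]
            continue
        labels.append(buf[pos + 1:pos + 1 + n].decode())
        pos += 1 + n

def parse_netlogon_response(blob):
    """NETLOGON_SAM_LOGON_RESPONSE_EX -> dict; 'closest' is the bit the client's locator tests."""
    opcode, _sbz, flags = struct.unpack_from("<HHI", blob, 0)
    if opcode != LOGON_SAM_LOGON_RESPONSE_EX:                            # older formats lay out differently
        raise ValueError("unexpected opcode 0x%x" % opcode)
    info = {"flags": flags, "closest": bool(flags & DS_CLOSEST_FLAG), "domain_guid": str(uuid.UUID(bytes_le=blob[8:24]))}
    pos = 24
    for f in ("forest", "domain", "dc_host", "netbios_domain", "netbios_dc", "user", "dc_site", "client_site"):
        info[f], pos = read_name(blob, pos)
    info["ntver"], info["lmnt_token"], info["lm20_token"] = struct.unpack_from("<IHH", blob, pos)
    return info

def ping_timeout_ms(attempt, server2003=True):  # per-DC wait as quoted in the thread (W2K: always 100 ms)
    return (400 if attempt < 5 else 200 if attempt < 10 else 100) if server2003 else 100

def site_srv_name(site, domain):                # SRV name the client queries once it knows its site
    return "_ldap._tcp.%s._sites.dc._msdcs.%s" % (site, domain)

def cldap_ping(dc_host, domain, timeout_ms):
    """One AD ping on the wire: UDP/389, give up after timeout_ms (None), as the locator does."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout_ms / 1000.0)
        s.sendto(build_netlogon_ping(domain), (dc_host, 389))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    blob = netlogon_attr(reply)
    return parse_netlogon_response(blob) if blob else None

# Constructed sample reply (not from a real DC): dc01 in site HQ answering a client whose subnet maps to HQ.
_NAMES = (b"\x07contoso\x03com\x00"                    # offset 24: DnsForestName
          b"\xc0\x18" b"\x04dc01\xc0\x18"              # 37: DnsDomainName -> 24; 39: DnsHostName "dc01" -> 24
          b"\x07CONTOSO\x00" b"\x04DC01\x00" b"\x00"   # 46: NetbiosDomainName; 55: NetbiosComputerName; 61: UserName
          b"\x02HQ\x00" b"\xc0\x3e")                   # 62: DcSiteName; 66: ClientSiteName -> 62
_BLOB = (struct.pack("<HHI", LOGON_SAM_LOGON_RESPONSE_EX, 0, 0x1BD)   # Flags = PDC|GC|LDAP|DS|KDC|CLOSEST|WRITABLE
         + uuid.UUID("12345678-1234-1234-1234-123456789abc").bytes_le + _NAMES
         + struct.pack("<IHH", 0x16, 0xFFFF, 0xFFFF))                 # NtVersion, LmNtToken, Lm20Token
SAMPLE_REPLY = ber(0x30, ber_int(1) + ber(0x64, ber(0x04, b"") + ber(0x30, ber(0x30,
               ber(0x04, b"Netlogon") + ber(0x31, ber(0x04, _BLOB))))))
```

`parse_netlogon_response(netlogon_attr(SAMPLE_REPLY))` decodes the constructed reply offline; `cldap_ping("dc01.contoso.com", "contoso.com", ping_timeout_ms(0))` sends a real ping to whatever host you name, and a Windows client's own view of the same exchange is `nltest /dsgetdc:contoso.com`. Two things worth noting when reading this against the excerpt above: the site-specific record Windows DNS publishes is `_ldap._tcp.<site>._sites.dc._msdcs.<domain>` (with the underscore before `sites`, which the excerpt's rendering drops), and the whole exchange is unauthenticated plaintext UDP, so the site and closest-site information is only a hint for choosing which DC to talk to, which is all the locator uses it for.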
