Thursday 2 April 2015

Sites, Services and Domain Controllers

One of the things that baffles me is how little Sites and Services is understood and oddly implemented around the place.

I'd recommend giving this a good, thorough read through (twice) if you administer AD anywhere. It's one of my most frequently shared links when someone starts talking to me about this, for a couple of reasons; I'll include a brief summary below...

Sites, Sites, Everywhere... http://blogs.technet.com/b/askds/archive/2011/04/29/sites-sites-everywhere.aspx

1) Automatic Site Coverage

Every domain controller in the forest follows this procedure:

  1. Build a list of target sites: sites that have no domain controllers for this domain (the domain of the current domain controller).
  2. Build a list of candidate sites: sites that have domain controllers for this domain.
  3. For every target site, follow these steps:
    a. Build a list of candidate sites of which this domain is a member. (If none, do nothing.)
    b. Of these, build a list of sites that have the lowest site link cost to the target site. (If none, do nothing.)
    c. If more than one, break ties (reduce this list to one candidate site) by choosing the site with the largest number of domain controllers.
    d. If more than one, break ties by choosing the site that is first alphabetically.
    e. Register target-site-specific SRV records for the domain controllers for this domain in the selected site.
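
The coverage procedure above worked through in Python, as an added example that is not code from the original post or from the TechNet article. The site topology is constructed for illustration, and the example assumes site links are bridged (the AD default), so the cost to a target site is the cheapest path over site links rather than only a direct link:

```python
import heapq
from collections import defaultdict

# Constructed sample topology (not from the post): DC counts per domain in each site, plus site links with costs.
SITE_DCS = {
    "HQ":     {"corp.example": 3},
    "Branch": {"corp.example": 3},
    "Annex":  {"corp.example": 1},
    "Remote": {},                  # no DCs at all
    "Lab":    {"dev.example": 1},  # DCs for another domain only
}
SITE_LINKS = [("HQ", "Branch", 100), ("HQ", "Remote", 200), ("Branch", "Remote", 300),
              ("Annex", "Remote", 200), ("HQ", "Lab", 100), ("Branch", "Lab", 100),
              ("Annex", "Branch", 50)]

def link_costs(site_links, source):
    """Cheapest cumulative site-link cost from source to every reachable site (Dijkstra).
    Assumes site links are bridged (transitive), which is the AD default."""
    graph = defaultdict(list)
    for a, b, cost in site_links:
        graph[a].append((b, cost))
        graph[b].append((a, cost))
    best, heap = {source: 0}, [(0, source)]
    while heap:
        cost, site = heapq.heappop(heap)
        if cost > best[site]:
            continue
        for nxt, c in graph[site]:
            if cost + c < best.get(nxt, float("inf")):
                best[nxt] = cost + c
                heapq.heappush(heap, (best[nxt], nxt))
    return best

def auto_site_coverage(domain, site_dcs=SITE_DCS, site_links=SITE_LINKS):
    """Map each target site's site-specific SRV name to the site whose DCs register it."""
    targets = [s for s, dcs in site_dcs.items() if domain not in dcs]   # step 1
    candidates = [s for s, dcs in site_dcs.items() if domain in dcs]    # step 2
    coverage = {}
    for target in targets:                                               # step 3
        costs = link_costs(site_links, target)
        reachable = [s for s in candidates if s in costs]                # linked to the target
        if not reachable:
            continue
        lowest = min(costs[s] for s in reachable)
        tied = [s for s in reachable if costs[s] == lowest]              # lowest link cost
        most = max(site_dcs[s][domain] for s in tied)
        tied = [s for s in tied if site_dcs[s][domain] == most]          # most DCs
        coverage[f"_ldap._tcp.{target}._sites.{domain}"] = sorted(tied)[0]  # alphabetical, then register
    return coverage
```

With this topology Remote is covered by HQ (Annex ties on cost but has fewer DCs) and Lab by Branch (HQ ties on cost and DC count, Branch sorts first).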

2) DCLocator

  1. Client does a DNS search for DCs in _LDAP._TCP.dc._msdcs.domainname
  2. DNS server returns a list of DCs.
  3. Client sends an LDAP ping to a DC asking for the site it is in based on the client's IP address (IP address ONLY! The client's subnet is NOT known to the DC).
  4. DC returns…
    a. The client’s site or the site that’s associated with the subnet that most matches the client’s IP (determined by comparing just the client’s IP to the subnet-to-site table Netlogon builds at startup).
    b. The site that the current domain controller is in.
    c. A flag (DSClosestFlag=0 or 1) that indicates if the current DC is in the site closest to the client.
  5. The client decides whether to use the current DC or to look for a closer option.
    a. Client uses the current DC if it’s in the client’s site or in the site closest to the client as indicated by DSClosestFlag reported by the DC.
    b. If DSClosestFlag indicates the current DC is not the closest, the client does a site-specific DNS query to: _LDAP._TCP.sitename._sites.domainname (_LDAP or whatever service you happen to be looking for) and uses a returned domain controller.

3) DNS

See the DCLocator steps above for the DNS records involved.

After understanding all this, designing and spotting potential issues may become easier...