I was wondering how clients discover their domain controller and what will happen if the DC located near the client is down?
First of all , its all about DNS .. Your machine will boot ,contact DNS asking about couple of Service Records asking about all domain controllers in the domain. At this time , the client doesn’t know even in which AD Site it is located nor does the DNS.
DNS will return all domain controllers to the client ,and by default it will sort the list using subnet mask ordering feature , that is preferring DCs that share the same network ID with the client. This is a DNS feature and it is enabled by default.
The client will contact each DC in the list until it can connect to a one. The DC then validate the client IP and will return back to him his assigned AD Site name. This information will be cached in the client memory.
The client then will go to DNS and asking for domain controllers located in THAT AD site.
Now…if the local domain controller is down, the client will go and try to contact ANY domain controller in the domain. This is bad.
How can we make the client contact a domain controller in the nearest AD site if his local DC is down ?
In the figure below ,suppose that the DC at site C is down, clients in site C will try to randomly pick domain controllers at site A or site B although Site A is the near site.
There is a GPO settings called ( Try next closest site) , when DC at site C is down, clients will prefer domain controllers at site A.If it cannot connect to a domain controller in the nearest site, it will randomly pick any domain controller in the domain.
Last note :
By design , clients will not contact domain controllers in the nearest site if it contains RODCs because it may be considered less secure.This is called (Next Closest Site Filter).
you can modify the filter used by the DC Locator. On Windows Server 2008 DCs, open the registry editor and navigate to HKLM\System\CurrentControlSet\Services\Netlogon\Parameters. Set the NextClosestSiteFilter DWORD value to one of the following:
- 0: No filtering and any site is used.
- 1: Sites that only contain RODCs are filtered but sites that contain a mix of RODCs and writable DCs aren’t filtered.
- 2 (default): Sites that contain any RODCs are filtered.