Session in which DC of the domain?

Mario 220 Reputation points
2024-07-20T00:06:46.19+00:00

I have a win2019 member server that is joined to my only domain.

I have two DCs, one 2016, another 2019.

The member server has only one dns pointing to dc2019.

I have 2 users to do what I mention below:

User1 is a local admin on my member server.

User2 is not a local admin on my member server.

I perform the following test:

I log in with user1 and through nltest /dsgetdc: I see that I am logged in to DC2019!!

I log off without restarting and log in with user2, and through nltest /dsgetdc: I see that I am logged in to DC2016!!

My existential doubt is: who decides, at what moment, and why? Where does it authenticate? In any case, I see that this authentication is at the user level, and not at the "server level, joined to a specific domain and for the entire session since it was turned on."

Is this like that or is it at the request of the best available?

Many questions, many doubts... :(


Accepted answer
Marcin Policht 21,280 Reputation points MVP
    2024-07-20T01:55:57.8166667+00:00

    Use nltest /sc_query:domain_name instead.

    This will provide the secure channel between the member server and domain controller that user authentication leverages (at least in a single-domain environment, where computers and users are part of the same AD domain).

    Btw, even nltest /sc_query is not entirely reliable, since the secure channel can be renegotiated over time.


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin


1 additional answer

Yanhong Liu 7,520 Reputation points Microsoft Vendor
    2024-07-22T08:49:36.3033333+00:00

    Hello,

    Thank you for posting in Q&A forum.

    It seems like you're encountering the dynamics of domain controller selection and user authentication in your Active Directory environment. The following may be helpful with your questions.

    1. Domain Controller Selection: When a member server (or any domain-joined client) needs to authenticate a user, it will contact a domain controller (DC) to verify credentials. The selection of which DC to use can depend on several factors:

    (1) DNS Configuration: The member server typically uses DNS to locate domain controllers. Ensure that DNS settings on the member server point to both DCs in your domain for redundancy.

    (2) Site Awareness: Active Directory Sites and Services configuration determines which DCs are preferred based on network topology and site definitions. DCs in the same site as the member server are preferred.

    (3) Availability and Responsiveness: The member server will choose a DC that responds the quickest and is available.

    2. User Authentication: Once a DC is selected, the user's credentials are validated against the Active Directory database on that DC. This process ensures that the user is authenticated regardless of which member server they log in to, as long as they are accessing resources within the same domain.

    3. Impact of User Privileges: User1 being a local admin on the member server doesn't affect which DC handles authentication. Authentication is always handled by a DC, and the member server's local admin privileges only impact what actions User1 can perform locally on that server.

    4. Verification with nltest: Using nltest /dsgetdc: helps verify which DC the member server is currently using for authentication requests. It's normal to see different DCs being used based on factors like site affinity and load balancing.

    In summary, authentication in Active Directory is primarily user-based and relies on the member server's configuration (DNS settings, site membership) to determine which DC to contact. The server itself doesn't authenticate users locally but relies entirely on domain controllers for this task. If you have specific concerns about authentication behavior or want to enforce DC preference, reviewing DNS settings and site configurations within Active Directory Sites and Services can help optimize and clarify the process.

    I hope the information above is helpful.

    Best Regards,

    Yanhong Liu

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
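Added example for the two answers above (my own PowerShell, not code from either answerer or from Microsoft): "which DC am I logged on to" can mean three different things on a member server, and the script gathers all three side by side so they can be compared for user1 and user2. The DC locator result that nltest /dsgetdc: prints (cached, and forced fresh), the DC that holds the machine's Netlogon secure channel (nltest /sc_query, the per-machine answer from the accepted answer), and the KDC that actually issued the logged-on user's Kerberos TGT (klist), plus the site and the DC SRV records from DNS that drive the locator. The domain name contoso.com is a placeholder assumption; the output parsing assumes the standard English nltest and klist output formats.

```powershell
# Added example, not from the thread. Run on the member server in the context
# of the user whose logon you want to inspect (user1, then user2).
# Assumption: the domain is contoso.com (placeholder); replace it with yours.

$Domain = 'contoso.com'   # placeholder, not a value from the thread

function Get-DcLocatorResult {
    # nltest /dsgetdc: runs the DC locator. Without /force it may hand back
    # the cached result of the last locator call, which is why consecutive
    # runs can differ from what authenticated the current user.
    param([switch]$Force)
    $nlArgs = @("/dsgetdc:$Domain")
    if ($Force) { $nlArgs += '/force' }
    $out = (& nltest.exe @nlArgs 2>&1) -join "`n"
    $m = [regex]::Match($out, 'DC:\s*\\\\(\S+)')
    if ($m.Success) { $m.Groups[1].Value } else { $null }
}

function Get-SecureChannelDc {
    # The Netlogon secure channel is per machine, not per user: NTLM
    # pass-through authentication on this server goes through this DC.
    # It can be renegotiated, so this is a point-in-time answer.
    $out = (& nltest.exe "/sc_query:$Domain" 2>&1) -join "`n"
    $m = [regex]::Match($out, 'Trusted DC Name\s+\\\\(\S+)')
    if ($m.Success) { $m.Groups[1].Value } else { $null }
}

function Get-UserTgtKdc {
    # For a Kerberos logon, klist lists each cached ticket together with the
    # KDC that issued it. The krbtgt entry is the TGT, so its "Kdc Called"
    # line names the DC that authenticated the current user.
    $out = & klist.exe 2>&1
    $inTgt = $false
    foreach ($line in $out) {
        if ($line -match '^#\d+>') { $inTgt = $false }      # new ticket entry
        if ($line -match 'Server:\s*krbtgt/') { $inTgt = $true }
        if ($inTgt -and $line -match 'Kdc Called:\s*(\S+)') { return $Matches[1] }
    }
    return $null
}

function Get-DcSrvTargets {
    # The locator starts from these SRV records; site-specific records live
    # under _ldap._tcp.<site>._sites.dc._msdcs.<domain>.
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.NameTarget } |
        ForEach-Object { $_.NameTarget }
}

function Show-DcSelectionReport {
    [pscustomobject]@{
        User            = "$env:USERDOMAIN\$env:USERNAME"
        LogonServerEnv  = $env:LOGONSERVER             # DC that processed this interactive logon
        UserTgtKdc      = Get-UserTgtKdc                # DC that issued this user's TGT
        SecureChannelDc = Get-SecureChannelDc           # machine's Netlogon channel (per machine)
        LocatorCached   = Get-DcLocatorResult           # what a plain nltest /dsgetdc: shows
        LocatorForced   = Get-DcLocatorResult -Force    # fresh locator query
        ComputerSite    = (& nltest.exe /dsgetsite 2>&1 | Select-Object -First 1)
        DcSrvRecords    = (Get-DcSrvTargets) -join ', '
    }
}

Show-DcSelectionReport | Format-List
```

Run it once as user1 and once as user2 on the same server. If UserTgtKdc and LogonServerEnv change between the two users while SecureChannelDc stays the same, that is the behaviour both answers describe: Kerberos picks a KDC per logon through the locator (so it is "per user"), while the secure channel is per machine; a DC list with only one entry in DcSrvRecords, or a site that contains only one of the two DCs, is the first thing to check if you want the selection to be predictable rather than "best available".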

