Finding a Domain Controller

    Question

  • Hi,

    Does anyone know how to check which domain controller a user PC is connected to and how to force users to authenticate on a specific Domain Controller?

    Thanks,
    Thursday, October 29, 2009 9:48 PM

Answers

  •  1) how do you find out which domain controller a user PC is logged on to?
     2) how do you find out which Domain controller is authenticating a specific PC

    You can easily check from the workstation by opening a command prompt and typing the command SET.  Look at the variable called %LOGONSERVER%.  If you wanted to collect this information and store it centrally such as in a database, then create a login script and write the info to the db.  Alternatively, you can enable auditing on the domain and use the security logs to track this information.


    3) how do you force authentication to a specific Domain Controller?

    Creating Active Directory Sites is the best method to control authentication in a domain.  Within the AD Sites and Services MMC, you create site and subnet objects.  Subnet objects are assigned to sites.  Windows 2000 and later computers are site aware and can look up which DC(s) are available in their site, and use them for authentication.

    Visit my blog: anITKB.com, an IT Knowledge Base.
    • Proposed as answer by [JorgeM] Friday, October 30, 2009 1:55 PM
    • Marked as answer by Joson ZhouModerator Tuesday, November 03, 2009 9:52 AM
    • Edited by [JorgeM] Wednesday, March 03, 2010 3:54 AM
    Friday, October 30, 2009 1:54 PM
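The SET / %LOGONSERVER% check above is interactive and per session. The script below is an added example (not from this thread or from any of its posters) that does the same thing from a logon script: it records the DC that authenticated the session, asks the DC locator which DC and site it would pick right now, compares the two sites, and appends one row to a central CSV. It assumes a domain-joined Windows client with PowerShell 3 or later; the share path `\\FILESERVER\logonaudit$\logonserver.csv` is a placeholder.

```powershell
# Added example: report which DC and site this client is using, and log it centrally.
# Assumes a domain-joined Windows host, PowerShell 3+. The CSV path is a placeholder.
$CentralLog = '\\FILESERVER\logonaudit$\logonserver.csv'   # placeholder share

function Get-LogonServerReport {
    # %LOGONSERVER% is the DC that authenticated this interactive session;
    # it is the same value the SET command shows, minus the leading backslashes.
    $logonServer = $env:LOGONSERVER.TrimStart('\')

    # Ask the DC locator which DC it would choose now. This can differ from the
    # logon-time value, e.g. after a reboot or after "nltest /dsgetdc:<domain> /force".
    $domain     = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
    $locatorDc  = $domain.FindDomainController()
    $clientSite = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite()

    [pscustomobject]@{
        Timestamp   = (Get-Date).ToString('o')
        Computer    = $env:COMPUTERNAME
        User        = $env:USERNAME
        LogonServer = $logonServer
        LocatorDc   = $locatorDc.Name
        DcSite      = $locatorDc.SiteName
        ClientSite  = $clientSite.Name
        # SameSite = False is the symptom of missing/misassigned subnet objects
        SameSite    = ($locatorDc.SiteName -eq $clientSite.Name)
    }
}

$report = Get-LogonServerReport
$report | Format-List

# Central collection, as the answer suggests for a logon script: append one row.
try {
    $report | Export-Csv -Path $CentralLog -Append -NoTypeInformation
} catch {
    Write-Warning "Could not write to ${CentralLog}: $($_.Exception.Message)"
}
```

Run it from a GPO logon script and the CSV gives you, per user and machine, the DC that authenticated them and whether it sat in the client's own site. Rows with `SameSite = False` are the ones to investigate against the subnet objects in AD Sites and Services. A CSV on a share is used here only because it needs no infrastructure; writing the same object to a database, as the answer proposes, is a one-line change.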

All replies

  • I think this is not possible. Correct me if I'm wrong ;). Can you explain why you want this and what you want to achieve with it?

    You can use Active Directory Sites. Site information helps make authentication faster and more efficient. When a client logs on to a domain, it first searches its local site for a domain controller to authenticate against. By establishing multiple sites, you can ensure that clients authenticate against domain controllers nearest to them, reducing authentication latency and keeping traffic off WAN connections.

    See here for more information:
    Sites overview: Active Directory

    Certifications: MCSA 2003 MCSE 2003
    Thursday, October 29, 2009 10:15 PM
  • Hi Kam247,

    Thank you for posting in the Windows Server forums.

    In line with shadowman123's suggestion, can you please tell us your forest topology so that we can make a suggestion?

    To check which domain controller a user PC is connected to, you can use the PsLoggedOn utility from Sysinternals; find the link below to download the tool:

    http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx
    Friday, October 30, 2009 1:14 AM
  • I ask this question because I had a job interview and the guy that interviewed me asked me 1) how do you find out which domain controller a user PC is logged on to 2) how do you find out which Domain controller is authenticating a specific PC 3) how do you force authentication to a specific Domain Controller? To be honest I have never come across this before so just wanted to know for next time.
    Friday, October 30, 2009 9:12 AM
  • Hi Jorge,

    I tried to create sites and subnets to force authentication to a specific domain controller. Sometimes it's working, but when I restarted the client it's still pointing to another domain controller which is not in the same subnet.
    Saturday, January 02, 2010 3:48 PM
  • If both subnets are defined in the same site object, then the client will choose any of the domain controllers in the site regardless of whether or not the DC is in the same subnet.  It is not common to create a site for every subnet unless these subnets are across WAN links.  If all of these subnets are on the Local Area Network, then it really shouldn't matter to you which DC is chosen.  Authentication traffic is not going to clog up your LAN pipes unless you are running shared Ethernet (hubs) and really have hundreds of clients on the same segment.  In addition, it is not a 100% guarantee that the DC in the same subnet will always authenticate the user.  If that DC is overloaded or it cannot respond in a timely fashion, your client will try another DC in another site.  More diagnosis will be required.

    To control your authentication traffic, you will need to define your Sites first.  Then create your subnet objects and assign them to the specific sites.  If a subnet is not defined, it is automatically assigned to the "First-Default" site that was created (you may have renamed it which is fine).

    Note:  Keep in mind that sites also create a replication topology for these DCs.  This INTERSITE replication is managed by properties which define how often the bridgehead DCs will replicate, their replication costs, and schedule.

    Again, not having your network design and diagrams makes it difficult to help you design your sites, but try to keep things simple with AD design.  The more complex the design, the more difficult it is to maintain and troubleshoot.
    Saturday, January 02, 2010 4:16 PM
  • Hi Jorge,

    Thank you for your response, to explain it clearly my scenario here is my design.

    Site Name: Default-Firsts-Site-Name
    Server Name: Server01 and Server02
    BH: Server01
    Subnet: 192.168.1.0
    GC: Server01

    Site Name: Second-Site
    Server Name: DC01 and DC02
    BH: DC01
    Subnet: 10.10.10.0
    GC: DC01

    My Client01 belongs to subnet 192.168.1.0. When my Client01 boots up and I try to log in with the account and run echo %logonserver%, sometimes it authenticates to the same site, either Server01 or Server02, which is correct, but when I restart several times it authenticates to DC01, which is not in the same site as Client01. The same happens to my Client02, which currently belongs to subnet 10.10.10.0. I already cleared the DC locator cache by running the command nltest /dsgetdc:domainname /force on both clients. I configured my AD Sites and Services properly; I searched the internet about this and saw some threads saying that you can force a client to authenticate to the nearest site or the same site via AD Sites and Services. Is there any other configuration I might need to perform? I appreciate your response about this.
    Sunday, January 03, 2010 1:14 AM
  • The only last two thoughts that come to mind that I would check on are the following:

    1) Make 100% sure that you have defined ALL subnet objects in the AD Sites and Services console AND have assigned those subnet objects to the correct site.
    2) Keep in mind that to log on properly, a GC must be available, otherwise, your client will attempt to locate another GC.  Any reason why all of your DCs are not GCs?  If you only have a single domain in the forest, this configuration really doesn't add any additional overhead on the DCs.  In a single domain model, there is no conflict by having the GC role on the same server as the Infrastructure Master FSMO role.

    There is no guarantee that your clients will always use the DCs in the same site, but that is what they will attempt to do. 

    As a final check, look at your AD zone in DNS and look at all of the SRV records.  Make sure they are all up to date and correct.  Your clients use DNS to locate all AD services.  (_msdcs zone)
    Sunday, January 03, 2010 9:13 PM
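Jorge's two replies above (define every subnet and assign it to the right site; make the DCs GCs; check the SRV records under _msdcs) are all things that can be verified from a DC or an RSAT workstation rather than by rebooting clients and watching %LOGONSERVER%. The script below is an added example, not something posted in this thread, that runs those three checks for a list of client addresses. It assumes the ActiveDirectory and DnsClient PowerShell modules (RSAT on Windows 8 / Windows Server 2012 or later) and a single-domain forest; the client IPs in `$ClientIPs` are constructed placeholders, and `Test-IPInSubnet` is a helper written for this example, not a built-in cmdlet.

```powershell
# Added example: audit AD site/subnet coverage, GC placement and _msdcs SRV records.
# Assumes the ActiveDirectory and DnsClient modules; run as a domain user with read access.
Import-Module ActiveDirectory

# Constructed sample client addresses; replace with the clients you are investigating.
$ClientIPs = @('192.168.1.25', '10.10.10.40', '172.16.5.9')

function Test-IPInSubnet {
    # Helper for this example: is an IPv4 address inside a CIDR block like 192.168.1.0/24?
    param([string]$IP, [string]$Cidr)
    $net, $bits = $Cidr -split '/'
    $toInt = { param($a) $b = ([ipaddress]$a).GetAddressBytes()
               [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3] }
    $hostBits = 32 - [int]$bits
    # Drop the host bits on both sides and compare the remaining network prefix.
    return ((& $toInt $IP) -shr $hostBits) -eq ((& $toInt $net) -shr $hostBits)
}

# --- 1) Is every client subnet covered by a subnet object, and which site owns it? ---
$subnets = Get-ADReplicationSubnet -Filter * -Properties Site |
    Where-Object { $_.Name -match '^\d+\.\d+\.\d+\.\d+/\d+$' } |     # IPv4 only
    ForEach-Object {
        # Site is stored as a DN; keep only the site's CN for display.
        [pscustomobject]@{ Cidr = $_.Name; Site = ($_.Site -replace '^CN=([^,]+),.*$', '$1') }
    }

"== Subnet coverage =="
foreach ($ip in $ClientIPs) {
    # Longest-prefix match, in case a /16 and a /24 both contain the address.
    $match = $subnets | Where-Object { Test-IPInSubnet -IP $ip -Cidr $_.Cidr } |
             Sort-Object { [int]($_.Cidr -split '/')[1] } -Descending | Select-Object -First 1
    if ($match) { "{0,-15} -> {1,-20} site {2}" -f $ip, $match.Cidr, $match.Site }
    else        { "{0,-15} -> NOT COVERED by any subnet object (DC locator cannot place it in a site)" -f $ip }
}

# --- 2) Which DCs exist per site, and are they all Global Catalogs? ---
"`n== Domain controllers =="
$dcs = Get-ADDomainController -Filter *
$dcs | Select-Object HostName, Site, IPv4Address, IsGlobalCatalog | Format-Table -AutoSize
$dcs | Where-Object { -not $_.IsGlobalCatalog } | ForEach-Object {
    Write-Warning "$($_.HostName) is not a Global Catalog; logons in site $($_.Site) may be served elsewhere"
}

# --- 3) Do the site-specific SRV records under _msdcs list the DCs of that site? ---
"`n== Site SRV records =="
$dnsRoot = (Get-ADDomain).DNSRoot
foreach ($site in ($dcs | Select-Object -ExpandProperty Site -Unique)) {
    $name = "_ldap._tcp.$site._sites.dc._msdcs.$dnsRoot"
    try {
        $targets = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget
    } catch { $targets = @() }
    $expected = $dcs | Where-Object { $_.Site -eq $site } | Select-Object -ExpandProperty HostName
    $missing  = $expected | Where-Object { $targets -notcontains $_ }
    if ($missing) { Write-Warning "$name is missing SRV records for: $($missing -join ', ')" }
    else          { "$name : OK ($(@($targets).Count) records)" }
}
```

In Kam247's layout the script should print 192.168.1.x mapping to Default-First-Site-Name and 10.10.10.x mapping to Second-Site; any client address reported as NOT COVERED is a client that the DC locator cannot tie to a site, which is exactly the case where it will accept any DC in the domain. A DC listed without IsGlobalCatalog, or a site whose `_ldap._tcp.<site>._sites.dc._msdcs` record does not name its own DCs, are the remaining two causes Jorge points at. Note that subnet objects and SRV records only steer site selection; as the replies say, a client will still fall back to another site's DC when the local ones are unreachable or slow.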