Controlling which DC responds in a Site
This section is to understand how to change the Netlogon Registry Data to control SRV weights and priorities, that are referenced in the links above. Be careful when implementing these changes. It MUST be documented so if another DC in the site were to go down, users may experience a delay or worse, an inability to logon, and if the changes made were forgotten, it will be extremely difficult to troubleshoot. To find out which DC logged you in: echo %logonserver% You can also test which DCs are nearest to your workstation in your site (copy nltest.exe from the DC to the workstation’s system32 folder): nltest /sc_query:YourDomainName.com To find the GC your workstation used (copy nltest.exe from the DC to the workstation’s system32 folder): nltest /dsgetdc:your_domain_name.com /GC This is performed altering the default weight and/or priority settings that get registered in the SRV records. The changes are made in the specific DC’s netlogon registry entry. I would suggest to change all your DCs in a Site for more finite control. The reason is it controlled in the netlogon registry entry, is because the netlogon service is the component that registers a DC’s data into their respective SRV folders. When changing them, keep in mind a client will attempt to contact a server with the lowest priority first. If there are more than one server with the same priority, DNS load balancing is used when selecting the target server. If the weights are changed with the same priority, then a server is chosen based a percentage by dividing the weigth by the sum of all weights of all DCs in an AD Site. Let’s say you have 3 DCs: DC01, DC02 and DC03. Weights are assigned as follows: DC01 = 10 DC02 = 20 DC03 = 30 In this example: DC01 will be contacted 1 out of every 6 times (10/(30+20+10)) DC02 will be contacted 2 out of every 6 times (10/30(20/(30+20+10))) DC03 will be contacted 3 out of every 6 times (10/20(30/(30+20+10))) You can use nslookup to find the SRV weights: nslookup q=srv _ldap._tcp.dc01._msdcs.domain.com Then verify the correct SRV records were created based on the registry changes you made: How to verify that SRV DNS records have been created for a domain controller: http://support.microsoft.com/kb/816587In environments with multiple sites / subnets and domain controllers you may be looking for such information really often. There are at least three options to determine which DC was used for authentication of client.
First two possibilities are almost the the same (they are based on the same environment variable). You can either type in and run “echo %logonserver%”or “set l”, but actually & unfortunatelly both of them are not really accurate because of update times for logonserver variable.
Another option, which provides more accurate result is nltest with dsgetdc option.
nltest can be used for various checks – as in the example above, it provides big amount of data about domain authentication:
echo %logonserver%
set l
Another option, which provides more accurate result is nltest with dsgetdc option.
nltest /dsgetdc:adatum.com
nltest can be used for various checks – as in the example above, it provides big amount of data about domain authentication:
- DC used during user authentication process,
- AD Site you are in,
- AD site that DC is in.
