Windows Hello for Business DC Locator Process

Broonster 46 Reputation points
2022-04-28T03:10:21.09+00:00

Hi There,

I know how the standard DC locator process works for a client trying to find its closest DC but how does a WHfB client find a DC that is Server 2016 or higher when you have a mixture of Server 2012 R2 and 2016/19?

Cheers

Windows 10 Security

4 answers

Sort by: Most helpful
  1. Limitless Technology 39,661 Reputation points
    2022-04-28T16:40:30.55+00:00

    Hello

    Thank you for your question and reaching out.

    I can understand you wish to know more about how DC Locator works for 2016 and 2019 servers.

    By default, DC Locator does not consider any site that contains a read-only domain controller (RODC) when it determines the next closest site. In addition, when the client gets a response from a domain controller that runs a version earlier than Windows Server 2008, the DC Locator behavior is the same as when the setting is not enabled.

    For example, assume that a site topology has four sites with the site link values in the following illustration. In this example, all the domain controllers are writable domain controllers that run Windows Server 2008 or newer.

    Below is a reference article from Microsoft which is applicable to Windows Server 2016, 2019 and 2022.

    https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/enabling-clients-to-locate-the-next-closest-domain-controller

    -------------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept as answer--


  2. Broonster 46 Reputation points
    2022-04-29T07:17:18.297+00:00

    Thanks but that's not what I'm asking. I'm asking how a Windows Hello for Business client finds domain controllers that are running on Server 2016 or above. When using key trust with WHfB you must have at least one DC that runs 2016 or above, so if you have an environment with a mixture of 2012R2 and 2016/19 DCs, how does the client find a supporting DC?


  3. Telmo Terencio 1 Reputation point
    2022-06-03T13:55:06.043+00:00

    DC Locator will be called with a DS_10 flag (DS_10 = 2016)

    C:\WINDOWS\system32>nltest /dsgetdc: /DS_10
    DC: \<DC>
    Address: \<address>
    Dom Guid: <Dom GUID>
    Dom Name: <Domain>
    Forest Name: <Forest>
    Dc Site Name: <site>
    Our Site Name: <site>
    Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_FOREST CLOSE_SITE FULL_SECRET WS DS_8 DS_9 DS_10 KEYLIST
    The command completed successfully

    Cheers


  4. Broonster 46 Reputation points
    2022-06-04T04:03:18.637+00:00

    Thanks for that.

    So if the nltest /dsgetdc: /DS_10 command doesn't find a 2016+ DC in the same site, does it just return a random 2016+ DC? We have about 150 DCs in about 70 sites but currently only about 15 of them are 2016+.
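As an added example that is not from this thread or from Microsoft, the Python script below does two things an admin checking the situation in answers 3 and 4 would want: it parses the output of the `nltest /dsgetdc: /DS_10` command quoted in answer 3 and reports whether the DC that DC Locator handed back advertises DS_10, is writable, and sits in the client's own site; and, for the follow-up in answer 4, it lists the AD sites that contain no 2016+ DC from a DC inventory. The hostnames, IP addresses, sites, GUID and inventory are constructed; `run_nltest` assumes a domain-joined Windows host with `nltest` on the path, and the inventory columns are assumed to be the `Name`, `Site` and `OperatingSystem` properties of `Get-ADDomainController`.

```python
"""Check what DC Locator returned for a DS_10 (Windows Server 2016+) request
and find AD sites with no 2016+ domain controller.

Added example for this thread; hostnames, sites, IPs and GUID are constructed.
"""
import re
import subprocess
from collections import defaultdict

# Constructed sample in the shape of the 'nltest /dsgetdc: /DS_10' output quoted
# in the thread. Here the client sits in a site (Manchester) with no 2016+ DC, so
# the locator answered with a DC from another site and did not set CLOSE_SITE.
SAMPLE_NLTEST = r"""
           DC: \\DC01.corp.example.com
      Address: \\10.0.1.10
     Dom Guid: 12345678-1234-1234-1234-123456789abc
     Dom Name: corp.example.com
  Forest Name: corp.example.com
 Dc Site Name: London
Our Site Name: Manchester
        Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_FOREST FULL_SECRET WS DS_8 DS_9 DS_10 KEYLIST
The command completed successfully
"""

# Constructed inventory (name, AD site, operating system): the three columns
# 'Get-ADDomainController -Filter * | Select Name,Site,OperatingSystem' reports.
SAMPLE_INVENTORY = [
    ("DC01", "London", "Windows Server 2019 Datacenter"),
    ("DC02", "London", "Windows Server 2012 R2 Standard"),
    ("DC03", "Manchester", "Windows Server 2012 R2 Standard"),
    ("DC04", "Manchester", "Windows Server 2012 R2 Standard"),
    ("DC05", "Leeds", "Windows Server 2016 Standard"),
]

LINE_RE = re.compile(r"\s*([A-Za-z ]+?):\s*(.*)$")


def parse_dsgetdc(text):
    """Turn the 'Key: value' lines of nltest output into a dict.

    The Flags line becomes a set of flag names so membership tests are cheap.
    Lines without a colon (e.g. the 'command completed' trailer) are skipped.
    """
    info = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        info[key] = set(value.split()) if key == "Flags" else value
    return info


def assess(info):
    """Return a list of findings about the DC the locator handed back.

    An empty list means: writable, advertises DS_10, and in the client's own site.
    """
    flags = info.get("Flags", set())
    findings = []
    if "DS_10" not in flags:
        findings.append("located DC does not advertise DS_10, so it is older than Windows Server 2016")
    if "WRITABLE" not in flags:
        findings.append("located DC is not writable (RODC)")
    dc_site, our_site = info.get("Dc Site Name"), info.get("Our Site Name")
    if "CLOSE_SITE" not in flags and dc_site != our_site:
        findings.append(f"out-of-site fallback: DC is in {dc_site}, client is in {our_site}")
    return findings


def is_2016_or_newer(os_name):
    """True for 'Windows Server 2016' and later; '2012 R2' parses as 2012."""
    m = re.search(r"Windows Server (\d{4})", os_name)
    return bool(m) and int(m.group(1)) >= 2016


def sites_without_2016(inventory):
    """Sites where no DC is 2016+, i.e. where a DS_10 lookup must leave the site."""
    by_site = defaultdict(list)
    for _name, site, os_name in inventory:
        by_site[site].append(os_name)
    return sorted(site for site, oses in by_site.items()
                  if not any(is_2016_or_newer(o) for o in oses))


def run_nltest(domain):
    """Run the real command on a domain-joined Windows host (nltest is built in)."""
    out = subprocess.run(["nltest", f"/dsgetdc:{domain}", "/DS_10"],
                         capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    info = parse_dsgetdc(SAMPLE_NLTEST)
    print("Located DC:", info["DC"], "flags:", " ".join(sorted(info["Flags"])))
    for finding in assess(info) or ["located DC is writable, DS_10-capable and in-site"]:
        print(" -", finding)
    print("Sites with no 2016+ DC:", ", ".join(sites_without_2016(SAMPLE_INVENTORY)))
```

On a real host, replace `SAMPLE_NLTEST` with `run_nltest("corp.example.com")` and feed the inventory from `Get-ADDomainController`; the out-of-site finding is the one to watch, because every site it names is one where a key-trust client has to reach a DC over a site link rather than locally.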

