How exactly the DC Locator process works on Azure AD Joined devices?

Question

How exactly the DC Locator process works on Azure AD Joined devices?

Ernesto Mayol 16

Hello,

We currently have Azure AD Joined devices, using hybrid identity for the users via Windows Hello for Business Certificate Trust. This setup allows users to SSO to applications federated to Azure AD using PRT, while also supporting SSO to legacy applications on premises that just support Kerberos/NTLM.

What I am looking to understand is how exactly does the DCLocator process works on Azure AD joined devices when there is a need to talk to a DC (e.g. get a TGT or TGS). The following article describes the process very well for AD joined devices, but what about AAD when there is no concept of site? Any articles that can describe how this works? Does the machine just do a DNS query to the domain to get any DC on the domain? Any referenced documentation will also be appreciated.

[https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/enabling-clients-to-locate-the-next-closest-domain-controller

Thameur-BOURBITA 36,261 Reputation points Moderator

2023-01-19T10:13:10.5833333+00:00

Just checking if there a update.
Stephen Cooper 11 Reputation points

2023-11-06T14:41:26.2833333+00:00

Hello,

On a similar theme, I've got a bit of an issue hitting on-prem services from an AADJ device using the Global Secure Access client (specifically obtaining a TGT). I can work around it by binding to a DC with KLIST for example, but obviously its not really a legitimate/scalable solution. Interested to know how others are accommodating hybrid user identities and born in the cloud device IDs with GSA/Entra PA.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

1 answer

Your answer

Thameur-BOURBITA 36,261 Reputation points Moderator

2023-01-19T10:13:10.5833333+00:00

Just checking if there a update.
Stephen Cooper 11 Reputation points

2023-11-06T14:41:26.2833333+00:00

Hello,

On a similar theme, I've got a bit of an issue hitting on-prem services from an AADJ device using the Global Secure Access client (specifically obtaining a TGT). I can work around it by binding to a DC with KLIST for example, but obviously its not really a legitimate/scalable solution. Interested to know how others are accommodating hybrid user identities and born in the cloud device IDs with GSA/Entra PA.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Answer 1

Hi,

The Dclocator process let windows client to identify the closest doain controller based on its IP address and the sites and services configuration in active directory.
If you want force your device to contact one of your closest domain controller , you have to add its subnet in the closest AD site.

The image below explain the dclocator process and how a client can identify the closest domain controller:

AD client DC locator steps

Please don't forget to accept helpful reply as answer in order to close your thread and help community to identify the correct answer

Share via

How exactly the DC Locator process works on Azure AD Joined devices?

1 answer

Your answer