Hello,
Thank you for posting in the Q&A forum.
It seems like you're encountering the dynamics of domain controller selection and user authentication in your Active Directory environment. The following may be helpful with your questions.
1. Domain Controller Selection: When a member server (or any domain-joined client) needs to authenticate a user, it will contact a domain controller (DC) to verify credentials. The selection of which DC to use can depend on several factors:
(1) DNS Configuration: The member server typically uses DNS to locate domain controllers. Ensure that DNS settings on the member server point to both DCs in your domain for redundancy.
(2) Site Awareness: Active Directory Sites and Services configuration determines which DCs are preferred based on network topology and site definitions. DCs in the same site as the member server are preferred.
(3) Availability and Responsiveness: The member server will choose a DC that responds the quickest and is available.
2. User Authentication: Once a DC is selected, the user's credentials are validated against the Active Directory database on that DC. This process ensures that the user is authenticated regardless of which member server they log in to, as long as they are accessing resources within the same domain.
3. Impact of User Privileges: User1 being a local admin on the member server doesn't affect which DC handles authentication. Authentication is always handled by a DC, and the member server's local admin privileges only impact what actions User1 can perform locally on that server.
4. Verification with nltest: Using nltest /dsgetdc: helps verify which DC the member server is currently using for authentication requests. It's normal to see different DCs being used based on factors like site affinity and load balancing.
In summary, authentication in Active Directory is primarily user-based and relies on the member server's configuration (DNS settings, site membership) to determine which DC to contact. The server itself doesn't authenticate users locally but relies entirely on domain controllers for this task. If you have specific concerns about authentication behavior or want to enforce DC preference, reviewing DNS settings and site configurations within Active Directory Sites and Services can help optimize and clarify the process.
I hope the information above is helpful.
Best Regards,
Yanhong Liu
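The checks from points 1 and 4 above collected into one script, as an added example that is not part of the original answer. The function name Get-DcLocatorSnapshot is hypothetical, and the script assumes English-language nltest output, an elevated session, and DCs that also host DNS for the domain.

```powershell
# Added example (not from the original answer). Run elevated on the domain-joined member server.
# Assumptions: English-language nltest output; the DCs also host DNS for the domain.
function Get-DcLocatorSnapshot {   # hypothetical helper name
    param([string]$Domain = (Get-CimInstance Win32_ComputerSystem).Domain)

    # AD site the member server believes it belongs to (first line of nltest /dsgetsite).
    $site = nltest /dsgetsite 2>$null | Select-Object -First 1
    if ($site) { $site = $site.Trim() }

    # DC the locator returns right now, and the DC holding the machine's secure channel.
    $loc = nltest "/dsgetdc:$Domain" 2>$null | Select-String '^\s*DC:\s*\\\\(\S+)' | Select-Object -First 1
    $sc  = nltest "/sc_query:$Domain" 2>$null | Select-String 'Trusted DC Name\s+\\\\(\S+)' | Select-Object -First 1

    # DCs advertised in DNS: domain-wide SRV records, then the site-specific ones.
    $srv = { param($n) Resolve-DnsName -Name $n -Type SRV -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget } | Sort-Object -Unique }
    $allDcs  = @(& $srv "_ldap._tcp.dc._msdcs.$Domain")
    $siteDcs = if ($site) { @(& $srv "_ldap._tcp.${site}._sites.dc._msdcs.$Domain") } else { @() }

    # Compare the DNS servers configured on this host with the DCs' IPv4 addresses.
    $dnsServers = @(Get-DnsClientServerAddress -AddressFamily IPv4 |
                    ForEach-Object { $_.ServerAddresses } | Sort-Object -Unique)
    $dcIps = @($allDcs | ForEach-Object {
                   Resolve-DnsName -Name $_ -Type A -ErrorAction SilentlyContinue } |
               Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress } | Sort-Object -Unique)

    [pscustomobject]@{
        Domain           = $Domain
        Site             = $site
        LocatorDC        = if ($loc) { $loc.Matches[0].Groups[1].Value }
        SecureChannelDC  = if ($sc)  { $sc.Matches[0].Groups[1].Value }
        UserLogonServer  = $env:LOGONSERVER   # server recorded for the current user's logon session
        DCsInDns         = $allDcs
        DCsInSite        = $siteDcs
        DnsServers       = $dnsServers
        DcsNotUsedAsDns  = @($dcIps | Where-Object { $_ -notin $dnsServers })
        DnsServersNotDcs = @($dnsServers | Where-Object { $_ -notin $dcIps })
    }
}

Get-DcLocatorSnapshot | Format-List
```

A non-empty DcsNotUsedAsDns or DnsServersNotDcs points at the DNS redundancy item in point 1 (1), and an empty DCsInSite means no DC is registered for the member server's site.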