Joined: 18 Jan 2004
Posted: 15.5.2020, 05:48 Post subject: Check and force specific DC to authenticate AD clients
It is a common struggle for AD domain admins to sometimes check and see which DC (domain controller) actually authenticated an AD domain user. Maybe while adding a NEW DC to an existing domain, and you want to make sure users will be able to use the new domain controller before you decommission the old one.
So, how do you check which domain controller (DC) authenticated a specific user?
Simply, ON THE CLIENT, open CMD and type:
Code: SET LogonServer
The variable "LOGONSERVER" holds the UNC server name of the DC that the user was authenticated against, and it is set fresh upon every user login.
How can you force a specific (or NEW) DC to authenticate users?
You can push domain controllers up or down the priority list of authentication servers. By default, an AD domain uses some internal statistical calculation to point the Net Logon service for authentication towards one of the domain's DC servers.
To manually reorder this authentication priority, you can set WEIGHT or PRIORITY in the registry on all servers, and the NET LOGON service of clients will obey your override.
So, on ALL servers (or at least on the server which you want to push UP or DOWN the priority list), ADD this registry value:
New DWORD value named: LdapSrvWeight
The higher the value, the higher on the priority list.
The default value is 64 (hex) or 100 (dec). Max is FFFF (hex).
So, for example, if you would like the NEW DC to be higher on the priority list, set this value to, for example, 200 (decimal).
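As an added example (my own script, not part of the post above), here is the check-and-adjust procedure in PowerShell: read LOGONSERVER on the client, list the DC SRV records with their Priority/Weight (which is what LdapSrvWeight and LdapSrvPriority under Netlogon\Parameters publish), and, only when run on a DC with -SetWeight, write the new weight and re-register the records. The domain name is a placeholder; replace it with your own.

```powershell
<#
  Added example, not from the original post. Assumptions, labelled:
  - $Domain is a placeholder; replace it with your AD DNS domain name.
  - LdapSrvWeight / LdapSrvPriority are read by Netlogon from
    HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters and become the
    Weight / Priority fields of the DC SRV records that clients resolve.
#>
param(
    [string]$Domain = "corp.example.test",   # placeholder, replace
    [int]$NewWeight = 200,                   # decimal; 100 (0x64) is the default
    [switch]$SetWeight                       # only writes the registry when given
)

# 1) On the client: which DC authenticated this session?
#    LOGONSERVER is re-evaluated at every interactive logon.
"Logon server for this session: $env:LOGONSERVER"

# 2) Cross-check with the DC locator (nltest ships with Windows).
nltest "/dsgetdc:$Domain" /force | Select-String "DC:"

# 3) Show the SRV records clients actually use. Lower Priority wins first;
#    among equal priorities a higher Weight gets a proportionally larger share.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
    Format-Table NameTarget, Priority, Weight, Port -AutoSize

# 4) Only on the DC you want preferred, and only when asked: set the weight
#    and have Netlogon re-register its DNS records. Re-run step 3 to confirm.
if ($SetWeight) {
    # DomainRole 4 = backup DC, 5 = primary DC; refuse to touch member machines.
    $role = (Get-CimInstance Win32_ComputerSystem).DomainRole
    if ($role -lt 4) { throw "This machine is not a domain controller; not changing anything." }
    if ($NewWeight -lt 0 -or $NewWeight -gt 0xFFFF) { throw "Weight must be 0..65535 (FFFF hex)." }

    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    if (Get-ItemProperty -Path $params -Name LdapSrvWeight -ErrorAction SilentlyContinue) {
        Set-ItemProperty -Path $params -Name LdapSrvWeight -Value $NewWeight -Type DWord
    } else {
        New-ItemProperty -Path $params -Name LdapSrvWeight -Value $NewWeight -PropertyType DWord | Out-Null
    }
    nltest /dsregdns   # ask Netlogon to re-register the SRV records now
    "LdapSrvWeight set to $NewWeight on $env:COMPUTERNAME"
}
```

Run it elevated on the DC for step 4; steps 1 to 3 work from any domain-joined client and are the quickest way to verify that the new DC is being picked before the old one is decommissioned.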