Windows OS Hub

November 10, 2022 | Active Directory, Windows 10, Windows Server 2019

Find Domain Controller (Logon Server) You Authenticated to

Sometimes you may want to find out which domain controller your computer is authenticated to (your Logon Server). This can come in handy when there are issues applying Group Policies or when users complain about slow logons. A user’s computer may be authenticated to the wrong domain controller if the nearest DC is not available, the firewall is blocking access to it, Active Directory sites or subnets are misconfigured, or there are problems with DNS. As a result, the user may get all GPO settings, scripts, etc. from some other DC instead of the nearest one. This may result in slow GPO processing, slow software deployment, etc.

Contents:
  • How to Identify Which DC a Computer is Authenticated to?
  • How Windows Finds the Closest Domain Controller?

How to Identify Which DC a Computer is Authenticated to?

You can find the domain controller you logged on through in several ways:

  • From the command prompt: set log
    LOGONSERVER=\\MUN-DC02
  • In the output of the following command: systeminfo | find /i "logon server"
  • From the environment variable: echo %logonserver%
  • You can also get the value of the environment variable using PowerShell: $env:LOGONSERVER
  • In the output of the gpresult /r command:
    Group Policy was applied from: MUN-DC02
  • The nltest tool shows the domain controller a computer authenticated to (user and computer logon servers may sometimes differ). Nltest also lets you check the trust relationship between the computer and the domain controller, and shows the name of the Active Directory site the DC belongs to (Dc Site Name): nltest /DSGETDC:woshub.com

If you logged on to a computer using a local account, the LogonServer variable will contain the name of your computer instead of the domain controller name.

If you know the domain controller, you can get user information from the logon DC security logs (for example, the user’s logon history to the domain and other logs).

You can automatically write information on which domain controller a user is authenticated to in the computer description in Active Directory. So, you can quickly get the LogonServer for a specific computer from AD without accessing a computer over the network or locally.

How Windows Finds the Closest Domain Controller?

The NetLogon service is responsible for discovering the LogonServer when Windows is booting. The service must be running:

get-service netlogon


In a simplified way, the process of finding a domain controller by the Windows client looks like this:

  1. At Windows boot, NetLogon sends a DNS query to get a list of domain controllers (SRV record _ldap._tcp.dc._msdcs.domain);
  2. DNS returns a list of DCs in the domain;
  3. The client sends an LDAP query to the DC to get an AD site by its IP address;
  4. The DC returns the AD site that matches the client’s IP or the closest site (this information is cached in the registry: HKLM\System\CurrentControlSet\Services\Netlogon\Parameters and used at the next logon for a faster search);
  5. The client requests a list of domain controllers on the target site via DNS (under the _tcp.sitename._sites...);
  6. Windows sends requests to all DCs on the AD site and the first one that responds is used as a LogonServer to perform authentication.
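
The DNS side of the steps above can be reproduced by hand to see which DCs a client is offered domain-wide and for its own site. This is an added example, not code from the original article; the function name is hypothetical, the SiteName/DynamicSiteName registry values under the Netlogon Parameters key are assumed to hold the cached site, and a TCP connect to port 389 stands in for the real discovery request in step 6.

```powershell
# Added example. Run on a domain-joined computer.
function Get-DcLocatorCandidate {
    param(
        [string]$Domain = (Get-CimInstance Win32_ComputerSystem).Domain,
        [string]$Site
    )
    if (-not $Site) {
        # Step 4: site name cached by Netlogon. SiteName is a manual override,
        # DynamicSiteName is the value learned from a DC (assumed value names).
        $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        $Site = if ($p.SiteName) { $p.SiteName } else { $p.DynamicSiteName }
    }
    # Steps 1-2 (domain-wide list) and step 5 (site-specific list)
    $queries = [ordered]@{ Domain = "_ldap._tcp.dc._msdcs.$Domain" }
    if ($Site) { $queries['Site'] = "_ldap._tcp.${Site}._sites.dc._msdcs.$Domain" }

    $current = $env:LOGONSERVER -replace '^\\\\', ''
    foreach ($scope in $queries.Keys) {
        try {
            $srv = Resolve-DnsName -Name $queries[$scope] -Type SRV -ErrorAction Stop |
                Where-Object { $_.Type -eq 'SRV' }
        } catch {
            # A missing site-specific record set points at DNS or site/subnet misconfiguration
            Write-Warning "No SRV answer for $($queries[$scope]): $($_.Exception.Message)"
            continue
        }
        foreach ($r in $srv | Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true }) {
            [pscustomobject]@{
                Scope         = $scope
                Target        = $r.NameTarget
                Priority      = $r.Priority
                Weight        = $r.Weight
                # Step 6 approximated with a TCP connect to the LDAP port
                LdapReachable = Test-NetConnection -ComputerName $r.NameTarget -Port 389 `
                                    -InformationLevel Quiet -WarningAction SilentlyContinue
                IsLogonServer = ($r.NameTarget -split '\.')[0] -eq $current
            }
        }
    }
}

Get-DcLocatorCandidate | Format-Table -AutoSize
```

If the current logon server appears only in the Domain scope and never in the Site scope, the client authenticated outside its own site.
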
You can switch your computer to another logon server (AD domain controller) manually with the command:

nltest /SC_RESET:WOSHUB\MUN-DC02.woshub.com


Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\MUN-DC02.woshub.com
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

If the specified DC is not available, an error will appear:

I_NetLogonControl failed: Status = 1311 0x51f ERROR_NO_LOGON_SERVERS

If none of the domain controllers is available or the computer is disconnected from the network, the following message appears when a user logs on:

There are currently no logon servers available to service the logon request.

You can log on to such a computer using domain user cached credentials only.

You can find out the closest domain controller according to the site hierarchy, subnet, and weight using the Get-ADDomainController cmdlet from the Active Directory module for Windows PowerShell:

Get-ADDomainController -Discover -NextClosestSite

This will allow you to find the name of the domain controller through which the computer should authenticate. If it differs from the current one, you will have to troubleshoot this.
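
The comparison described above can be scripted so that it reports the user's logon server, the DC holding the computer's secure channel, and the DC the locator considers closest in one object. This is an added example, not code from the original article; the function name and Status values are hypothetical, and it assumes nltest /SC_QUERY prints the same "Trusted DC Name" line shown in the /SC_RESET output earlier.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) on a domain-joined computer.
Import-Module ActiveDirectory

function Compare-LogonServer {
    param([string]$Domain = (Get-CimInstance Win32_ComputerSystem).Domain)

    # Strip leading \\ and the DNS suffix so names from different sources compare equal
    $short = { param($n) (("$n" -replace '^\\\\', '') -split '\.')[0].ToUpper() }

    $userDc = & $short $env:LOGONSERVER            # DC that logged the user on
    $scText = nltest "/SC_QUERY:$Domain" 2>&1 | Out-String
    $machineDc = if ($scText -match 'Trusted DC Name\s+(\S+)') { & $short $Matches[1] }

    # DC and site that the locator considers closest for this client
    $closest = Get-ADDomainController -Discover -NextClosestSite -DomainName $Domain

    $result = [ordered]@{
        Computer    = $env:COMPUTERNAME
        UserLogonDC = $userDc
        MachineDC   = $machineDc
        ClosestDC   = (& $short ($closest.HostName | Select-Object -First 1))
        ClosestSite = $closest.Site
        LogonDCSite = $null
        Status      = 'OK'
    }
    if ($userDc -eq $env:COMPUTERNAME.ToUpper()) {
        # Local account logon: LOGONSERVER holds the computer name, not a DC
        $result.Status = 'LocalLogon'
    } else {
        $result.LogonDCSite = (Get-ADDomainController -Identity $userDc -Server $Domain).Site
        # Any DC in the closest site is acceptable; only a different site is a finding
        if ($result.LogonDCSite -ne $closest.Site) { $result.Status = 'WrongSite' }
    }
    [pscustomobject]$result
}

Compare-LogonServer
```

The check compares sites rather than host names because a site with several DCs can legitimately hand out any of them.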
