May 23 2022 08:47 PM
I have 2 Active Directory Sites, the first site (Corporate) has my RW DCs, while the second (DMZ) only has a RoDC.
The two sites are separated by a firewall which allows Domain Traffic (53, 389, etc.) between my RoDC and my RWDCs. Traffic from other devices in the second site is blocked, so they can only talk to the RoDC (GC, DNS, DHCP).
If I join a device to the domain while it is connected to the Corporate site, the DynamicSiteName registry entry is set to Corporate-Site. I then move to the DMZ and attempt to log in, but it cannot find a DC to authenticate against.
I then change the DynamicSiteName to DMZ-Site and attempt to log in again; it can find the RoDC, authenticate, and everything is happy. I can restart the device and do what I like and all is well.
If I then move the device back to the Corporate-Site, DynamicSiteName gets updated automatically based on the IP address and everything is still happy.
Moving the device back to the DMZ, DynamicSiteName does not get updated, and I am unable to authenticate again until I manually update DynamicSiteName.
Obviously if I set a registry entry of "SiteName" the device can physically move between the Sites, but will always be bound to the DMZ-Site.
If I open up the firewall and allow domain traffic from the client to the RWDCs, the DynamicSiteName is updated and the user can be authenticated correctly.
What am I missing that is stopping the client from detecting the correct site and updating DynamicSiteName from the RoDC when connected to the DMZ?
Jun 01 2022 04:25 AM - edited Jun 24 2022 02:03 AM
Any update?
Jan 24 2024 04:35 AM
When a client computer logs on to the domain, the DC Locator service running on the client computer tries to search for the nearest Domain Controller by querying the local computer registry for DynamicSiteName. The site name is stored in a registry entry called “DynamicSiteName” under the HKLM\System\CurrentControlSet\Services\Netlogon\Parameters key.
The DC Locator Service uses this information to query the DNS Server to find the domain controllers in that site. It appends the site name to the query. If the DynamicSiteName registry entry is not present, or this is the first time a client computer is logging on to the domain, the DC Locator service sends out a domain-wide DNS query to find any domain controllers. Based on the subnet information, the DNS Server will return a list of domain controllers in the site closest to the client computer. After receiving a response from the DNS Server, the DC Locator stores the Site Name information under the above-mentioned registry key. Next time, the DC Locator Service doesn’t send a domain-wide DNS query. Instead, it uses DynamicSiteName to query the domain controllers in that site only.
If you want your client computers to belong to a specific site each time they log on to the domain, you should create the following registry entry on the local computer:
Hive: HKEY_LOCAL_MACHINE
Key: System\CurrentControlSet\Services\Netlogon\Parameters
Name: SiteName
Type: REG_SZ
Value: <Site>
After adding the above registry entry, the DynamicSiteName value is ignored. The DC Locator Service always uses the value stored in the SiteName registry entry to query the domain controllers in that site.
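As an added illustration (not part of the answer above), the following PowerShell reads the two Netlogon registry values described, checks whether the site-specific and domain-wide DC SRV records resolve from the client, and tests LDAP reachability of each advertised DC; the domain name is taken from the environment, and the `Set-ItemProperty` line at the end is the optional pinning step the answer describes.

```powershell
# Added example: inspect the Netlogon site values described above and
# confirm the site-specific DC SRV records resolve from this client.
# Assumes a domain-joined Windows client with the DnsClient and
# NetTCPIP modules available (Resolve-DnsName, Test-NetConnection).
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$domain = $env:USERDNSDOMAIN

function Get-NetlogonSiteInfo {
    $p = Get-ItemProperty -Path $params -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DynamicSiteName = $p.DynamicSiteName   # learned from the last DC locate
        SiteName        = $p.SiteName          # static override; wins when present
        EffectiveSite   = if ($p.SiteName) { $p.SiteName } else { $p.DynamicSiteName }
    }
}

function Test-SiteDcRecords {
    param([Parameter(Mandatory)][string]$Site)
    # DC Locator appends the site name to its query:
    #   _ldap._tcp.<Site>._sites.dc._msdcs.<domain>
    # and uses the domain-wide record when it has no site to append.
    $siteRec   = "_ldap._tcp.$Site._sites.dc._msdcs.$domain"
    $domainRec = "_ldap._tcp.dc._msdcs.$domain"
    foreach ($name in $siteRec, $domainRec) {
        $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' }
        if (-not $srv) { Write-Output "$name : no SRV records"; continue }
        foreach ($r in $srv) {
            # Check each advertised DC on the LDAP port; in the question's
            # DMZ only the RoDC is reachable, so RWDCs will show False here.
            $ok = Test-NetConnection -ComputerName $r.NameTarget -Port 389 `
                      -InformationLevel Quiet -WarningAction SilentlyContinue
            Write-Output ("{0} -> {1}:{2} reachable={3}" -f $name, $r.NameTarget, $r.Port, $ok)
        }
    }
}

$info = Get-NetlogonSiteInfo
$info | Format-List
if ($info.EffectiveSite) { Test-SiteDcRecords -Site $info.EffectiveSite }

# Optional: pin the client to one site as the answer describes (run elevated).
# Set-ItemProperty -Path $params -Name SiteName -Type String -Value 'DMZ-Site'
```

Comparing the output with `nltest /dsgetsite` shows whether the site Netlogon reports matches the registry values and whether the DCs it would pick are actually reachable through the firewall.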