How does the Windows logon process work? How is failover realized?
In Active Directory (AD) environments every Domain Controller (DC) provides logon services, so a client can log on against any DC that answers. A few dedicated functions, however, cannot be spread across several servers and are held by exactly one DC at a time; within an Active Directory domain these are called "FSMO roles" (Flexible Single Master Operations).
A user on a Windows client computer will be authenticated in the following steps:
Note: The following steps are a rough guide. Some details may be left out.
Step 1 - DC Locator Process
The client asks its nameserver for the SRV records of the LDAP service of the domain, _ldap._tcp.dc._msdcs.domain.com, and gets back a list of the names (plus priority, weight and port) of all configured DCs. Clients that know their AD site first query the site-specific name _ldap._tcp.<site>._sites.dc._msdcs.domain.com and fall back to the domain-wide record above if that returns nothing.
You can verify the result for your domain with `host -t SRV _ldap._tcp.dc._msdcs.multi.ucs` (replace the domain name with yours); in a UCS domain with three DCs the answer looks like this:

```
_ldap._tcp.dc._msdcs.multi.ucs has SRV record 0 100 389 backup.multi.ucs.
_ldap._tcp.dc._msdcs.multi.ucs has SRV record 0 100 389 slave.multi.ucs.
_ldap._tcp.dc._msdcs.multi.ucs has SRV record 0 100 389 master.multi.ucs.
```

The fields after "SRV record" are priority, weight, port and target host. With equal priority and weight, as here, all three DCs are candidates with the same chance of being picked.
Step 2 - DNS Resolution
The Windows client now picks an entry from the list of step 1 (lowest priority first, then a weighted random choice among entries of equal priority, so with the records above the choice is effectively random) and asks the nameserver for the IP address of that server (A or AAAA record).

Check this way:

```
root@master:~# host backup.multi.ucs
backup.multi.ucs has address 10.250.200.101
```
Step 3 - LDAP Ping
Now the client sends an "LDAP ping" to the selected IP address: a connectionless LDAP (CLDAP) search over UDP port 389 asking for the Netlogon attribute, with a filter that names the domain (DnsDomain=...) and the expected response version (NtVer=...). A working DC answers with a Netlogon response that tells the client, among other things, the DC's name, domain and site. If the client gets that response it assumes the server is up and uses it as %LOGONSERVER% for all further communication. If no answer arrives within the timeout, the client simply moves on to the next candidate from the SRV list. This is how failover is realized: there is no dedicated standby, every DC in DNS is a candidate, and an unreachable DC is skipped. A DC that has died therefore only causes trouble as long as its SRV and A records remain in DNS and clients keep trying it first.
Step 4 - Authenticate
Now the client authenticates the user against the selected DC with the credentials the user entered. In an AD domain this is normally Kerberos: the client requests a ticket-granting ticket (TGT) from the KDC on the logon server and then service tickets for the resources it needs; NTLM is only used as a fallback, for example when the client cannot reach a KDC or a resource is addressed by IP address instead of by name.
Step 5 - Get GPOs
The GPOs are then fetched. The client reads the policy files from the SYSVOL share, addressed as \\domain.com\SYSVOL\domain.com\Policies\{GUID}, which the DC refers (via DFS) to the SYSVOL of the logon server chosen in step 3. Please consider that GPOs are edited on the DC holding the FSMO role "PDC Emulator" (in UCS by default the master): the Group Policy Management Console connects to that DC, and a newly created or changed GPO has to be replicated from the PDC Emulator's SYSVOL to the other DCs before clients that logged on to those DCs see the change. If the PDC Emulator is down, existing GPOs are still applied from the other DCs, but editing policies fails until the role is seized or the server is back.
Step 6 - Finalize Logon
When the GPOs have been applied, the user profile is synced (if a roaming profile is configured). After this, the logon procedure is finished.
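The following script is an added example that is not part of the original article and not code from UCS or Windows; it walks through steps 1 to 3 above in plain Python so the failover behaviour can be observed: parse the SRV answer in the output format of `host -t SRV`, order the candidates by priority and weight, resolve each one, send a CLDAP Netlogon ping over UDP 389 and take the first DC that answers. The SRV lines are the ones from the article; the IP addresses of slave and master and the "master is down" situation in the demo are constructed. The message built by build_cldap_ping is a standard LDAP SearchRequest for the Netlogon attribute (filter (&(DnsDomain=<domain>)(NtVer=\06\00\00\00))), hand-encoded in BER so no LDAP library is needed.

```python
"""DC locator walk-through (added example, not UCS or Windows code).
SRV ordering per RFC 2782, then A lookup, then CLDAP "LDAP ping" over UDP 389."""
import random
import socket
from dataclasses import dataclass

# Constructed sample: the SRV answer from the article. Only backup's address is
# taken from the article; the other two addresses are assumed for the demo.
SAMPLE_HOST_OUTPUT = """\
_ldap._tcp.dc._msdcs.multi.ucs has SRV record 0 100 389 backup.multi.ucs.
_ldap._tcp.dc._msdcs.multi.ucs has SRV record 0 100 389 slave.multi.ucs.
_ldap._tcp.dc._msdcs.multi.ucs has SRV record 0 100 389 master.multi.ucs.
"""
DEMO_ADDRESSES = {
    "backup.multi.ucs": "10.250.200.101",   # from the article
    "slave.multi.ucs": "10.250.200.102",    # assumed
    "master.multi.ucs": "10.250.200.100",   # assumed
}


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_host_srv_output(text):
    """Parse lines of the form '<name> has SRV record <prio> <weight> <port> <target>.'"""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 8 and parts[1:4] == ["has", "SRV", "record"]:
            prio, weight, port = (int(p) for p in parts[4:7])
            records.append(SrvRecord(prio, weight, port, parts[7].rstrip(".")))
    return records


def order_by_priority_and_weight(records, rng=random):
    """RFC 2782: lowest priority first; equal priorities are drawn weighted-randomly."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            if total == 0:
                chosen = rng.choice(pool)
            else:
                pick, acc = rng.randint(0, total), 0
                for chosen in pool:          # first record whose running sum reaches pick
                    acc += chosen.weight
                    if acc >= pick:
                        break
            ordered.append(chosen)
            pool.remove(chosen)
    return ordered


# --- minimal BER encoding for the CLDAP SearchRequest -----------------------
def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _octets(value):
    return _tlv(0x04, value if isinstance(value, bytes) else value.encode())


def build_cldap_ping(dns_domain, message_id=1):
    """LDAPMessage { messageID, SearchRequest(base "", scope base, filter
    (&(DnsDomain=<dns_domain>)(NtVer=\\06\\00\\00\\00)), attributes [Netlogon]) }.
    NtVer 0x06 = NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX, little-endian."""
    def equality(attr, val):                 # Filter CHOICE equalityMatch [3]
        return _tlv(0xA3, _octets(attr) + _octets(val))
    filt = _tlv(0xA0, equality("DnsDomain", dns_domain)     # and [0] SET OF Filter
                + equality("NtVer", b"\x06\x00\x00\x00"))
    search = _tlv(0x63,                                      # SearchRequest [APPLICATION 3]
                  _octets("") + _tlv(0x0A, b"\x00") + _tlv(0x0A, b"\x00")
                  + _tlv(0x02, b"\x00") + _tlv(0x02, b"\x00") + _tlv(0x01, b"\x00")
                  + filt + _tlv(0x30, _octets("Netlogon")))
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + search)


def cldap_ping(ip, dns_domain, port=389, timeout=1.0):
    """Send the LDAP ping over UDP (IPv4) and report whether a BER SearchResult came back."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_cldap_ping(dns_domain), (ip, port))
        data, _ = sock.recvfrom(4096)
        return data[:1] == b"\x30"           # any LDAPMessage starts with SEQUENCE
    except OSError:                          # timeout, ICMP unreachable, ...
        return False
    finally:
        sock.close()


def locate_dc(records, dns_domain, resolve=socket.gethostbyname, ping=cldap_ping, rng=random):
    """Steps 1-3: try the ordered SRV candidates, skip dead ones, return (target, ip) or None."""
    for rec in order_by_priority_and_weight(records, rng):
        try:
            ip = resolve(rec.target)
        except OSError:
            continue
        if ip and ping(ip, dns_domain):
            return rec.target, ip
    return None


def demo_failover():
    """Constructed scenario: the master does not answer the LDAP ping, so the client
    ends up on backup or slave, whichever it drew first. Returns the chosen target."""
    down = {DEMO_ADDRESSES["master.multi.ucs"]}
    result = locate_dc(parse_host_srv_output(SAMPLE_HOST_OUTPUT), "multi.ucs",
                       resolve=DEMO_ADDRESSES.get, ping=lambda ip, _d: ip not in down)
    return result[0] if result else None


if __name__ == "__main__":
    print("offline demo, master down ->", demo_failover())
    # Against a real domain: locate_dc(parse_host_srv_output(<host output>), "multi.ucs")
```

Run it without arguments for the offline demo; to test a real domain, feed it the output of `host -t SRV _ldap._tcp.dc._msdcs.<domain>` and call locate_dc with the defaults, which use the system resolver and a real UDP ping. Note that the ping only answers the question "does this DC respond as a DC"; it does not tell you whether the DC's SYSVOL is current or whether it holds the PDC Emulator role.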