AskPFEPlat: How Domain Controllers are found across forest trusts

Tom Moser answers a reasonably frequently asked question about cross-organization domain controller location, and shows his work! One key point:

This post is about the a scenario where the subnets in the two forests do not overlap (i.e., client’s IP address from forest A is not covered by any subnet in forest B). This would typically occur in resource forest scenarios with separate networks. For example: federating via trust with Microsoft online services or a trust between a corporate forest and a perimeter forest. Everything you’re about to read below assumes that the client IP from Forest A is not covered by any subnet in Forest B.

(Aside: Overlapping IP ranges is something IP (i.e. The Internet) really wasn’t designed to cope gracefully with. I also had a quick geek-out at how the Hyper-V virtual switch supports mirroring too!

First, let’s talk about how your workstation, or any domain member, finds a domain controller at startup. To demo this, I configured port mirroring on my VMs in Hyper-V and intercepted the entire network conversation on another VM. For the purposes of demonstration, I’ve filtered the traffic to just DNS, LDAP, and Netlogon responses.


Detail and commentary are at the original post: How domain controllers are located across trusts.

Posted by Tristan Kington, MSPFE Editor (currently with 800KM more south-ness!)

Comments (0)