I work with a Windows domain that has many domain controllers (DCs). I'm looking to remove some of these, but I know there are some applications that are hard-coded to use a specific domain controller for authentication. I don't know what these applications are, however. How can I determine which applications could be set to use a single domain controller, so I can prevent an outage when that DC goes offline?
Shut down each DC for a couple of days and wait for the screams.
Seriously, it's the only way.
Whoever/whatever wants to talk to Active Directory should be able to find a domain controller using the proper process. But some application developers are definitely foolish enough to want a statically-defined DC; well, it's their fault, and they should pay for it.
But you, as an AD administrator, have absolutely no way of knowing if an application is talking to a specific DC because it actually looked it up the proper way, or because someone configured it statically.
Sadly, shutting down each DC and checking if anything stops working is the only way.
Another method to try to identify those servers might be to run something like Network Monitor on the domain controllers and run a capture, filtering for authentication traffic. You could then further filter by the IP addresses of your servers to narrow the displayed results. The trick is going to be determining what authentication traffic is related to your applications. Look for
AS Request Cname
traffic that contains a username, such as in the screenshot below, and investigate that. Admittedly, I've never had to do this, but this is certainly one method I would try.
One thing you could do is remove the A record and the other DNS mnemonics. This would result in the usual DNS records for a DC not being registered, and not returned for normal authentication or group policy connections. Then run a packet capture to identify where any traffic may be originating from.
How to optimize the location of a domain controller or global catalog that resides outside of a client's site
http://support.microsoft.com/kb/306602
This is typically what is done for a hub-and-spoke topology. For a spoke site, you would not want the DC to register DNS records so that only the clients in that site would connect to it. After you configure this, normal authentication traffic should be minimized for the domain controller.
From: blogs.technet.com/...
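The two approaches above (finding out who actually authenticates against the DC, then hiding it from the DC locator so that only hard-coded clients keep using it) can be scripted together. The following PowerShell is an added example, not code from any of the answers or from the linked KB article. It assumes you run it as an administrator on the DC you plan to retire, that Kerberos and NTLM auditing is enabled so that events 4768/4769/4776 appear in the Security log, that the mnemonic list matches the one in KB 306602 for your Windows Server version, and that the function names, the domain `corp.example.com` and the host `dc07` are placeholders of mine.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original answers). Run on the DC you intend to retire.
# Assumed: Kerberos/NTLM auditing is enabled in the Security log, and the mnemonic
# list below matches KB 306602 for your Windows Server version.

# Step 1: list the clients that actually authenticated against THIS DC.
# Reads the DC's own Security log instead of a packet capture: 4768 (TGT request)
# and 4769 (service ticket request) carry the client IP; 4776 (NTLM validation)
# carries only the workstation name. A host that keeps showing up after the DC is
# hidden from DNS (step 2) and is not in this DC's own site is a candidate for a
# hard-coded DC name.
function Get-DcAuthenticationSources {
    param([int]$HoursBack = 24)
    $filter = @{ LogName = 'Security'; Id = 4768, 4769, 4776; StartTime = (Get-Date).AddHours(-$HoursBack) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($_.Id -eq 4776) {
            [pscustomobject]@{ Source = $data['Workstation']; Protocol = 'NTLM'; Account = $data['TargetUserName'] }
        } else {
            # IPv4 clients are logged as IPv4-mapped IPv6 addresses (::ffff:a.b.c.d)
            [pscustomobject]@{ Source = ($data['IpAddress'] -replace '^::ffff:', ''); Protocol = 'Kerberos'; Account = $data['TargetUserName'] }
        }
    } | Group-Object Source, Protocol | Sort-Object Count -Descending | Select-Object Count,
        @{ n = 'Source';   e = { $_.Group[0].Source } },
        @{ n = 'Protocol'; e = { $_.Group[0].Protocol } },
        @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique) -join ', ' } }
}

# Step 2: stop this DC from registering the site-independent locator records
# (KB 306602, Netlogon DnsAvoidRegisterRecords). Clients in other sites then stop
# finding it through the normal DC locator; the site-specific (*AtSite) records
# stay, so clients in the DC's own site still use it. DsaCname is deliberately NOT
# in the list: replication partners resolve the DC through that CNAME and would
# break. LdapIpAddress is the domain's own A record ("the A record" in the answer
# above); GcIpAddress is the _msdcs GC A record.
$SiteIndependentMnemonics = @(
    'Ldap', 'LdapIpAddress', 'Gc', 'GcIpAddress', 'GenericGc', 'Kdc', 'Dc', 'DcByGuid',
    'Rfc1510Kdc', 'Rfc1510UdpKdc', 'Rfc1510Kpwd', 'Rfc1510UdpKpwd'
)
function Set-DcDnsAvoidRegisterRecords {
    param([string[]]$Mnemonics = $SiteIndependentMnemonics)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    Set-ItemProperty -Path $key -Name 'DnsAvoidRegisterRecords' -Value $Mnemonics -Type MultiString
    Restart-Service -Name Netlogon -Force   # Netlogon re-reads the list on start
}

# Step 3: confirm the DC is no longer advertised in the domain-wide SRV record.
# Run this from a client in another site rather than on the DC itself. Records
# already in DNS are not guaranteed to vanish immediately: delete any that remain
# by hand in DNS Manager (or wait for scavenging) and re-check.
function Test-DcAdvertised {
    param([Parameter(Mandatory)][string]$DomainName, [Parameter(Mandatory)][string]$DcHostName)
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop |
        Where-Object { $_.NameTarget -like "$DcHostName*" } |
        Select-Object Name, NameTarget, Priority, Weight
}

# Usage (placeholder domain/host): baseline, hide the DC, wait a day or two, then
# see who still talks to it. Anything left that is outside this DC's site found it
# without the locator records, i.e. it is configured with the DC name directly.
Get-DcAuthenticationSources -HoursBack 24 | Format-Table -AutoSize
Set-DcDnsAvoidRegisterRecords
Test-DcAdvertised -DomainName 'corp.example.com' -DcHostName 'dc07'   # expect no rows once DNS is clean
Get-DcAuthenticationSources -HoursBack 48 | Format-Table -AutoSize
```

If 4768/4769 do not appear, enable the "Audit Kerberos Authentication Service" and "Audit Kerberos Service Ticket Operations" subcategories (advanced audit policy) on the DC first. The same DnsAvoidRegisterRecords list can be pushed by Group Policy under Computer Configuration > Administrative Templates > System > Net Logon > DC Locator DNS Records instead of editing the registry. Remember that step 2 only hides the DC from the locator; it does nothing to a client that already has the DC's hostname in a config file, which is exactly why those clients are the ones that remain in the step 3 list.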