AskPFEPlat: How Domain Controllers are found across forest trusts
Tom Moser answers a reasonably frequently asked question about cross-organization domain controller location, and shows his work! One key point:
This post is about the a scenario where the subnets in the two forests do not overlap (i.e., client’s IP address from forest A is not covered by any subnet in forest B). This would typically occur in resource forest scenarios with separate networks. For example: federating via trust with Microsoft online services or a trust between a corporate forest and a perimeter forest. Everything you’re about to read below assumes that the client IP from Forest A is not covered by any subnet in Forest B.
(Aside: Overlapping IP ranges is something IP (i.e. The Internet) really wasn’t designed to cope gracefully with. I also had a quick geek-out at how the Hyper-V virtual switch supports mirroring too!
First, let’s talk about how your workstation, or any domain member, finds a domain controller at startup. To demo this, I configured port mirroring on my VMs in Hyper-V and intercepted the entire network conversation on another VM. For the purposes of demonstration, I’ve filtered the traffic to just DNS, LDAP, and Netlogon responses.
)
Detail and commentary are at the original post: How domain controllers are located across trusts.
Posted by Tristan Kington , MSPFE Editor (currently with 800KM more south-ness!)