How the NextClosestSiteFilter Works
Based on work by Jairo Cadena
An Active Directory MVP recently asked for additional details about the NextClosestSiteFilter registry setting. That led to an explanation provided by Jairo Cadena of the Active Directory product group. Since it was such an excellent explanation I thought I would share it here.
The NextClosestSiteFilter is a registry setting that DC Locator uses to filter sites that have read-only domain controllers when NextClosestSite is enabled. For background information, see http://technet.microsoft.com/en-us/library/dd736918(WS.10).aspx.
The following is Jairo’s explanation of how they work together.
The NextClosestSiteFilter setting is used by the domain controller (DC) when it creates the site map in memory, which contains the sites with their respective next closest sites. This information is passed to the client through the LDAP ping.
To illustrate the NextClosestSiteFilter feature, see the following diagram. (We apparently cannot provide images in the wiki yet, so I will sketch out a simple ring site topology instead.) The sites are named PDC Site, RODC Site and Client Site. The cost between PDC Site and RODC Site is 100, between PDC Site and Client Site is 100, and between Client Site and RODC Site is 50.
The NextClosestSite is a client-side setting, whereas the NextClosestSiteFilter is a server-side setting. This table describes the values for this setting.
HKLM\System\CurrentControlSet\Services\Netlogon\Parameters
DWORD: NextClosestSiteFilter
| Value | Description |
| 0 | DC Locator does not apply NextClosestSiteFilter. |
| 1 | DC Locator filters sites that contain only RODCs. If an RODC is deployed in the same site as a writeable domain controller, DC Locator still considers that site as a possible next closest site. |
| 2 (default) | DC Locator filters sites that contain at least one RODC. Even if a writeable domain controller is deployed in the same site as an RODC, DC Locator does not consider that site as a possible next closest site. |
          PDC Site (PDC)
          /            \
        100            100
        /                \
RODC Site (RODC) ---- 50 ---- Client Site (ReplDC, Client)
If ReplDC does not satisfy a DC Locator client request that has the TRY_NEXT_CLOSEST_SITE_FLAG flag set (for example, the client is requesting a GTimeServ and ReplDC is not one), ReplDC will be returned by DNS to the client as a DC in its site and the client will LDAP-ping ReplDC. ReplDC will tell the client that it is not a GTimeServ and will tell the client that its next closest site is PDC Site if NextClosestSiteFilter is not set on *ReplDC* or has a value of 2. If NextClosestSiteFilter is set to 0 on *ReplDC*, then RODC Site will be returned to the client as the next closest site. The DC Locator client piece on the client will then do a site-specific query to DNS to get a DC that satisfies the original DC Locator call.
The interesting case is when the client does not have any DC in its own site. This is the same setup as before, but now ReplDC and PDC are both in PDC Site and Client Site has no DC, only the Client computer.
          PDC Site (ReplDC, PDC)
          /            \
        100            100
        /                \
RODC Site (RODC) ---- 50 ---- Client Site (Client only, no DC)
In this case, DC Locator on the client will query DNS for the global records (as there are no DCs in Client Site), and whichever writable DC answers, or whichever RODC registers global records (that is, an RODC whose RegisterSiteSpecificRecordsOnly registry setting is 0), will be LDAP-pinged by the client. This pinged DC will tell the client which site is the closest (if the TRY_NEXT_CLOSEST_SITE flag is in the original DC Locator call). Which site is reported as the closest depends on the value of NextClosestSiteFilter on the DC that is pinged. So if the DCs that register global records in DNS have different values for this setting, the response may be different each time.
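The following Python model is an added example, not code from the article or from Microsoft. It builds the per-DC site map described above (each site and its next closest site) for each NextClosestSiteFilter value in the table, then replays both scenarios: ReplDC in Client Site answering with its next closest site, and a client with no local DC getting different answers from DCs whose registry values differ. The topology, DC inventory, and function names (`build_site_map`, `responses_by_pinged_dc`) are constructed for illustration, and computing site distance as the cheapest path over site link costs is an assumed simplification of what DC Locator actually does.

```python
"""Model of how a DC's NextClosestSiteFilter value changes the site map it hands
out in LDAP-ping responses. Added example: the topology and DC inventory below
are constructed from the article's ring diagram, not read from a real forest,
and the cost model (cheapest path over site link costs) is an assumption."""
import heapq

# Constructed topology, first scenario: site -> number of writable DCs and RODCs.
SITES = {
    "PDC Site": {"writable": 1, "rodc": 0},     # PDC
    "RODC Site": {"writable": 0, "rodc": 1},    # RODC
    "Client Site": {"writable": 1, "rodc": 0},  # ReplDC and the Client computer
}
# Second scenario: ReplDC moved next to PDC, Client Site has no DC at all.
SITES_NO_LOCAL_DC = {
    "PDC Site": {"writable": 2, "rodc": 0},     # ReplDC and PDC
    "RODC Site": {"writable": 0, "rodc": 1},    # RODC
    "Client Site": {"writable": 0, "rodc": 0},  # Client only
}
# Constructed site links with the costs from the article's diagram.
LINKS = [
    ("PDC Site", "Client Site", 100),
    ("PDC Site", "RODC Site", 100),
    ("Client Site", "RODC Site", 50),
]
DEFAULT_FILTER = 2  # the mode DC Locator uses when the registry value is absent


def effective_filter(registry_value):
    """Map the raw DWORD (None when the value is absent) to the filter mode."""
    if registry_value is None:
        return DEFAULT_FILTER
    if registry_value not in (0, 1, 2):
        raise ValueError(f"unsupported NextClosestSiteFilter value {registry_value}")
    return registry_value


def site_is_candidate(site_info, filter_value):
    """Decide whether a site may be offered as a next closest site."""
    has_writable = site_info["writable"] > 0
    has_rodc = site_info["rodc"] > 0
    if filter_value == 0:                 # no filtering: any site that has a DC
        return has_writable or has_rodc
    if filter_value == 1:                 # drop sites that contain only RODCs
        return has_writable
    return has_writable and not has_rodc  # 2: drop any site containing an RODC


def site_costs(links, start):
    """Dijkstra over site link costs; returns {site: cheapest total cost}."""
    adjacency = {}
    for a, b, cost in links:
        adjacency.setdefault(a, []).append((b, cost))
        adjacency.setdefault(b, []).append((a, cost))
    costs = {start: 0}
    heap = [(0, start)]
    while heap:
        cost, site = heapq.heappop(heap)
        if cost > costs.get(site, float("inf")):
            continue
        for neighbour, link_cost in adjacency.get(site, []):
            new_cost = cost + link_cost
            if new_cost < costs.get(neighbour, float("inf")):
                costs[neighbour] = new_cost
                heapq.heappush(heap, (new_cost, neighbour))
    return costs


def build_site_map(sites, links, registry_value):
    """The site map one DC keeps in memory: site -> next closest site under its filter."""
    filter_value = effective_filter(registry_value)
    site_map = {}
    for site in sites:
        costs = site_costs(links, site)
        candidates = [
            (cost, other) for other, cost in costs.items()
            if other != site and site_is_candidate(sites[other], filter_value)
        ]
        # Cheapest candidate wins; equal costs are broken by site name for determinism.
        site_map[site] = min(candidates)[1] if candidates else None
    return site_map


def responses_by_pinged_dc(sites, links, client_site, dc_filters):
    """Next closest site each pinged DC reports for client_site; dc_filters maps
    DC name -> that DC's NextClosestSiteFilter registry value (None = absent)."""
    return {dc: build_site_map(sites, links, value)[client_site]
            for dc, value in dc_filters.items()}


if __name__ == "__main__":
    for value in (None, 0, 1, 2):
        print(f"NextClosestSiteFilter={value!r}: {build_site_map(SITES, LINKS, value)}")
    print(responses_by_pinged_dc(SITES_NO_LOCAL_DC, LINKS, "Client Site",
                                 {"PDC": 2, "ReplDC": 0}))
```

Running it shows the behaviour the text describes: with the default (absent or 2) ReplDC reports PDC Site as the next closest site for Client Site, with 0 it reports the cheaper RODC Site, and in the no-local-DC scenario two DCs with different values give the client different answers.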
One quick test that one can do to visualize this behavior on the DC is:
- On a DC, enable NetLogon logging with the SITE scope, i.e. nltest.exe /dbflag:0x2802FFFF
- Go to the registry and change the value of NextClosestSiteFilter to 0 (to take RODC sites into account)
- If there are sites with RODCs, you can see the corresponding entries in %SystemRoot%\Debug\NetLogon.log
- After changing the value to 2 (the default) or removing the setting on the DC, you can see in NetLogon.log that RODC sites are ignored
When we have images available I will update this article with site topology images and snips from the netlogon logs.