Please help me understand the AD login process.

vsmith3rdvsmith3rd Member Posts: 142 ■■■□□□□□□□
My understanding of logging into Active Directory is either flawed, or not complete. To better my troubleshooting, I need some help understanding what’s happening on a step by step basis. Here's how I think it works. Please feel free to correct any mistakes, misunderstandings or out of order entries on my part.

1. Workstation boots up, queries/contacts a DHCP server to obtain or renew IP address.
2. DHCP acknowledges the request and provides an address, DNS server info, gateway, etc.
3. User gets to the login screen. User keys username/password.
4. Workstation then contacts the provided DNS server to register its address. (Q – Is this where the user sees “Applying Personal Settings?”)
5. DNS server registers the address, and provides a Domain Controller SRV record for contact. (I understand that in an environment where DNS is AD-integrated, the DNS server and DC are typically the same server)
6. Workstation contacts the DC to begin authentication. (Q – Is this where the user sees “Applying Computer Settings?”)
7. Authentication is completed, and policies are applied.
8. Successful login is achieved.


Something about my understanding of this process just doesn’t sit quite right with me. Any help is greatly appreciated. Thanks.
Certified Lunatic.

Comments

  • royalroyal Member Posts: 3,353
    This is a site I have bookmarked on how the login process works:
    http://support.microsoft.com/kb/247811

    It's also good to know how Kerberos works:
    http://technet2.microsoft.com/WindowsServer/en/library/4a1daa3e-b45c-44ea-a0b6-fe8910f92f281033.mspx?mfr=true

    This is a really good article that summarizes the Kerberos authentication process:
    http://www.serverwatch.com/tutorials/article.php/2176201
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • SieSie Member Posts: 1,195
    Just to add a comment here I found this site good for Kerberos

    http://learn-networking.com/network-security/how-kerberos-authentication-works
    Foolproof systems don't take into account the ingenuity of fools
  • bwcartybwcarty Member Posts: 422 ■■■□□□□□□□
    IP addressing and network configuration aren't really part of the AD authentication process and generally happen before the user does anything.

    DHCP isn't required, although it generally makes like easier for client computers. A static IP address and manually configured DNS settings work fine.

    Here's another good article that explains the login process, including the DNS SRV record query to find the DC. http://searchwindowssecurity.techtarget.com/news/article/0,289142,sid45_gci1010399,00.html#
    Help eradicate blood cancers with a donation to the Leukemia & Lymphoma Society.
  • vsmith3rdvsmith3rd Member Posts: 142 ■■■□□□□□□□
    Perhaps I mistyped what I truly sought to learn. I wanted to know the network connection/login process in an Active Directory environment. Including the network connection/login portion that isn't Active Directory specific. I wanted to get a feel for the source of problems during the network connection/login process, in an AD environment. A lot happens in the few seconds it takes to complete a login from boot in AD. The local boot process I know. The network specific process I'm a little in the dark.

    I thought that by learning the process, it would be the equivalent of the old proverb teaching a man to fish in one setting, as opposed to feeding a man fish in one setting. The first benefit is longer lasting.
    Certified Lunatic.
  • whistlerwhistler Member Posts: 108
    vsmith3rd wrote:
    My understanding of logging into Active Directory is either flawed, or not complete. To better my troubleshooting, I need some help understanding what’s happening on a step by step basis. Here's how I think it works. Please feel free to correct any mistakes, misunderstandings or out of order entries on my part.

    1. User boots workstation to get to the login screen.
    3. Workstation queries/contacts a DHCP server to obtain or renew IP address. (Q – Does this happen before or after the user keys in user/pass?)
    4. DHCP acknowledges and provides address, DNS server info, gateway, etc.
    5. Workstation contacts DNS server to register its address. (Q – Is this where the user sees “Applying Personal Settings?”)
    6. DNS server registers the address, and provides Domain Controller address for contact. (Q – Does the workstation query for the DC’s SRV record, or does DNS provide SRV on its own?)

    2. User keys user/pass.

    7. Workstation contacts DC to begin authentication. (Q – Is this where the user sees “Applying Computer Settings?”)
    8. Authentication is completed, and policies are applied.
    9. Successful login is achieved.

    Something about my understanding of this process just doesn’t sit quite right with me. Any help is greatly appreciated. Thanks.

    From watching the process and from what I remember learning I made a correction to the order of tasks.

    #2 is now between #6 and #7.

    If you watch the process when you boot any windows 2000 and up PC the login screen doesn't occur until after the Network and Computer settings screen.
  • blargoeblargoe Self-Described Huguenot NC, USAMember Posts: 4,174 ■■■■■■■■■□
    1. User boots workstation, windows begins to load.
    3. Workstation queries/contacts a DHCP server to obtain or renew IP address.
    ..a. DHCP acknowledges and provides address, DNS server info, gateway, etc.
    ..b. DHCP Fails. Go to 7b.
    5. Workstation contacts DNS server to register its address.
    6. DNS server registers the address
    7. Computer attempts to contact domain controller via DNS Query for SRV record.
    ..a. If successful, the computer is authenticate by the DC and domain policies are applied
    ..b. If unsuccessful, timeout will occur and computer policies fail to process.
    2. Login Prompt. User keys user/pass.
    ..a. If DC contact was successful, login is authenticated and user policies are applied
    ..b. If DC is unreachable, workstation logs in with cached credentials and no policies are applied.
    9. Successful login is achieved.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • shednikshednik Member Posts: 2,005
    blargoe wrote:
    1. User boots workstation, windows begins to load.
    3. Workstation queries/contacts a DHCP server to obtain or renew IP address.
    ..a. DHCP acknowledges and provides address, DNS server info, gateway, etc.
    ..b. DHCP Fails. Go to 7b.
    5. Workstation contacts DNS server to register its address.
    6. DNS server registers the address
    7. Computer attempts to contact domain controller via DNS Query for SRV record.
    ..a. If successful, the computer is authenticate by the DC and domain policies are applied
    ..b. If unsuccessful, timeout will occur and computer policies fail to process.
    2. Login Prompt. User keys user/pass.
    ..a. If DC contact was successful, login is authenticated and user policies are applied
    ..b. If DC is unreachable, workstation logs in with cached credentials and no policies are applied.
    9. Successful login is achieved.

    Good description...much how I thought the process was but is now confirmed for me :)
  • vsmith3rdvsmith3rd Member Posts: 142 ■■■□□□□□□□
    Oh man, I can't thank you guys enough for helping me to get a better detailed understanding of the process. I sometimes see logins hang at "Applying computer settings" and "Applying user settings."

    The "...computer settings" I thought would be related to applying policy, but I wasn't sure if it was definitely computer policies or user policies. The "...user settings" I thought to be DNS related, specifically the inability to reach a DNS server.

    I must be a geek, because I'm all giddy at getting to the bottom of this. Again, thanks x 1 million.
    Certified Lunatic.
  • TechJunkyTechJunky Member Posts: 881
    Great links everyone. I added them to my favorites. Learn something new everyday.
  • HeroPsychoHeroPsycho Inactive Imported Users Posts: 1,940
    vsmith3rd wrote:
    Oh man, I can't thank you guys enough for helping me to get a better detailed understanding of the process. I sometimes see logins hang at "Applying computer settings" and "Applying user settings."

    The "...computer settings" I thought would be related to applying policy, but I wasn't sure if it was definitely computer policies or user policies. The "...user settings" I thought to be DNS related, specifically the inability to reach a DNS server.

    I must be a geek, because I'm all giddy at getting to the bottom of this. Again, thanks x 1 million.

    If you're having long delays during those portions of the login, make sure the client has good connectivity to domain controllers, and the domain controllers aren't overloaded. Assuming you've done that, the problem is likely a problem with GPO's. Disable computer or user portions of GPO's which have no settings in those portions. For example, if you make a GPO that only has settings in the user portion, disable the computer portion.

    Also, check out the handy Group Policy Diagnostics Best Practices Analyzer:

    http://www.microsoft.com/downloads/details.aspx?FamilyId=47F11B02-8EE4-450B-BF13-880B91BA4566&displaylang=en
    Good luck to all!
  • undomielundomiel Member Posts: 2,818
    userenv logging also works good as it will give you time stamps to narrow down where things are taking the longest.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
  • blargoeblargoe Self-Described Huguenot NC, USAMember Posts: 4,174 ■■■■■■■■■□
    I'd never seen the GP Best Practices Analyzer, that's looks handy.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
Sign In or Register to comment.