Please help me understand the AD login process.

My understanding of logging into Active Directory is either flawed, or not complete. To better my troubleshooting, I need some help understanding what’s happening on a step by step basis. Here's how I think it works. Please feel free to correct any mistakes, misunderstandings or out of order entries on my part.

1. Workstation boots up, queries/contacts a DHCP server to obtain or renew IP address.
2. DHCP acknowledges the request and provides an address, DNS server info, gateway, etc.
3. User gets to the login screen. User keys username/password.
4. Workstation then contacts the provided DNS server to register its address. (Q – Is this where the user sees “Applying Personal Settings?”)
5. DNS server registers the address, and provides a Domain Controller SRV record for contact. (I understand that in an environment where DNS is AD-integrated, the DNS server and DC are typically the same server)
6. Workstation contacts the DC to begin authentication. (Q – Is this where the user sees “Applying Computer Settings?”)
7. Authentication is completed, and policies are applied.
8. Successful login is achieved.

Something about my understanding of this process just doesn’t sit quite right with me. Any help is greatly appreciated. Thanks.

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

royal

This is a site I have bookmarked on how the login process works:
http://support.microsoft.com/kb/247811

It's also good to know how Kerberos works:
http://technet2.microsoft.com/WindowsServer/en/library/4a1daa3e-b45c-44ea-a0b6-fe8910f92f281033.mspx?mfr=true

This is a really good article that summarizes the Kerberos authentication process:
http://www.serverwatch.com/tutorials/article.php/2176201

Sie

Just to add a comment here I found this site good for Kerberos

http://learn-networking.com/network-security/how-kerberos-authentication-works

bwcarty

IP addressing and network configuration aren't really part of the AD authentication process and generally happen before the user does anything.

DHCP isn't required, although it generally makes like easier for client computers. A static IP address and manually configured DNS settings work fine.

Here's another good article that explains the login process, including the DNS SRV record query to find the DC. http://searchwindowssecurity.techtarget.com/news/article/0,289142,sid45_gci1010399,00.html#

vsmith3rd

Perhaps I mistyped what I truly sought to learn. I wanted to know the network connection/login process in an Active Directory environment. Including the network connection/login portion that isn't Active Directory specific. I wanted to get a feel for the source of problems during the network connection/login process, in an AD environment. A lot happens in the few seconds it takes to complete a login from boot in AD. The local boot process I know. The network specific process I'm a little in the dark.

I thought that by learning the process, it would be the equivalent of the old proverb teaching a man to fish in one setting, as opposed to feeding a man fish in one setting. The first benefit is longer lasting.

whistler

vsmith3rd wrote:

My understanding of logging into Active Directory is either flawed, or not complete. To better my troubleshooting, I need some help understanding what’s happening on a step by step basis. Here's how I think it works. Please feel free to correct any mistakes, misunderstandings or out of order entries on my part.

1. User boots workstation to get to the login screen.
3. Workstation queries/contacts a DHCP server to obtain or renew IP address. (Q – Does this happen before or after the user keys in user/pass?)
4. DHCP acknowledges and provides address, DNS server info, gateway, etc.
5. Workstation contacts DNS server to register its address. (Q – Is this where the user sees “Applying Personal Settings?”)
6. DNS server registers the address, and provides Domain Controller address for contact. (Q – Does the workstation query for the DC’s SRV record, or does DNS provide SRV on its own?)

2. User keys user/pass.

7. Workstation contacts DC to begin authentication. (Q – Is this where the user sees “Applying Computer Settings?”)
8. Authentication is completed, and policies are applied.
9. Successful login is achieved.

Something about my understanding of this process just doesn’t sit quite right with me. Any help is greatly appreciated. Thanks.

From watching the process and from what I remember learning I made a correction to the order of tasks.

#2 is now between #6 and #7.

If you watch the process when you boot any windows 2000 and up PC the login screen doesn't occur until after the Network and Computer settings screen.

blargoe

1. User boots workstation, windows begins to load.
3. Workstation queries/contacts a DHCP server to obtain or renew IP address.
..a. DHCP acknowledges and provides address, DNS server info, gateway, etc.
..b. DHCP Fails. Go to 7b.
5. Workstation contacts DNS server to register its address.
6. DNS server registers the address
7. Computer attempts to contact domain controller via DNS Query for SRV record.
..a. If successful, the computer is authenticate by the DC and domain policies are applied
..b. If unsuccessful, timeout will occur and computer policies fail to process.
2. Login Prompt. User keys user/pass.
..a. If DC contact was successful, login is authenticated and user policies are applied
..b. If DC is unreachable, workstation logs in with cached credentials and no policies are applied.
9. Successful login is achieved.

shednik

blargoe wrote:

1. User boots workstation, windows begins to load.
3. Workstation queries/contacts a DHCP server to obtain or renew IP address.
..a. DHCP acknowledges and provides address, DNS server info, gateway, etc.
..b. DHCP Fails. Go to 7b.
5. Workstation contacts DNS server to register its address.
6. DNS server registers the address
7. Computer attempts to contact domain controller via DNS Query for SRV record.
..a. If successful, the computer is authenticate by the DC and domain policies are applied
..b. If unsuccessful, timeout will occur and computer policies fail to process.
2. Login Prompt. User keys user/pass.
..a. If DC contact was successful, login is authenticated and user policies are applied
..b. If DC is unreachable, workstation logs in with cached credentials and no policies are applied.
9. Successful login is achieved.

Good description...much how I thought the process was but is now confirmed for me

vsmith3rd

Oh man, I can't thank you guys enough for helping me to get a better detailed understanding of the process. I sometimes see logins hang at "Applying computer settings" and "Applying user settings."

The "...computer settings" I thought would be related to applying policy, but I wasn't sure if it was definitely computer policies or user policies. The "...user settings" I thought to be DNS related, specifically the inability to reach a DNS server.

I must be a geek, because I'm all giddy at getting to the bottom of this. Again, thanks x 1 million.

TechJunky

Great links everyone. I added them to my favorites. Learn something new everyday.

HeroPsycho

vsmith3rd wrote:

Oh man, I can't thank you guys enough for helping me to get a better detailed understanding of the process. I sometimes see logins hang at "Applying computer settings" and "Applying user settings."

The "...computer settings" I thought would be related to applying policy, but I wasn't sure if it was definitely computer policies or user policies. The "...user settings" I thought to be DNS related, specifically the inability to reach a DNS server.

I must be a geek, because I'm all giddy at getting to the bottom of this. Again, thanks x 1 million.

If you're having long delays during those portions of the login, make sure the client has good connectivity to domain controllers, and the domain controllers aren't overloaded. Assuming you've done that, the problem is likely a problem with GPO's. Disable computer or user portions of GPO's which have no settings in those portions. For example, if you make a GPO that only has settings in the user portion, disable the computer portion.

Also, check out the handy Group Policy Diagnostics Best Practices Analyzer:

http://www.microsoft.com/downloads/details.aspx?FamilyId=47F11B02-8EE4-450B-BF13-880B91BA4566&displaylang=en

undomiel

userenv logging also works good as it will give you time stamps to narrow down where things are taking the longest.

blargoe

I'd never seen the GP Best Practices Analyzer, that's looks handy.