One of the first major tasks a domain member computer has to do when it starts is to locate a domain controller. Generally, this task requires the use of a Domain Name System (DNS) server, which contains records for each domain controller in the domain, and the Locator, a remote procedure call to the computer's local Netlogon service.
When the client computer starts, its Netlogon service starts automatically (in the default configuration). This service implements the DsGetDcName application programming interface (API), which is used to locate a domain controller.
In this context, "client computer" is any computer attempting to contact a domain controller. This definition includes member servers.
The client begins by collecting a number of pieces of information that will be used to locate a domain controller. This information includes the client's local IP address, which is used to determine the client's Active Directory site membership, the desired domain name, and a DNS server address.
Netlogon then queries the configured DNS server. Netlogon retrieves the service resource (SRV) records and host (A) records from DNS that correspond to the domain controllers for the desired domain. The general form for the queried SRV records is _service._protocol.domainname, where service is the domain service, protocol is the TCP/IP protocol, and domainname is the desired Active Directory fully qualified domain name (FQDN). For example, because Active Directory is a Lightweight Directory Access Protocol (LDAP)-compliant directory service, clients query for _ldap._tcp.domainname (or _ldap._tcp.dc._msdcs.domainname when locating the nearest domain controller).
Each domain controller in a domain will register its host name with the SRV record, so the client's query results will be a list of domain controller host names. The client also retrieves the associated A records, providing the client with the IP address of every domain controller in the domain. The client then sends an LDAP search query, via the User Datagram Protocol (UDP), to each domain controller. Each domain controller then responds, indicating that it is operational. The Netlogon service caches all of this information so that finding a domain controller in the future won't require a repeat of this initial process. Instead, the service can simply refer to its cache to find another domain controller.
After the client locates a domain controller, the client uses LDAP to access Active Directory on a domain controller, preferably one in the client's own subnet. The domain controller uses the client's IP address to identify the client's Active Directory site. If the domain controller is not in the closest site, then the domain controller returns the name of the client's site, and the client tries to find a domain controller in that site by querying DNS. If the client has already attempted to find a domain controller in that site, then the client will continue using the current, nonoptimal domain controller.
Once the client finds a domain controller it likes, it caches that domain controller's information, and the client will continue to use that domain controller for future contacts (unless the domain controller becomes unavailable).