This article will describe how the domain computer member locate a domain controller. Basically, the first step requires a Domain Name System (DNS) server, which contains records for each domain controller in the domain.

When the computer starts, the NetLogon service will also start automaticaly (on Default configuration). This service will run DsGetDcName application programming interface (API), which is used to locate a domain controller

The NetLogon Service then queries DNS Server for SRV Record and A record of Domain Controllers. The client then sends an LDAP search query using User  Datagram  Protocol  (UDP) to each domain controller.  Each domain controller then responds indicating that is operational.

The Netlogon service caches all of this information so that finding a domain controller in the future won’t require a repeat of this initial process. Instead, the service can simply refer to its cache to find another domain controller.

This sequence below is the details on how the Locator finds a domain controller:

  1. On the client (the computer that is locating the domain controller), the Locator is initiated as an remote procedure call (RPC) to the local Netlogon service. The Locator DsGetDcName application programming interface (API) call is implemented by the Netlogon service.
  2. The client collects the information that is needed to select a domain controller and passes the information to the Netlogon service by using the DsGetDcName call.
  3. The Netlogon service on the client uses the collected information to look up a domain controller for the specified domain in one of two ways:
    • For a DNS name, Netlogon queries DNS by using the IP/DNS-compatible Locator–that is, DsGetDcName calls the DnsQuery call to read the Service Resource (SRV) records and “A” records from DNS after it appends the domain name to the appropriate string that specifies the SRV records.
    • A workstation that is logging on to a Windows-based domain queries DNS for SRV records in the general form:

      _service._protocol.DnsDomainName
      Active Directory servers offer the Lightweight Directory Access Protocol (LDAP) service over the TCP protocol. Therefore, clients find an LDAP server by querying DNS for a record of the form:_ldap._tcp.DnsDomainName
    • For a NetBIOS name, Netlogon performs domain controller discovery by using the Microsoft Windows NT version 4.0-compatible Locator (that is, by using the transport-specific mechanism (for example, WINS).


      In Windows NT 4.0 and earlier, “discovery” is a process for locating a domain controller for authentication in either the primary domain or a trusted domain.
  4. The Netlogon service sends a datagram to the computers that registered the name. For NetBIOS domain names, the datagram is implemented as a mailslot message. For DNS domain names, the datagram is implemented as an LDAP User Datagram Protocol (UDP) search. (UDP is the connectionless datagram transport protocol that is part of the TCP/IP protocol suite. TCP is a connection-oriented transport protocol.)
  5. Each available domain controller responds to the datagram to indicate that it is currently operational and returns the information to DsGetDcName.

    Note that UDP allows a program on one computer to send a datagram to a program on another computer. UDP includes a protocol port number, which allows the sender to distinguish among multiple destinations (programs) on the remote computer.
  6. Each available domain controller responds to the datagram to indicate that it is currently operational and returns the information to DsGetDcName.
  7. The Netlogon service caches the domain controller information so that subsequent requests need not repeat the discovery process. Caching this information encourages consistent use of the same domain controller and a consistent view of Active Directory.

Source: https://support.microsoft.com/en-us/help/247811/how-domain-controllers-are-located-in-windows