The process that the SG follows for locating a domain controller is the same as the process that a Windows box would follow.
We retrieve a list of DCs from DNS, then do an “LDAP Ping” to determine which one to use. The SG will use the first DC that responds. However, we will not use read only domain controller even though it responds quickest to the ldap ping request.
If you have configured AD “sites”, then the SG will look for a writable DC in its own site first. If no writable DCs in the SG’s site are online, then the SG will try to find a DC from another site that is part of the same domain. The bottom line is that the SG will select a DC the same way that a Windows box will – each will choose the first DC to respond to an LDAP ping, and each will give preference to DCs that are in the local site.
i.e. in /lsa/stats
if domain controller returns this then we will not use it:
(0x287C) GLOBAL_CATALOG KDC READ_ONLY
We will use domain controller with this flag set:
(0x317C) GLOBAL_CATALOG KDC WRITEABLE
Now of course this will lead to latency if the proxy is not using the closest dc and using a dc in a different part of the world.
You can on 22.214.171.124 and above create a preferred and alternate dc to override this behavior i.e. by doing that we won’t use the ldap ping approach if the preferred and alternate dc are available and we will support readable domain controller.