lithnet / access-manager

Access Manager provides web-based access to local admin (LAPS) passwords, BitLocker recovery keys, and just-in-time administrative access to Windows computers in a modern, secure, and user-friendly way.

[HELP] JIT replication #130

Closed PrzemyslawKlys closed 2 years ago

PrzemyslawKlys commented 2 years ago

When you request JIT the user gets added to a group in AD. That's all great, but this happens near a DC. That means that by default other sites get at least a 15-minute delay (unless they have instant replication added). Do you think of any reasons this could be addressed? Such as maybe following the IP address of the computer, checking which site, and asking the specific DC directly? Service Desk agents are complaining that JIT often doesn't work - but this is my guess, where Lithnet is installed next to the Azure DC, and before it hits a site where there is another DC - they complain ;)

ryannewington commented 2 years ago

@PrzemyslawKlys

JIT is DC locator aware. First, we try and contact the JIT target computer (over SMB using DsGetDcName) to determine what DC it is actually connected to, if network connectivity allows us. If we get a response, we use that DC for the group member operation.

If we cannot contact the computer directly, we fall back to the DC locator algorithm, and use the IP address to determine the site the computer belongs to, then attempt to find any DC in that site.

If that operation fails (no subnet mapping, or no DCs in the site), then we fall back to the DC closest to the AMS server.

If you can share the log file for the JIT request operation, we can have a look together as to what is happening. Send it to support at lithnet.io

Ryan

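The three-step DC selection Ryan describes above, as an added PowerShell diagnostic for a service desk to check where a JIT grant landed and whether it has replicated to the DC the target computer actually uses. This is not Access Manager's own code; it assumes nltest.exe, the ActiveDirectory and DnsClient modules, read access to the DCs involved, and the `ip => site (subnet)` layout of `nltest /dsaddresstosite` output; the function names are mine.

```powershell
# Added diagnostic, not Access Manager code. Assumes the ActiveDirectory and
# DnsClient modules, nltest.exe and read access to the DCs involved.
function Get-JitTargetDc {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$DomainName
    )
    # 1. Ask the target computer which DC it is bound to (runs DsGetDcName on
    #    that host, the same first step AMS takes over SMB).
    $out = & nltest.exe /server:$ComputerName /dsgetdc:$DomainName 2>$null
    $hit = $out | Select-String -Pattern '^\s*DC:\s*\\\\(\S+)' | Select-Object -First 1
    if ($LASTEXITCODE -eq 0 -and $hit) {
        return [pscustomobject]@{ Dc = $hit.Matches[0].Groups[1].Value; Method = 'TargetDsGetDcName' }
    }
    # 2. Fall back to the DC locator: map the computer's IP to a site, then
    #    discover any DC in that site. The regex assumes "ip => site (subnet)".
    $ip = (Resolve-DnsName -Name $ComputerName -Type A -ErrorAction SilentlyContinue |
           Select-Object -First 1).IPAddress
    if ($ip) {
        $siteHit = & nltest.exe /dsaddresstosite:$ip 2>$null |
                   Select-String -Pattern '=>\s*([^\s(]+)' | Select-Object -First 1
        if ($siteHit) {
            $site = $siteHit.Matches[0].Groups[1].Value
            $dc = Get-ADDomainController -Discover -SiteName $site -ErrorAction SilentlyContinue
            if ($dc) { return [pscustomobject]@{ Dc = "$($dc.HostName)"; Method = "SiteLocator:$site" } }
        }
    }
    # 3. Last resort: the DC closest to the host running this script.
    $dc = Get-ADDomainController -Discover -ForceDiscover
    [pscustomobject]@{ Dc = "$($dc.HostName)"; Method = 'NearestToCaller' }
}

# Compare the JIT group's membership on the DC the target uses with the DC
# nearest the caller; a mismatch means the grant has not replicated yet.
function Test-JitMembershipReplicated {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$DomainName,
        [Parameter(Mandatory)][string]$JitGroup,   # the group AMS adds the user to
        [Parameter(Mandatory)][string]$UserSam
    )
    $target = Get-JitTargetDc -ComputerName $ComputerName -DomainName $DomainName
    $local  = "$((Get-ADDomainController -Discover -ForceDiscover).HostName)"
    $userDn = (Get-ADUser -Identity $UserSam -Server $local).DistinguishedName
    $result = foreach ($dc in @($local, $target.Dc) | Select-Object -Unique) {
        $members = (Get-ADGroup -Identity $JitGroup -Server $dc -Properties member).member
        [pscustomobject]@{ Dc = $dc; HasMember = ($members -contains $userDn) }
    }
    [pscustomobject]@{ TargetDc = $target; Membership = $result }
}
```

If `Membership` shows the user present on the caller's DC but absent on the target's DC, the "JIT doesn't work" report is replication lag rather than a failed grant.
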
PrzemyslawKlys commented 2 years ago

I'll try to provide some. Thank you. But first I'll get real input from Service Desk - was just thinking it's a bit dumber. Should have known better :-)