site specific SRV records

By rex.egesi@corpoflondon ·
I need to make clients in a particular AD site use a specific DC for logons. Article ID 306602 from Microsoft shows a way of doing this - has anyone tried this? Also, if this is done, how can I verify that clients are using that specific DC for logons?

by p.j.hutchison In reply to site specific SRV records

No you cannot do that. Clients will use the first or nearest Global Catalog server to authorise to.

You could use Sites and Services to create sites, put a DC into that site and get clients to use that DC on the same site.

There is no advantage of using specific DCs to logon.

by jhayesit In reply to site specific SRV records

I agree, the best way to force them to log on to a DC is by creating sites and adding the DCs to the sites. To check what DC the servers are logging on to, in the command window type set logon
However if one DC fails in the local site it will go validate to another site DC no problem.

by BFilmFan In reply to site specific SRV records

The Microsoft article you read is only applicable to AD sites which do not have a domain controller located in them. These sites are often referred to as "Subnet-only" sites. This solution will not work for sites which contain both clients and domain controllers.

There is a method to "weight" the response of domain controllers within a site. To prevent clients from sending all requests to a single domain controller, the domain controllers are assigned a priority value. Clients always send requests to the domain controller that has the lowest priority value. If more than one domain controller has the same value, the clients randomly choose from the group of domain controllers with the same value. If no domain controllers with the lowest priority value are available, then the clients send requests to the domain controller with the next highest priority.

A domain controller's priority value is stored in its registry. When the domain controller starts, the Net Logon service registers with the DNS server. The priority value is registered with the rest of its DNS information. When a client uses DNS to discover a domain controller, the priority for a given domain controller is returned to the client with the rest of the DNS information. The client uses the priority value to help determine to which domain controller to send requests.

The value is stored in the LdapSrvPriority registry entry. The default value is 0 and it can range from 0 through 65535.

The priority determines the order in which clients contact a domain controller. A value of 0x0 represents the highest priority, and a value of 0xFFFF represents the lowest priority. The highest priority domain controller should be contacted first. Lower priority domain controllers are used only when those with higher priority are not available.

When domain controllers have the same priority value, their priority weight, as specified in the value of the LdapSrvWeight entry is used to determine the ord

by BFilmFan In reply to

When domain controllers have the same priority value, their priority weight, as specified in the value of the LdapSrvWeight entry is used to determine the order in which they are contacted.

The registry key HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LdapSrvWeight, with values running between 0x0 and 0xFFFF and a default value of 0x64 (100), specifies the weight (or weighted priority) of this domain controller. The weight determines the probability that a client contacts the domain controller when it selects from among domain controllers with the same priority. Domain controllers with the highest weight are most likely to be contacted.

Clients contact domain controllers in priority order, as specified by the value of the LdapSrvPriority entry. The highest priority domain controller (the one with the lowest value of LdapSrvPriority) is contacted first.

However, when domain controllers have the same priority value, the Net Logon service selects from among them by using a statistical calculation based on the weight assigned to the domain controller. Domain controllers with the highest weight are most likely to be contacted. This method allocates contact traffic most efficiently.

The following formula calculates the probability that a client contacts a given domain controller:

LdapSrvWeight / Sum (LdapSrvWeight for DCs of that priority)

For example, if three domain controllers are each assigned the highest priority, 0x0, the probability of each being contacted is as follows:

by BFilmFan In reply to

Server   Weight   Probability
A        3        1/2 (3/6)
B        2        1/3 (2/6)
C        1        1/6

When interpreting priority and weight values, remember that priorities are inverse but weights are positive. That is, for priority, the lowest number (0x0) represents the highest priority. For weights, the highest number represents the highest weight.

When all domain controllers have the same weight, then, by convention, the value of this entry is 0x0.

This entry is used only when it appears in the registry of a domain controller.

Windows 2000 does not add this entry to the registry. You can add it by editing the registry or by using a program that edits the registry.

Net Logon records the value of this entry on the LDAP SRV records that it writes. You can view these records by using Domain Name System (DNS) dynamic update or by viewing the netlogon.dns file (Systemroot\System32\config). Also, if the value of DBFlag is 0x2080FFFF, Net Logon records the LDAP SRV records in its debugging log, Netlogon.log (Systemroot\debug).

To change the priority for DNS SRV records in the registry

1. In the Run dialog box, type regedit, and press ENTER.

2. In the registry editor, navigate to HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

3. Click Edit, click New, and then click DWORD value.

4. For the new value name, type LdapSrvPriority, and press ENTER.

5. Double-click the value name that you just typed to open the Edit DWORD Value dialog box.

6. Enter a value from 0 through 65535. The default value is 0.

7. Choose Decimal as the Base option.

8. Click OK.

9. Click File, and then click Exit to close the registry editor.
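The priority-then-weight selection described in the posts above, as an added example that is not from the thread or from Microsoft: a small Python model that groups SRV data by LdapSrvPriority, computes each DC's exact contact probability as weight / sum(weights) within the eligible group, and performs weighted draws. The host names and the priority-10 fallback DC are constructed sample values.

```python
import random
from fractions import Fraction

# Constructed sample of _ldap._tcp SRV data for one site: (target, LdapSrvPriority, LdapSrvWeight).
# Weights 3/2/1 mirror the A/B/C table above; dc-d is a constructed lower-priority fallback (default weight 0x64).
SRV_RECORDS = [
    ("dc-a.example.corp", 0, 3),
    ("dc-b.example.corp", 0, 2),
    ("dc-c.example.corp", 0, 1),
    ("dc-d.example.corp", 10, 100),
]

def contact_probabilities(records, available=None):
    """Map each eligible DC to its exact contact probability: only the lowest-numbered
    priority group among the available DCs is eligible (0 is the highest priority); within
    it P = weight / sum(weights), or uniform if every weight is 0 (the "all equal" convention)."""
    if available is not None:
        records = [r for r in records if r[0] in available]
    if not records:
        return {}
    best = min(priority for _, priority, _ in records)
    group = [(t, w) for t, p, w in records if p == best]
    total = sum(w for _, w in group)
    if total == 0:
        return {t: Fraction(1, len(group)) for t, _ in group}
    return {t: Fraction(w, total) for t, w in group}

def pick_dc(records, available=None, rng=random):
    """One weighted draw, modelling a single client's DC selection."""
    probs = contact_probabilities(records, available)
    if not probs:
        raise LookupError("no domain controller of any priority is available")
    targets = list(probs)
    return rng.choices(targets, weights=[float(probs[t]) for t in targets], k=1)[0]

def simulate(records, trials, seed=0, available=None):
    """Count how often each DC is chosen over `trials` draws (seeded, so repeatable)."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(trials):
        dc = pick_dc(records, available, rng)
        counts[dc] = counts.get(dc, 0) + 1
    return counts
```

Passing `available` as the set of DCs currently reachable shows the fallback behaviour: once every priority-0 DC is unavailable, all requests go to the priority-10 DC regardless of its weight.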

by BFilmFan In reply to

As previous commenters have suggested, it is best to create distinct AD sites. I would caution you to test these settings in a lab before introducing them into any production environment.
