INFO: Fine Tuning Net Logon's SRV Resource Record (RR) registrations

In large branch office deployments it can become necessary to control which Domain Name System (DNS) Resource Records (RR) are registered by Domain Controllers (DC), as well as the weight and priority of these records. This article discusses the settings and methods available for such configurations.

Configuring which DCs register generic SRV records

In large branch office deployments it can become necessary to control which Domain Name System (DNS) Resource Records (RR) are registered by Domain Controllers (DC). There are two main reasons for doing this.
  1. To control which DCs are used when generic lookups are performed, e.g. when a client can't find a DC in its site, or doesn't know which site it is a member of, and asks for any DC.
  2. To control the number of NS and A records registered for the domain itself, e.g. when you have more than 300 DCs running as DNS servers, each DC will register the (same as parent) A record for the zone (domain) and an NS record for the zone.

There are two supported ways of controlling these settings:
  1. Group Policy (Computer Configuration\Administrative Templates\System\Net Logon\DC Locator DNS Records\DNS records not registered by the domain controllers)
  2. Editing the registry (HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DnsAvoidRegisterRecords)

The first option, via Group Policy, is the preferred one. However, it was introduced with Windows Server 2003, so the only option available on Windows 2000 Server is the second.

When modifying either setting, the mnemonic for the appropriate RR and its type must be specified. The following table is a list of the mnemonics that can be used.

Mnemonic          RR Type  RR                                  Applies To
LdapIpAddress     A                                            DC
Ldap              SRV      _ldap._tcp.                         DC
LdapAtSite        SRV      _ldap._tcp.._sites.                 DC
Pdc               SRV      _ldap._tcp.pdc._msdcs.              DC
Gc                SRV      _ldap._tcp.gc._msdcs.               GC
GcAtSite          SRV      _ldap._tcp.._sites.gc._msdcs.       GC
DcByGuid          SRV      _ldap._tcp..domains._msdcs.         DC
GcIpAddress       A        _gc._msdcs.                         GC
DsaCname          CNAME    ._msdcs.                            DC
Kdc               SRV      _kerberos._tcp.dc._msdcs.           DC
KdcAtSite         SRV      _kerberos._tcp.dc._msdcs.._sites.   DC
Dc                SRV      _ldap._tcp.dc._msdcs.               DC
DcAtSite          SRV      _ldap._tcp.._sites.dc._msdcs.       DC
Rfc1510Kdc        SRV      _kerberos._tcp.                     DC
Rfc1510KdcAtSite  SRV      _kerberos._tcp.._sites.             DC
GenericGc         SRV      _gc._tcp.                           GC
GenericGcAtSite   SRV      _gc._tcp.._sites.                   GC
Rfc1510UdpKdc     SRV      _kerberos._udp.                     DC
Rfc1510Kpwd       SRV      _kpasswd._tcp.                      DC
Rfc1510UdpKpwd    SRV      _kpasswd._udp.                      DC

To configure which RRs are registered you add the mnemonics of the RRs that you don’t want to be registered to either the GPO settings or registry REG_MULTI_SZ value.

As an example, suppose you wanted only the DCs in your central hub site to register the generic LDAP and Kerberos records. You would do the following:

Note. This example assumes all of your DCs are Windows Server 2003.
  1. Create a new GPO and link it to all sites that contain DCs other than the central site.
  2. Modify the following GPO setting:
    Computer Configuration\Administrative Templates\System\Net Logon\DC Locator DNS Records\DNS records not registered by the domain controllers
  3. With the following mnemonics:
    • LdapIpAddress
    • Ldap
    • DcByGuid
    • Kdc
    • Dc
    • Rfc1510Kdc
    • Rfc1510UdpKdc
    • Rfc1510Kpwd
    • Rfc1510UdpKpwd

The result of making this change is that all DCs that do not reside in the central site will only register site-specific records for LDAP, GC and Kerberos.

Fine-tuning auto-site coverage

You can also override the default auto site coverage, or add additional sites that haven’t been covered by auto-site coverage, and specify which sites a particular domain controller or group of domain controllers will cover. The options for this are as follows.
  1. Group Policy
    • Computer Configuration\Administrative Templates\System\Net Logon\DC Locator DNS Records\Sites Covered by the DC Locator DNS SRV Records
    • Computer Configuration\Administrative Templates\System\Net Logon\DC Locator DNS Records\Sites Covered by the GC Locator DNS SRV Records
    • Computer Configuration\Administrative Templates\System\Net Logon\DC Locator DNS Records\Sites Covered by the Application Directory Partition Locator DNS SRV Records
  2. Registry
    • HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\SiteCoverage
    • HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\GcSiteCoverage

      Note. The above values are multi-valued string values, and take one or more site names (cn).

Modifying the weight and priority of the SRV records

In addition to being able to control which records are registered, and for which sites, you can also override the default weight and priorities of the records. By default the priority is zero (0) and the weight is one hundred (100). Both settings accept values between 0 and 65535.

The Priority field sets the preference for target hosts. The Windows resolver attempts to connect to the hosts with the lowest priority value. By default, all domain controllers are equally desirable in terms of priority. Increasing the priority value on certain hosts, such as the Primary Domain Controller Emulator (PDCe) Operations Master (OM) and/or dedicated bridgehead servers, is often recommended, and results in these machines not participating in normal authentication while other DCs with a lower priority value are available.

The weight field is used in addition to the priority field to provide a load balancing mechanism. The probability with which the Windows resolver randomly selects a host DC is proportional to the weight field's value. This means that when there are several records with the same (lowest) priority, the higher the weight value, the more frequently the record will be used. The actual formula used to decide which record to use is as follows.

LdapSrvWeight / No. of records with the same LdapSrvWeight for DCs of priority


As an example, if there are four SRV records with the same priority of 0 (the most preferred), then the probability of each server is as follows:

Server  Weight  Probability
SVR-A   50      0.50
SVR-B   25      0.33
SVR-C   25      0.33
SVR-D   25      0.33



The weight and priority values can be configured via GPO (Windows Server 2003) and registry (Windows 2000 and 2003). The GPO settings and registry values are as follows.
  1. Group Policy
    • Computer Configuration\Administrative Templates\System\Net Logon\DC Locator DNS Records\Weight Set in the DC Locator DNS SRV Records
    • Computer Configuration\Administrative Templates\System\Net Logon\DC Locator DNS Records\Priority Set in the DC Locator DNS SRV Records
  2. Registry
    • HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LdapSrvWeight
    • HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LdapSrvPriority

      Note. Both values are DWORDs, and the data is the weight or priority in decimal form.
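One way to apply the registry values from the three sections above (DnsAvoidRegisterRecords, SiteCoverage, LdapSrvPriority/LdapSrvWeight) on a single DC and then check from DNS which DCs still answer the generic names, as an added PowerShell example that is not part of the original article. It assumes the registry path and value names given above, that it runs elevated on the DC, and that nltest /dsregdns and Resolve-DnsName are available (Resolve-DnsName needs Windows Server 2012 or later, so the audit step will not run on the Windows 2000/2003 hosts the article targets).

```powershell
# Added example, not code from the original article: apply the Netlogon registry
# values it describes on one DC, then audit the generic SRV records from DNS.
# Assumptions: run elevated on the DC; value names/path as in the article;
# Resolve-DnsName (Windows Server 2012 or later) available for the audit.
$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Set-NetlogonSrvRegistration {
    param(
        [string[]]$AvoidRecords,   # mnemonics NOT to register (REG_MULTI_SZ)
        [string[]]$SiteCoverage,   # extra site names (cn) this DC should cover
        [ValidateRange(0, 65535)][int]$Priority = 0,   # article default 0
        [ValidateRange(0, 65535)][int]$Weight = 100    # article default 100
    )
    $multi = @{ DnsAvoidRegisterRecords = $AvoidRecords; SiteCoverage = $SiteCoverage }
    foreach ($name in $multi.Keys) {
        if ($multi[$name]) {
            New-ItemProperty -Path $NetlogonParams -Name $name -PropertyType MultiString `
                -Value $multi[$name] -Force | Out-Null
        }
    }
    # Both DWORDs hold the plain decimal value, as the article's note says.
    New-ItemProperty -Path $NetlogonParams -Name LdapSrvPriority -PropertyType DWord `
        -Value $Priority -Force | Out-Null
    New-ItemProperty -Path $NetlogonParams -Name LdapSrvWeight -PropertyType DWord `
        -Value $Weight -Force | Out-Null
    # Make Netlogon re-register its records now instead of waiting for the next refresh.
    nltest.exe /dsregdns | Out-Null
}

function Get-GenericDcSrvRecords {
    # Which DCs currently answer the generic (non-site) LDAP and Kerberos names,
    # and with what priority/weight. Branch DCs should be absent after the change.
    param([string]$DnsDomainName = $env:USERDNSDOMAIN)
    foreach ($srv in "_ldap._tcp.$DnsDomainName", "_kerberos._tcp.$DnsDomainName") {
        Resolve-DnsName -Name $srv -Type SRV -ErrorAction Stop |
            Where-Object Type -eq 'SRV' |
            Select-Object @{n='Record'; e={ $srv }}, NameTarget, Priority, Weight
    }
}

# Branch-office DC: register only site-specific records (the article's mnemonic list).
Set-NetlogonSrvRegistration -AvoidRecords @(
    'LdapIpAddress', 'Ldap', 'DcByGuid', 'Kdc', 'Dc',
    'Rfc1510Kdc', 'Rfc1510UdpKdc', 'Rfc1510Kpwd', 'Rfc1510UdpKpwd')
# Hub PDC emulator instead: keep generic records but make it the least preferred target.
# Set-NetlogonSrvRegistration -Priority 10 -Weight 100

Get-GenericDcSrvRecords | Sort-Object Priority, @{e='Weight'; Descending=$true} |
    Format-Table -AutoSize
```

The audit output lists each DC that answers the generic names with its registered priority and weight; a branch DC appearing there after re-registration means the avoid list did not take effect on that host.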

Document Information

Author: Paul Williams
Written: 25-07-2007
Version: 1.0
Last updated: 25-07-2007
Last updated by: Paul Williams
