INFO: Fine Tuning Net Logon's SRV Resource Record (RR) registrations
In large branch office deployments it can become necessary to control which Domain Name System (DNS) Resource Records (RR) are registered by Domain Controllers (DC), as well as the weight and priority of these records. This article discusses the settings and methods available for such configurations.
Configuring which DCs register generic SRV records
In large branch office deployments it can become necessary to control which Domain Name System (DNS) Resource Records (RR) are registered by Domain Controllers (DC). There are two main reasons for doing this:
- To control which DCs are used when generic lookups are performed, e.g. when a client can't find a DC in its site, or doesn't know which site it is a member of, and asks for any DC.
- To control the number of NS and A records registered for the domain itself. For example, when you have more than 300 DCs running as DNS servers, each DC registers the (Same as parent) A record for the zone (domain) and an NS record for the zone.
There are two supported ways of controlling these settings:
- Group Policy (Computer Configuration\Administrative Templates\System\Net Logon\DC Locator DNS Records\DNS records not registered by the domain controllers)
- Editing the registry (HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DnsAvoidRegisterRecords)
The first option, via Group Policy, is preferred. However, this setting was introduced with Windows Server 2003, so on Windows 2000 Server the registry is the only available option.
When modifying either setting, the mnemonic of the appropriate RR must be specified. The following table lists the mnemonics that can be used, together with each one's RR type and the record it controls.
| Mnemonic | RR Type | RR | Applies To |
|---|---|---|---|
| LdapIpAddress | A | <DnsDomainName> | DC |
| Ldap | SRV | _ldap._tcp.<DnsDomainName> | DC |
| LdapAtSite | SRV | _ldap._tcp.<SiteName>._sites.<DnsDomainName> | DC |
| Pdc | SRV | _ldap._tcp.pdc._msdcs.<DnsDomainName> | DC |
| Gc | SRV | _ldap._tcp.gc._msdcs.<DnsForestName> | GC |
| GcAtSite | SRV | _ldap._tcp.<SiteName>._sites.gc._msdcs.<DnsForestName> | GC |
| DcByGuid | SRV | _ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName> | DC |
| GcIpAddress | A | _gc._msdcs.<DnsForestName> | GC |
| DsaCname | CNAME | <DsaGuid>._msdcs.<DnsForestName> | DC |
| Kdc | SRV | _kerberos._tcp.dc._msdcs.<DnsDomainName> | DC |
| KdcAtSite | SRV | _kerberos._tcp.dc._msdcs.<SiteName>._sites.<DnsDomainName> | DC |
| Dc | SRV | _ldap._tcp.dc._msdcs.<DnsDomainName> | DC |
| DcAtSite | SRV | _ldap._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName> | DC |
| Rfc1510Kdc | SRV | _kerberos._tcp.<DnsDomainName> | DC |
| Rfc1510KdcAtSite | SRV | _kerberos._tcp.<SiteName>._sites.<DnsDomainName> | DC |
| GenericGc | SRV | _gc._tcp.<DnsForestName> | GC |
| GenericGcAtSite | SRV | _gc._tcp.<SiteName>._sites.<DnsForestName> | GC |
| Rfc1510UdpKdc | SRV | _kerberos._udp.<DnsDomainName> | DC |
| Rfc1510Kpwd | SRV | _kpasswd._tcp.<DnsDomainName> | DC |
| Rfc1510UdpKpwd | SRV | _kpasswd._udp.<DnsDomainName> | DC |

In the RR column, <DnsDomainName> is the DNS name of the domain, <DnsForestName> is the DNS name of the forest root domain, <SiteName> is the site's cn, <DomainGuid> is the domain's GUID and <DsaGuid> is the GUID of the DC's NTDS Settings object.
To configure which RRs are registered, add the mnemonics of the RRs that you do not want registered to either the GPO setting or the registry REG_MULTI_SZ value.
As an example, suppose you want only the DCs in your central hub site to register the generic LDAP and Kerberos records. You would do the following:
Note. This example assumes all of your DCs are Windows Server 2003.
- Create a new GPO and link it to all sites that contain DCs other than the central site.
- Modify the following GPO setting: Computer Configuration\Administrative Templates\System\Net Logon\DC Locator DNS Records\DNS records not registered by the domain controllers
- Add the following mnemonics:
- LdapIpAddress
- Ldap
- DcByGuid
- Kdc
- Dc
- Rfc1510Kdc
- Rfc1510UdpKdc
- Rfc1510Kpwd
- Rfc1510UdpKpwd
The result of this change is that all DCs that do not reside in the central site register only site-specific records for LDAP, GC and Kerberos.
Fine-tuning auto-site coverage
You can also override the default automatic site coverage, add sites that automatic site coverage has not covered, and specify which sites a particular domain controller or group of domain controllers will cover. The options for this are as follows.
- Group Policy
- Computer Configuration\Administrative Templates\System\Net Logon\DC Locator DNS Records\Sites Covered by the DC Locator DNS SRV Records
- Computer Configuration\Administrative Templates\System\Net Logon\DC Locator DNS Records\Sites Covered by the GC Locator DNS SRV Records
- Computer Configuration\Administrative Templates\System\Net Logon\DC Locator DNS Records\Sites Covered by the Application Directory Partition Locator DNS SRV Records
- Registry
- HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\SiteCoverage
- HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\GcSiteCoverage
Note. The above values are multi-valued string values, and take one or more site names (cn).
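As an added example that is not part of the original article, the following PowerShell script applies the two registry-based settings described above (the DnsAvoidRegisterRecords worked example for a branch DC, and SiteCoverage/GcSiteCoverage for a hub DC) and then checks the resulting SRV records. The Branch/Hub switch, the domain name and the site names are constructed for illustration. It assumes it is run elevated on the DC itself, that nltest is present to force immediate re-registration, and that Resolve-DnsName (DnsClient module, Windows 8 / Windows Server 2012 or later) is available for the verification step, which therefore would not run on the Windows 2000/2003 hosts the article targets.

```powershell
# Added example (not from the original article): apply the Net Logon registry values
# the article describes. Run elevated on the DC itself. $Role, $Domain and the site
# names are constructed for illustration; GPO, where available, is the preferred route.
param(
    [ValidateSet('Branch', 'Hub')]
    [string]$Role = 'Branch',
    [string]$Domain = 'corp.example.com',                       # constructed
    [string[]]$ExtraSites = @('Branch-North', 'Branch-South')   # constructed, cn of sites
)
$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Mnemonics from the article's worked example: the generic (non-site) LDAP, Kerberos
# and domain A records. Site-specific records such as LdapAtSite stay registered.
$GenericRecords = @(
    'LdapIpAddress', 'Ldap', 'DcByGuid', 'Kdc', 'Dc',
    'Rfc1510Kdc', 'Rfc1510UdpKdc', 'Rfc1510Kpwd', 'Rfc1510UdpKpwd'
)

function Set-NetlogonMultiString {
    # Writes (or creates) a REG_MULTI_SZ value under Netlogon\Parameters.
    param([string]$Name, [string[]]$Values)
    Set-ItemProperty -Path $NetlogonParams -Name $Name -Value $Values -Type MultiString
    Write-Host ("{0} = {1}" -f $Name, ($Values -join ', '))
}

switch ($Role) {
    'Branch' {
        # Branch DC: stop registering the generic records so clients that ask for
        # "any DC" are steered to the hub.
        Set-NetlogonMultiString -Name 'DnsAvoidRegisterRecords' -Values $GenericRecords
    }
    'Hub' {
        # Hub DC: also advertise itself in the site-specific records of sites that
        # have no DC, overriding what automatic site coverage would pick.
        Set-NetlogonMultiString -Name 'SiteCoverage'   -Values $ExtraSites
        Set-NetlogonMultiString -Name 'GcSiteCoverage' -Values $ExtraSites
    }
}

# Re-register this DC's locator records now rather than at the next periodic refresh.
nltest /dsregdns

# Verification (needs the DnsClient module, Windows 8 / Server 2012 or later, and
# DNS replication to have completed). Generic record: hub DCs only. Site records:
# the branch DC in its own site, and the hub DC in each extra site it covers.
function Get-SrvTargets {
    param([string]$RecordName)
    Resolve-DnsName -Name $RecordName -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object Name, NameTarget, Priority, Weight, Port
}
Get-SrvTargets -RecordName "_ldap._tcp.$Domain"
foreach ($site in $ExtraSites) {
    Get-SrvTargets -RecordName "_ldap._tcp.$site._sites.$Domain"
}
```

Run it once per DC with the role that applies (`-Role Branch` on each branch DC, `-Role Hub` on the hub DC). If a GPO already configures the same setting, the policy value wins over the registry value written here, which is why the article recommends the GPO route where the OS supports it.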
Modifying the weight and priority of the SRV records
In addition to controlling which records are registered, and for which sites, you can also override the default weight and priority of the records. By default the priority is zero (0) and the weight is one hundred (100). Both settings accept values between 0 and 65535.
The Priority field sets the preference for target hosts. The Windows resolver attempts to connect to the hosts with the lowest priority. By default, all domain controllers are equally desirable in terms of priority. Increasing the priority on certain hosts, such as the Primary Domain Controller Emulator (PDCe) Operations Master (OM) and/or dedicated bridgehead servers, is often recommended, and results in these machines not participating in normal authentication while other DCs with a lower priority are available.
The Weight field is used in addition to the Priority field to provide a load-balancing mechanism. The probability with which the Windows resolver randomly selects a host DC is proportional to the Weight field's value. This means that when there are several records with the same [lowest] priority, the higher the weight value, the more frequently the record will be used. The formula used to decide which record to use is as follows:
LdapSrvWeight / (number of records with the same LdapSrvWeight for DCs of that priority)
As an example, if there are four SRV records with the same highest priority of 0, then the probability of each server is as follows:
| Server | Weight | Probability |
|---|---|---|
| SVR-A | 50 | 0.50 |
| SVR-B | 25 | 0.33 |
| SVR-C | 25 | 0.33 |
| SVR-D | 25 | 0.33 |
The weight and priority values can be configured via GPO (Windows Server 2003) and the registry (Windows 2000 and 2003). The GPO settings and registry values are as follows.
- Group Policy
- Computer Configuration\Administrative Templates\System\Net Logon\DC Locator DNS Records\Weight Set in the DC Locator DNS SRV Records
- Computer Configuration\Administrative Templates\System\Net Logon\DC Locator DNS Records\Priority Set in the DC Locator DNS SRV Records
- Registry
- HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LdapSrvWeight
- HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LdapSrvPriority
Note. The values are DWORDs and the data is the weight or priority expressed in decimal.
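Also as an added example (not the article's own), the following PowerShell raises the LDAP SRV priority of the PDC emulator through the registry values listed above and then lists a record's targets in the order the resolver considers them: lowest priority first, and within one priority tier the heavier weight first. The domain name is constructed; nltest /dsregdns and Resolve-DnsName (DnsClient module, Windows 8 / Windows Server 2012 or later) are assumed to be available on the host it runs on.

```powershell
# Added example (not from the original article): de-prioritise the PDCe's LDAP SRV
# records via the registry values the article lists, then show the resolver's order.
# Run elevated on the PDCe. $Domain is a constructed sample name.
param([string]$Domain = 'corp.example.com')
$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Defaults are priority 0 and weight 100 (both 0..65535). A higher priority NUMBER
# means less preferred: the PDCe is used only when no lower-priority DC answers.
Set-ItemProperty -Path $NetlogonParams -Name 'LdapSrvPriority' -Value 10  -Type DWord
Set-ItemProperty -Path $NetlogonParams -Name 'LdapSrvWeight'   -Value 100 -Type DWord  # default
nltest /dsregdns   # re-register this DC's records now instead of at the next refresh

function Get-SrvPreferenceOrder {
    # Lists the SRV targets of one record in the order the resolver considers them:
    # lowest priority first, then highest weight within a priority tier. Preferred is
    # $true only for the tier that receives normal traffic.
    param([string]$RecordName)
    $records = Resolve-DnsName -Name $RecordName -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }
    $lowest = ($records | Measure-Object -Property Priority -Minimum).Minimum
    $records |
        Sort-Object -Property @{Expression = 'Priority'; Ascending = $true},
                              @{Expression = 'Weight';   Ascending = $false} |
        ForEach-Object {
            [pscustomobject]@{
                Target    = $_.NameTarget
                Priority  = $_.Priority
                Weight    = $_.Weight
                Preferred = ($_.Priority -eq $lowest)
            }
        }
}

# Once DNS replication has completed, the PDCe should appear last with Preferred = False.
Get-SrvPreferenceOrder -RecordName "_ldap._tcp.$Domain" | Format-Table -AutoSize
```

The listing is the check a practitioner wants after such a change: every DC intended to carry normal authentication traffic shows Preferred = True, and the PDCe (or bridgehead) shows the raised priority with Preferred = False.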
Document Information
Author: Paul Williams
Written: 25-07-2007
Version: 1.0
Last updated: 25-07-2007
Last updated by: Paul Williams