Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  
  Advanced Search 


March 2003

Authentication Topology

Configure DNS SRV records to speed authentication
From the March 2003 Edition
of Windows IT Pro
Gil Kirkpatrick
Focus
InstantDoc #37935
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
Subscribe to Windows IT Pro | See More Active Directory (AD) Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!
SideBar    DNS SRV Records

SRV weight. RFC 2782 also provides a load-balancing mechanism of sorts. An SRV record's weight field is an integer that defines which SRV records the client should prefer in its selection process. Although the client randomly selects an SRV record from a set of records with the same priority, the probability that the client will select a particular SRV record is proportional to the weight associated with that record.

To define the weight that the DC will publish with its SRV records, set the DC's HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters registry subkey's LdapSrvWeight entry to a value from 0 to 100. By default, DCs use the value 100, indicating that the likelihood that a client will select that DC is 100 percent.

Suppose you have 5000 clients and two DCs in a site. DC1 is a dual-processor 1.6GHz Pentium 4 Xeon box with 1GB of RAM, and DC2 is a single-processor 800MHz Pentium with 256MB of RAM. Without any manual registry configuration, approximately half the clients will attempt to authenticate with DC1 and the other half will attempt to authenticate with DC2. As you can imagine, DC2 will be severely overloaded. However, if you set the weight on DC1 to 80 and the weight on DC2 to 20, clients will prefer the dual-processor box to the single-processor box by a factor of 4-to-1, as Figure 5 shows.

Configuring the Publication of Generic SRV Records
When a client can't find a DC through site-specific SRV records, it will search generic SRV records. This behavior can create some undesirable results. Consider a hub-and-spoke scenario in which the hub site and each satellite site contain a DC. If a client in a satellite site fails to contact its local DC, the client will search DNS for generic SRV records for a DC in its domain. Because all DCs publish generic records by default, the client might select a DC from anywhere in the network, including another remote satellite site—something you almost certainly don't want to happen.

AD provides a way to disable the publication of individual SRV records so that you can make a DC invisible to clients in other sites or even the DC's own site. This ability gives you great control over which DCs clients will use to authenticate. To control the SRV records that a DC publishes, set the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters registry subkey's DnsAvoidRegisterRecords value to a list of mnemonics (separated by spaces) that correspond to the SRV record you want to inhibit. Table 1 shows the available mnemonics and corresponding SRV records.

Consider our hub-and-spoke example: a simple network with a hub in Denver and satellite offices in Scottsdale, San Antonio, and Albuquerque, New Mexico. By default, a client in Scottsdale (i.e., WSSC1) will select the Scottsdale DC (i.e., DCSC1) for authentication. But suppose DCSC1 is down. Ideally, we'd like WSSC1 to fail over to a DC in the Denver hub site. But by default, WSSC1 will simply search the network's generic SRV records, with a good chance of selecting a DC in one of the other satellite sites (i.e., DCSA1 or DCAL1). The solution is to make the DCs in the satellite sites invisible to clients outside each site. In this example, you would disable the publication of all generic records for the DCs in the satellite sites so that clients from other sites won't select them. Specifically, for DCSC1, DCSA1, and DCAL1, set the DnsAvoidRegisterRecords value to include the following mnemonics: Dc, DcByGuid, Gc, GcIpAddress, GenericGc, Kdc, Ldap, LdapIpAddress, Rfc1510Kdc, Rfc1510Kpwd, Rfc1510UdpKdc, and Rfc1510UdpKpwd.

Here's another interesting scenario: Suppose you want to dedicate a DC at some central site for hot backup purposes only. You want the DC to sit there, replicating with the other DCs in the domain, but doing nothing else. In fact, you want to make the DC invisible both inside and outside its site. To do so, set all the mnemonics except DcByGuid, which controls publication of the SRV record that other DCs use to find replication partners.

Speeding Things Up
When you understand how the DC Locator mechanism works, how it depends completely on DCs' SRV records, and how you can control the way in which DCs publish those records, you can optimize your authentication topology to provide the fastest possible logons and directory lookups for your users. Your users—and your Help desk personnel—will thank you.

End of Article

   Previous  1  2  3  [4]  Next  


Reader Comments
This article provides an excellent look at the AD authentication process from a DNS point of view, especially from a multiple site, hub & spoke point of view.

Andy Schan February 27, 2003

Great article!
One technical issue:
'To do so, set all the mnemonics except DcByGuid, which controls publication of the SRV record that other DCs use to find replication partners.'
But isn't rather DsaCname needed? At least my test showed you can't do without it, whilst not registering DcByGuid is common practice.

Ben Meijer July 15, 2003

Gil Kirkpatrick's "Authentication Topology" (March 2003, http://www.winnetmag.com, InstantDoc ID 37935) was a great article. I am planning to use the ability to hide a domain controller (DC) from everyone (except for replication with the globally unique identifier—GUID—CNAME) to implement a replication site for disaster recovery. The article came in very handy.

Jesse Sutela January 15, 2004

You must be a registered user or online subscriber to comment on this article. Please log on before posting a comment. Are you a new visitor? Register now




Top Viewed ArticlesView all articles
WinInfo Short Takes: Week of November 9, 2009

An often irreverent look at some of the week's other news, including some more Windows 7 sales momentum, some Sophos stupidity, Microsoft's cloud computing self-loathing, more whining from the browser makers, Zoho's "Fake Office," and much, much more ...

Command Prompt Tricks

One reader shares his tip for setting up the command prompt to reflect a remote path. ...

Windows 7 Sets Sales Record

Microsoft CEO Steve Ballmer described Windows 7's first ten days of sales as "fantastic" while in Japan yesterday. ...
Active Directory (AD) Whitepapers Meeting Compliance Objectives in SharePoint

Email Controls and Regulatory Compliance
Related Events WinConnections and Microsoft® Exchange Connections

Check out our list of Free Email Newsletters!
Active Directory (AD) eBooks The Essentials Series: Active Directory 2008 Operations

Keeping Your Business Safe from Attack: Monitoring and Managing Your Network Security

Windows 2003: Active Directory Administration Essentials
Related Active Directory (AD) Resources Introducing Left-Brain.com, the online IT bookstore
Looking for books, CDs, toolkits, eBooks? Prime your mind at Left-Brain.com

Discover Windows IT Pro eLearning Series!
Clear & detailed technical information and helpful how-to's, all in our trademark no-nonsense format


ADS BY GOOGLE

Job Openings in IT SPONSORED LINKS FEATURED LINKS
EMC SAN vs. DAS Exchange 2007 Calculator
Calculate your savings now!

Let Your Users Reset Their Own Passwords: Free Download
Try a 30 day free trial of Desktop Authority Password Self-Service – it provides an easy-to-use, robust system for allowing users to reset their own forgotten passwords or locked accounts.


Disaster Recovery Strategies – Tips and Tricks
Determine how you can achieve your DR objectives as simply and cost-effectively as possible.

Get Windows IT Pro & Mark Minasi’s Favorite Power Tools Guide
Order Windows IT Pro now and get "More of Mark Minasi's Favorite Power Tools"--a in-depth guide to the most useful Windows commands --FREE with your paid order! Subscribe today, and save 58% off the cover price!

Migration, Virtualization, Availability, and Desktop Management
Realize the importance of a workload optimization strategy...it can affect your bottom line!

Deep Dive into VMware vSphere, eLearning Series
Join John Savill to explore the major functionality capabilities of the vSphere virtualization platform, including identification of the changes from ESX 3.5.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro DevProConnections IT Job Hound
Left-Brain.com Technology Resource Directory asp.netPRO ITTV Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement