I am going to step through the ways to manipulate the domain controller selection process so that a domain controller dedicated to DNS receives as few authentication requests as possible. If another domain controller fails, this DNS server is still able to serve authentication requests.
Why you want Active Directory integrated DNS
- Multimaster replication of dynamic records, and access control on the zone data based on AD DS (secure dynamic updates)
- Zones are replicated to any new domain controllers automatically
- DNS and AD DS data are replicated together, which simplifies replication planning and implementation
- AD DS uses per-attribute replication and therefore transmits only the changed records, making it far more efficient
For more info check out http://technet.microsoft.com/en-us/library/cc726034.aspx
Installing AD DS with DNS
These steps cover adding an additional domain controller with DNS to an existing domain.
- From server manager
- Add roles
- Select Active Directory Domain Services (DNS will be added later)
- Finish the wizard
- Open a command prompt
- Run DCpromo.exe
- Check Use advanced mode installation
- Select to add the domain controller to an existing forest and to an existing domain
- Confirm the correct domain
- On the Select a Site screen choose to use the site that corresponds to the IP of this computer (later on we will cover the steps to move it to another site)
- On the Additional Domain Controller Options screen select
- DNS server - (the reason why we are doing this)
- Global Catalog (If like me you want this to be a standby domain controller in case of failure)
- When prompted, select Replicate data over the network from an existing domain controller
- Let the wizard choose an appropriate domain controller
- Accept the default folders
- Specify a password for Restore Mode
- Finish the Wizard
Your installation summary should look like this
- Choose not to reboot on completion
You now have the option to complete the steps below to reduce its authentication priority before the server adds itself to DNS. This prevents clients from latching on to the new server with the default settings.
Configure an additional IP (Optional)
Clients send DNS queries to the IP address configured as their DNS server, while DC Locator finds domain controllers by the names in the SRV records, so you can split the two. Assign an additional IP address to the server and use this IP only for DNS.
If at a later stage you want to configure a load balanced DNS implementation you can use this spare IP rather than having to change your domain controller's DNS name.
The same goes for when you need to replace your DNS servers. It is much cleaner to simply release the IP on the old server and assign it to the new one.
Note: A domain controller with multiple IP addresses can cause problems, because Netlogon registers every address, including the DNS-only one, in the DNS records it publishes for the domain.
How authentication selection works and how to "turn it off"
To drastically reduce the number of authentication requests the DNS server has to serve we need to understand how a client determines which domain controller to use.
- Netlogon service on client queries registry for DynamicSiteName
- DC Locator uses the DynamicSiteName to query DNS for the SRV records of the domain controllers in its site
- DNS returns a list of IP addresses sorted by priority and weight
- Client inspects the SRV records and picks the lowest priority value
- If priorities are the same it randomizes based on the weight
- Netlogon on the client sends an LDAP ping (a UDP datagram) to the chosen domain controller
- Netlogon on the server replies
There are a few more steps to this but we are mainly interested in steps 2 to 5. You will also notice that steps 2 through 5 are purely DNS.
The order in which to "step down" the number of authentication requests is the reverse of the selection order. This means:
- Decrease the weight
- Increase the priority value (a higher number means a lower priority)
- Manipulate the site
For more info check out http://blogs.technet.com/DomainControllerLocatorInDepth
Manipulating the site selection process
In step 2 DNS is asked to return the list of servers for the client's site. We can use this to reduce the chance of our DNS server being selected.
If the client's site name does not match the site of the domain controller it contacted, that controller replies with the site whose subnet most closely matches the client's IP address, and the client repeats the lookup with that site name. The aim is therefore a site whose subnet no real client will ever match.
- To create a DNS isolation site do the following
- Open Active Directory Sites and Services
- Expand Sites
- Right Click - New Site
- Specify a name and select an existing site link
- Find your DNS server under the Servers container of its current site - right click - Move - select the new site
- Expand Subnets
- Right click - New Subnet
- Specify a network prefix that is well outside your normal IP ranges (for example 172.16.0.0/24); it must not overlap any subnet real clients use, or those clients will be mapped to the isolation site and sent to this server
- Right click the subnet - Properties
- On the General tab, set the site to the new site created earlier.
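The same steps as an added PowerShell example (not from the original post), using the ActiveDirectory module cmdlets that exist from Windows Server 2012 onward; the dcpromo-era console the post uses does not have them. The site, subnet, server and site link names are placeholders.

```powershell
# Added example, not code from the original post. Creates the isolation site and
# subnet and moves the DNS-oriented DC into it. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$site   = 'DNS-Isolation'        # placeholder site name
$prefix = '172.16.0.0/24'        # placeholder: must not overlap any subnet real clients use
$dnsDc  = 'DNS01'                # placeholder: the DC's short name
$link   = 'DEFAULTIPSITELINK'    # the default site link; a new site must belong to one

# Sanity check: list the subnets already defined so the isolation prefix can be compared
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site | Format-Table -AutoSize
if (Get-ADReplicationSubnet -Filter "Name -eq '$prefix'") {
    throw "$prefix is already defined as a subnet; pick a prefix no client will match"
}

# Create the site and attach it to a site link, as the New Site dialog does
New-ADReplicationSite -Name $site
Set-ADReplicationSiteLink -Identity $link -SitesIncluded @{ Add = $site }

# Map the unused prefix to the site, then move the DC's server object into it
New-ADReplicationSubnet -Name $prefix -Site $site
Move-ADDirectoryServer -Identity $dnsDc -Site $site

# Confirm the DC now belongs to the isolation site
Get-ADDomainController -Identity $dnsDc | Select-Object Name, Site, IPv4Address
```

Netlogon on the moved server publishes the site-specific SRV records for the new site the next time it registers, so restart the Netlogon service on that DC (or reboot, as the post does after the later registry change) rather than waiting for the periodic re-registration.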
Manipulating server priority and weight
The SRV records returned by DNS contain the priority and the weight for that requested service. A look at DNS will show the following:
The SRV record for _ldap contains 4 values [LdapSrvPriority][LdapSrvWeight][Port][Server FQDN]
Priority specifies the order in which clients attempt to contact domain controllers: the lower the value, the higher the priority, and only the servers with the lowest value present are contacted while any of them responds.
The default value is 0, making all domain controllers equal. From the image you can see a number of servers all with the default value.
If there are multiple servers with the same priority the server weight is used.
Weight determines the probability that a client selects a given domain controller among those sharing a priority; the higher the weight, the more likely it is chosen. The probability is calculated from the weights of all servers at that priority.
The default value is 100, so a server with a weight of 0 has only a very small chance of being selected while the others keep the default.
The formula is: LdapSrvWeight / Sum (LdapSrvWeight for DCs of that priority)
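To see how the selection steps above and this formula combine, here is an added PowerShell example (not code from the original post). It reproduces the two rules the post describes, lowest priority first and then a weight-proportional random pick within that priority, over a constructed record set; the server names are placeholders, and the objects carry the Priority, Weight and NameTarget properties that Resolve-DnsName -Type SRV returns, so live records can be fed in instead.

```powershell
# Added example, not code from the original post. The record set below is constructed.

function Get-DcSelectionProbability {
    param([Parameter(Mandatory)] [object[]] $SrvRecords)

    # Only the records with the numerically lowest priority are tried at all
    $lowest     = ($SrvRecords | Measure-Object -Property Priority -Minimum).Minimum
    $candidates = @($SrvRecords | Where-Object { $_.Priority -eq $lowest })
    $sum        = ($candidates | Measure-Object -Property Weight -Sum).Sum

    foreach ($r in $SrvRecords) {
        $p = 0.0
        if ($r.Priority -eq $lowest) {
            # LdapSrvWeight / Sum(LdapSrvWeight for DCs of that priority);
            # when every candidate has weight 0 the pick is uniform
            $p = if ($sum -gt 0) { $r.Weight / $sum } else { 1 / $candidates.Count }
        }
        [pscustomobject]@{
            NameTarget  = $r.NameTarget
            Priority    = $r.Priority
            Weight      = $r.Weight
            Probability = [math]::Round($p, 3)
        }
    }
}

function Select-Dc {
    # One random pick using the same rules, the way a client would
    param([Parameter(Mandatory)] [object[]] $SrvRecords)

    $lowest     = ($SrvRecords | Measure-Object -Property Priority -Minimum).Minimum
    $candidates = @($SrvRecords | Where-Object { $_.Priority -eq $lowest })
    $sum        = ($candidates | Measure-Object -Property Weight -Sum).Sum
    if ($sum -le 0) { return (Get-Random -InputObject $candidates) }

    # Walk the cumulative weights; a weight-0 record never owns a slot
    $slot = Get-Random -Minimum 0 -Maximum $sum
    $acc  = 0
    foreach ($c in $candidates) {
        $acc += $c.Weight
        if ($slot -lt $acc) { return $c }
    }
}

# Constructed sample: three DCs at the defaults, one with only the weight
# lowered, one with both priority and weight lowered as the post recommends.
$sample = @(
    [pscustomobject]@{ NameTarget = 'dc01.example.local';  Priority = 0;     Weight = 100 }
    [pscustomobject]@{ NameTarget = 'dc02.example.local';  Priority = 0;     Weight = 100 }
    [pscustomobject]@{ NameTarget = 'dc03.example.local';  Priority = 0;     Weight = 100 }
    [pscustomobject]@{ NameTarget = 'dns01.example.local'; Priority = 0;     Weight = 0   }
    [pscustomobject]@{ NameTarget = 'dns02.example.local'; Priority = 65535; Weight = 0   }
)

Get-DcSelectionProbability -SrvRecords $sample | Format-Table -AutoSize

# Draw 1000 picks and count how often each server is chosen
1..1000 | ForEach-Object { (Select-Dc -SrvRecords $sample).NameTarget } |
    Group-Object | Sort-Object Count -Descending | Select-Object Name, Count
```

The table makes the difference between the two stepped-down servers visible: dns01 stays in the active priority group and is skipped only because its weight is 0, while dns02 is not consulted at all until every priority-0 server stops answering. RFC 2782 asks resolvers to give weight-0 records a very small (not zero) chance when others carry weight, so read the 0 as "practically never", which is also how the post describes it.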
Adjusting the values
To alter the default values the server publishes to DNS you need to make two registry changes. Both values are DWORDs and need to be added to
You can save the following as a .reg file and import the settings. This sets the server to the lowest priority (the highest value, 65535) and the lowest weight (0).
Windows Registry Editor Version 5.00
After making these changes you will have to reboot the server (Netlogon reads these values when it starts, so restarting the Netlogon service also works, but a reboot is the simpler guarantee).
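Here is an added PowerShell version of that registry change (not from the original post). It writes the same two values, LdapSrvPriority and LdapSrvWeight, as DWORDs under the Netlogon service's Parameters key, which is where Netlogon reads its DC Locator settings, reads them back, and then restarts Netlogon and forces DNS re-registration instead of rebooting. Run it from an elevated prompt on the DNS domain controller.

```powershell
# Added example, not code from the original post. Applies the two Netlogon
# values the post sets (lowest priority 65535, lowest weight 0) and makes
# Netlogon re-register its SRV records without a full reboot.

# The .reg content the post describes; the key is the Netlogon Parameters key
$regFile = Join-Path $env:TEMP 'dc-locator-stepdown.reg'
@'
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"LdapSrvPriority"=dword:0000ffff
"LdapSrvWeight"=dword:00000000
'@ | Set-Content -Path $regFile -Encoding Unicode

# reg.exe import needs an elevated prompt; it exits non-zero on failure
reg.exe import $regFile
if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE" }

# Read back what was written so a typo in a value name is caught immediately
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
Get-ItemProperty -Path $params -Name LdapSrvPriority, LdapSrvWeight |
    Select-Object LdapSrvPriority, LdapSrvWeight

# Netlogon reads these values when it starts, so restart it and force a
# fresh DNS registration. The post reboots instead; that also works.
Restart-Service -Name Netlogon
nltest /dsregdns
```

The read-back step matters because Netlogon silently ignores a misspelled value name and keeps publishing priority 0 and weight 100.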
Check the setting from a client machine
To verify that client machines get the intended SRV data you can check DNS, or you can run the following nslookup query for the domain's _ldap SRV records on a client machine.
This should return a result as follows
If you want to return the servers for a specific site, query the site-specific record instead:
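An added PowerShell example of that check (not from the original post). The domain-wide record name is _ldap._tcp.dc._msdcs.<domain> and the site-specific one is _ldap._tcp.<site>._sites.dc._msdcs.<domain>; the equivalent nslookup commands are in the comments. The domain, site and server names are placeholders.

```powershell
# Added example, not code from the original post. Equivalent nslookup queries:
#   nslookup -type=SRV _ldap._tcp.dc._msdcs.example.local
#   nslookup -type=SRV _ldap._tcp.DNS-Isolation._sites.dc._msdcs.example.local
$domain = 'example.local'        # placeholder: the AD DNS domain name
$site   = 'DNS-Isolation'        # placeholder: the isolation site created earlier
$dnsDc  = 'dns01.example.local'  # placeholder: FQDN of the DNS-oriented DC

function Get-DcSrvRecords {
    param([string] $Name)
    # Resolve-DnsName also returns the A records from the additional section; keep only SRV
    Resolve-DnsName -Name $Name -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
        Select-Object NameTarget, Priority, Weight, Port
}

# What a client asks for when it has no site match (or no site at all)
Write-Host "Domain-wide records for $domain"
$all = Get-DcSrvRecords "_ldap._tcp.dc._msdcs.$domain"
$all | Format-Table -AutoSize

# What a client asks for once it knows its site; our server should be the only entry here
Write-Host "Site-specific records for site $site"
Get-DcSrvRecords "_ldap._tcp.$site._sites.dc._msdcs.$domain" | Format-Table -AutoSize

# Check that the stepped-down values have actually been published
$mine = $all | Where-Object { $_.NameTarget -ieq $dnsDc }
if (-not $mine) {
    Write-Warning "$dnsDc publishes no _ldap SRV record in $domain"
} elseif ($mine.Priority -ne 65535 -or $mine.Weight -ne 0) {
    Write-Warning "$dnsDc still publishes priority $($mine.Priority) weight $($mine.Weight); Netlogon has not re-registered yet"
}
```

Run it from a client that uses the production DNS servers, not from the DC itself, so that what you see is what clients actually receive after replication.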
Monitoring authentication requests
NOTE: The steps above do not stop the server from serving authentication requests; they just drastically reduce the probability of it being chosen by a client.
To verify that the DNS server is getting a reduced number of authentication requests you need to compare how many it has received with the other domain controllers.
The easiest way to do this is to check the Security event log on each domain controller. Event ID 4624 also includes logons to the domain controller itself, so the comparison is only meaningful when every domain controller is filtered the same way over the same period.
- Open the event viewer
- Select Windows Logs - Security
- Right Click - Filter Current Log
- Include only Event ID 4624 (An account was successfully logged on)
- For Logged - select Last Hour
- When the events are returned, look at the number of events.
If you compare this number with the other domain controllers it should be significantly lower.
At this point you should have achieved the design goal of a server primarily dedicated to serving DNS requests, with the advantages of being an AD DS integrated DNS server. It will also act as a failover authentication server should the primary domain controllers fail.
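An added PowerShell version of that comparison (not from the original post). It counts 4624 on every domain controller for the last hour and, alongside it, 4768 and 4769 (Kerberos TGT and service ticket requests) and 4776 (NTLM credential validation), which count the authentication the DC performed for other hosts rather than logons to the DC itself. It assumes the ActiveDirectory module (RSAT) and remote event log access to each DC; the domain is whichever one the session is joined to.

```powershell
# Added example, not code from the original post. Compares logon and authentication
# event counts across all DCs so the DNS-oriented DC can be checked against the rest.
Import-Module ActiveDirectory

$since = (Get-Date).AddHours(-1)
$ids   = 4624, 4768, 4769, 4776
$dcs   = (Get-ADDomainController -Filter *).HostName

$results = foreach ($dc in $dcs) {
    $counts = @{}
    foreach ($id in $ids) {
        # Get-WinEvent reports "no events" as an error; treat that as a count of 0
        $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName   = 'Security'
            Id        = $id
            StartTime = $since
        }
        $counts[$id] = @($events).Count
    }
    [pscustomobject]@{
        DC         = $dc
        Logon4624  = $counts[4624]
        KrbTgt4768 = $counts[4768]
        KrbSvc4769 = $counts[4769]
        Ntlm4776   = $counts[4776]
    }
}

$results | Sort-Object KrbTgt4768 -Descending | Format-Table -AutoSize
```

Remote collection needs the "Remote Event Log Management" firewall rule enabled on each DC and an account that can read the Security log there. Over a quiet hour the 4768 column is the clearest signal: a DC that clients no longer select issues few or no TGTs, even though it still logs 4624 events for its own service logons.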
Turn off authentication completely (Optional)
To totally prevent authentication against the domain controller you essentially have to hide the server by preventing Netlogon from registering its SRV records in DNS. To do this you need to set the following (local) group policy. The trade-off is that the server will no longer be able to serve as a backup authentication server.
- MMC - Add - group Policy Object Editor
- Local Computer
- Computer Configuration
- Administrative Templates
- System
- Net Logon
- DC Locator DNS Records
- Enable "DC Locator DNS records not registered by the DCs"
- Specify the following string for Mnemonics
LdapIpAddress Ldap Gc GcIPAddress Kdc Dc DcByGuid Rfc1510Kdc Rfc1510Kpwd Rfc1510UdpKdc Rfc1510UdpKpwd GenericGc
- Delete all the SRV entries in DNS for this server. Reboot
The mnemonic list above turns off only the non-site-specific records. To also hide the server from clients that resolve to its own site, add the site-specific mnemonics as well (LdapAtSite, DcAtSite, KdcAtSite, GcAtSite, GenericGcAtSite and Rfc1510KdcAtSite); the full list is at http://support.microsoft.com/kb/306602
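An added registry equivalent of that policy (not from the original post). The policy writes the mnemonic list to the REG_MULTI_SZ value DnsAvoidRegisterRecords under the Netlogon Parameters key; the script below sets the post's list plus the site-specific mnemonics so the server disappears from its own site's records as well, restarts Netlogon, and then lists any of its records that still exist, since the post deletes the leftovers by hand. It assumes it runs elevated on the DC itself in a domain session (it takes the domain and host name from the environment).

```powershell
# Added example, not code from the original post. Hides this DC from DC Locator by
# listing every record mnemonic in DnsAvoidRegisterRecords, the value behind the
# "DC Locator DNS records not registered by the DCs" policy.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Non-site-specific records: the list from the post
$generic = 'LdapIpAddress','Ldap','Gc','GcIpAddress','Kdc','Dc','DcByGuid',
           'Rfc1510Kdc','Rfc1510Kpwd','Rfc1510UdpKdc','Rfc1510UdpKpwd','GenericGc'
# Site-specific records: without these, clients whose site is this DC's site still find it
$atSite  = 'LdapAtSite','DcAtSite','KdcAtSite','GcAtSite','GenericGcAtSite','Rfc1510KdcAtSite'

New-ItemProperty -Path $params -Name 'DnsAvoidRegisterRecords' -PropertyType MultiString `
    -Value ($generic + $atSite) -Force | Out-Null
Restart-Service -Name Netlogon

# Records registered earlier are not necessarily withdrawn; report any that still name this DC
$domain = $env:USERDNSDOMAIN.ToLower()          # assumption: run in a domain session on the DC
$me     = "$env:COMPUTERNAME.$domain"
$names  = "_ldap._tcp.dc._msdcs.$domain", "_kerberos._tcp.dc._msdcs.$domain",
          "_ldap._tcp.$domain", "_kerberos._tcp.$domain"
foreach ($n in $names) {
    Resolve-DnsName -Name $n -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' -and $_.NameTarget -ieq $me } |
        ForEach-Object { Write-Warning "$n still lists $me; delete it in the DNS console" }
}
```

Hiding the records only stops clients from discovering the server through DC Locator; anything that names it directly (a hard-coded LDAP server in an application, or nltest /dsgetdc with the server specified) can still authenticate against it, so the registry change is not an access control.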