Preventing Spoke DCs from Advertising in the Hub Site for Authentication Availability

If you have a hub-and-spoke site topology, it may not be a good idea for certain (or all) spoke DCs to advertise, via DNS, that they can provide authentication services. If a remote site's DC fails, it is usually best that the spoke sends its users to the hub for authentication. By default, Active Directory (AD) doesn't act this way. If you would like each spoke DC to be advertised only in its own site, you will want to configure a Group Policy (Windows 2003 and above) to prevent these spoke DCs from advertising. For machines running Windows 2000 you will need to do a registry hack (KB article defined later).

You will need to create a new Group Policy and define which DCs will have the read and apply permissions on it. Make sure to remove the Authenticated Users apply permission; otherwise ALL DCs will have this policy applied once it is linked to the Domain Controllers OU.


  • Open up Group Policy Management and create a new Policy
  • Select this new Policy and click on the Delegation tab
    • Select the Advanced button
      • Remove the apply permission from Authenticated Users
      • Add each DC you would like this policy to apply to and give it read and apply permissions
    • Right click on the policy and select Edit
      • Computer Configuration / Administrative Templates / System / Net Logon / DC Locator DNS records
        • Double click on DC Locator DNS records not registered by the DCs
          • Key in the Mnemonics below (Copy and paste)

Dc DcByGuid Gc GcIpAddress GenericGc Kdc Ldap LdapIpAddress Rfc1510Kdc Rfc1510Kpwd Rfc1510UdpKdc Rfc1510UdpKpwd

  • See below for the mnemonic definitions



Wait for (or force) replication, and then from a command prompt on each DC in question key in the following:

  • gpupdate /force
    • This will apply the new policy
  • Restart the NetLogon service (or run netdiag /fix)
    • This will update DNS. When you check, make sure that you verify on the DNS server this DC is attached to, or wait for replication to take place.



The following tables were taken from KB article KB306602.

Reference Tables

The following tables contain mnemonics, types, and the owner names of the domain controller locator DNS records that should not be registered by the satellite domain controllers and global catalogs to optimize the domain controller location.

Domain Controller-Specific Records

Mnemonic        Type  DNS Record
LdapIpAddress   A     <DnsDomainName>
Ldap            SRV   _ldap._tcp.<DnsDomainName>
DcByGuid        SRV   _ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName>
Kdc             SRV   _kerberos._tcp.dc._msdcs.<DnsDomainName>
Dc              SRV   _ldap._tcp.dc._msdcs.<DnsDomainName>
Rfc1510Kdc      SRV   _kerberos._tcp.<DnsDomainName>
Rfc1510UdpKdc   SRV   _kerberos._udp.<DnsDomainName>
Rfc1510Kpwd     SRV   _kpasswd._tcp.<DnsDomainName>
Rfc1510UdpKpwd  SRV   _kpasswd._udp.<DnsDomainName>

Global Catalog-Specific Records

Mnemonic        Type  DNS Record
Gc              SRV   _ldap._tcp.gc._msdcs.<DnsForestName>
GcIpAddress     A     gc._msdcs.<DnsForestName>
GenericGc       SRV   _gc._tcp.<DnsForestName>
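
One way to carry out the DNS check from the last step of the procedure, as an added example that is not part of the original post or the KB article: it queries the generic SRV records from the tables above on a chosen DNS server and reports whether the spoke DC is still listed as a target. The domain, forest, DC and DNS server names are placeholders, Resolve-DnsName is assumed to be available (Windows 8 / Server 2012 or later), and the three records that need the domain GUID or an IP address comparison (DcByGuid, LdapIpAddress, GcIpAddress) are left out.

```powershell
# Added example. All four default values are placeholders; pass your own.
param(
    [string]$DnsDomainName = 'corp.example.com',
    [string]$DnsForestName = 'corp.example.com',
    [string]$SpokeDc       = 'spoke-dc01.corp.example.com',
    [string]$DnsServer     = 'hub-dc01.corp.example.com'  # DNS server the spoke DC registers with
)

# Mnemonic -> generic (non-site-specific) SRV owner name, from the reference tables.
$srvRecords = [ordered]@{
    Ldap           = "_ldap._tcp.$DnsDomainName"
    Kdc            = "_kerberos._tcp.dc._msdcs.$DnsDomainName"
    Dc             = "_ldap._tcp.dc._msdcs.$DnsDomainName"
    Rfc1510Kdc     = "_kerberos._tcp.$DnsDomainName"
    Rfc1510UdpKdc  = "_kerberos._udp.$DnsDomainName"
    Rfc1510Kpwd    = "_kpasswd._tcp.$DnsDomainName"
    Rfc1510UdpKpwd = "_kpasswd._udp.$DnsDomainName"
    Gc             = "_ldap._tcp.gc._msdcs.$DnsForestName"
    GenericGc      = "_gc._tcp.$DnsForestName"
}

$spoke = $SpokeDc.TrimEnd('.')
$results = foreach ($mnemonic in $srvRecords.Keys) {
    $name = $srvRecords[$mnemonic]
    # Ask the named server only (-DnsOnly: no LLMNR/NetBIOS fallback) and keep
    # the SRV answers, dropping the A records returned in the additional section.
    $answers = @(Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -DnsOnly `
                     -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'SRV' })
    $targets = @($answers | ForEach-Object { $_.NameTarget.TrimEnd('.') })
    [pscustomobject]@{
        Mnemonic  = $mnemonic
        Record    = $name
        Targets   = $targets.Count
        SpokeSeen = $targets -contains $spoke   # comparison is case-insensitive
    }
}

$results | Format-Table -AutoSize

# The spoke DC should be absent from every generic record once the policy has applied.
if ($results.SpokeSeen -contains $true) {
    Write-Warning "$spoke is still registered in at least one generic record."
}
# A record with no targets at all means no DC is advertising it on this server.
if ($results.Targets -contains 0) {
    Write-Warning "At least one generic record returned no SRV targets from $DnsServer."
}
```

The site-specific records (those containing `._sites.`) are not listed in the policy and are not checked here, so the spoke DC remains locatable within its own site.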