If you have a hub-and-spoke site topology, it may not be a good idea for certain (or all) spoke DCs to advertise, via DNS, that they can provide authentication services to the whole domain. If the DC at a remote site fails, it is usually best that the clients in that spoke go to the hub for authentication rather than to another spoke across a slow WAN link. By default Active Directory (AD) does not behave this way: every DC registers both its site-specific locator records and the generic, domain-wide ones, so a client that cannot find a DC in its own site (or that has no site mapping at all) can be handed any DC in the domain, including a spoke DC. If you want your spoke DCs to advertise only within their own site, configure a Group Policy (Windows Server 2003 and later) that stops them from registering the generic records. Machines running Windows 2000 need a registry change instead (the DnsAvoidRegisterRecords value under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters, described in the KB article referenced later).
You will need to create a new Group Policy Object and define which DCs will have Read and Apply Group Policy permissions on it. Make sure to remove the Apply Group Policy permission from Authenticated Users (leave Read in place); otherwise ALL DCs will receive this policy once it is linked to the Domain Controllers OU, and none of them will register the generic records, which leaves clients outside any site with no DC to find.
- Open up Group Policy Management and create a new Policy
- Select this new Policy and click on the Delegation tab
- Select the Advanced button
- Remove the Apply Group Policy permission from Authenticated Users (keep Read)
- Add each DC you would like to apply this policy to and grant it Read and Apply Group Policy permissions
- Right click on the policy and select Edit
- Computer Configuration / Administrative Templates / System / Net Logon / DC Locator DNS records
- Double click on DC Locator DNS records not registered by the DCs
- Enable the setting and key in the mnemonics below as one space-separated list (copy and paste)
Dc DcByGuid Gc GcIpAddress GenericGc Kdc Ldap LdapIpAddress Rfc1510Kdc Rfc1510Kpwd Rfc1510UdpKdc Rfc1510UdpKpwd
- See the reference tables below for the mnemonic definitions (note the spelling: a misspelled mnemonic matches no record and suppresses nothing)
Wait for (or force) AD replication, then from a command prompt on each DC in question run the following:
- gpupdate /force
- This applies the new policy
- Restart the Netlogon service (or run netdiag /fix)
- This re-registers the DC's DNS records. When you check the result, query the DNS server this DC points to, or wait for DNS replication to take place; the generic records should no longer list the spoke DC, while its site-specific records (under _sites) must still be there.
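The whole procedure above as one PowerShell script, added here as an example rather than taken from the original post. It assumes the GroupPolicy module (RSAT on Windows Server 2008 R2 or later), the hypothetical domain corp.example.com, two hypothetical spoke DCs named SPOKE-DC01 and SPOKE-DC02, and an assumed GPO name. It writes the same setting the GUI steps write: the policy "DC Locator DNS records not registered by the DCs" stores the mnemonic list as the REG_SZ value DnsAvoidRegisterRecords under HKLM\SOFTWARE\Policies\Microsoft\Netlogon\Parameters. It validates the list against the KB306602 mnemonics first, because a misspelled mnemonic suppresses nothing.

```powershell
# Added example: put spoke DCs on a "no generic DC locator records" GPO.
# Hypothetical values: domain corp.example.com, spoke DCs SPOKE-DC01 / SPOKE-DC02.
Import-Module GroupPolicy

$GpoName  = 'Spoke DCs - No generic DC locator records'          # assumed name
$DcOu     = 'OU=Domain Controllers,DC=corp,DC=example,DC=com'     # assumed domain
$SpokeDcs = @('SPOKE-DC01', 'SPOKE-DC02')                         # assumed DCs

# Mnemonics from KB306602 (the same list the article pastes into the GUI).
$Mnemonics = 'Dc DcByGuid Gc GcIpAddress GenericGc Kdc Ldap LdapIpAddress ' +
             'Rfc1510Kdc Rfc1510Kpwd Rfc1510UdpKdc Rfc1510UdpKpwd'

# Guard against typos: an unknown mnemonic matches no record and suppresses nothing.
$Known = @('Dc','DcByGuid','Gc','GcIpAddress','GenericGc','Kdc','Ldap','LdapIpAddress',
           'Rfc1510Kdc','Rfc1510Kpwd','Rfc1510UdpKdc','Rfc1510UdpKpwd')
$bad = ($Mnemonics -split '\s+') | Where-Object { $Known -notcontains $_ }
if ($bad) { throw "Unknown mnemonic(s): $($bad -join ', ')" }

# 1. Create the GPO (reuse it if it already exists).
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Spoke DCs register only site-specific DC locator records'
}

# 2. Security filtering: Authenticated Users keep Read but lose Apply Group Policy,
#    so the policy does not hit every DC once it is linked to the Domain Controllers OU.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel GpoRead -Replace | Out-Null

# 3. Each spoke DC gets Read + Apply Group Policy (GpoApply includes Read).
foreach ($dc in $SpokeDcs) {
    Set-GPPermission -Name $GpoName -TargetName $dc -TargetType Computer `
                     -PermissionLevel GpoApply | Out-Null
}

# 4. The registry value behind Computer Configuration > Administrative Templates >
#    System > Net Logon > DC Locator DNS Records >
#    "DC Locator DNS records not registered by the DCs".
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Netlogon\Parameters' `
    -ValueName 'DnsAvoidRegisterRecords' -Type String -Value $Mnemonics | Out-Null

# 5. Link to the Domain Controllers OU; the filtering above limits who applies it.
$linked = (Get-GPInheritance -Target $DcOu).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $DcOu -LinkEnabled Yes | Out-Null
}

# 6. On each spoke DC: pull the policy, then make Netlogon re-register its records.
foreach ($dc in $SpokeDcs) {
    Invoke-Command -ComputerName $dc -ScriptBlock {
        gpupdate /target:computer /force | Out-Null
        Restart-Service Netlogon
        nltest /dsregdns | Out-Null        # force DNS registration (same effect as netdiag /fix)
        # Show the value Netlogon now honours (what the GPO wrote on this DC).
        Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Netlogon\Parameters' |
            Select-Object -ExpandProperty DnsAvoidRegisterRecords
    }
}
```

Run it once from a machine with the RSAT tools as a domain administrator. The per-DC filtering mirrors the GUI steps; if you would rather manage membership than permissions, grant GpoApply to a security group of spoke DC computer accounts instead, remembering that a DC only picks up a new group membership after its computer token is refreshed (a reboot).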
The following tables are taken from Microsoft KB article 306602.
Reference Tables
The following tables list the mnemonics, record types, and owner names of the domain controller locator DNS records that spoke (satellite) domain controllers and global catalogs should not register in order to optimize domain controller location. Site-specific records (those under _sites) are not in the list and continue to be registered, which is what keeps the DC findable from its own site.
Domain Controller-Specific Records
| Mnemonic | Type | DNS Record |
|---|---|---|
| LdapIpAddress | A | <DnsDomainName> |
| Ldap | SRV | _ldap._tcp.<DnsDomainName> |
| DcByGuid | SRV | _ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName> |
| Kdc | SRV | _kerberos._tcp.dc._msdcs.<DnsDomainName> |
| Dc | SRV | _ldap._tcp.dc._msdcs.<DnsDomainName> |
| Rfc1510Kdc | SRV | _kerberos._tcp.<DnsDomainName> |
| Rfc1510UdpKdc | SRV | _kerberos._udp.<DnsDomainName> |
| Rfc1510Kpwd | SRV | _kpasswd._tcp.<DnsDomainName> |
| Rfc1510UdpKpwd | SRV | _kpasswd._udp.<DnsDomainName> |
Global Catalog-Specific Records
| Mnemonic | Type | DNS Record |
|---|---|---|
| Gc | SRV | _ldap._tcp.gc._msdcs.<DnsForestName> |
| GcIpAddress | A | gc._msdcs.<DnsForestName> |
| GenericGc | SRV | _gc._tcp.<DnsForestName> |
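To check the result against the two tables, here is an added verification script (not from the KB article). It expands every record in the tables for a given domain and forest, asks the DNS server the spoke DC registers with whether that DC still appears in them, and then confirms the DC's own site-specific records are still present. It assumes the ActiveDirectory module (for the domain GUID and forest root) and Resolve-DnsName (Windows 8 / Server 2012 or later), plus hypothetical names: domain corp.example.com, site Spoke1, DC spoke-dc01 at 10.20.0.10, which is also the DNS server queried.

```powershell
# Added example: verify which DC locator records a spoke DC still registers.
# Hypothetical values; replace with your own.
Import-Module ActiveDirectory

$DnsDomainName = 'corp.example.com'
$DnsForestName = (Get-ADForest).RootDomain
$DomainGuid    = (Get-ADDomain -Identity $DnsDomainName).ObjectGUID.ToString()
$SiteName      = 'Spoke1'
$SpokeDcFqdn   = 'spoke-dc01.corp.example.com'
$SpokeDcIp     = '10.20.0.10'
$DnsServer     = '10.20.0.10'   # the server this DC registers with; ask it, not a replica

# The records from the reference tables (mnemonic -> type, owner name).
$Generic = @(
    @{ Mnemonic='LdapIpAddress';  Type='A';   Name=$DnsDomainName },
    @{ Mnemonic='Ldap';           Type='SRV'; Name="_ldap._tcp.$DnsDomainName" },
    @{ Mnemonic='DcByGuid';       Type='SRV'; Name="_ldap._tcp.$DomainGuid.domains._msdcs.$DnsForestName" },
    @{ Mnemonic='Kdc';            Type='SRV'; Name="_kerberos._tcp.dc._msdcs.$DnsDomainName" },
    @{ Mnemonic='Dc';             Type='SRV'; Name="_ldap._tcp.dc._msdcs.$DnsDomainName" },
    @{ Mnemonic='Rfc1510Kdc';     Type='SRV'; Name="_kerberos._tcp.$DnsDomainName" },
    @{ Mnemonic='Rfc1510UdpKdc';  Type='SRV'; Name="_kerberos._udp.$DnsDomainName" },
    @{ Mnemonic='Rfc1510Kpwd';    Type='SRV'; Name="_kpasswd._tcp.$DnsDomainName" },
    @{ Mnemonic='Rfc1510UdpKpwd'; Type='SRV'; Name="_kpasswd._udp.$DnsDomainName" },
    @{ Mnemonic='Gc';             Type='SRV'; Name="_ldap._tcp.gc._msdcs.$DnsForestName" },
    @{ Mnemonic='GcIpAddress';    Type='A';   Name="gc._msdcs.$DnsForestName" },
    @{ Mnemonic='GenericGc';      Type='SRV'; Name="_gc._tcp.$DnsForestName" }
)

# Site-specific records are NOT in the avoid list and must still carry the DC;
# otherwise clients in the spoke site itself lose their local DC.
$SiteSpecific = @(
    @{ Mnemonic='(site) Ldap'; Type='SRV'; Name="_ldap._tcp.$SiteName._sites.$DnsDomainName" },
    @{ Mnemonic='(site) Dc';   Type='SRV'; Name="_ldap._tcp.$SiteName._sites.dc._msdcs.$DnsDomainName" },
    @{ Mnemonic='(site) Kdc';  Type='SRV'; Name="_kerberos._tcp.$SiteName._sites.dc._msdcs.$DnsDomainName" }
)

# Does the spoke DC appear in the answer set for this record?
function Test-DcInRecord($rec) {
    $answers = Resolve-DnsName -Name $rec.Name -Type $rec.Type -Server $DnsServer -ErrorAction SilentlyContinue
    if ($rec.Type -eq 'SRV') {
        [bool]($answers | Where-Object { $_.NameTarget -ieq $SpokeDcFqdn })
    } else {
        [bool]($answers | Where-Object { $_.IPAddress -eq $SpokeDcIp })
    }
}

$fmt = '{0,-16} {1,-4} {2,-72} {3}'
foreach ($r in $Generic) {
    $status = if (Test-DcInRecord $r) { 'STILL REGISTERED (policy not applied yet, or stale record)' }
              else                    { 'absent (ok)' }
    $fmt -f $r.Mnemonic, $r.Type, $r.Name, $status
}
foreach ($r in $SiteSpecific) {
    $status = if (Test-DcInRecord $r) { 'present (ok)' }
              else                    { 'MISSING (clients in this site cannot find the DC)' }
    $fmt -f $r.Mnemonic, $r.Type, $r.Name, $status
}
```

Querying the DNS server the DC actually registers with matters: a replica that has not yet received the zone change will still show the old records and make a working policy look broken. A generic record that stays populated after gpupdate and a Netlogon restart usually means the GPO did not apply to that DC, which gpresult /scope computer will confirm.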