Authentication Control Through AD Sites and Services and DNS
Posted on 2005-04-13
I've read several postings on here saying that the only way to control login authentication in Windows 2000 Server is to use the DNS SRV records in DNS that are set up by site and to set priority for what domain controller that site should look to first for authentication. Our MIS director wants to employ this to keep computers in our various sites from going over wireless links to reach a domain controller (as much as possible). From other postings I've read, I assume the way to do this is to go to:
Forward Lookup zones
Active Directory Integrated Zone name
Default-First-Site-Name (or other site)
then to pick the SRV record for the DC that should be the first one looked to for authentication, and set the priority.
What I don't understand, I guess, is exactly how the priority works. When I go into the SRV records, each site has records for ldap and kerberos for whatever DC has been put in their site through AD Sites and Services. I'm assuming that the kerberos records will affect login authentication and the ldap records are for Active Directory lookup (not sure if I'm correct there). I need to know, if I set the priority to 1 and leave the rest at zero, does that mean the DC that's set at 1 will be looked to first, then any others with zero will be used (in no particular order) if that one's not available? Or, let's say, if I have 5 DCs in one site, I set them at 5, 4, 3, 2, and 1 for priority, does #5 get looked at first, or #1?
Thanks in advance for the help!
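Added example, not part of the original post: a small routine implementing the RFC 2782 SRV selection rule that the Windows DC locator also applies, run over constructed site records shaped like the two scenarios asked about above. Lower priority values are contacted first; weight only shares load among records of equal priority. Hostnames and the `example.com` domain are made up for the illustration.

```python
"""RFC 2782 SRV selection order for AD site records such as
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.example.com (constructed)."""
import random
from dataclasses import dataclass
from itertools import groupby
from typing import Iterable, List


@dataclass(frozen=True)
class SrvRecord:
    priority: int  # lower value is tried first (RFC 2782)
    weight: int    # load share among records with the same priority
    port: int
    target: str


def _weighted_order(group: List[SrvRecord], rng: random.Random) -> List[SrvRecord]:
    """Order one equal-priority group by RFC 2782 weighted random selection."""
    # RFC 2782: weight-0 records go to the front before drawing; stable sort keeps input order
    remaining = sorted(group, key=lambda r: r.weight != 0)
    ordered: List[SrvRecord] = []
    while remaining:
        total = sum(r.weight for r in remaining)
        pick = rng.randint(0, total)  # uniform in [0, total], inclusive
        running = 0
        for rec in remaining:
            running += rec.weight
            if running >= pick:  # first record whose running sum reaches the draw
                ordered.append(rec)
                remaining.remove(rec)
                break
    return ordered


def preferred_group(records: Iterable[SrvRecord]) -> List[str]:
    """Targets sharing the lowest priority value: the only ones tried while any of them answers."""
    recs = list(records)
    lowest = min(r.priority for r in recs)
    return [r.target for r in recs if r.priority == lowest]


def contact_order(records: Iterable[SrvRecord], seed: int = 0) -> List[str]:
    """Full order a compliant client tries the DCs; randomness only inside equal-priority groups."""
    rng = random.Random(seed)
    by_priority = sorted(records, key=lambda r: r.priority)
    order: List[str] = []
    for _, grp in groupby(by_priority, key=lambda r: r.priority):
        order.extend(r.target for r in _weighted_order(list(grp), rng))
    return order


# Constructed records; Windows registers DCs with priority 0 and weight 100 by default.
SCENARIO_ONE_AT_1 = [SrvRecord(1, 100, 389, "dc1.example.com"),
                     SrvRecord(0, 100, 389, "dc2.example.com"),
                     SrvRecord(0, 100, 389, "dc3.example.com")]
SCENARIO_5_TO_1 = [SrvRecord(p, 100, 389, f"dc{p}.example.com") for p in (5, 4, 3, 2, 1)]
```

Running `contact_order` on either list shows that the record set to 1 is tried after every record left at 0, and that in the 5-to-1 case the DC with priority 1 is tried first and the one with priority 5 last.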