How to prevent user authentication to specific Domain Controllers

Posted on 2011-05-03
Last Modified: 2012-05-11
One forest, one domain setup.

I have 30 domain controllers, a mix of Windows 2008 and 2003 domain controllers (2003 Functional Level), divided into several sites with subnets.

I want to prevent users from authenticating to a few domain controllers (all AD 2008) temporarily for a couple of weeks. We have some issues with a psynch DLL not compatible with Windows 2008 domain controllers. I don't want users to change passwords from AD 2008 DCs.

How do I achieve this?

1. Do I create dummy sites without subnets and move the Windows 2008 DCs into that site? Are there any concerns here?
2. Do I prevent users from changing the pwd via Ctrl+Alt+Del through GPO? This might grey out the password change button, but when real password expiry happens it will give the option to change the password in a window with a new password option, I guess. This really does not solve the problem.

My goal is to stop users hitting a few Windows 2008 DCs and prevent changing passwords from there.

Any thoughts?
Question by:sirineni
    LVL 2

    Expert Comment

    You can use the lmhosts file to add in a #PRE record specifying the DOMAIN
    and the Server you want to authenticate against. Reboot after changes are

    More information on this is located here:
    LVL 38

    Expert Comment

    by:Adam Brown
    LMHOSTS is a bad way to handle this. You can actually make use of the Domain Controller Weighting and Prioritization system in DNS to configure it so clients either don't use a specific Domain Controller or use it exclusively. There are two ways of doing this.

    1. If you Open DNS, you'll see a Forward Lookup zone called _msdcs.domain.local.
    Expanding that zone allows you to view a few other subordinate zones. The one you want to look at is _dc. In this zone is a list of all your Sites. If you continue to drill down you'll eventually see the SRV records for LDAP and Kerberos. If you double-click those you can set the Priority and Weight for the service. Setting the Priority to a higher number than the other Domain Controllers in your network will ensure that the server is never used to provide the service you are setting the priority on until all other domain controllers are unavailable. Setting the Weight determines which percentage of traffic for the service is handled by the DC.

    2. You can modify the registry settings that the servers use to register themselves in DNS. This is probably the preferable method, since the above method may rely on the registry settings of the DCs. has information on how this system works and how to configure it.
    LVL 38

    Expert Comment

    If your goal is to prevent password changes, just go into the user's AD account and select "Password Never Expires". That overrides the domain password policy.

    Other than that, I don't understand why not bring these servers offline while work is performed on them. A single server can handle 250 clients pretty well.
    LVL 38

    Expert Comment

    If you need to block clients, then take their IP and create an access control list on the ports needed for authentication, but leave the DNS tab open. What that will do is tell the client that the server is offline and it will find a DNS pointer to another server. Basically you are blocking them from authenticating with that specific server using an ACCESS CONTROL LIST to block the IP of that client.
    LVL 38

    Expert Comment

    Sorry for the triple post. I am thinking Cisco routers with the ACL; I should have been thinking of an IPsec filter to filter out domain authentication with these IP addresses. You can set up an IPsec filter to block them from AD authentication or from authenticating with a certain server.

    Here is a list of ports that Microsoft servers use:
    LVL 24

    Accepted Solution

    You can also use the LdapSrvWeight & LdapSrvPriority registry keys to control which DC is used for authentication.
    LVL 26

    Expert Comment

    by:Leon Fester
    Stopping the netlogon service on the W2K8 servers should "disable" them from servicing authentication requests.
    LVL 7

    Assisted Solution

    Your idea about:

    1) Moving the servers to the dummy site will work. Also artificially give the site link between the dummy site and other sites a large number. Do this change from the 2008 server itself.

    2) Disable automatic site coverage for the 2008 servers.

    3) Disable the registration of the A record (LdapIpAddress) on the 2008 servers; this way they will not appear in an nslookup query of just the domain.

    4) Increase the priority of the SRV records to an artificially high value, e.g. 65535.
    Priority: the priority of the target host; a lower value means more preferred.

    Give it 10 min to replicate to another server,
    then reboot and verify in DNS that indeed it is registering ONLY in the dummy site.

    The concern here is that the replication to the domain controller will not be optimal, since it will create the link to the dummy site link (which I presume you will link to a real existing site) and as such the 2008 servers will only replicate from there. If link speeds and bandwidth are not too big a problem you should be able to live with this.

    This way the 2008 DCs are still forming part of the replication and are being kept up to date. Stopping the netlogon service will also stop replication.

    Undo the changes once the problem is resolved.

    Do note that this will not guarantee NO password changes, but there is a very small chance that the DC can be used (e.g. if none of the other DCs respond to the user login request).
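    The registry-based variant of steps 2 to 4 above (and the LdapSrvWeight / LdapSrvPriority keys from the accepted solution), written out as an added example that is not from any poster in this thread. It is run as an administrator on the 2008 DC being withdrawn; the registry value names are the documented Netlogon DC Locator settings, while the domain name and the chosen priority are assumptions, and the dummy-site move of step 1 is still done in AD Sites and Services.

```powershell
# Added example, not code from the thread. Run elevated on the 2008 DC itself.
# -Revert removes the overrides again once the psynch issue is fixed.
param([switch]$Revert)

$Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$Domain = 'domain.local'   # assumption: replace with your own domain name

if (-not $Revert) {
    # Step 4: make this DC the least-preferred target in the LDAP/Kerberos SRV
    # records (higher priority value = less preferred, 65535 is the maximum).
    Set-ItemProperty -Path $Params -Name LdapSrvPriority -Type DWord -Value 65535
    # Weight 0 gives this DC no share of traffic if another DC ever ties on priority.
    Set-ItemProperty -Path $Params -Name LdapSrvWeight   -Type DWord -Value 0
    # Step 2: stop this DC from "covering" sites that have no DC of their own.
    Set-ItemProperty -Path $Params -Name AutoSiteCoverage -Type DWord -Value 0
    # Step 3: do not register the domain A record (LdapIpAddress), so a plain
    # lookup of the domain name no longer returns this DC's address.
    Set-ItemProperty -Path $Params -Name DnsAvoidRegisterRecords `
        -Type MultiString -Value @('LdapIpAddress')
} else {
    # Undo: deleting the values restores Netlogon defaults
    # (priority 0, weight 100, site coverage on, all records registered).
    foreach ($n in 'LdapSrvPriority','LdapSrvWeight',
                   'AutoSiteCoverage','DnsAvoidRegisterRecords') {
        Remove-ItemProperty -Path $Params -Name $n -ErrorAction SilentlyContinue
    }
}

# Netlogon re-registers its DNS records when it starts, so no full reboot is needed.
Restart-Service Netlogon

# Verify after replication: this DC's SRV record should show the new
# priority/weight. nslookup is used because Resolve-DnsName only exists on
# Windows 8 / Server 2012 and later; the 3 lines before the hostname hold them.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" |
    Select-String -Pattern $env:COMPUTERNAME -Context 3,0
```

    As the thread notes, this only makes the DC the locator's last choice; if every other DC stops answering, clients will still fall back to it.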
