How to prevent users from authenticating to specific Domain Controllers

One forest, one domain setup.

I have 30 domain controllers, a mix of Windows 2008 and 2003 domain controllers (2003 functional level), divided into several sites with subnets.

I want to prevent users from authenticating to a few domain controllers (all AD 2008) temporarily, for a couple of weeks. We have some issues with a psynch DLL that is not compatible with Windows 2008 domain controllers. I don't want users to change passwords from the AD 2008 DCs.

How do I achieve this?

1. Do I create dummy sites without subnets and move the Windows 2008 DCs into that site? Are there any concerns here?
2. Do I prevent users from changing passwords via Ctrl+Alt+Del through GPO? This might grey out the password change button, but when a real password expiry happens it will still show the change password window with the new password option, I guess. This really does not solve the problem.

My goal is to stop users hitting a few Windows 2008 DCs and to prevent password changes from there.

Any thoughts?
Awinish commented:
You can also use the LdapSrvWeight & LdapSrvPriority registry keys to control which DC is used for authentication.
You can use the LMHOSTS file to add a #PRE record specifying the DOMAIN and the server you want to authenticate against. Reboot after changes are

More information on this is located here:
Adam Brown (Sr Solutions Architect) commented:
LMHOSTS is a bad way to handle this. You can actually make use of the domain controller weighting and prioritization system in DNS to configure it so that clients either don't use a specific domain controller or use it exclusively. There are two ways of doing this.

1. If you open DNS, you'll see a forward lookup zone called _msdcs.domain.local.
Expanding that zone lets you view a few other subordinate zones. The one you want to look at is _dc. In this zone is a list of all your sites. If you continue to drill down you'll eventually see the SRV records for LDAP and Kerberos. If you double-click those you can set the priority and weight for the service. Setting the priority to a higher number than the other domain controllers in your network will ensure that the server is never used to provide the service you are setting the priority on until all other domain controllers are unavailable. Setting the weight determines what percentage of traffic for the service is handled by the DC.

2. You can modify the registry settings that the servers use to register themselves in DNS. This is probably the preferable method, since the above method may rely on the registry settings of the DCs. has information on how this system works and how to configure it.

If your goal is to prevent password changes, just go into the user's AD account and select "Password never expires". That overrides the domain password policy.

Other than that, I don't understand why not take these servers offline while work is performed on them. A single server can handle 250 clients pretty well.
If you need to block clients, then take their IP and create an access control list on the ports needed for authentication, but leave the DNS tab open. What that will do is tell the client that the server is offline, and it will find a DNS pointer to another server. Basically you are blocking them from authenticating with that specific server by using an ACCESS CONTROL LIST to block the IP of that client.
Sorry for the triple post. I was thinking of Cisco routers with the ACL; I should have been thinking of an IPsec filter to filter out domain authentication from these IP addresses. You can set up an IPsec filter to block them from AD authentication, or from authenticating with a certain server.

Here is a list of ports that Microsoft servers use:
Leon Fester (Senior Solutions Architect) commented:
Stopping the netlogon service on the W2K8 servers should "disable" them from servicing authentication requests.
FemSteenkamp commented:
Your idea about

1) Moving the servers to the dummy site will work. Also artificially give the site link between the dummy site and the other sites a large cost. Make this change from the 2008 server itself.

2) Disable automatic site coverage for the 2008 servers.

3) Disable the registration of the A record (LdapIpAddress) on the 2008 servers; this way they will not appear in an nslookup query of just the domain name.

4) Increase the priority of the SRV records to an artificially high value, e.g. 65535.
Priority: the priority of the target host; a lower value means more preferred.

Give it 10 minutes to replicate to another server,
then reboot and verify in DNS that it is indeed registering ONLY in the dummy site.

The concern here is that replication to the domain controller will not be optimal, since it will create the link to the dummy site link (which I presume you will link to a real existing site), and as such the 2008 servers will only replicate from there. If link speeds and bandwidth are not too big a problem you should be able to live with this.

This way the 2008 DCs still form part of the replication and are kept up to date. Stopping the Netlogon service will also stop replication.

Undo the changes once the problem is resolved.

Do note that this will not guarantee NO password changes; there is a very small chance that the DC can still be used (e.g. if none of the other DCs respond to the user's logon request).
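The DC Locator tuning described in Adam Brown's second method and in FemSteenkamp's steps 2 to 4 (raise the SRV priority, cut the weight, turn off automatic site coverage, stop registering the domain A record) is driven by documented Netlogon registry parameters. The script below is an added example, not code from any of the participants: it applies those parameters on one Windows Server 2008 DC, backs them up first so they can be reverted once the psynch issue is fixed, and parses nslookup output to confirm what the DC now advertises. The domain name contoso.com is a placeholder; the script assumes PowerShell is installed on the DC (an optional feature on 2008, built in on 2008 R2) and that it is run elevated on the DC itself.

```powershell
# Added example (not from the original thread). Keep one DC out of the DC Locator
# path via the Netlogon parameters documented by Microsoft, and verify the result.
# Run in an elevated PowerShell session on the 2008 DC being "demoted".
# Assumption: 'contoso.com' stands for the real AD DNS domain name.

$DomainDns      = 'contoso.com'
$NetlogonKey    = 'HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$NetlogonParams = "HKLM:\$($NetlogonKey.Substring(5))"
$BackupFile     = Join-Path $env:ProgramData 'Netlogon-Parameters-before-demotion.reg'
$TunedValues    = 'LdapSrvPriority', 'LdapSrvWeight', 'AutoSiteCoverage', 'DnsAvoidRegisterRecords'

function Set-DcLocatorDemotion {
    param(
        [int]$Priority = 65535,   # SRV priority: lower wins, 65535 = chosen only when no other DC answers
        [int]$Weight   = 0,       # SRV weight: share of traffic among DCs of equal priority
        # Record mnemonics Netlogon must NOT register. LdapIpAddress is the bare domain
        # A record ("nslookup contoso.com"); GcIpAddress is the gc._msdcs A record.
        [string[]]$AvoidRecords = @('LdapIpAddress', 'GcIpAddress')
    )
    # Snapshot the key once so Restore-DcLocatorDefaults can put back whatever was there.
    if (-not (Test-Path $BackupFile)) {
        & reg.exe export $NetlogonKey $BackupFile /y | Out-Null
    }
    Set-ItemProperty -Path $NetlogonParams -Name LdapSrvPriority         -Value $Priority     -Type DWord
    Set-ItemProperty -Path $NetlogonParams -Name LdapSrvWeight           -Value $Weight       -Type DWord
    Set-ItemProperty -Path $NetlogonParams -Name AutoSiteCoverage        -Value 0             -Type DWord
    Set-ItemProperty -Path $NetlogonParams -Name DnsAvoidRegisterRecords -Value $AvoidRecords -Type MultiString

    # Netlogon reads these parameters at start-up and then re-registers its DNS records.
    Restart-Service -Name Netlogon
    & nltest.exe /dsregdns | Out-Null
}

function Restore-DcLocatorDefaults {
    # Remove the four tuned values (Netlogon then falls back to priority 0, weight 100,
    # automatic site coverage on, all records registered) and merge the snapshot back
    # so any value that existed before the change is restored.
    foreach ($name in $TunedValues) {
        Remove-ItemProperty -Path $NetlogonParams -Name $name -ErrorAction SilentlyContinue
    }
    if (Test-Path $BackupFile) {
        & reg.exe import $BackupFile | Out-Null
    }
    Restart-Service -Name Netlogon
    & nltest.exe /dsregdns | Out-Null
}

function Get-DcLocatorSrv {
    param([string]$Domain = $DomainDns)
    # Resolve-DnsName does not exist on 2008, so parse nslookup's SRV answer.
    # Emits one object per DC listed in _ldap._tcp.dc._msdcs.<domain>.
    $lines   = & nslookup.exe -type=SRV "_ldap._tcp.dc._msdcs.$Domain" 2>$null
    $current = @{}
    foreach ($line in $lines) {
        if     ($line -match '^\s*priority\s*=\s*(\d+)')     { $current = @{ Priority = [int]$matches[1] } }
        elseif ($line -match '^\s*weight\s*=\s*(\d+)')       { $current.Weight = [int]$matches[1] }
        elseif ($line -match '^\s*svr hostname\s*=\s*(\S+)') {
            $current.Host = $matches[1]
            New-Object PSObject -Property $current
        }
    }
}

# Usage on the DC to be kept out of the locator path:
#   Set-DcLocatorDemotion
#   Get-DcLocatorSrv | Sort-Object Priority, Host | Format-Table Host, Priority, Weight -AutoSize
# This DC should show priority 65535 / weight 0, and once the zone has replicated
# it should no longer appear in "nslookup contoso.com". Revert with Restore-DcLocatorDefaults.
```

The same four settings exist as Group Policy under Computer Configuration > Administrative Templates > System > Net Logon > DC Locator DNS Records, which is the cleaner choice when several DCs need the same treatment; the registry route above is what the policy writes. Two caveats worth checking before relying on this: it only changes discovery through DC Locator, so anything that addresses the DC by name (the psynch service itself, scripts, or a client told to use a specific KDC) is unaffected, and, as noted above, a client that gets no answer from every lower-priority DC will still fall back to this one and can change a password there.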