Proper AD/DNS setup with hundreds of DCs across hundreds of sites = DC locator?

Trying to find out the best way to set up AD/DNS on hundreds of DCs across hundreds of sites.

There are hundreds of subnets and hundreds of sites.
For each site there is a site link that includes the remote site and the datacenter (main).
This is set up for all the sites, each with its site linked with the DC.

Then there is a group policy named branchofficedc assigned to all domain controllers, except the datacenter dcs.

Question: is the GPO listed below right for a Win2003 and Win2008 AD DS domain with DNS?
Also, with large numbers of DCs, should remote AD DNS servers point to themselves or to the datacenter primary DNS?

Also, on the DNS forward zone domain.local: what would happen if domain controllers were given full rights/permissions on the zone to create records? Would that negate the GPO on remote DCs?

What are the best practice settings for this GPO, and is it applicable to Win 2008/R2?

Also, does the
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters]
"DsTombstoneInterval"=dword:0013c680

need to be set on all domain controllers, Win 2003 and Win 2008?

Looked at regedit on a remote DC and I didn't see the value...
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Registry value: DnsAvoidRegisterRecords


Also, on the primary DNS site, should we run
dnscmd <ServerName> /Config <ZoneName> /AllowNSRecordsAutoCreation <IpAddresses>
and exclude remote branches from creating an NS record?

Running dnscmd servername /ZoneInfo domain.local /AllowNSRecordsAutoCreation gives an RPC null error and no results.


Are you supposed to specify a preferred bridgehead server in Sites and Services?
Is there only one per forest/domain? Will this be the datacenter PDC/DC?
All other remote DCs are hub/spoke with site links.

Getting the DCDIAG errors listed at the bottom.
Are these errors expected on remote/branch DCs with these settings?
Automated Site Coverage by the DC Locator DNS SRV Records Disabled  
DC Locator DNS records not registered by the DCs Enabled  
Mnemonics: LdapIpAddress Ldap DcByGuid Kdc Dc Rfc1510Kdc Rfc1510UdpKdc Rfc1510Kpwd Rfc1510UdpKpwd Gc GcIpAddress GenericGc


GPO on Branch DCs.
What is best practice, or which setting needs to be altered?

Computer Configuration (Enabled)
  Policies
    Administrative Templates
      Policy definitions (ADMX files) retrieved from the local machine.

      System/Net Logon
        Policy                                 Setting
        Contact PDC on logon failure           Enabled
        Log File Debug Output Level            Enabled
          Level: 536936447
        Netlogon share compatibility           Disabled
        Scavenge Interval                      Enabled
          Seconds: 900
        Sysvol share compatibility             Disabled

      System/Net Logon/DC Locator DNS Records
        Policy                                                      Setting
        Automated Site Coverage by the DC Locator DNS SRV Records   Disabled
        DC Locator DNS records not registered by the DCs            Enabled
          Mnemonics: LdapIpAddress Ldap DcByGuid Kdc Dc Rfc1510Kdc Rfc1510UdpKdc Rfc1510Kpwd Rfc1510UdpKpwd Gc GcIpAddress GenericGc
        Dynamic Registration of the DC Locator DNS Records          Enabled
        Force Rediscovery Interval                                  Enabled
          Seconds: 5400
        Priority Set in the DC Locator DNS SRV Records              Enabled
          Priority: 100
        Refresh Interval of the DC Locator DNS Records              Enabled
          Seconds: 1900
        Sites Covered by the GC Locator DNS SRV Records             Disabled
        TTL Set in the DC Locator DNS Records                       Enabled
          Seconds: 600

      Windows Components/AutoPlay Policies
        Policy               Setting
        Turn off Autoplay    Enabled
          Turn off Autoplay on: All drives

  Preferences
    Windows Settings
      Registry
        Collection: Registry Wizard Values/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/NTDS/Diagnostics
          Common options (identical for the collection and for every item in it):
            Stop processing items on this extension if an error occurs on this item: No
            Remove this item when it is no longer applied: No
            Apply once and do not reapply: No

          Registry items (each: Action Update; Hive blank in the report; Key path SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics; Value type REG_DWORD):
            Value name                          Value data
            24 DS Schema                        0x0 (0)
            23 DS RPC Server                    0x1 (1)
            22 DS RPC Client                    0x1 (1)
            21 Linked-Value Replication         0x0 (0)
            20 Group Caching                    0x0 (0)
            19 Inter-site Messaging             0x0 (0)
            18 Global Catalog                   0x0 (0)
            17 Setup                            0x0 (0)
            16 LDAP Interface Events            0x0 (0)
            15 Field Engineering                0x0 (0)
            14 Backup                           0x0 (0)
            13 Name Resolution                  0x1 (1)
            12 Service Control                  0x0 (0)
            11 Initialization/Termination       0x0 (0)
            10 Performance Counters             0x0 (0)
            9 Internal Processing               0x0 (0)
            8 Directory Access                  0x1 (1)
            7 Internal Configuration            0x0 (0)
            6 Garbage Collection                0x0 (0)
            5 Replication Events                0x1 (1)
            4 MAPI Interface Events             0x0 (0)
            3 ExDS Interface Events             0x0 (0)
            2 Security Events                   0x1 (1)
            1 Knowledge Consistency Checker     0x0 (0)

        Collection: Registry Wizard Values/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/NtFrs/Parameters
          Common options: as above (No / No / No)

          Registry item: Staging Space Limit in KB
            Action      Replace
            Hive        HKEY_LOCAL_MACHINE
            Key path    SYSTEM\CurrentControlSet\Services\NtFrs\Parameters
            Value name  Staging Space Limit in KB
            Value type  REG_DWORD
            Value data  0xFFFFFFF (268435455)


Some errors reported in dcdiag, repadmin, etc. include:

Errors = can't update SRV records, NS records, Kerberos, etc...

The dynamic registration of the DNS record '_ldap._tcp.HQ._sites.ForestDnsZones.domain.com. 600 IN SRV 100 100 389 DC02.domain.com.' failed on the following DNS server:  

DNS server IP address: 172.16.110.10 
Returned Response Code (RCODE): 5 
Returned Status Code: 9016  

The dynamic registration of the DNS record '_ldap._tcp.Default._sites.gc._msdcs.domain.com. 600 IN SRV 100 100 3268 DCC02.domain.com.' failed on the following DNS server:



DNS server IP address: 172.16.110.10    (this is the primary DC)

Returned Response Code (RCODE): 5

Returned Status Code: 9016


DC forwarders go to 192.168.110.10 which also has a zone called domain.dmz



For computers and users to locate this domain controller, this record must be
registered in DNS.




Also getting

The dynamic registration of the DNS record '_kerberos._tcp.somesite._sites.child.domain.com 600 IN SRV 0 100 88 DC03.child.domain.com.' failed on the following DNS server:



DNS server IP address: ::

Returned Response Code (RCODE): 0

Returned Status Code: 10048
 

dcdiag /test:dns shows
            DNS server: x.x.x.x (anotherDC.domain.com.)
               1 test failure on this DNS server
               Delegation is broken for the domain domain.com.domain.com. on the
 DNS server x.x.x.x
 [Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]

What's weird is that it says domain.com.domain.com, i.e. the domain name twice.


[Broken delegated domain domain.com.domain.com.]

      Starting test: kccevent
         * The KCC Event log test
         An Warning Event occured.  EventID: 0x80000495
            Time Generated: 08/27/2013   14:24:00
            (Event String could not be retrieved)
         ......................... otherDC failed test kccevent

         An Error Event occured.  EventID: 0xC000001B
            Time Generated: 08/27/2013   14:22:28
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC000001A
            Time Generated: 08/27/2013   14:25:20
            (Event String could not be retrieved) 
        190 consecutive failures since 2013-09-03 16:37:13.
        Last error: 1722 (0x6ba):
            The RPC server is unavailable.

Naming Context: DC=site,DC=domain,DC=local

Source: site-new-york\dc0105

******* WARNING: KCC could not add this REPLICA LINK due to error.

******* 87 CONSECUTIVE FAILURES since 2013-09-04 17:13:24

Last error: 1722 (0x6ba):

            The RPC server is unavailable.

REPLICATION-RECEIVED LATENCY WARNING
         Some-DC002:  Current time is 2013-09-05 16:09:34.

Event String: All domain controllers in the following site that

An Warning Event occured.  EventID: 0x8000061E

            Time Generated: 09/05/2013   15:56:14
            Event String: All domain controllers in the following site that

         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 09/05/2013   15:56:14
            Event String: The Knowledge Consistency Checker (KCC) has

         An Warning Event occured.  EventID: 0x80000749

         Source DC anotherdc1 has possible security error (1722).  Diagnosing...
               No KDC found for domain domain.local in site Sanfran-site (1355, NULL)

Unable to contact a KDC for the source domain in it's own site.  This means either there are no available KDC's for this domain in the site, *including* the source DC itself, or we're having network or packet fragmentation issues connecting to it.  We'll check packet fragmentation connection to the source DC, make recommendations, and continue.
                Warning:  The maximum non-fragmentable UDP transfer unit is 1448.
               This isn't a sufficient size for successful KDC operation unless all DC's in the enterprise are Windows Server 2003 or better.
               Solution:  Either configure the network to allow non-fragmented UDP packets of at least 1472 bytes, or install Server 2003 on all DC's in the enterprise and configure the KDC kerberos packet size to 1440.

 Unable to verify the machine account
LDAP search failed with error 58,


[WARNING] Failed to query SPN registration on DC 

DC59             (unknown)        9 /  10   90  (1722) The RPC server is unavailable.
DC408             (unknown)        8 /  18   44  (1256) The remote system is not available. 

Experienced the following operational errors trying to retrieve replication information:
58 - DC58.child.domain.local

Error: DNS server: DC401. IP:192.168.10.11

                  [Broken delegated domain domain.local.domain.local]

The dynamic registration of the DNS record '_ldap._tcp.Site-Michigan._sites.DomainDnsZones.domain.local. 600 IN SRV 0 100 389 MainDC.domain.local.' failed on the following DNS server:  


         An Error Event occurred.  EventID: 0x000016AD

            Time Generated: 09/05/2013   16:14:57


failed because the security database does not contain a trust account Some-Member-Server$' referenced by the specified computer. 

The session setup from the computer Some-Member-Server failed to authenticate. The following error occurred: 
An Error Event occurred.  EventID: 0x0000168E


This happens on almost all DCs, from Win 2008.


IndyrbAsked:
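The "dynamic registration of the DNS record ... failed" messages pasted in the question are NETLOGON event 5774 in the System log. With hundreds of DCs, the first triage question is whether the failures cluster on one DNS server or one status code (RCODE 5 is the DNS REFUSED response, a policy decision made by the answering server) or are spread across the estate. The following script is an added example, not from this thread or from any Microsoft tool: it parses such messages into record name, DNS server, RCODE and status code and groups them. Two sample messages with the values quoted in the question are constructed inline so the parser runs offline; -FromEventLog reads the live events instead.

```powershell
<#
  Added example (not from the original thread). Parses NETLOGON 5774
  "dynamic registration of the DNS record ... failed" messages and groups
  them by DNS server / RCODE / status code for triage.
  Assumptions: Get-WinEvent (Windows Server 2008 or later) when -FromEventLog
  is used; the two sample messages below are constructed from the question.
#>
$Pattern = "(?s)dynamic registration of the DNS record '(?<record>[^']+)'.*?" +
           "DNS server IP address:\s*(?<server>\S+).*?" +
           "Returned Response Code \(RCODE\):\s*(?<rcode>\d+).*?" +
           "Returned Status Code:\s*(?<status>\d+)"

function ConvertFrom-NetlogonRegistrationFailure {
    param([Parameter(ValueFromPipeline=$true)][string]$Message)
    process {
        if ($Message -match $Pattern) {
            # The record is "<name> <ttl> IN <type> ..."; keep name and type for grouping.
            $parts = $Matches.record -split '\s+'
            New-Object PSObject -Property @{
                RecordName = $parts[0]
                RecordType = $(if ($parts.Count -ge 4) { $parts[3] } else { '?' })
                DnsServer  = $Matches.server
                Rcode      = [int]$Matches.rcode
                Status     = [int]$Matches.status
            }
        }
    }
}

function Get-RegistrationFailureSummary {
    param([switch]$FromEventLog, [string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 500)
    if ($FromEventLog) {
        $messages = Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents -FilterHashtable @{
            LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5774 } | ForEach-Object { $_.Message }
    } else {
        # Constructed sample messages, same shape and values as the events quoted in the question.
        $messages = @(
            "The dynamic registration of the DNS record '_ldap._tcp.HQ._sites.ForestDnsZones.domain.com. 600 IN SRV 100 100 389 DC02.domain.com.' failed on the following DNS server:`r`n`r`nDNS server IP address: 172.16.110.10`r`nReturned Response Code (RCODE): 5`r`nReturned Status Code: 9016",
            "The dynamic registration of the DNS record '_kerberos._tcp.somesite._sites.child.domain.com 600 IN SRV 0 100 88 DC03.child.domain.com.' failed on the following DNS server:`r`n`r`nDNS server IP address: ::`r`nReturned Response Code (RCODE): 0`r`nReturned Status Code: 10048"
        )
    }
    $messages | ConvertFrom-NetlogonRegistrationFailure |
        Group-Object DnsServer, Rcode, Status |
        ForEach-Object {
            New-Object PSObject -Property @{
                DnsServer = $_.Group[0].DnsServer
                Rcode     = $_.Group[0].Rcode
                Status    = $_.Group[0].Status
                Failures  = $_.Count
                Records   = (($_.Group | ForEach-Object { $_.RecordName }) | Sort-Object -Unique) -join ' '
            }
        }
}

# Offline run over the constructed samples; use -FromEventLog on a DC for real data.
Get-RegistrationFailureSummary | Format-Table DnsServer, Rcode, Status, Failures, Records -AutoSize
```

Rows that share a DNS server and a REFUSED RCODE are investigated on that DNS server and its zone (who may update it), not on the registering DC; a row whose DNS server is "::" with a socket-level status code points at the local resolver configuration of the DC that logged it.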

Mike KlineCommented:
You shouldn't need to set any group policies for DNS for the DCs. The remote DCs can point to themselves for primary and remote for secondary.

If you had other DCs in the same site I'd point to another DC for primary and itself for secondary.

You don't have to set DsTombstoneInterval manually; have you turned scavenging on?

DnsAvoidRegisterRecords would be used if you don't want certain SRV records registered; in your case leave it as is.

There is one bridgehead per site, and there are load balancing features in 2008 R2.

http://technet.microsoft.com/en-us/library/bridgehead_server_selection%28WS.10%29.aspx

Are there firewalls between these sites?

Thanks
Mike
0
David Johnson, CD, MVPOwnerCommented:
Guessing forest/domain functional level is 2003 (is this correct?)
have you split your sites into separate domains (sub domains) i.e.
example.com
   na.example.com
     usa.na.example.com
      ny.usa.na.example.com
      CA.usa.na.example.com
       FL.usa.na.example.com
   eu.example.com
      fr.eu.example.com
      uk.eu.example.com
and split your groups into groups i.e.
       marketing.ny.usa.na.example.com
        sales.ny.usa.na.example.com
????
0
SandeshdubeySenior Server EngineerCommented:
Best practices for DNS client settings on DC and domain members.
http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

How is your DNS set up: is it AD-integrated, secondary or primary? What DNS GPO have you applied? Can you elaborate on that?

Don't define the bridgehead server manually, else it will lead to problems. In each site there will be one bridgehead server, which is selected automatically. In case one server (BH) goes down and another server exists, it will automatically be promoted as a bridgehead server. Don't select the preferred bridgehead server manually, as there are downsides to that; see the link below. http://technet.microsoft.com/en-us/library/bridgehead_server_selection(v=ws.10).aspx

Regarding DNS scavenging, it is worth reading this:
http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx
http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx

Too many DCs can also be a problem.

Domain controllers # Determining the number of domain controllers you need
http://technet.microsoft.com/en-us/library/cc759623(v=WS.10).aspx
http://social.technet.microsoft.com/wiki/contents/articles/14355.capacity-planning-for-active-directory-domain-services.aspx

How many domain controllers are recommended
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/991d4f68-5178-4c9a-8b7d-8f2b5f53867e

You also need to set up AD Sites and Services correctly if the network is not fully routed.
http://social.technet.microsoft.com/Forums/en-US/999b1d66-a095-43c5-9c2b-c0239c545ebf/hub-and-spoke-config-in-sites-and-services
0
ZenVenkyArchitectCommented:
In addition to the other experts, I would say turn off the firewall (not the service) and check the connectivity between DCs. As per the repadmin log I see that DC58 and DC59 have DNS issues or a firewall blocking AD-related ports (1722 RPC). So check along those lines, and run DCDiag /test:dns on both DCs to troubleshoot. Also check these links for reference.

AD DS Ports

DNS Best Practices
0
IndyrbAuthor Commented:
Reason I ask, is I read these a few places. Need clarification on next steps please

In addition to the reasons already given for restricting how domain controllers register their SRV records, when Active Directory-integrated DNS zones are used in large deployments, the storage limitations of attributes will come into play. DNS registrations are stored in multivalued attributes. Active Directory has a limitation for nonlinked, multivalued attributes such that approximately 1,200 values can be saved per object. This limit is different from the limit for linked multivalued attributes, such as groups, that can hold many more values. For small deployments, the Net Logon configuration is optional and optimizes service location. For deployments with more than 1,200 domain controllers, this configuration is mandatory because of the storage limitation for nonlinked, multivalued attributes.
If, for example, more than 1,200 domain controllers try to register services for the same domain, this limitation will be reached. If Net Logon is configured correctly (so that branch office domain controllers will register entries only on a per-site level, but not on the domain level), this limitation will be moved from a per-domain level to a per-site level, and thus allows thousands of domain controllers to register services.


To avoid the situation where clients in one branch contact a domain controller in another branch, the Net Logon service on all branch office domain controllers must be configured to publish only site-specific Locator records and not generic domain controller Locator records. With this configuration, only the data center domain controllers publish generic Locator records, in addition to their site-specific records. If this configuration change is made, branch clients that cannot find a domain controller in their own site will find generic domain controller Locator records for only data center domain controllers. To limit the domain controllers that are found by preventing the registration of generic SRV records, you have to configure Net Logon with the policies discussed in the next section.
Group Policy Setting for the Domain Controllers
To prevent Net Logon on a domain controller from attempting dynamic updates of certain DNS records, use the Group Policy snap-in to edit the Default Domain Controllers Policy:
Computer Configuration/Administrative Templates/System/NetLogon/DC Locator DNS Record 
DC Locator DNS records not registered by the DCs/VALUE: ENABLED/Mnemonics: LdapIpAddress Ldap Gc GcIPAddress Kdc Dc DcByGuid Rfc1510Kdc Rfc1510Kpwd Rfc1510UdpKdc Rfc1510UdpKpwd GenericGc 
In the Group Policy snap-in, the configuration is as follows:
• Group Policy object: Default Domain Controllers Policy
• Group Policy snap-in path: Computer Configuration/Administrative Templates/System/NetLogon/DC Locator DNS Record
• Policy setting to edit: DC Locator DNS records not registered by the DCs
• VALUE: ENABLED
• Mnemonics to select: LdapIpAddress Ldap Gc GcIPAddress Kdc Dc DcByGuid Rfc1510Kdc Rfc1510Kpwd Rfc1510UdpKdc Rfc1510UdpKpwd GenericGc
In this value, specify the list of mnemonics corresponding to the DNS records that should not be registered by this domain controller. Table 4.1 shows all available mnemonics:
Table 4.1   Mnemonics Available for Customized DNS Configuration
Mnemonic            Type    DNS Record
Dc                  SRV     _ldap._tcp.dc._msdcs.<DnsDomainName>
DcAtSite            SRV     _ldap._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName>
DcByGuid            SRV     _ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName>
Pdc                 SRV     _ldap._tcp.pdc._msdcs.<DnsDomainName>
Gc                  SRV     _ldap._tcp.gc._msdcs.<DnsForestName>
GcAtSite            SRV     _ldap._tcp.<SiteName>._sites.gc._msdcs.<DnsForestName>
GenericGc           SRV     _gc._tcp.<DnsForestName>
GenericGcAtSite     SRV     _gc._tcp.<SiteName>._sites.<DnsForestName>
GcIpAddress         A       _gc._msdcs.<DnsForestName>
DsaCname            CNAME   <DsaGuid>._msdcs.<DnsForestName>
Kdc                 SRV     _kerberos._tcp.dc._msdcs.<DnsDomainName>
KdcAtSite           SRV     _kerberos._tcp.dc._msdcs.<SiteName>._sites.<DnsDomainName>
Ldap                SRV     _ldap._tcp.<DnsDomainName>
LdapAtSite          SRV     _ldap._tcp.<SiteName>._sites.<DnsDomainName>
LdapIpAddress       A       <DnsDomainName>
Rfc1510Kdc          SRV     _kerberos._tcp.<DnsDomainName>
Rfc1510KdcAtSite    SRV     _kerberos._tcp.<SiteName>._sites.<DnsDomainName>
Rfc1510UdpKdc       SRV     _kerberos._udp.<DnsDomainName>
Rfc1510Kpwd         SRV     _kpasswd._tcp.<DnsDomainName>
Rfc1510UdpKpwd      SRV     _kpasswd._udp.<DnsDomainName>



The recommended configuration in a branch office deployment is as follows:
• For all branch office domain controllers, add all mnemonic entries that do not have "AtSite" as part of the mnemonic, except do not add DsaCname.
• For data center domain controllers, do not edit the policy setting. Allow the domain controllers to register all records.

http://jaihunt.wordpress.com/tag/srv-records/
0
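The quoted guidance gives a rule (every Table 4.1 mnemonic without "AtSite", minus DsaCname) and a GPO value, but not a way to verify that a given branch DC has actually stopped appearing in the generic records. The script below is an added example, not part of this thread or of any Microsoft documentation: it derives the recommended DnsAvoidRegisterRecords list from Table 4.1, compares it with the value the DC is actually running with (the Group Policy-managed copy under HKLM\SOFTWARE\Policies\Microsoft\Netlogon\Parameters first, then the Netlogon service key the question looked at), and then queries each generic record to see whether this DC is still listed. Assumptions not on the page: Resolve-DnsName is available (Windows Server 2012 or later, or RSAT DNS client tools), the forest name equals the domain name unless passed in, and the DC being audited is the local machine unless -DcFqdn is given. The derived list contains Pdc, which the quoted GPO value omits; since only the PDC emulator registers the Pdc record, the difference does not matter on a branch DC.

```powershell
<#
  Added example (not from the original thread). Audits one DC against the
  branch-office recommendation: generic (non-AtSite) DC Locator records,
  except DsaCname, should be in DnsAvoidRegisterRecords.
  Assumptions: Resolve-DnsName (Windows Server 2012+/RSAT); the policy-managed
  value lives under HKLM\SOFTWARE\Policies\Microsoft\Netlogon\Parameters.
#>
param(
    [string]$DnsDomainName = $env:USERDNSDOMAIN.ToLower(),
    [string]$DnsForestName = $DnsDomainName,                                   # single-domain forest assumed
    [string]$DcFqdn        = "$env:COMPUTERNAME.$env:USERDNSDOMAIN".ToLower()  # the DC being audited
)

# Table 4.1 as quoted above: mnemonic -> record type and name template.
$Table41 = @(
    @{ Mnemonic='Dc';               Type='SRV';   Name='_ldap._tcp.dc._msdcs.<DnsDomainName>' }
    @{ Mnemonic='DcAtSite';         Type='SRV';   Name='_ldap._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName>' }
    @{ Mnemonic='DcByGuid';         Type='SRV';   Name='_ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName>' }
    @{ Mnemonic='Pdc';              Type='SRV';   Name='_ldap._tcp.pdc._msdcs.<DnsDomainName>' }
    @{ Mnemonic='Gc';               Type='SRV';   Name='_ldap._tcp.gc._msdcs.<DnsForestName>' }
    @{ Mnemonic='GcAtSite';         Type='SRV';   Name='_ldap._tcp.<SiteName>._sites.gc._msdcs.<DnsForestName>' }
    @{ Mnemonic='GenericGc';        Type='SRV';   Name='_gc._tcp.<DnsForestName>' }
    @{ Mnemonic='GenericGcAtSite';  Type='SRV';   Name='_gc._tcp.<SiteName>._sites.<DnsForestName>' }
    @{ Mnemonic='GcIpAddress';      Type='A';     Name='_gc._msdcs.<DnsForestName>' }
    @{ Mnemonic='DsaCname';         Type='CNAME'; Name='<DsaGuid>._msdcs.<DnsForestName>' }
    @{ Mnemonic='Kdc';              Type='SRV';   Name='_kerberos._tcp.dc._msdcs.<DnsDomainName>' }
    @{ Mnemonic='KdcAtSite';        Type='SRV';   Name='_kerberos._tcp.dc._msdcs.<SiteName>._sites.<DnsDomainName>' }
    @{ Mnemonic='Ldap';             Type='SRV';   Name='_ldap._tcp.<DnsDomainName>' }
    @{ Mnemonic='LdapAtSite';       Type='SRV';   Name='_ldap._tcp.<SiteName>._sites.<DnsDomainName>' }
    @{ Mnemonic='LdapIpAddress';    Type='A';     Name='<DnsDomainName>' }
    @{ Mnemonic='Rfc1510Kdc';       Type='SRV';   Name='_kerberos._tcp.<DnsDomainName>' }
    @{ Mnemonic='Rfc1510KdcAtSite'; Type='SRV';   Name='_kerberos._tcp.<SiteName>._sites.<DnsDomainName>' }
    @{ Mnemonic='Rfc1510UdpKdc';    Type='SRV';   Name='_kerberos._udp.<DnsDomainName>' }
    @{ Mnemonic='Rfc1510Kpwd';      Type='SRV';   Name='_kpasswd._tcp.<DnsDomainName>' }
    @{ Mnemonic='Rfc1510UdpKpwd';   Type='SRV';   Name='_kpasswd._udp.<DnsDomainName>' }
)

# 1. Recommended avoid-list for a branch DC: everything generic, minus DsaCname.
$Recommended = @($Table41 |
    Where-Object { $_.Mnemonic -notlike '*AtSite' -and $_.Mnemonic -ne 'DsaCname' } |
    ForEach-Object { $_.Mnemonic } | Sort-Object)

# 2. What the DC is actually configured with. Group Policy writes under SOFTWARE\Policies and
#    takes precedence; the Netlogon service key is the unmanaged fallback.
function Get-AvoidList {
    param([string]$Path)
    $item = Get-ItemProperty -Path $Path -Name DnsAvoidRegisterRecords -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    # Accept REG_MULTI_SZ (one mnemonic per element) or a space-separated REG_SZ.
    (@($item.DnsAvoidRegisterRecords) -join ' ') -split '\s+' | Where-Object { $_ } | Sort-Object
}
$Configured = @(Get-AvoidList 'HKLM:\SOFTWARE\Policies\Microsoft\Netlogon\Parameters')
if ($Configured.Count -eq 0) {
    $Configured = @(Get-AvoidList 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters')
}
$Missing = @($Recommended | Where-Object { $Configured -notcontains $_ })   # mnemonic comparison is case-insensitive
$Extra   = @($Configured  | Where-Object { $Recommended -notcontains $_ })

# 3. Is this DC still published in the generic records it should no longer register?
#    GUID-based names are skipped because the domain/DSA GUID is not known here.
$DcAddresses = @([System.Net.Dns]::GetHostAddresses($DcFqdn) | ForEach-Object { $_.IPAddressToString })
$Findings = foreach ($row in $Table41) {
    if ($row.Mnemonic -like '*AtSite' -or $row.Name -match '<(DomainGuid|DsaGuid)>') { continue }
    $name    = $row.Name -replace '<DnsDomainName>', $DnsDomainName -replace '<DnsForestName>', $DnsForestName
    $answers = @(Resolve-DnsName -Name $name -Type $row.Type -DnsOnly -ErrorAction SilentlyContinue)
    $listed  = if ($row.Type -eq 'SRV') {
        @($answers | Where-Object { $_.NameTarget -and $_.NameTarget.TrimEnd('.').ToLower() -eq $DcFqdn }).Count -gt 0
    } else {
        @($answers | Where-Object { $_.IPAddress -and $DcAddresses -contains $_.IPAddress }).Count -gt 0
    }
    New-Object PSObject -Property @{ Mnemonic = $row.Mnemonic; Record = $name; ThisDcListed = $listed }
}

"Recommended avoid-list : $($Recommended -join ' ')"
"Configured avoid-list  : $($Configured -join ' ')"
"Missing from this DC   : $($Missing -join ' ')"
"Extra on this DC       : $($Extra -join ' ')"
$Findings | Sort-Object Mnemonic | Format-Table Mnemonic, ThisDcListed, Record -AutoSize
```

Records that still show ThisDcListed = True after the policy has applied are usually stale entries that survive until scavenging removes them or until they are deleted by hand; that is why the policy's "Refresh Interval" and the zone's scavenging settings from the earlier replies belong to the same change.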
IndyrbAuthor Commented:
Also, what is the preferred DNS setup on a remote branch?

In DNS search order:
primary: set to itself or to a partner in the same site? (What if it's the only DC in the site?)
secondary: PDC emulator? I think all the branch DCs point to the main DNS for NS.
third: 127.0.0.1?
0
ZenVenkyArchitectCommented:
For a branch office it should point to Preferred as itself if it has the DNS role and Preferred as the PDCe, and it is up to you whether you want to keep 127.0.0.1 as the third DNS address or not. If there is only one DC then the secondary DNS should be blank; do not add 127.0.0.1 there.
0
SandeshdubeySenior Server EngineerCommented:
If the DNS role is configured on the server you can point the DNS setting to itself for preferred and to another remote site DNS as the alternate DNS setting. You can set the loopback IP address as a third alternate, but not first.

Note: If the loopback IP address (127.0.0.1) is configured as the primary DNS setting then remove it and add the IP address of the server (assuming the DNS role is configured on the server). If it is set as the alternate DNS setting then there are no problems. See this for more details:

DNS: DNS servers on <adapter name> should include the loopback address, but not as the first entry:http://technet.microsoft.com/en-us/library/ff807362(v=ws.10).aspx
0
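The two replies above agree on the shape of a branch DC's resolver list (itself first when it runs DNS, a DNS server in another site as alternate, loopback last if at all) but not on a way to check hundreds of DCs for it. The function below is an added example, not from this thread: it reads the DNS client search order through Win32_NetworkAdapterConfiguration, so it also works on the Windows Server 2003/2008 DCs in the question, and reports each adapter as OK or lists what deviates. The hub DNS addresses passed in the usage line are placeholders from the documentation range, not values from the page.

```powershell
<#
  Added example (not from the original thread). Checks a DC's DNS client
  search order against the advice above: itself first (if it runs DNS), an
  alternate on another host (ideally a hub/datacenter DNS server), loopback
  only as a later entry. WMI is used so the check runs on 2003/2008 too.
  Assumption: -HubDnsServers is supplied by the caller (placeholders below).
#>
function Test-DcDnsClientOrder {
    param(
        [string]   $ComputerName  = $env:COMPUTERNAME,
        [string[]] $HubDnsServers = @()          # DNS servers in the datacenter/hub site
    )
    $loopback = @('127.0.0.1', '::1')
    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName $ComputerName -Filter 'IPEnabled = TRUE'
    foreach ($nic in $nics) {
        # @() with a Where-Object filter avoids a one-element array holding $null when WMI returns nothing.
        $servers  = @($nic.DNSServerSearchOrder | Where-Object { $_ })
        $own      = @($nic.IPAddress | Where-Object { $_ })
        $findings = @()

        if ($servers.Count -eq 0) {
            $findings += 'no DNS servers configured'
        } else {
            if ($loopback -contains $servers[0]) {
                $findings += 'loopback address is the first entry'
            } elseif ($own -notcontains $servers[0]) {
                $findings += 'first entry is not this server (expected when the DC runs DNS)'
            }

            # An alternate must live on another host; if hub servers are known, it should be one of them.
            $others = @($servers | Where-Object { $loopback -notcontains $_ -and $own -notcontains $_ })
            if ($others.Count -eq 0) {
                $findings += 'no alternate DNS server on another host'
            } elseif ($HubDnsServers.Count -gt 0 -and -not @($others | Where-Object { $HubDnsServers -contains $_ })) {
                $findings += 'alternate is not one of the hub DNS servers'
            }

            # Loopback is tolerated only as the last entry.
            for ($i = 0; $i -lt $servers.Count - 1; $i++) {
                if ($loopback -contains $servers[$i]) { $findings += 'loopback address is not the last entry'; break }
            }
        }

        New-Object PSObject -Property @{
            Computer = $ComputerName
            Adapter  = $nic.Description
            Servers  = ($servers -join ', ')
            Result   = $(if ($findings.Count -eq 0) { 'OK' } else { $findings -join '; ' })
        }
    }
}

# Usage on a branch DC; 192.0.2.x are placeholder hub addresses, replace with the datacenter DNS servers.
Test-DcDnsClientOrder -HubDnsServers '192.0.2.10', '192.0.2.11' | Format-Table Computer, Adapter, Servers, Result -AutoSize
```

Run it across the DC list with -ComputerName (for example from the output of a domain controller query) to get one row per adapter; a DC that is the only one in its site and has no DNS role simply shows the "first entry is not this server" note, which is the expected result for that case rather than a fault.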

IndyrbAuthor Commented:
What about this comment:

Reason I ask, is I read these a few places. Need clarification on next steps please

In addition to the reasons already given for restricting how domain controllers register their SRV records, when Active Directory-integrated DNS zones are used in large deployments, the storage limitations of attributes will come into play. DNS registrations are stored in multivalued attributes. Active Directory has a limitation for nonlinked, multivalued attributes such that approximately 1,200 values can be saved per object. This limit is different from the limit for linked multivalued attributes, such as groups, that can hold many more values. For small deployments, the Net Logon configuration is optional and optimizes service location. For deployments with more than 1,200 domain controllers, this configuration is mandatory because of the storage limitation for nonlinked, multivalued attributes.
If, for example, more than 1,200 domain controllers try to register services for the same domain, this limitation will be reached. If Net Logon is configured correctly (so that branch office domain controllers will register entries only on a per-site level, but not on the domain level), this limitation will be moved from a per-domain level to a per-site level, and thus allows thousands of domain controllers to register services.


To avoid the situation where clients in one branch contact a domain controller in another branch, the Net Logon service on all branch office domain controllers must be configured to publish only site-specific Locator records and not generic domain controller Locator records. With this configuration, only the data center domain controllers publish generic Locator records, in addition to their site-specific records. If this configuration change is made, branch clients that cannot find a domain controller in their own site will find generic domain controller Locator records for only data center domain controllers. To limit the domain controllers that are found by preventing the registration of generic SRV records, you have to configure Net Logon with the policies discussed in the next section.
Group Policy Setting for the Domain Controllers
To prevent Net Logon on a domain controller from attempting dynamic updates of certain DNS records, use the Group Policy snap-in to edit the Default Domain Controllers Policy:
Computer Configuration/Administrative Templates/System/NetLogon/DC Locator DNS Record 
DC Locator DNS records not registered by the DCs/VALUE: ENABLED/Mnemonics: LdapIpAddress Ldap Gc GcIPAddress Kdc Dc DcByGuid Rfc1510Kdc Rfc1510Kpwd Rfc1510UdpKdc Rfc1510UdpKpwd GenericGc 
In the Group Policy snap-in, the configuration is as follows:
•      Group Policy object: Default Domain Controllers Policy 
•      Group Policy snap-in path: Computer Configuration/Administrative Templates/System/NetLogon/DC Locator DNS Record 
•      Policy setting to edit: DC Locator DNS records not registered by the DCs
•      VALUE: ENABLED
•      Mnemonics to select: LdapIpAddress Ldap Gc GcIPAddress Kdc Dc DcByGuid Rfc1510Kdc Rfc1510Kpwd Rfc1510UdpKdc Rfc1510UdpKpwd GenericGc 
In this value, specify the list of mnemonics corresponding to the DNS records that should not be registered by this domain controller. Table 4.1 shows all available mnemonics:
Table 4.1   Mnemonics Available for Customized DNS Configuration
Mnemonic      Type      DNS Record
Dc      SRV      _ldap._tcp.dc._msdcs.<DnsDomainName>
DcAtSite      SRV      _ldap._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName>
DcByGuid      SRV      _ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName>
Pdc      SRV      _ldap._tcp.pdc._msdcs.<DnsDomainName>
Gc      SRV      _ldap._tcp.gc._msdcs.<DnsForestName>
GcAtSite      SRV      _ldap._tcp.<SiteName>._sites.gc._msdcs.<DnsForestName>
GenericGc      SRV      _gc._tcp.<DnsForestName>
GenericGcAtSite      SRV      _gc._tcp.<SiteName>._sites.<DnsForestName>
GcIpAddress      A      _gc._msdcs.<DnsForestName>
DsaCname      CNAME      <DsaGuid>._msdcs.<DnsForestName>
Kdc      SRV      _kerberos._tcp.dc._msdcs.<DnsDomainName>
KdcAtSite      SRV      _kerberos._tcp.dc._msdcs.<SiteName>._sites.<DnsDomainName>
Ldap      SRV      _ldap._tcp.<DnsDomainName>
LdapAtSite      SRV      _ldap._tcp.<SiteName>._sites.<DnsDomainName>
LdapIpAddress      A      <DnsDomainName>
Rfc1510Kdc      SRV      _kerberos._tcp.<DnsDomainName>
Rfc1510KdcAtSite      SRV      _kerberos._tcp.<SiteName>._sites.<DnsDomainName>
Rfc1510UdpKdc      SRV      _kerberos._udp.<DnsDomainName>
Rfc1510Kpwd      SRV      _kpasswd._tcp.<DnsDomainName>
Rfc1510UdpKpwd      SRV      _kpasswd._udp.<DnsDomainName>



The recommended configuration in a branch office deployment is as follows:
•      For all branch office domain controllers, add all mnemonic entries that do not have “AtSite” as part of the mnemonic, except do not add DsaCname.
•      For data center domain controllers, do not edit the policy setting. Allow the domain controllers to register all records.
0
IndyrbAuthor Commented:
Awarding points, still researching the issue. Thanks for your help, EE Experts.
0