Indyrb
asked on
Proper AD/DNS setup with hundreds of DCs across hundreds of sites = dc locator?
Trying to find out the best way for an AD/DNS setup on hundreds of DCs across hundreds of sites.
There are hundreds of subnets and hundreds of sites.
For each site, there is a site link that includes the remote site and the datacenter (main).
This is set up for all the sites, each with its site linked with a DC.
Then there is a group policy named branchofficedc assigned to all domain controllers, except the datacenter DCs.
Questions: is the GPO listed below right for a Win2003 and Win2008 AD domain with DNS?
Also, should remote AD DNS point to themselves or to the datacenter primary DNS with large amounts of DCs?
Also, on the DNS forward zone domain.local, what would happen if domain controllers were given full rights/permissions on the zone to create records? Would that negate the GPO on remote DCs?
What are the best practice settings for this GPO, and is it applicable to Win 2008/R2?
Also, does the
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters]
"DsTombstoneInterval"=dword:0013c680
need to be set on all domain controllers, Win 2003 and Win 2008?
Looked at regedit on a remote DC and I didn't see the record...
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Registry value: DnsAvoidRegisterRecords
Also, on the primary DNS site: should we run
dnscmd <ServerName> /Config <ZoneName> /AllowNSRecordsAutoCreation <IpAddresses>
and exclude remote branches from creating an NS record?
Running dnscmd servername /zoneinfo domain.local /allownsrecordsautocreation gives an RPC null error and no results.
Are you supposed to specify a preferred bridgehead server in Sites and Services?
Is there only one per forest/domain? Will this be the datacenter PDC/DC?
All other remote DCs are hub/spoke with site links.
Getting DCDIAG errors, listed at the bottom.
Are these errors expected on remote/branch DCs?
Automated Site Coverage by the DC Locator DNS SRV Records Disabled
DC Locator DNS records not registered by the DCs Enabled
Mnemonics: LdapIpAddress Ldap DcByGuid Kdc Dc Rfc1510Kdc Rfc1510UdpKdc Rfc1510Kpwd Rfc1510UdpKpwd Gc GcIpAddress GenericGc
GPO on Branch DCs.
What is best practice, or which setting needs to be altered?
Computer Configuration (Enabled)
Policies
Administrative Templates
Policy definitions (ADMX files) retrieved from the local machine.

System/Net Logon
Policy	Setting
Contact PDC on logon failure	Enabled
Log File Debug Output Level	Enabled (Level: 536936447)
Netlogon share compatibility	Disabled
Scavenge Interval	Enabled (Seconds: 900)
Sysvol share compatibility	Disabled

System/Net Logon/DC Locator DNS Records
Policy	Setting
Automated Site Coverage by the DC Locator DNS SRV Records	Disabled
DC Locator DNS records not registered by the DCs	Enabled (Mnemonics: LdapIpAddress Ldap DcByGuid Kdc Dc Rfc1510Kdc Rfc1510UdpKdc Rfc1510Kpwd Rfc1510UdpKpwd Gc GcIpAddress GenericGc)
Dynamic Registration of the DC Locator DNS Records	Enabled
Force Rediscovery Interval	Enabled (Seconds: 5400)
Priority Set in the DC Locator DNS SRV Records	Enabled (Priority: 100)
Refresh Interval of the DC Locator DNS Records	Enabled (Seconds: 1900)
Sites Covered by the GC Locator DNS SRV Records	Disabled
TTL Set in the DC Locator DNS Records	Enabled (Seconds: 600)

Windows Components/AutoPlay Policies
Policy	Setting
Turn off Autoplay	Enabled (Turn off Autoplay on: All drives)
Preferences
Windows Settings
Registry
Collection: Registry Wizard Values/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/NTDS/Diagnostics
Common options (the collection and every item below report the same values): Stop processing items on this extension if an error occurs on this item: No; Remove this item when it is no longer applied: No; Apply once and do not reapply: No
Registry items (each with Action: Update; Hive: blank in the report; Key path: SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics; Value type: REG_DWORD):
Value name	Value data
24 DS Schema	0x0 (0)
23 DS RPC Server	0x1 (1)
22 DS RPC Client	0x1 (1)
21 Linked-Value Replication	0x0 (0)
20 Group Caching	0x0 (0)
19 Inter-site Messaging	0x0 (0)
18 Global Catalog	0x0 (0)
17 Setup	0x0 (0)
16 LDAP Interface Events	0x0 (0)
15 Field Engineering	0x0 (0)
14 Backup	0x0 (0)
13 Name Resolution	0x1 (1)
12 Service Control	0x0 (0)
11 Initialization/Termination	0x0 (0)
10 Performance Counters	0x0 (0)
9 Internal Processing	0x0 (0)
8 Directory Access	0x1 (1)
7 Internal Configuration	0x0 (0)
6 Garbage Collection	0x0 (0)
5 Replication Events	0x1 (1)
4 MAPI Interface Events	0x0 (0)
3 ExDS Interface Events	0x0 (0)
2 Security Events	0x1 (1)
1 Knowledge Consistency Checker	0x0 (0)

Collection: Registry Wizard Values/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/NtFrs/Parameters
Common options (collection and item): Stop processing items on this extension if an error occurs on this item: No; Remove this item when it is no longer applied: No; Apply once and do not reapply: No
Registry item: Staging Space Limit in KB
Action: Replace
Hive: HKEY_LOCAL_MACHINE
Key path: SYSTEM\CurrentControlSet\Services\NtFrs\Parameters
Value name: Staging Space Limit in KB
Value type: REG_DWORD
Value data: 0xFFFFFFF (268435455)
Some errors reported in dcdiag, repadmin, etc. include:
Errors = can't update SRV records, NS records, Kerberos, etc.
The dynamic registration of the DNS record '_ldap._tcp.HQ._sites.ForestDnsZones.domain.com. 600 IN SRV 100 100 389 DC02.domain.com.' failed on the following DNS server:
DNS server IP address: 172.16.110.10
Returned Response Code (RCODE): 5
Returned Status Code: 9016
The dynamic registration of the DNS record '_ldap._tcp.Default._sites.gc._msdcs.domain.com. 600 IN SRV 100 100 3268 DCC02.domain.com.' failed on the following DNS server:
DNS server IP address: 172.16.110.10 (this is the primary DC)
Returned Response Code (RCODE): 5
Returned Status Code: 9016
DC forwarders go to 192.168.110.10 which also has a zone called domain.dmz
For computers and users to locate this domain controller, this record must be
registered in DNS.
Also getting
The dynamic registration of the DNS record '_kerberos._tcp.somesite._sites.child.domain.com 600 IN SRV 0 100 88 DC03.child.domain.com.' failed on the following DNS server:
DNS server IP address: ::
Returned Response Code (RCODE): 0
Returned Status Code: 10048
dcdiag /test:dns shows
DNS server: x.x.x.x (anotherDC.domain.com.)
1 test failure on this DNS server
Delegation is broken for the domain domain.com.domain.com. on the
DNS server x.x.x.x
[Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]
What's weird is it says domain.com.domain.com twice.
[Broken delegated domain domain.com.domain.com.]
Starting test: kccevent
* The KCC Event log test
An Warning Event occured. EventID: 0x80000495
Time Generated: 08/27/2013 14:24:00
(Event String could not be retrieved)
......................... otherDC failed test kccevent
An Error Event occured. EventID: 0xC000001B
Time Generated: 08/27/2013 14:22:28
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC000001A
Time Generated: 08/27/2013 14:25:20
(Event String could not be retrieved)
190 consecutive failures since 2013-09-03 16:37:13.
Last error: 1722 (0x6ba):
The RPC server is unavailable.
Naming Context: DC=site,DC=domain,DC=local
Source: site-new-york\dc0105
******* WARNING: KCC could not add this REPLICA LINK due to error.
******* 87 CONSECUTIVE FAILURES since 2013-09-04 17:13:24
Last error: 1722 (0x6ba):
The RPC server is unavailable.
REPLICATION-RECEIVED LATENCY WARNING
Some-DC002: Current time is 2013-09-05 16:09:34.
Event String: All domain controllers in the following site that
An Warning Event occured. EventID: 0x8000061E
Time Generated: 09/05/2013 15:56:14
Event String: All domain controllers in the following site that
An Error Event occured. EventID: 0xC000051F
Time Generated: 09/05/2013 15:56:14
Event String: The Knowledge Consistency Checker (KCC) has
An Warning Event occured. EventID: 0x80000749
Source DC anotherdc1 has possible security error (1722). Diagnosing...
No KDC found for domain domain.local in site Sanfran-site (1355, NULL)
Unable to contact a KDC for the source domain in it's own site. This means either there are no available KDC's for this domain in the site, *including* the source DC itself, or we're having network or packet fragmentation issues connecting to it. We'll check packet fragmentation connection to the source DC, make recommendations, and continue.
Warning: The maximum non-fragmentable UDP transfer unit is 1448.
This isn't a sufficient size for successful KDC operation unless all DC's in the enterprise are Windows Server 2003 or better.
Solution: Either configure the network to allow non-fragmented UDP packets of at least 1472 bytes, or install Server 2003 on all DC's in the enterprise and configure the KDC kerberos packet size to 1440.
Unable to verify the machine account
LDAP search failed with error 58,
[WARNING] Failed to query SPN registration on DC
DC59 (unknown) 9 / 10 90 (1722) The RPC server is unavailable.
DC408 (unknown) 8 / 18 44 (1256) The remote system is not available.
Experienced the following operational errors trying to retrieve replication information:
58 - DC58.child.domain.local
Error: DNS server: DC401. IP:192.168.10.11
[Broken delegated domain domain.local.domain.local]
The dynamic registration of the DNS record '_ldap._tcp.Site-Michigan._sites.DomainDnsZones.domain.local. 600 IN SRV 0 100 389 MainDC.domain.local.' failed on the following DNS server:
An Error Event occurred. EventID: 0x000016AD
Time Generated: 09/05/2013 16:14:57
failed because the security database does not contain a trust account Some-Member-Server$' referenced by the specified computer.
The session setup from the computer Some-Member-Server failed to authenticate. The following error occurred:
n Error Event occurred. EventID: 0x0000168E
This happens on almost all DCs, from Win 2008.
ASKER
Reason I ask is I read these in a few places. Need clarification on next steps, please.
In addition to the reasons already given for restricting how domain controllers register their SRV records, when Active Directory-integrated DNS zones are used in large deployments, the storage limitations of attributes will come into play. DNS registrations are stored in multivalued attributes. Active Directory has a limitation for nonlinked, multivalued attributes such that approximately 1,200 values can be saved per object. This limit is different from the limit for linked multivalued attributes, such as groups, that can hold many more values. For small deployments, the Net Logon configuration is optional and optimizes service location. For deployments with more than 1,200 domain controllers, this configuration is mandatory because of the storage limitation for nonlinked, multivalued attributes.
If, for example, more than 1,200 domain controllers try to register services for the same domain, this limitation will be reached. If Net Logon is configured correctly (so that branch office domain controllers will register entries only on a per-site level, but not on the domain level), this limitation will be moved from a per-domain level to a per-site level, and thus allows thousands of domain controllers to register services.
To avoid the situation where clients in one branch contact a domain controller in another branch, the Net Logon service on all branch office domain controllers must be configured to publish only site-specific Locator records and not generic domain controller Locator records. With this configuration, only the data center domain controllers publish generic Locator records, in addition to their site-specific records. If this configuration change is made, branch clients that cannot find a domain controller in their own site will find generic domain controller Locator records for only data center domain controllers. To limit the domain controllers that are found by preventing the registration of generic SRV records, you have to configure Net Logon with the policies discussed in the next section.
Group Policy Setting for the Domain Controllers
To prevent Net Logon on a domain controller from attempting dynamic updates of certain DNS records, use the Group Policy snap-in to edit the Default Domain Controllers Policy:
Computer Configuration/Administrative Templates/System/NetLogon/DC Locator DNS Record
DC Locator DNS records not registered by the DCs/VALUE: ENABLED/Mnemonics: LdapIpAddress Ldap Gc GcIPAddress Kdc Dc DcByGuid Rfc1510Kdc Rfc1510Kpwd Rfc1510UdpKdc Rfc1510UdpKpwd GenericGc
In the Group Policy snap-in, the configuration is as follows:
•	Group Policy object: Default Domain Controllers Policy
•	Group Policy snap-in path: Computer Configuration/Administrative Templates/System/NetLogon/DC Locator DNS Record
•	Policy setting to edit: DC Locator DNS records not registered by the DCs
•	VALUE: ENABLED
•	Mnemonics to select: LdapIpAddress Ldap Gc GcIPAddress Kdc Dc DcByGuid Rfc1510Kdc Rfc1510Kpwd Rfc1510UdpKdc Rfc1510UdpKpwd GenericGc
In this value, specify the list of mnemonics corresponding to the DNS records that should not be registered by this domain controller. Table 4.1 shows all available mnemonics:
Table 4.1 Mnemonics Available for Customized DNS Configuration
Mnemonic	Type	DNS Record
Dc	SRV	_ldap._tcp.dc._msdcs.<DnsDomainName>
DcAtSite	SRV	_ldap._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName>
DcByGuid	SRV	_ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName>
Pdc	SRV	_ldap._tcp.pdc._msdcs.<DnsDomainName>
Gc	SRV	_ldap._tcp.gc._msdcs.<DnsForestName>
GcAtSite	SRV	_ldap._tcp.<SiteName>._sites.gc._msdcs.<DnsForestName>
GenericGc	SRV	_gc._tcp.<DnsForestName>
GenericGcAtSite	SRV	_gc._tcp.<SiteName>._sites.<DnsForestName>
GcIpAddress	A	_gc._msdcs.<DnsForestName>
DsaCname	CNAME	<DsaGuid>._msdcs.<DnsForestName>
Kdc	SRV	_kerberos._tcp.dc._msdcs.<DnsDomainName>
KdcAtSite	SRV	_kerberos._tcp.dc._msdcs.<SiteName>._sites.<DnsDomainName>
Ldap	SRV	_ldap._tcp.<DnsDomainName>
LdapAtSite	SRV	_ldap._tcp.<SiteName>._sites.<DnsDomainName>
LdapIpAddress	A	<DnsDomainName>
Rfc1510Kdc	SRV	_kerberos._tcp.<DnsDomainName>
Rfc1510KdcAtSite	SRV	_kerberos._tcp.<SiteName>._sites.<DnsDomainName>
Rfc1510UdpKdc	SRV	_kerberos._udp.<DnsDomainName>
Rfc1510Kpwd	SRV	_kpasswd._tcp.<DnsDomainName>
Rfc1510UdpKpwd	SRV	_kpasswd._udp.<DnsDomainName>
The recommended configuration in a branch office deployment is as follows:
•	For all branch office domain controllers, add all mnemonic entries that do not have “AtSite” as part of the mnemonic, except do not add DsaCname.
•	For data center domain controllers, do not edit the policy setting. Allow the domain controllers to register all records.
http://jaihunt.wordpress.com/tag/srv-records/
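Added example (mine, not from the question, the answers or Microsoft's documentation): a Python model of Table 4.1 that shows which Locator records Netlogon on a DC still registers under a given "DC Locator DNS records not registered by the DCs" mnemonic list, and checks that list against the branch-office rule quoted above (all non-AtSite mnemonics except DsaCname). The domain, site and GUID values are constructed placeholders; the mnemonic list is the one from the branchofficedc GPO in the question.

```python
from __future__ import annotations
from dataclasses import dataclass

# Mnemonic -> (record type, owner-name template), following Table 4.1 above.
# KdcAtSite uses the <SiteName>._sites.dc._msdcs layout (same shape as DcAtSite).
MNEMONICS = {
    "Dc":               ("SRV",   "_ldap._tcp.dc._msdcs.{domain}"),
    "DcAtSite":         ("SRV",   "_ldap._tcp.{site}._sites.dc._msdcs.{domain}"),
    "DcByGuid":         ("SRV",   "_ldap._tcp.{domain_guid}.domains._msdcs.{forest}"),
    "Pdc":              ("SRV",   "_ldap._tcp.pdc._msdcs.{domain}"),
    "Gc":               ("SRV",   "_ldap._tcp.gc._msdcs.{forest}"),
    "GcAtSite":         ("SRV",   "_ldap._tcp.{site}._sites.gc._msdcs.{forest}"),
    "GenericGc":        ("SRV",   "_gc._tcp.{forest}"),
    "GenericGcAtSite":  ("SRV",   "_gc._tcp.{site}._sites.{forest}"),
    "GcIpAddress":      ("A",     "_gc._msdcs.{forest}"),
    "DsaCname":         ("CNAME", "{dsa_guid}._msdcs.{forest}"),
    "Kdc":              ("SRV",   "_kerberos._tcp.dc._msdcs.{domain}"),
    "KdcAtSite":        ("SRV",   "_kerberos._tcp.{site}._sites.dc._msdcs.{domain}"),
    "Ldap":             ("SRV",   "_ldap._tcp.{domain}"),
    "LdapAtSite":       ("SRV",   "_ldap._tcp.{site}._sites.{domain}"),
    "LdapIpAddress":    ("A",     "{domain}"),
    "Rfc1510Kdc":       ("SRV",   "_kerberos._tcp.{domain}"),
    "Rfc1510KdcAtSite": ("SRV",   "_kerberos._tcp.{site}._sites.{domain}"),
    "Rfc1510UdpKdc":    ("SRV",   "_kerberos._udp.{domain}"),
    "Rfc1510Kpwd":      ("SRV",   "_kpasswd._tcp.{domain}"),
    "Rfc1510UdpKpwd":   ("SRV",   "_kpasswd._udp.{domain}"),
}
_CANON = {m.lower(): m for m in MNEMONICS}   # mnemonics are matched case-insensitively
GC_ONLY = {"Gc", "GcAtSite", "GenericGc", "GenericGcAtSite", "GcIpAddress"}  # global catalogs only

# Mnemonic list from the branchofficedc GPO quoted in the question.
BRANCH_GPO_AVOID = ("LdapIpAddress Ldap DcByGuid Kdc Dc Rfc1510Kdc Rfc1510UdpKdc "
                    "Rfc1510Kpwd Rfc1510UdpKpwd Gc GcIpAddress GenericGc").split()


@dataclass(frozen=True)
class DomainController:
    """Constructed description of one DC; all values are placeholders, not real hosts."""
    domain: str
    forest: str
    site: str
    is_gc: bool = False
    is_pdc: bool = False            # only the PDC emulator registers the Pdc record
    domain_guid: str = "<DomainGuid>"
    dsa_guid: str = "<DsaGuid>"


def canonical(avoid):
    """Split a configured mnemonic list into (known canonical names, unknown entries)."""
    known, unknown = [], []
    for m in avoid:
        if m.lower() in _CANON:
            known.append(_CANON[m.lower()])
        else:
            unknown.append(m)
    return known, unknown


def branch_office_avoid_list():
    """The quoted rule: every mnemonic without 'AtSite' in it, except DsaCname."""
    return sorted(m for m in MNEMONICS if "AtSite" not in m and m != "DsaCname")


def registered_records(dc, avoid):
    """Return {owner_name: record_type} for what Netlogon on this DC would still register."""
    skip = set(canonical(avoid)[0])
    out = {}
    for mnemonic, (rtype, template) in MNEMONICS.items():
        if mnemonic in skip:
            continue
        if mnemonic in GC_ONLY and not dc.is_gc:
            continue
        if mnemonic == "Pdc" and not dc.is_pdc:
            continue
        owner = template.format(domain=dc.domain, forest=dc.forest, site=dc.site,
                                domain_guid=dc.domain_guid, dsa_guid=dc.dsa_guid)
        out[owner] = rtype
    return out


def check_policy(avoid):
    """Compare a configured list with the branch-office rule: (unknown, missing, extra)."""
    known, unknown = canonical(avoid)
    configured, recommended = set(known), set(branch_office_avoid_list())
    return sorted(unknown), sorted(recommended - configured), sorted(configured - recommended)


if __name__ == "__main__":
    # A branch DC (not GC, not PDC emulator) in a constructed site, under the question's GPO.
    branch = DomainController("domain.local", "domain.local", "Site-Michigan")
    for owner, rtype in sorted(registered_records(branch, BRANCH_GPO_AVOID).items()):
        print(f"{rtype:5} {owner}")
    print("policy check (unknown, missing, extra):", check_policy(BRANCH_GPO_AVOID))
```

The only mnemonic the question's list lacks relative to the rule is Pdc, which matters only on the PDC emulator, so on a branch DC the list leaves exactly the site-specific records plus DsaCname.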
ASKER
Also, what is the preferred DNS setup on a remote branch?
In DNS search order:
primary: set to itself or a partner in the same site? (What if it's the only DC in the site?)
secondary: PDC emulator? I think all the branch DCs point to the main DNS for NS.
third: 127.0.0.1?
ASKER
What about this comment:
Reason I ask is I read these in a few places. Need clarification on next steps, please.
In addition to the reasons already given for restricting how domain controllers register their SRV records, when Active Directory-integrated DNS zones are used in large deployments, the storage limitations of attributes will come into play. DNS registrations are stored in multivalued attributes. Active Directory has a limitation for nonlinked, multivalued attributes such that approximately 1,200 values can be saved per object. This limit is different from the limit for linked multivalued attributes, such as groups, that can hold many more values. For small deployments, the Net Logon configuration is optional and optimizes service location. For deployments with more than 1,200 domain controllers, this configuration is mandatory because of the storage limitation for nonlinked, multivalued attributes.
If, for example, more than 1,200 domain controllers try to register services for the same domain, this limitation will be reached. If Net Logon is configured correctly (so that branch office domain controllers will register entries only on a per-site level, but not on the domain level), this limitation will be moved from a per-domain level to a per-site level, and thus allows thousands of domain controllers to register services.
To avoid the situation where clients in one branch contact a domain controller in another branch, the Net Logon service on all branch office domain controllers must be configured to publish only site-specific Locator records and not generic domain controller Locator records. With this configuration, only the data center domain controllers publish generic Locator records, in addition to their site-specific records. If this configuration change is made, branch clients that cannot find a domain controller in their own site will find generic domain controller Locator records for only data center domain controllers. To limit the domain controllers that are found by preventing the registration of generic SRV records, you have to configure Net Logon with the policies discussed in the next section.
Group Policy Setting for the Domain Controllers
To prevent Net Logon on a domain controller from attempting dynamic updates of certain DNS records, use the Group Policy snap-in to edit the Default Domain Controllers Policy:
The recommended configuration in a branch office deployment is as follows:
• For all branch office domain controllers, add all mnemonic entries that do not have “AtSite” as part of the mnemonic, except do not add DsaCname.
• For data center domain controllers, do not edit the policy setting. Allow the domain controllers to register all records.
Reason I ask, is I read these a few places. Need clarification on next steps please
Group Policy Setting for the Domain Controllers
To prevent Net Logon on a domain controller from attempting dynamic updates of certain DNS records, use the Group Policy snap-in to edit the Default Domain Controllers Policy:
In the Group Policy snap-in, the configuration is as follows:
• Group Policy object: Default Domain Controllers Policy
• Group Policy snap-in path: Computer Configuration/Administrative Templates/System/NetLogon/DC Locator DNS Record
• Policy setting to edit: DC Locator DNS records not registered by the DCs
• VALUE: ENABLED
• Mnemonics to select: LdapIpAddress Ldap Gc GcIpAddress Kdc Dc DcByGuid Rfc1510Kdc Rfc1510Kpwd Rfc1510UdpKdc Rfc1510UdpKpwd GenericGc
In this value, specify the list of mnemonics corresponding to the DNS records that should not be registered by this domain controller. Table 4.1 shows all available mnemonics:
Table 4.1 Mnemonics Available for Customized DNS Configuration

Mnemonic          Type   DNS Record
Dc                SRV    _ldap._tcp.dc._msdcs.<DnsDomainName>
DcAtSite          SRV    _ldap._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName>
DcByGuid          SRV    _ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName>
Pdc               SRV    _ldap._tcp.pdc._msdcs.<DnsDomainName>
Gc                SRV    _ldap._tcp.gc._msdcs.<DnsForestName>
GcAtSite          SRV    _ldap._tcp.<SiteName>._sites.gc._msdcs.<DnsForestName>
GenericGc         SRV    _gc._tcp.<DnsForestName>
GenericGcAtSite   SRV    _gc._tcp.<SiteName>._sites.<DnsForestName>
GcIpAddress       A      _gc._msdcs.<DnsForestName>
DsaCname          CNAME  <DsaGuid>._msdcs.<DnsForestName>
Kdc               SRV    _kerberos._tcp.dc._msdcs.<DnsDomainName>
KdcAtSite         SRV    _kerberos._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName>
Ldap              SRV    _ldap._tcp.<DnsDomainName>
LdapAtSite        SRV    _ldap._tcp.<SiteName>._sites.<DnsDomainName>
LdapIpAddress     A      <DnsDomainName>
Rfc1510Kdc        SRV    _kerberos._tcp.<DnsDomainName>
Rfc1510KdcAtSite  SRV    _kerberos._tcp.<SiteName>._sites.<DnsDomainName>
Rfc1510UdpKdc     SRV    _kerberos._udp.<DnsDomainName>
Rfc1510Kpwd       SRV    _kpasswd._tcp.<DnsDomainName>
Rfc1510UdpKpwd    SRV    _kpasswd._udp.<DnsDomainName>
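The guide's recommendation (suppress every non-AtSite mnemonic except DsaCname on branch DCs, leave the data center DCs untouched) can be audited from both ends: what each branch DC's Netlogon has been told not to register, and which DCs the generic locator records in DNS actually name. The PowerShell below is an added example, not code from the guide or from this thread. It assumes it is run as a domain admin from Windows 8 / 2012 or later (for Resolve-DnsName), that Remote Registry is reachable on the DCs, that domain.local is the domain from the question, and that the DC host names are placeholders. The two registry locations are the ones the Netlogon policy template and the Netlogon service use: the GPO writes a space-separated REG_SZ under the Policies key, which is why a policy-managed DC shows no DnsAvoidRegisterRecords value under the Netlogon service key when you look in regedit.

```powershell
# Added example (not from the quoted guide): audit the branch office locator
# configuration. (1) Read what each branch DC's Netlogon has been told not to
# register, from the value the GPO writes and from the hand-set service value.
# (2) Resolve the generic (non-site) locator records and flag any branch DC
# that still appears as a target. Assumptions: Windows 8 / 2012 or later for
# Resolve-DnsName, Remote Registry reachable on the DCs, domain admin rights;
# domain.local is from the question, all DC names are placeholders.

$Domain    = 'domain.local'
$BranchDcs = 'BR001-DC1', 'BR002-DC1'      # placeholder branch DC host names
$HubDcs    = 'DC-HUB1', 'DC-HUB2'          # placeholder data center DC host names

# The guide's list for branch DCs: every non-AtSite mnemonic except DsaCname.
# Pdc is not listed because only the PDC emulator registers that record anyway.
$MustSuppress = 'LdapIpAddress', 'Ldap', 'Gc', 'GcIpAddress', 'Kdc', 'Dc', 'DcByGuid',
                'Rfc1510Kdc', 'Rfc1510Kpwd', 'Rfc1510UdpKdc', 'Rfc1510UdpKpwd', 'GenericGc'

function Get-NetlogonAvoidList {
    param([Parameter(Mandatory)][string]$ComputerName)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        # The GPO setting lands here as a REG_SZ of space separated mnemonics ...
        $pol    = $hklm.OpenSubKey('SOFTWARE\Policies\Microsoft\Netlogon\Parameters')
        $polVal = if ($pol) { $pol.GetValue('DnsAvoidRegisterRecords') } else { $null }
        # ... so a policy-managed DC shows nothing under the service key below.
        # A value set by hand lives here as REG_MULTI_SZ; the policy key wins if both exist.
        $svc    = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\Netlogon\Parameters')
        $svcVal = if ($svc) { $svc.GetValue('DnsAvoidRegisterRecords') } else { $null }
    } finally { $hklm.Close() }
    $names = @()
    if ($polVal) { $names += ($polVal -split '\s+') }
    if ($svcVal) { $names += @($svcVal) }            # REG_MULTI_SZ comes back as string[]
    [pscustomobject]@{
        ComputerName = $ComputerName
        Source       = if ($polVal) { 'GPO' } elseif ($svcVal) { 'Local' } else { 'None' }
        Suppressed   = @($names | Where-Object { $_ } | Sort-Object -Unique)
    }
}

function Test-GenericLocatorRecords {
    param([string]$DnsDomain, [string[]]$Branch, [string[]]$Hub)
    $suffix = '\.' + [regex]::Escape($DnsDomain) + '\.?$'
    # Generic (non-site) records. Once the policy applies, only data center DCs should be targets.
    $generic = "_ldap._tcp.dc._msdcs.$DnsDomain", "_kerberos._tcp.dc._msdcs.$DnsDomain",
               "_ldap._tcp.$DnsDomain", "_kerberos._tcp.$DnsDomain", "_gc._tcp.$DnsDomain"
    foreach ($name in $generic) {
        # Resolve-DnsName also returns the additional A records, so keep only the SRV answers
        $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.QueryType -eq 'SRV' }
        $targets = @($srv | ForEach-Object { $_.NameTarget -replace $suffix, '' })
        [pscustomobject]@{
            Record  = $name
            Targets = $targets.Count
            Strays  = @($targets | Where-Object { $Branch -contains $_ })                              # branch DCs that should not be here
            Unknown = @($targets | Where-Object { $Hub -notcontains $_ -and $Branch -notcontains $_ })  # hosts in neither list
        }
    }
}

# (1) Configuration side: every branch DC must carry the full suppression list.
foreach ($dc in $BranchDcs) {
    $cfg     = Get-NetlogonAvoidList -ComputerName $dc
    $missing = @($MustSuppress | Where-Object { $cfg.Suppressed -notcontains $_ })   # case-insensitive
    if ($missing.Count) {
        Write-Warning ("{0}: still registers {1} (source: {2})" -f $dc, ($missing -join ' '), $cfg.Source)
    } else {
        "{0}: suppression list complete (source: {1})" -f $dc, $cfg.Source
    }
}

# (2) DNS side: the generic records must name only data center DCs.
Test-GenericLocatorRecords -DnsDomain $Domain -Branch $BranchDcs -Hub $HubDcs | ForEach-Object {
    if ($_.Strays.Count)  { Write-Warning ("{0}: branch DCs still registered: {1}" -f $_.Record, ($_.Strays -join ', ')) }
    if ($_.Unknown.Count) { Write-Warning ("{0}: targets in neither list: {1}" -f $_.Record, ($_.Unknown -join ', ')) }
    "{0}: {1} targets" -f $_.Record, $_.Targets
}
```

After the GPO is linked, make a branch DC pick it up and re-register (gpupdate /force, then nltest /dsregdns, or restart the Netlogon service) and run the script again. Point Resolve-DnsName at a data center DNS server with -Server if you want to rule out replication lag between AD-integrated zones. Generic records that still name a branch DC after that are stale entries left from before the change; remove them with dnscmd /RecordDelete or let scavenging age them out.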
ASKER
Awarding points, still researching the issue -- thanks for your help, EE Experts.
Have you split your sites into separate domains (subdomains), i.e.
example.com
na.example.com
usa.na.example.com
ny.usa.na.example.com
CA.usa.na.example.com
FL.usa.na.example.com
eu.example.com
fr.eu.example.com
uk.eu.example.com
and split your groups into groups, i.e.
marketing.ny.usa.na.exampl
sales.ny.usa.na.example.co
????