• Status: Solved

Stop specific AD server processing logons

I have 5 domain controllers:

3 x Windows Server 2008
2 x Windows Server 2003
The FSMO roles are split between the 2008 servers.

How can I safely ensure the three 2008 servers take priority over the 2003 servers for processing logons?  

I could just demote and decommission the 2003 servers but we rely on them for DNS as various systems still point to them.

A Google search showed that someone disabled the Netlogon service to achieve this and others disabled the Active Directory services. But I still need them to function as DNS servers and our zones are AD-integrated.
WBC2013 (Author) Commented:
I've increased the priority values for 1 on the SRV records for the older servers.  

To test this I've logged on and off 10 times and only once did I get an older server processing the request.

Does anyone have experience of doing this a better way?    (We only have 1 AD site and subnet)
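
The SRV priority change described in the comment above feeds into the target ordering defined by RFC 2782. The sketch below is an added example, not code from the thread or from Microsoft's DC locator; the host names, weights and the `reachable` set are constructed, and it goes beyond the thread by modelling what happens when the preferred servers do not answer.

```python
import random
from collections import namedtuple

Srv = namedtuple("Srv", "target priority weight")

# Constructed sample records (hypothetical host names), mirroring the thread:
# three 2008 DCs left at priority 0, two 2003 DCs raised to priority 1.
# Lower priority value = contacted first.
RECORDS = [
    Srv("dc2008-a.example.test", 0, 100),
    Srv("dc2008-b.example.test", 0, 100),
    Srv("dc2008-c.example.test", 0, 100),
    Srv("dc2003-a.example.test", 1, 100),
    Srv("dc2003-b.example.test", 1, 100),
]

def order_targets(records, rng=random):
    """Return records in contact order: lowest priority group first,
    weighted-random order inside each priority group (per RFC 2782)."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            pick = rng.randint(0, sum(r.weight for r in group))
            running = 0
            for r in group:
                running += r.weight
                if running >= pick:      # first record whose running sum covers pick
                    ordered.append(r)
                    group.remove(r)
                    break
    return ordered

def pick_dc(records, reachable, rng=random):
    """Return the first target in contact order that answers, else None."""
    for r in order_targets(records, rng):
        if r.target in reachable:
            return r.target
    return None

def simulate(records, reachable, trials=1000, seed=1):
    """Count which target a strictly RFC 2782 client ends up using."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(trials):
        dc = pick_dc(records, reachable, rng)
        counts[dc] = counts.get(dc, 0) + 1
    return counts
```

With every server reachable, `simulate` never returns a priority-1 target; the older servers are used only once no priority-0 target answers, so a higher priority value deprioritises a server without stopping it from handling logons.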
Cliff Galiher Commented:
Seems a rather strange requirement. I see no benefit to preventing them from processing logons.

But if that is what you truly desire, I'd still demote them and then, using the DNS role, make them secondary DNS servers. That way it wouldn't break your DNS references, but would solve the login change you want in a graceful and supported way.