We help IT Professionals succeed at work.

Force Windows clients to authenticate to a specific domain controller

12,101 Views
Last Modified: 2018-05-10
Hi Everyone,
I have already found tons of information on how to do this but none of them work. I need our PC's to authenticate to a specific domain controller because the DC that some clients are connecting to, does not work properly.

Good DC - Windows 2003 (Yes, I know it is old)
Faulty DC - Windows 2008 R2.

This is what have I tried
1. Added SiteName (preferred domain controller) to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters on the PC
2. Added <ipadress> <preferred DC> #PRE #DOM:<domain name> to LMHOSTS file on PC
3. Edited the SRV entry (_keberos and _ldap) in DNS on the DC's and restarted the netlogon service and the dns service
4. Added the PC's subnet to AD Sites and Services
5. Edited the registry on the domain controllers. Edited LdapSrvPriority and set to 0 on the preferred DC and 200 for the faulty DC

Yet despite all of these, a PC still points to the faulty PC.
Comment
Watch Question

Shaun VermaakSenior Consultant
CERTIFIED EXPERT
Awarded 2017
Distinguished Expert 2019
Commented:
This problem has been solved!
(Unlock this solution with a 7-day Free Trial)
UNLOCK SOLUTION
CERTIFIED EXPERT
Distinguished Expert 2018
Commented:
This problem has been solved!
(Unlock this solution with a 7-day Free Trial)
UNLOCK SOLUTION

Author

Commented:
Shaun, that's an interesting idea. I'm looking through the Windows firewall but I don't see a way to block a specific ip address or computername
Shaun VermaakSenior Consultant
CERTIFIED EXPERT
Awarded 2017
Distinguished Expert 2019

Commented:
You need to use the Advanced Firewall section
SilverwolfSenior Server Engineer
Commented:
This problem has been solved!
(Unlock this solution with a 7-day Free Trial)
UNLOCK SOLUTION
MaheshArchitect
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
This problem has been solved!
(Unlock this solution with a 7-day Free Trial)
UNLOCK SOLUTION
Brian MurphySenior Information Technology Consultant
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
This problem has been solved!
(Unlock this solution with a 7-day Free Trial)
UNLOCK SOLUTION

Author

Commented:
Thanks Everyone
Brian, I read that the Priority takes precedence over the weight. The weight applies only if they have the same priority. I'll take another look.
Brian MurphySenior Information Technology Consultant
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Also, those are client side settings not domain controller...

Forgot to mention that
Brian MurphySenior Information Technology Consultant
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
No really.  And the setting is on the client not AD Controller.

If you want to assure it does not use that controller you flip the #'s

The priority works by lower # better

The weight is opposite.

If you leave the defaults then it is the combination of the two combined.  

If you have two DC's and both have priority of 10 and weight of 100 and change one to priority 0 there are many scenarios from FSMO roles to Global Catalog and other things that could cause you to hit that server.

The only way I am aware of taking it out of the equation is Priority 100 and Weight 0.

On the clients/workstations.

So if you have a lot of clients you would push this change out to all of them

Author

Commented:
Thanks again Brian, But on the client? Everywhere I've read says to do it on the DC's.

Author

Commented:
I went for the maximum and minimum values possible to make sure the PC selected DC1 but it doesn't

DC1 -  LDAPSrvPriorityt is 0, LDAPSrvWeight is 0
DC2 - LDAPSrvPriority is 65335 and LDAPSrvWeight is 65335

So the PC should select DC1, right? It still selects DC2
Brian MurphySenior Information Technology Consultant
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
I don't recall the ranges allowed but if you keep it simple and just change priority to 100 and weight to 0  - I know that worked for me which was a long time back but I remember others attempting playing around with those #'s and all it took was flipping the defaults

100 and Zero

Restart Netlogon

There might be other steps I'm missing to flush out existing but I would start with that and then logoff and log back on.

And I would remove any changes you made prior.  Like lmosts or anything so we give this a fair chance.

If this doesn't work then it we need to look at nltest and other CMD tools to give us more information.
Brian MurphySenior Information Technology Consultant
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
This problem has been solved!
(Unlock this solution with a 7-day Free Trial)
UNLOCK SOLUTION

Author

Commented:
Higher value means a lower preference
In the registry of the DC that I DON'T want to be authenticated on, I have set the LDAPSrvPriority to 100 and LDAPSrvWeight to 100.
In the registry of the DC that I DO want to be authenticated on, I have set the LDAPSrvPriority to 0 and LDAPSrvWeight to 0.

The client still points to the DC I don't want to be authenticated on.
Brian MurphySenior Information Technology Consultant
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Confirm that changes are applying at this point.

nslookup
set q=SRV
_ldap._tcp.dc._msdcs.<AD_DS_domain_name>

You should see the DC names and the priority and weights

If not, you might need NLTest for that version of OS but basically you enable Netlogon debug which writes to a netlogon.log file.

You cannot modify the DNS records manually but you can modify the netlogon.dns file manually.

The Netlogon.dns file is located at %systemroot%\System32\Config\Netlogon.dns.

I know this works but have not tried it with this scenario where you have 2003 DC and 2008 DC, either way you are running 2003 domain and forest functional level.

Authentication is either Netlogon and DNS or legacy WINS.
Brian MurphySenior Information Technology Consultant
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Setting both values is not recommended.  You don't have to change any value other than the one for the DC you don't want to be used.

Set the Priority to 100, and Weight to 0

Whether by registry or netlogon.dns file

Restart Netlogon

Validate

nslookup
set q=SRV
_ldap._tcp.dc._msdcs.<AD_DS_domain_name>

All your doing is updating the SRV record by making a registry change by way of Netlogon to DNS.

This might require in some cases deleting those records from the msdcs zone first, then make the registry change.

At this point we need to validate that what your doing is taking effect.  

If the SRV records don't reflect the change then simply turning on debug for netlogon should show where this failure is happening when you restart netlogon.  Or, you might just need to delete the default value.  You can change it manually but it won't stay that way.
MaheshArchitect
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
This problem has been solved!
(Unlock this solution with a 7-day Free Trial)
UNLOCK SOLUTION
CERTIFIED EXPERT
Distinguished Expert 2018
Commented:
This problem has been solved!
(Unlock this solution with a 7-day Free Trial)
UNLOCK SOLUTION

Author

Commented:
Thanks EVERYONE!
It was a battle trying to accomplish my original aim. I couldn't get it working in a production environment but it worked in a lab environment. After many stressful hours, we decided to throw in the towel and installed a new domain controller for the production side as staff were being affected. I'll assign points to all solutions that helped in my lab environment.

Author

Commented:
Thanks everyone! I learnt a lot from this experience.

Gain unlimited access to on-demand training courses with an Experts Exchange subscription.

Get Access
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Empower Your Career
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions