What you could do is:

* make sure only the main central hub registers domain-wide and site-wide DC locator records
* make sure regional hubs only register site-wide DC locator records and NOT domain-wide DC locator records
* make sure remote offices only register site-wide DC locator records and NOT domain-wide DC locator records
* leave the priority of the central hub DCs as is
* configure a higher priority value for regional hub DCs
* leave the priority of the remote site DCs as is
* configure regional hub DCs to additionally cover the corresponding lower remote sites

This way:

* If regional hub DCs fail, clients/servers go to the main central hub when they query for DCs in the domain
* If remote site DCs fail, clients/servers will first go to the corresponding upper regional hub, as these also cover the remote site, and second they will go to the main central hub when they query for DCs in the domain

This configuration could be realized using GPOs with group filtering, or sub-OUs below the Domain Controllers OU (one OU with DCs for all remote sites that do not register domain-wide DC locator records, AND one OU per regional hub with DCs that do not register domain-wide DC locator records, have a higher priority for the SRV RR and additionally cover the lower remote site), or site GPOs using WMI filtering, or a combination of what is mentioned.

Cheers,
Jorge
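The three-tier layout above maps onto three Netlogon registry values on each DC (the same values the "Net Logon / DC Locator DNS Records" Group Policy settings write): DnsAvoidRegisterRecords (which records the DC does not register), LdapSrvPriority (the priority in its SRV records) and SiteCoverage (extra sites whose site-specific records it registers). The script below is an added example, not part of this thread or of any Microsoft tooling; the tier labels, the site names and the priority value 10 are constructed for illustration, and the set of mnemonics treated as "domain-wide" is this example's choice, so check it against the Netlogon documentation for your OS version before applying it.

```powershell
# Added example: apply the central / regional / remote DC locator layout on one DC.
# Run elevated on the DC itself. Tier names are labels invented for this example.
param(
    [Parameter(Mandatory)][ValidateSet('Central', 'Regional', 'Remote')]
    [string]$Tier,
    # Regional only: remote sites this hub should additionally cover (constructed names).
    [string[]]$CoveredSites = @('Remote-Site-A', 'Remote-Site-B')
)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Domain-wide (non-site-specific) locator records a spoke DC should NOT register.
# The *AtSite variants (LdapAtSite, DcAtSite, KdcAtSite, GcAtSite, ...) stay registered
# so the DC is still found for its own site. GUID-based records (DsaCname, DcByGuid)
# are never excluded: replication partners locate this DC through them. Pdc is
# omitted because only the PDC emulator registers it anyway.
$domainWideRecords = @(
    'Ldap', 'LdapIpAddress', 'Dc', 'Kdc', 'Gc', 'GcIpAddress', 'GenericGc',
    'Rfc1510Kdc', 'Rfc1510UdpKdc', 'Rfc1510Kpwd', 'Rfc1510UdpKpwd'
)

function Set-DcLocatorTier {
    param([string]$Tier, [string[]]$CoveredSites)

    switch ($Tier) {
        'Central' {
            # Hub registers everything at the default priority 0 and covers no extra sites.
            Remove-ItemProperty -Path $key -Name DnsAvoidRegisterRecords -ErrorAction SilentlyContinue
            Set-ItemProperty    -Path $key -Name LdapSrvPriority -Type DWord -Value 0
            Remove-ItemProperty -Path $key -Name SiteCoverage -ErrorAction SilentlyContinue
        }
        'Regional' {
            # Site-wide records only, a higher (= less preferred) priority, and explicit
            # coverage of the remote sites below it. Explicit coverage is needed because
            # Netlogon only auto-covers sites that have no DC of their own.
            Set-ItemProperty -Path $key -Name DnsAvoidRegisterRecords -Type MultiString -Value $domainWideRecords
            Set-ItemProperty -Path $key -Name LdapSrvPriority -Type DWord -Value 10
            Set-ItemProperty -Path $key -Name SiteCoverage -Type MultiString -Value $CoveredSites
        }
        'Remote' {
            # Site-wide records only, default priority 0 so local clients prefer it over the
            # covering regional hub (priority 10) in the same site-specific SRV answer.
            Set-ItemProperty    -Path $key -Name DnsAvoidRegisterRecords -Type MultiString -Value $domainWideRecords
            Set-ItemProperty    -Path $key -Name LdapSrvPriority -Type DWord -Value 0
            Remove-ItemProperty -Path $key -Name SiteCoverage -ErrorAction SilentlyContinue
        }
    }
    # Netlogon re-registers its DNS records on start, so restart it to apply immediately.
    Restart-Service -Name Netlogon
}

# Verification: list the DCs (and their priorities) a client in $Site would be offered,
# using the site-specific and the domain-wide queries Jorge describes in this thread.
function Show-DcLocatorAnswer {
    param([string]$DnsDomain, [string]$Site)
    $siteQuery   = "_ldap._tcp.$Site._sites.dc._msdcs.$DnsDomain"
    $domainQuery = "_ldap._tcp.dc._msdcs.$DnsDomain"
    foreach ($q in @($siteQuery, $domainQuery)) {
        "`n$q"
        Resolve-DnsName -Name $q -Type SRV -ErrorAction SilentlyContinue |
            Where-Object { $_.QueryType -eq 'SRV' } |
            Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
            Select-Object NameTarget, Priority, Weight, Port
    }
}

Set-DcLocatorTier -Tier $Tier -CoveredSites $CoveredSites
# Example check with constructed names; replace with your own domain and site:
# Show-DcLocatorAnswer -DnsDomain 'corp.example' -Site 'Remote-Site-A'
```

A practitioner's checks after rolling this out: the site-specific answer for a remote site should list the local DC at priority 0 and the regional hub at priority 10, the domain-wide answer should list only central hub DCs, and the regional hub's own site should still resolve to the hub (it is the only DC there, so its priority 10 does no harm). If the regional DCs are also global catalogs and you want the same coverage for GC lookups, the separate GcSiteCoverage value (and its GPO counterpart) must be set as well; SiteCoverage alone only affects the DC records.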
________________________________
From: [EMAIL PROTECTED] on behalf of Kamlesh Parmar
Sent: Sat 2005-12-31 13:57
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS SRV records

1) AFAIK, Site is an Active Directory specific concept, and AD is Directory (LDAP), Authentication server (Kerberos) etc. These services are published by AD in DNS thru SRV records in _sites._msdcs for each site and it covers them all... (LDAP, DC, GC, Kerberos, Kpassword). So I was curious what applications would actually just read the sitename from AD and look for a service not offered by a DC in that site? AD based distributed applications (other than Exchange)?

2) DNS priorities: I know by default it's only possible on a per DC basis thru the registry. I was hoping it was more customizable, even if it was not officially documented.

Basically we do have hub and spoke stuff. We have a central hub and then at its spokes regional hubs and at their spokes individual remote sites. (This is highly simplified, as there are load balancing links across regions, away from the central hub, so I would say it's a mesh between center and regional sites and then hub and spokes at region and remote sites.)

Now, in case of DC failure at a remote site, clients would go to any regional or central hub DC, and not necessarily its nearest regional hub DC. With priority only on a per DC basis, I would have to create a mess of priorities to achieve what I want. And it would be complex.

One solution I thought of was to publish regional hub DCs in their spoke sites with lower priority. This would surely give me some control on where remote sites go for authentication. But this would not help cover DC failure at region level.

Basically, I want to totally control the list of DCs referred to clients at each site and in what order they are referred. So a per DC per site priority setting would have been ideal. I am open to other possible solutions.
--
Kamlesh

On 12/31/05, Almeida Pinto, Jorge de <[EMAIL PROTECTED]> wrote:

"_sites.dc._msdcs.DNSDomainName" is for locating a DC (hence the _msdcs) that hosts a certain service in a certain site.
"_sites.DnsDomainName" is for locating a SERVER (does not need to be a DC) that hosts a certain service in a certain site.

For more info on service resource records see:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsbc_nar_sdns.asp

DNS priorities are on a per DC basis, and not on a per DC per site basis. It is not possible to configure a different priority for the same DC covering another site. Why do you want to do that?

If clients cannot find a DC in a site by querying for _ldap._tcp.SiteName._sites.DnsDomainName, the client will search for a DC in the domain by querying for _ldap._tcp.dc._msdcs.DnsDomainName.

If you have a hub-and-spoke site topology it is OK to configure all spoke DCs (branches) NOT to register domain-wide DC locator records and only let HUB DCs register those records.

Jorge

________________________________
From: [EMAIL PROTECTED] on behalf of Kamlesh Parmar
Sent: Fri 2005-12-30 22:42
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS SRV records

From my limited knowledge of how AD uses SRV records, I have two queries.

1) Why do we need a separate _sites.DnsDomainName child domain when we have the _sites.dc._msdcs.DNSDomainName child domain populated? And I guess that only the latter is used by clients to find the site specific DC for authentication. Which other applications would need site specific but generic SRV records (the former ones)??

2) How to publish DC1 in site1 into remote site site2 with a different priority than its own site site1? i.e.

DC1 site1 priority=0
DC1 site2 priority=10
DC2 site1 priority=10
DC2 site2 priority=0

By the way, Happy New Year to you all.
--
Kamlesh
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Be the change you want to see in the World"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.