What you could do is:
 
* make sure only the main central hub registers domain wide and site wide DC 
locator records
* make sure regional hubs only register site wide DC locator records and NOT 
domain wide DC locator records
* make sure remote offices only register site wide DC locator records and NOT 
domain wide DC locator records
* Leave the priority of the central hub DCs as is
* Configure a higher priority value for regional hub DCs
* Leave the priority of the remote site DCs as is
* Configure regional hub DCs to additionally cover the corresponding lower 
remote sites
 
This way:
* If regional hub DCs fail, clients/servers go to the main central hub when 
they query for DCs in the domain
* If remote site DCs fail, clients/servers will first go to the corresponding 
upper regional hub, as these also cover the remote site, and second they will go 
to the main central hub when they query for DCs in the domain
 
This configuration could be realized using GPOs with group filtering or sub-OUs 
below the Domain Controllers OU (one OU with the DCs of all remote sites, which do 
not register domain wide DC locator records, AND one OU per regional hub with 
DCs that do not register domain wide DC locator records, have a higher 
priority value for the SRV RR and additionally cover the lower remote sites) or site 
GPOs using WMI filtering, or a combination of what is mentioned.
 
Cheers,
Jorge
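The locator behaviour this thread turns on (site-specific SRV query first, domain-wide `_msdcs` query as fallback, lower SRV priority value preferred) is easy to reason about in a small model. The block below is an added example, not code from the thread or from Microsoft; it simulates the client side of the lookup against two constructed zones: the layout Jorge proposes (only central hub DCs register domain-wide records, the regional hub DC carries a higher priority value and additionally covers its branch site) and the default layout Kamlesh describes (every DC registers domain-wide at priority 0, no site coverage). Site names, DC names and the domain `corp.example` are invented. On real DCs these registrations are driven by the Netlogon parameters `DnsAvoidRegisterRecords`, `LdapSrvPriority` and `SiteCoverage`, which is what the GPOs mentioned above set.

```python
"""Simulation of DC locator DNS lookups for a hub-and-spoke site topology.

Constructed sample data: central hub site HQ, regional hub EU, remote site
EU-Branch1. Not a real environment.
"""
from dataclasses import dataclass
import random

DOMAIN = "corp.example"  # hypothetical DnsDomainName


@dataclass(frozen=True)
class Srv:
    target: str       # DC host name
    priority: int     # lower value is preferred (RFC 2782)
    weight: int = 100


def site_query(site):
    """Site-specific DC locator record name."""
    return f"_ldap._tcp.{site}._sites.{DOMAIN}"


# Domain-wide DC locator record name (the fallback query).
DOMAIN_WIDE = f"_ldap._tcp.dc._msdcs.{DOMAIN}"

# Layout proposed in the thread: only HQ DCs register domain-wide records,
# the regional hub DC uses a higher priority value and also covers the branch.
HUB_AND_SPOKE_ZONE = {
    site_query("HQ"):         [Srv("hq-dc1", 0), Srv("hq-dc2", 0)],
    site_query("EU"):         [Srv("eu-dc1", 10)],
    site_query("EU-Branch1"): [Srv("br1-dc1", 0), Srv("eu-dc1", 10)],
    DOMAIN_WIDE:              [Srv("hq-dc1", 0), Srv("hq-dc2", 0)],
}

# Default registration: every DC registers domain-wide at priority 0, no coverage.
DEFAULT_ZONE = {
    site_query("HQ"):         [Srv("hq-dc1", 0), Srv("hq-dc2", 0)],
    site_query("EU"):         [Srv("eu-dc1", 0)],
    site_query("EU-Branch1"): [Srv("br1-dc1", 0)],
    DOMAIN_WIDE:              [Srv("hq-dc1", 0), Srv("hq-dc2", 0),
                               Srv("eu-dc1", 0), Srv("br1-dc1", 0)],
}


def srv_order(records, rng):
    """RFC 2782 ordering: ascending priority, weighted random within a priority."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        bucket = [r for r in records if r.priority == prio]
        while bucket:
            total = sum(r.weight for r in bucket)
            pick = rng.randint(0, total)   # inclusive on both ends
            running = 0
            for rec in bucket:
                running += rec.weight
                if running >= pick:
                    ordered.append(rec)
                    bucket.remove(rec)
                    break
    return ordered


def locate_dc(site, zone, alive, seed=0):
    """Try the site-specific query; if no reachable DC, fall back to domain-wide.

    Returns (dc_name, query_name), or (None, None) when nothing is reachable.
    """
    rng = random.Random(seed)
    for query in (site_query(site), DOMAIN_WIDE):
        for rec in srv_order(zone.get(query, []), rng):
            if rec.target in alive:
                return rec.target, query
    return None, None


ALL_DCS = {"hq-dc1", "hq-dc2", "eu-dc1", "br1-dc1"}


def branch_failover(zone, failed):
    """Where a client in EU-Branch1 lands once the DCs in `failed` are down."""
    return locate_dc("EU-Branch1", zone, ALL_DCS - set(failed))


if __name__ == "__main__":
    for name, zone in (("hub-and-spoke", HUB_AND_SPOKE_ZONE), ("default", DEFAULT_ZONE)):
        for failed in ((), ("br1-dc1",), ("br1-dc1", "eu-dc1")):
            dc, query = branch_failover(zone, failed)
            print(f"{name:13} failed={failed or '-'}: {dc} via {query}")
```

Running it shows the difference the thread is about: with the hub-and-spoke zone, a branch client goes to `br1-dc1`, then to `eu-dc1` (still via the site-specific query, because the regional hub covers the branch), and only then to an HQ DC via the domain-wide query. With the default zone, losing `br1-dc1` sends the client to any DC in the domain, which is the "not necessarily its nearest regional hub" problem Kamlesh raises.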

________________________________

From: [EMAIL PROTECTED] on behalf of Kamlesh Parmar
Sent: Sat 2005-12-31 13:57
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS SRV records


1)
AFAIK, Site is an Active Directory specific concept, and AD is Directory (LDAP), 
Authentication server (Kerberos) etc. These services are published by AD in DNS 
thru SRV records in _sites._msdcs for each site and it covers them all 
(LDAP, DC, GC, Kerberos, Kpassword).
 
so I was curious what applications would actually just read sitename from AD 
and look for a service not offered by DC in that site? AD based distributed 
applications (other than exchange) ?
 
2)
DNS priorities, I know by default, it's only possible on a per DC basis thru the registry.
I was hoping it was more customizable, even if it was not officially documented.
 
Basically we do have hub and spoke stuff. We have a central hub and then at its 
spokes regional hubs and at their spokes individual remote sites. (This is 
highly simplified, as there are load balancing links across regions, away from 
the central hub, so I would say it's a mesh between center and regional sites and 
then hub and spokes at region and remote sites.)
 
Now, in case of DC failure at remote site, clients would go to any regional or 
Central hub DC, and not necessarily its nearest regional hub DC.
 
With priority only per DC basis, I would have to create mess of priorities to 
achieve what I want. And it would be complex.
 
One solution I thought of was to publish regional hub DCs in their spoke sites with 
lower priority.
This would surely give me some control on where remote sites go for 
authentication. But this would not help cover DC failure at region level.
 
Basically, I want to totally control the list of DCs referred to clients at 
each site and in what order they are referred.  So, per DC per Site priority 
setting would have been ideal.
 
I am open to other possible solutions.
 
--
Kamlesh
 
On 12/31/05, Almeida Pinto, Jorge de <[EMAIL PROTECTED]> wrote: 

        "_sites.dc._msdcs.DNSDomainName" is for locating a DC (hence the 
_msdcs) that hosts a certain service in a certain site 
        "_sites.DnsDomainName" is for locating a SERVER (does not need to be a 
DC) that hosts a certain service in a certain site
        
        for more info on service resource records see:
        
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsbc_nar_sdns.asp
        
        DNS priorities are on a per DC basis, and not on a per DC per site 
basis. 
        
        It is not possible to configure a different priority for the same DC 
covering another site.
        
        Why do you want to do that?
        
        if clients cannot find a DC in a site by querying for 
_ldap._tcp.SiteName._sites.DnsDomainName 
        the client will search for a DC in the domain by querying for 
_ldap._tcp.dc._msdcs.DnsDomainName
        
        If you have a hub-and-spoke site topology it is OK to configure all 
spoke DCs (branches) NOT to register domain wide DC locator records and only 
let HUB DCs register those records 
        
        Jorge
        
        ________________________________
        
        From: [EMAIL PROTECTED] on behalf of Kamlesh Parmar
        Sent: Fri 2005-12-30 22:42
        To: ActiveDir@mail.activedir.org
        Subject: [ActiveDir] DNS SRV records
        
        
        
        From my limited knowledge of how AD uses SRV records, I have two 
queries.
        
        1) 
        Why do we need a separate _sites.DnsDomainName child domain when we have
        the _sites.dc._msdcs.DNSDomainName child domain populated?
        
        And I guess that only the latter is used by clients to find the site 
specific DC for authentication. 
        
        Which other applications would need site specific but generic SRV 
records (the former ones)?
        
        2)
        How to publish DC1 in site1 into remote site site2 with different 
priority than its own site site1?
        i.e.
        
        DC1  site1   priority=0
        DC1  site2   priority=10
        
        DC2  site1   priority=10
        DC2  site2   priority=0
        
        By the way,
        
        Happy New Year to you all.
        
        --
        Kamlesh
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
        "Be the change you want to see in the World"
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        
        
        




-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Be the change you want to see in the World"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
