NETLOGON on the DC is repopulating the SRV recs for you. You need to set the registry entry (on the DC) /HKLM/CCS/Services/NetLogon/Parameters/LdapSrvPriority to the appropriate DNS SRV priority value. I don't think you can set the weight this way.
This doesn't make it impossible for the DC to service authentication, just less likely. You should disable the publication of generic (non-site-specific) SRV recs as well. Set /HKLM/CCS/Services/NetLogon/Parameters/DnsAvoidRegisterRecords to contain the string "LdapIPAddress Kdc Dc Rfc1510Kdc Rfc1510UdpKdc Rfc1510Kpwd Rfc1510UdpKpwd", basically all the possible generic record mnemonics except for DCByGuid, which is needed for replication. And you should disable auto site coverage on the DC as well. Set /HKLM/CCS/Services/NetLogon/AutoSiteCoverage to 0. That should make your DC pretty much invisible to everyone except its replication partners.

-gil

-----Original Message-----
From: Ken Cornetet [mailto:Ken.Cornetet@;kimball.com]
Sent: Tuesday, October 29, 2002 11:24 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Phantom DNS entries for domain controllers

I have three DCs for our main domain, one of which I do not want servicing active directory logons under normal circumstances. I went into DNS and changed all of the entries for that DC to have a priority of "100" which should ensure that all DNS replies will have that DC last in the list. However, when I go back into DNS, my modified entries are still there, but there are new entries for the same DC with the priority set to "0". If I delete these "phantoms", they simply reappear. Any ideas? SP3 is applied to all the domain/DNS servers.

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
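As an added example (not from either poster), the PowerShell equivalent of the three Netlogon registry settings gil describes, followed by a DNS check that the DC now appears at the new priority and has dropped out of the generic records. It assumes it is run elevated on the DC itself; the domain name is a placeholder, the Netlogon values are under the Parameters key, and DnsAvoidRegisterRecords is written as a multi-string value with one mnemonic per entry.

```powershell
# Added example: apply the Netlogon settings described in the thread and verify the SRV records.
# Assumptions: run elevated on the DC being demoted in priority; $Domain is a placeholder.
param(
    [string]$Domain   = 'corp.example.com',   # placeholder, replace with your AD DNS name
    [int]   $Priority = 100                   # the priority Ken wanted for this DC
)

$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# 1. Advertise this DC's own SRV records with a high (less preferred) priority.
Set-ItemProperty -Path $params -Name LdapSrvPriority -Type DWord -Value $Priority

# 2. Stop registering the generic (non-site-specific) records. One mnemonic per element;
#    DCByGuid is left out because replication partners locate the DC through it.
#    (The thread spells two of these "Upd"; the registry mnemonics are "Udp".)
$avoid = 'LdapIpAddress','Kdc','Dc','Rfc1510Kdc','Rfc1510UdpKdc','Rfc1510Kpwd','Rfc1510UdpKpwd'
Set-ItemProperty -Path $params -Name DnsAvoidRegisterRecords -Type MultiString -Value $avoid

# 3. Keep this DC from volunteering to cover sites that have no DC of their own.
Set-ItemProperty -Path $params -Name AutoSiteCoverage -Type DWord -Value 0

# Netlogon re-registers its records when it starts (and refreshes them periodically),
# which is also why hand-edited records reappear with priority 0.
Restart-Service Netlogon

# 4. Verify from DNS. After a refresh, this DC should be missing from the two generic
#    names and should carry the new priority on the domain-wide LDAP record.
$me = "$env:COMPUTERNAME.$Domain."
$checks = @(
    "_ldap._tcp.dc._msdcs.$Domain",     # 'Dc' mnemonic
    "_kerberos._tcp.dc._msdcs.$Domain", # 'Kdc' mnemonic
    "_ldap._tcp.$Domain"                # 'Ldap' mnemonic, still published at $Priority
)
foreach ($name in $checks) {
    $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' }
    $mine = $srv | Where-Object { $_.NameTarget -eq $me }
    "{0}: {1} record(s) for this DC" -f $name, @($mine).Count
    $srv | Sort-Object Priority |
        Select-Object @{n='Query';e={$name}}, NameTarget, Priority, Weight |
        Format-Table -AutoSize
}
```

Query the DNS server the DC registers against, since stale copies on other resolvers will lag until their TTL expires.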
