if your test clients are all win2k/xp, you could also use the "NT4emulator" registry key on the server to prevent the machine from accepting the Kerberos auth. protocol => win2k/xp clients will search for other DCs that allow kerb.auth. (check MS Q298713)
initially the key was added to prevent the PDC overload issue during migration, but it sounds like this would be valuable for your tests without disturbing other things (I'm simply unsure what other things would cease to work if netlogon is turned off - I could imagine that you could also no longer logon via TS...?)

\Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, June 10, 2004 03:28
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Preventing a DC from authenticating users

True - would work. But, why not just shut off netlogon? Seems to be about the easiest way to be sure that it's not going to answer requests for authN.

Rick Kingslan MCSE, MCSA, MCT, CISSP
Microsoft MVP:
Windows Server / Directory Services
Windows Server / Rights Management
Windows Security (Affiliate)
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Wednesday, June 09, 2004 1:15 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Preventing a DC from authenticating users

Why not create a dummy site, and move the DC into it?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Tuesday, June 08, 2004 4:06 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Preventing a DC from authenticating users

I want to stop a specific DC from authenticating users as part of a test. The server also provides DNS for the clients, so I don't want to shut down the box during the test - I just want it to be 'invisible' to clients looking for a DC for the duration of the test (a couple of days max). Is 'net stop netlogon' and deleting the appropriate GC and LDAP SRV records a reasonable way to go about this? Will this prevent replication? Any other ideas to accomplish this?

Thanks!
Dave Fugleberg

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
