There just isn't a way to turn off the authentication function other than
blocking port 88.

Todd

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 09, 2004 2:37 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Stopping a GC from doing Authentications

Hi Todd

You can use a GPO (2003) or Reg Hacks (2000) to hide the SRV records so it
can no longer do authentications.  The following is an excerpt from
Microsoft Q306602.


Windows 2000

1.    Start Registry Editor (Regedt32.exe).
2.    Locate and click the following key in the registry:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

3.    On the Edit menu, click Add Value, and then add the following
      registry value:

          Value name: DnsAvoidRegisterRecords
          Data type: REG_MULTI_SZ

      Set the value to the list of the space-delimited mnemonics that
      are specified in the following tables.

4.    Quit Registry Editor.

Windows Server 2003

To configure Windows Server 2003-based domain controllers, use the Net
Logon service Group Policy "DNS records not registered by the domain
controllers" by specifying the list of the space-delimited mnemonics that
are specified in the following tables.

Reference Tables

The following tables contain mnemonics, types, and the owner names of the
domain controller locator DNS records that should not be registered by the
satellite domain controllers and global catalogs to optimize the domain
controller location.

Domain Controller-Specific Records
|--------------+----+------------------------------------------------------|
|   Mnemonic   |Type|                      DNS Record                      |
|--------------+----+------------------------------------------------------|
|LdapIpAddress |A   |<DnsDomainName>                                       |
|Ldap          |SRV |_ldap._tcp.<DnsDomainName>                            |
|DcByGuid      |SRV |_ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName>|
|Kdc           |SRV |_kerberos._tcp.dc._msdcs.<DnsDomainName>              |
|Dc            |SRV |_ldap._tcp.dc._msdcs.<DnsDomainName>                  |
|Rfc1510Kdc    |SRV |_kerberos._tcp.<DnsDomainName>                        |
|Rfc1510UdpKdc |SRV |_kerberos._udp.<DnsDomainName>                        |
|Rfc1510Kpwd   |SRV |_kpasswd._tcp.<DnsDomainName>                         |
|Rfc1510UdpKpwd|SRV |_kpasswd._udp.<DnsDomainName>                         |
|--------------+----+------------------------------------------------------|

Global Catalog-Specific Records
|-----------+----+------------------------------------|
| Mnemonic  |Type|             DNS Record             |
|-----------+----+------------------------------------|
|Gc         |SRV |_ldap._tcp.gc._msdcs.<DnsForestName>|
|GcIpAddress|A   |gc._msdcs.<DnsForestName>           |
|GenericGc  |SRV |_gc._tcp.<DnsForestName>            |
|-----------+----+------------------------------------|

For the complete list of the domain controller locator DNS records, see the
Windows 2000 Server Resource Kit, "Distributed Systems Guide" book, Chapter
3, "Name Resolution in Active Directory", or refer to KB article Q267855,
which is referenced in this article.

You should be able to hide all but the GC records and it will stop being
available to clients for authentication.  We have hidden DCs from all but
in site clients with success.  We also found you need to wipe out the SRV
records in DNS after you apply the registry / GPO changes.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]


From: "Myrick, Todd (NIH/CIT)" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Sent: 09/09/2004 02:16 PM AST
Please respond to ActiveDir
To: [EMAIL PROTECTED]
cc: (bcc: James Day/Contractor/NPS)
Subject: [ActiveDir] Stopping a GC from doing Authentications

Is it possible to configure a GC to perform GC functions, but to disable
the ability to process authentication requests?  I was asked this question
and figured this would be an interesting topic here.  I know it is possible
to mess with the SRV records to lower the priority of the server, etc.

Thanks,

Todd
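
As an added example (not part of this thread and not Microsoft's own code from
Q306602), here is the registry route from the excerpt above written as a
PowerShell script for a current Windows Server domain controller: it hides the
nine DC-specific mnemonics from the first table, leaves the three GC mnemonics
registered, removes the stale SRV records James says must be wiped after the
change, and then checks what the locator records say. The domain name
corp.example, the assumption that the script runs elevated on a DC that also
hosts the DNS zone, and the DnsServer / Resolve-DnsName cmdlets (which did not
exist on the 2000/2003 systems the thread is about) are all assumptions of this
example.

```powershell
# Added example, not code from the ActiveDir thread or from KB Q306602.
# Assumptions: elevated PowerShell on the DC itself, which also hosts the DNS zone;
# corp.example is a placeholder for the real domain and forest names.
$Domain = 'corp.example'   # placeholder for <DnsDomainName>
$Forest = 'corp.example'   # placeholder for <DnsForestName> (equals $Domain in a one-domain forest)
$Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$Me     = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME)).HostName   # this DC's FQDN

# The nine mnemonics from the "Domain Controller-Specific Records" table.
# Gc, GcIpAddress and GenericGc are left out on purpose so the server keeps
# advertising itself as a global catalog (James: "hide all but the GC records").
$Hide = @('LdapIpAddress', 'Ldap', 'DcByGuid', 'Kdc', 'Dc',
          'Rfc1510Kdc', 'Rfc1510UdpKdc', 'Rfc1510Kpwd', 'Rfc1510UdpKpwd')

# Step 3 of the excerpt: DnsAvoidRegisterRecords as REG_MULTI_SZ, one mnemonic per element.
# On Windows Server 2003 the Net Logon policy "DNS records not registered by the
# domain controllers" carries the same space-delimited list instead.
Set-ItemProperty -Path $Params -Name 'DnsAvoidRegisterRecords' -Value $Hide -Type MultiString

# Netlogon reads the list when it starts; restarting it ends the periodic re-registration.
Restart-Service -Name Netlogon

# The change does not withdraw records already in DNS (James: wipe out the SRV records
# afterwards). Owner names below are relative to the domain zone; the dc._msdcs names
# sit inside the domain zone on Windows 2000 and in a separate _msdcs zone on 2003 and
# later, so change -ZoneName for those two entries if that is your layout.
$Stale = @('_ldap._tcp', '_kerberos._tcp', '_kerberos._udp', '_kpasswd._tcp', '_kpasswd._udp',
           '_ldap._tcp.dc._msdcs', '_kerberos._tcp.dc._msdcs')
foreach ($Name in $Stale) {
    Get-DnsServerResourceRecord -ZoneName $Domain -Name $Name -RRType Srv -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordData.DomainName -eq "$Me." } |   # only the records pointing at this DC
        Remove-DnsServerResourceRecord -ZoneName $Domain -Force
}

# Check from the locator's point of view: is this host still a target of the given SRV name?
function Test-Advertised([string]$Fqdn) {
    $targets = Resolve-DnsName -Name $Fqdn -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' } |
               ForEach-Object { $_.NameTarget.TrimEnd('.') }
    return [bool]($targets -contains $Me)
}

[pscustomobject]@{
    Host            = $Me
    AdvertisedAsKdc = Test-Advertised "_kerberos._tcp.$Domain"
    AdvertisedAsDc  = Test-Advertised "_ldap._tcp.$Domain"
    AdvertisedAsGc  = Test-Advertised "_ldap._tcp.gc._msdcs.$Forest"
}
```

After the cached records expire on the clients, the final object should show
the host no longer advertised as KDC or DC while still advertised as GC, which
is the state James describes (clients outside the site stop finding it). Note
what this does and does not change: only DC locator discovery is affected. The
KDC on the server still answers on port 88 for any client that is pointed at it
by name, address or a stale cache entry, which is why Todd's conclusion at the
top of the thread stands: hiding the records changes who finds the server, not
whether it authenticates.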

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/