I agree, Al. It seems kinda "challenged" to me as well... I was just asked the question, and I am the kinda guy that looks for answers to questions people pose. All your input has been really appreciated.

Todd

-----Original Message-----
From: Mulnick, Al [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 09, 2004 3:22 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Stopping a GC from doing Authentications

What you may find is that users that have already used it as an authentication source will try again. Not sure if they'll try to look up the DNS records or not, but I would expect them to just try to use the server again. Additionally, wondering what's going to happen if you remove the ability for authentication and you want the other DCs to replicate with it. Not saying it can't work, but it seems odd to have it work that way off the cuff.

What really has me quizzical is why you would want to prevent authentication on a GC? Seems a waste of hardware since you'll have all of the data there anyway. Can you expand why you would want to do that? I'm a curious person by nature and it's killing me not to be able to think of a reason on my own ;-)

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, September 09, 2004 3:09 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Stopping a GC from doing Authentications

Hi Todd

True, but if you misconfigure the DNS settings the clients will not be able to find the DC SRV records to authenticate. We did have one location that was using a BIND DNS server and had a local DC. They replaced their DC but did not update the SRV records in their DNS server. Consequently, their users all authenticated to a DC in another site rather than the local one because they could not find the DNS SRV records for that local DC.

We have not yet done extensive testing on the SRV record Group Policy or registry changes, but the preliminary testing we have done has hidden the LDAP SRV records from DNS, which should make it invisible as an available authentication option for the users.
We are looking at testing some parts of this over the next 2 weeks, so I will let you know what we find out.

Regards,
James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]

From: "Myrick, Todd (NIH/CIT)" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Sent: 09/09/2004 02:46 PM AST
To: [EMAIL PROTECTED]
cc: [EMAIL PROTECTED], (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] Stopping a GC from doing Authentications
Please respond to ActiveDir

There just isn't a way to turn off the authentication function other than block port 88.

Todd

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 09, 2004 2:37 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Stopping a GC from doing Authentications

Hi Todd

You can use a GPO (2003) or Reg Hacks (2000) to hide the SRV records so it can no longer do authentications. The following is an excerpt from Microsoft Q306602:

Windows 2000

1. Start Registry Editor (Regedt32.exe).
2. Locate and click the following key in the registry:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
3. On the Edit menu, click Add Value, and then add the following registry value:
   Value name: DnsAvoidRegisterRecords
   Data type: REG_MULTI_SZ
   Set the value to the list of the space-delimited mnemonics that are specified in the following tables.
4. Quit Registry Editor.

Windows Server 2003

To configure Windows Server 2003-based domain controllers, use the Net Logon service Group Policy "DNS records not registered by the domain controllers" by specifying the list of the space-delimited mnemonics that are specified in the following tables.

Reference Tables

The following tables contain mnemonics, types, and the owner names of the domain controller locator DNS records that should not be registered by the satellite domain controllers and global catalogs to optimize the domain controller location.

Domain Controller-Specific Records

|----------------+------+--------------------------------------------------------|
| Mnemonic       | Type | DNS Record                                             |
|----------------+------+--------------------------------------------------------|
| LdapIpAddress  | A    | <DnsDomainName>                                        |
| Ldap           | SRV  | _ldap._tcp.<DnsDomainName>                             |
| DcByGuid       | SRV  | _ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName> |
| Kdc            | SRV  | _kerberos._tcp.dc._msdcs.<DnsDomainName>               |
| Dc             | SRV  | _ldap._tcp.dc._msdcs.<DnsDomainName>                   |
| Rfc1510Kdc     | SRV  | _kerberos._tcp.<DnsDomainName>                         |
| Rfc1510UdpKdc  | SRV  | _kerberos._udp.<DnsDomainName>                         |
| Rfc1510Kpwd    | SRV  | _kpasswd._tcp.<DnsDomainName>                          |
| Rfc1510UdpKpwd | SRV  | _kpasswd._udp.<DnsDomainName>                          |
|----------------+------+--------------------------------------------------------|

Global Catalog-Specific Records
|-------------+------+--------------------------------------|
| Mnemonic    | Type | DNS Record                           |
|-------------+------+--------------------------------------|
| Gc          | SRV  | _ldap._tcp.gc._msdcs.<DnsForestName> |
| GcIpAddress | A    | gc._msdcs.<DnsForestName>            |
| GenericGc   | SRV  | _gc._tcp.<DnsForestName>             |
|-------------+------+--------------------------------------|

For the complete list of the domain controller locator DNS records, see the Windows 2000 Server Resource Kit, "Distributed Systems Guide" book, Chapter 3, "Name Resolution in Active Directory". For the complete list of the domain controller locator DNS records, refer to KB article Q267855 that is referenced in this article.

You should be able to hide all but the GC records and it will stop being available to clients for authentication. We have hidden DCs from all but in-site clients with success. We also found you need to wipe out the SRV records in DNS after you apply the registry / GPO changes.

Regards,
James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]

From: "Myrick, Todd (NIH/CIT)" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Sent: 09/09/2004 02:16 PM AST
To: [EMAIL PROTECTED]
cc: (bcc: James Day/Contractor/NPS)
Subject: [ActiveDir] Stopping a GC from doing Authentications
Please respond to ActiveDir

Is it possible to configure a GC to perform GC functions, but to disable the ability to process authentication requests? I was asked this question and figured this would be an interesting topic here. I know it is possible to mess with the SRV records to lower the priority of the server, etc.

Thanks,
Todd

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
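An added example, not part of the thread or of Microsoft's Q306602 text: the same DnsAvoidRegisterRecords setting applied with PowerShell instead of Regedt32, hiding the nine domain-controller-specific mnemonics from the first table while leaving the three GC mnemonics registered, followed by a DNS check that the DC's name has dropped out of the domain-wide LDAP and Kerberos SRV answers but still appears in the forest-wide GC answers. The domain, forest and host names are placeholders, and the check assumes a PowerShell with the DnsClient module (Resolve-DnsName), so it will not run on a 2004-era DC itself.

```powershell
# Added example; not the KB's own procedure. Placeholder names, replace with yours.
$Domain = 'corp.example.com'       # <DnsDomainName>
$Forest = 'corp.example.com'       # <DnsForestName> (same as the domain in a single-domain forest)
$DcHost = 'gc01.corp.example.com'  # FQDN of the GC that should stop advertising itself as a DC/KDC

# Domain-controller-specific mnemonics from the first table. The GC-specific ones
# (Gc, GcIpAddress, GenericGc) are intentionally left out so GC lookups keep working.
$Hide = @('LdapIpAddress', 'Ldap', 'DcByGuid', 'Kdc', 'Dc',
          'Rfc1510Kdc', 'Rfc1510UdpKdc', 'Rfc1510Kpwd', 'Rfc1510UdpKpwd')

# Same key and value as the Windows 2000 registry steps; REG_MULTI_SZ is MultiString here.
$Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
Set-ItemProperty -Path $Key -Name 'DnsAvoidRegisterRecords' -Type MultiString -Value $Hide
Restart-Service -Name Netlogon     # Netlogon reads the list when it starts

# Returns $true when $HostName is one of the SRV targets DNS currently returns for $Name.
function Test-SrvTarget {
    param([string]$Name, [string]$HostName)
    $answers = Resolve-DnsName -Name $Name -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' }
    $targets = @($answers | ForEach-Object { $_.NameTarget.TrimEnd('.') })
    return [bool]($targets -contains $HostName)
}

# Expected state after the change: absent from the LDAP/KDC locator records, still a GC target.
$checks = [ordered]@{
    "_ldap._tcp.$Domain"               = $false
    "_kerberos._tcp.$Domain"           = $false
    "_ldap._tcp.dc._msdcs.$Domain"     = $false
    "_kerberos._tcp.dc._msdcs.$Domain" = $false
    "_ldap._tcp.gc._msdcs.$Forest"     = $true
    "_gc._tcp.$Forest"                 = $true
}
foreach ($name in $checks.Keys) {
    $present = Test-SrvTarget -Name $name -HostName $DcHost
    $status  = if ($present -eq $checks[$name]) { 'OK  ' } else { 'FAIL' }
    "$status $name  ->  $DcHost present: $present"
}
# A FAIL on an LDAP/KDC row usually means stale records: as the thread notes, records the
# DC registered before the change may have to be deleted from DNS by hand, then re-check.
```

Hiding the records only changes what new locator lookups return; as Al points out above, clients that already picked this DC may keep trying it, so the check says nothing about sessions that exist already.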
