I'm guessing he wants to use the GC solely as a directory/LDAP server rather than as a 
point of authentication - LDAP-heavy app, want to dedicate a GC to it would be my 
guess.
 
--Brian

        -----Original Message----- 
        From: Mulnick, Al [mailto:[EMAIL PROTECTED] 
        Sent: Thu 9/9/2004 2:21 PM 
        To: '[EMAIL PROTECTED]' 
        Cc: 
        Subject: RE: [ActiveDir] Stopping a GC from doing Authentications
        
        What you may find is that users that have already used it as an
        authentication source will try again.  Not sure if they'll try to look up
        the DNS records or not, but I would expect them to just try to use the server
        again.  Additionally, wondering what's going to happen if you remove the
        ability for authentication and you want the other DCs to replicate with it.
        Not saying it can't work, but it seems odd to have it work that way off the
        cuff.
        
        What really has me quizzical is why you would want to prevent authentication
        on a GC?   Seems a waste of hardware since you'll have all of the data there
        anyway.
        
        Can you expand why you would want to do that?  I'm a curious person by
        nature and it's killing me not to be able to think of a reason on my own ;-)
        
        Al
        
        -----Original Message-----
        From: [EMAIL PROTECTED]
        [mailto:[EMAIL PROTECTED] On Behalf Of
        [EMAIL PROTECTED]
        Sent: Thursday, September 09, 2004 3:09 PM
        To: [EMAIL PROTECTED]
        Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
        Subject: RE: [ActiveDir] Stopping a GC from doing Authentications
        
        Hi Todd
        
        True, but if you misconfigure the DNS settings the clients will not be able
        to find the DC SRV records to authenticate.  We did have one location that
        was using a BIND DNS server and had a local DC.  They replaced their DC but
        did not update the SRV records in their DNS server.  Consequently, their
        users all authenticated to a DC in another site rather than the local one
        because they could not find the DNS SRV records for that local DC.
        
        We have not yet done extensive testing on the SRV record Group Policy or
        registry changes, but the preliminary testing we have done has hidden the
        LDAP SRV records from DNS, which should make it invisible as an available
        authentication option for the users.  We are looking at testing some parts
        of this over the next 2 weeks, so I will let you know what we find out.
        
        Regards;
        
        James R. Day
        Active Directory Core Team
        Office of the Chief Information Officer
        National Park Service
        (202) 354-1464 (direct)
        (202) 371-1549 (fax)
        [EMAIL PROTECTED]
        
        
        From: "Myrick, Todd (NIH/CIT)" <[EMAIL PROTECTED]>
        Sent by: [EMAIL PROTECTED]tivedir.org
        Sent: 09/09/2004 02:46 PM AST
        Please respond to: ActiveDir
        To: [EMAIL PROTECTED]
        cc: [EMAIL PROTECTED], (bcc: James Day/Contractor/NPS)
        Subject: RE: [ActiveDir] Stopping a GC from doing Authentications
        
        There just isn't a way to turn off the authentication function other than
        to block port 88.
        
        Todd
        
        -----Original Message-----
        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
        Sent: Thursday, September 09, 2004 2:37 PM
        To: [EMAIL PROTECTED]
        Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
        Subject: Re: [ActiveDir] Stopping a GC from doing Authentications
        
        Hi Todd
        
        You can use a GPO (2003) or Reg Hacks (2000) to hide the SRV records so it
        can no longer do authentications.  The following is an excerpt from
        Microsoft Q306602:
        
        
        Windows 2000
        
        1.    Start Registry Editor (Regedt32.exe).
        2.    Locate and click the following key in the registry:
        
              HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
        
        3.    On the Edit menu, click Add Value, and then add the following
              registry value:
        
                  Value name: DnsAvoidRegisterRecords
                  Data type: REG_MULTI_SZ
        
                  Set the value to the list of the space-delimited mnemonics that
                  are specified in the following tables.
        
        4.    Quit Registry Editor.
        
        Windows Server 2003
        
        To configure Windows Server 2003-based domain controllers, use the Net Logon
        service Group Policy "DNS records not registered by the domain controllers"
        by specifying the list of the space-delimited mnemonics that are specified
        in the following tables.
        
        Reference Tables
        
        The following tables contain mnemonics, types, and the owner names of the
        domain controller locator DNS records that should not be registered by the
        satellite domain controllers and global catalogs to optimize the domain
        controller location.
        
        Domain Controller-Specific Records
        |--------------+----+------------------------------------------------------|
        |   Mnemonic   |Type|                      DNS Record                      |
        |--------------+----+------------------------------------------------------|
        |LdapIpAddress |A   |<DnsDomainName>                                       |
        | Ldap         |SRV |_ldap._tcp.<DnsDomainName>                            |
        | DcByGuid     |SRV |_ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName>|
        | Kdc          |SRV |_kerberos._tcp.dc._msdcs.<DnsDomainName>              |
        | Dc           |SRV |_ldap._tcp.dc._msdcs.<DnsDomainName>                  |
        | Rfc1510Kdc   |SRV |_kerberos._tcp.<DnsDomainName>                        |
        | Rfc1510UdpKdc|SRV |_kerberos._udp.<DnsDomainName>                        |
        | Rfc1510Kpwd  |SRV |_kpasswd._tcp.<DnsDomainName>                         |
        |Rfc1510UdpKpwd|SRV |_kpasswd._udp.<DnsDomainName>                         |
        |--------------+----+------------------------------------------------------|
        
        Global Catalog-Specific Records
        |-----------+----+------------------------------------|
        | Mnemonic  |Type|             DNS Record             |
        |-----------+----+------------------------------------|
        |Gc         |SRV |_ldap._tcp.gc._msdcs.<DnsForestName>|
        |GcIpAddress|A   |gc._msdcs.<DnsForestName>           |
        | GenericGc |SRV |_gc._tcp.<DnsForestName>            |
        |-----------+----+------------------------------------|
        
        For the complete list of the domain controller locator DNS records, see the
        Windows 2000 Server Resource Kit, "Distributed Systems Guide" book, Chapter
        3 "Name Resolution in Active Directory". For the complete list of the domain
        controller locator DNS records, refer to KB article Q267855 that is
        referenced in this article.
        
        You should be able to hide all but the GC records and it will stop being
        available to clients for authentication.  We have hidden DCs from all but
        in-site clients with success.  We also found you need to wipe out the SRV
        records in DNS after you apply the registry / GPO changes.
        
        Regards;
        
        James R. Day
        Active Directory Core Team
        Office of the Chief Information Officer
        National Park Service
        (202) 354-1464 (direct)
        (202) 371-1549 (fax)
        [EMAIL PROTECTED]
        
        
        From: "Myrick, Todd (NIH/CIT)" <[EMAIL PROTECTED]>
        Sent by: [EMAIL PROTECTED]tivedir.org
        Sent: 09/09/2004 02:16 PM AST
        Please respond to: ActiveDir
        To: [EMAIL PROTECTED]
        cc: (bcc: James Day/Contractor/NPS)
        Subject: [ActiveDir] Stopping a GC from doing Authentications
        
        Is it possible to configure a GC to perform GC functions, but to disable the
        ability to process authentication requests?  I was asked this question and
        figured this would be an interesting topic here.  I know it is possible to
        mess with the SRV records to lower the priority of the server, etc.
        
        Thanks,
        
        Todd
        
        List info   : http://www.activedir.org/mail_list.htm
        List FAQ    : http://www.activedir.org/list_faq.htm
        List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
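Added example (not from the thread, the list, or Microsoft's KB text): the registry step quoted from Q306602 and the "hide all but the GC records" approach James describes, done in PowerShell on a current Windows DC, followed by the DNS check a practitioner would run from a client afterwards. It assumes PowerShell 3.0 or later with the DnsClient module (for Resolve-DnsName), local administrator rights on the DC, and placeholder names (corp.example.com, gc01.corp.example.com) for the domain, forest and DC; the value name, registry path and mnemonics are the ones in the quoted KB excerpt.

```powershell
# Added example, not from the thread or the KB article. Run as an administrator
# on the DC whose DC/KDC locator records should no longer be advertised.
# Assumed placeholder names: corp.example.com (domain and forest),
# gc01.corp.example.com (this DC).

$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Mnemonics from the "Domain Controller-Specific Records" table of Q306602.
# The GC-specific mnemonics (Gc, GcIpAddress, GenericGc) are deliberately left
# out so the server stays discoverable as a global catalog.
$dcOnlyMnemonics = @(
    'LdapIpAddress', 'Ldap', 'DcByGuid', 'Kdc', 'Dc',
    'Rfc1510Kdc', 'Rfc1510UdpKdc', 'Rfc1510Kpwd', 'Rfc1510UdpKpwd'
)

# Record the current value (if any) so the change can be reverted.
$current = (Get-ItemProperty -Path $netlogonKey -Name DnsAvoidRegisterRecords `
            -ErrorAction SilentlyContinue).DnsAvoidRegisterRecords
if ($current) { Write-Host "Existing DnsAvoidRegisterRecords: $($current -join ' ')" }

# REG_MULTI_SZ: one mnemonic per string entry (the KB's space-delimited list
# becomes one entry per line in the registry editor).
Set-ItemProperty -Path $netlogonKey -Name DnsAvoidRegisterRecords `
    -Value $dcOnlyMnemonics -Type MultiString

# Netlogon reads the list on restart; nltest forces a registration pass so the
# records it still owns are re-registered and the avoided ones are not.
Restart-Service Netlogon
nltest /dsregdns

# Verification from a client: this DC should be absent from the Kerberos/LDAP
# locator answers but still present in the GC answer.
$domain = 'corp.example.com'          # placeholder
$forest = 'corp.example.com'          # placeholder
$dcHost = 'gc01.corp.example.com'     # placeholder

$kdcTargets = (Resolve-DnsName -Name "_kerberos._tcp.dc._msdcs.$domain" -Type SRV).NameTarget
$dcTargets  = (Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV).NameTarget
$gcTargets  = (Resolve-DnsName -Name "_ldap._tcp.gc._msdcs.$forest" -Type SRV).NameTarget

"KDC record still lists $dcHost : $($kdcTargets -contains $dcHost)"   # expect False
"DC record still lists $dcHost  : $($dcTargets  -contains $dcHost)"   # expect False
"GC record still lists $dcHost  : $($gcTargets  -contains $dcHost)"   # expect True
```

Two caveats the thread itself raises still apply. The value only stops Netlogon from registering the listed records; records already in DNS stay there until they are deleted or scavenged, which is why James found he had to wipe the SRV records afterwards, so run the Resolve-DnsName check rather than assuming the registry change took effect. And the KDC and LDAP services keep listening, so a client that already knows the server's name (a cached locator result or a hard-coded address) can still authenticate against it, as Al and Todd point out; this change affects discoverability, not the service.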