Hi Chandra
We played with it a little bit in our test lab. Definitely an improvement
over making registry changes to force DCs to change SRV records (we did
that in one domain with 15 DCs to make the main office the secondary site
in case the onsite DC was down and it was a fair bit of work to change and
keep track of). We did conclude that in order to make the GPO work you
need to put separate OUs inside your Domain Controller OU - and only apply
the settings on each OU. For instance, one of the settings is Priority
setting - with the lowest priority being the first one that DNS will
provide in the authentication lookup. Changing that for all DCs does not
change anything. Raising that value for all DCs except the one at your hub
site will force your hub site to the second choice for authentication after
the DC within the site.
We never checked to see how long it would take the changes to propagate out
- we forced things by updating the GPO on the server, removing all the SRV
records and forcing record reregistration to make the changes.
One other thing we found that adds to the hassle a little bit - not only do
universal changes require that you use OUs to separate your Domain
Controllers, the settings can only be applied either via registry or via
GPO. There is a setting to let the DC ignore the GPO but it ignores all
settings in the GPO.
That being said, we are looking to use parts of the GPO in our live forest
shortly to control authentication in the other regions. In a perfect
world, I would love it if you could find a way to set these settings on a
less global basis. Perhaps WMI filtering allows that, I have not played
with that much. In my dream world, I would be able to say any DC that is
designated a hub gets these settings, any DC that is designated a fast link
gets these settings, any DC that is designated a slow link gets these
settings, and any DC that starts with M gets these settings - and not have
these be mutually exclusive (in essence a DC could get the hub, fast link,
slow DC and starts with M settings all at the same time).
I gripe less when the coffee supply is greater.
James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]
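
The priority behaviour described in the reply above, as an added example that is not part of the original message: it orders domain-wide SRV records the way an RFC 2782 client does and shows that only relative priority matters. Host names and values are constructed; the model covers only the domain-wide records, which a client consults after its own site's records.

```python
import random

# Constructed sample: domain-wide DC locator SRV records as
# (target, priority, weight). Host names are hypothetical.
DEFAULT = [("dc-hub", 0, 100), ("dc-site-a", 0, 100), ("dc-site-b", 0, 100)]

def set_priority(records, value, except_targets=()):
    """Model a GPO that sets SRV priority on every DC it applies to.
    DCs in except_targets sit in another OU and keep their old value."""
    return [(t, p if t in except_targets else value, w) for t, p, w in records]

def preferred(records):
    """Targets in the lowest-numbered priority tier, i.e. tried first."""
    low = min(p for _, p, _ in records)
    return {t for t, p, _ in records if p == low}

def srv_order(records, rng=random):
    """RFC 2782 ordering: ascending priority, then a weighted random
    pick among the records that share a priority."""
    ordered = []
    for prio in sorted({p for _, p, _ in records}):
        group = [r for r in records if r[1] == prio]
        while group:
            pick = rng.uniform(0, sum(w for _, _, w in group))
            running = 0
            for rec in group:
                running += rec[2]
                if pick <= running:
                    break
            ordered.append(rec[0])
            group.remove(rec)
    return ordered

# Same new value on every DC: the first-choice tier is unchanged.
uniform = set_priority(DEFAULT, 50)

# Raised on every DC except the hub: the hub is now alone in the first tier.
hub_first = set_priority(DEFAULT, 50, except_targets=("dc-hub",))

if __name__ == "__main__":
    print("default  :", sorted(preferred(DEFAULT)))
    print("uniform  :", sorted(preferred(uniform)))
    print("hub first:", srv_order(hub_first))
```
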
From: Chandra Burra <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
To: [email protected]
cc: (bcc: James Day/Contractor/NPS)
Subject: [ActiveDir] Netlogon Polocies in W2K3 AD GP
02/01/2005 07:49 AM EST
Please respond to ActiveDir
All,
Just wondering if someone has worked on the Netlogon policies in the
W2K3 GP (system.adm).
These have options to specify the site, DC SRV records and so on...
I was just going through them... Can someone highlight what they have
specifically tested and used?
Thanks,
Chandra
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/