I guess I find my solution more elegant and cheaper to manage/maintain. I try 
to avoid implementing changes to one DC but not others. The TCO tends to go 
thru the roof :)

DCs placed in a separate site and/or configured with different SRV weightings 
via GPO can/does work and is simpler to manage IMHO. Additional DCs can then be 
added to that site (from other domains for example) with minimal effort and 
changes to docs/processes etc.

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: 19 May 2005 15:59
To: [email protected]
Subject: RE: [ActiveDir] AD DR - replication lag site



Just two things...

Disable Netlogon.  If it's disabled as a policy or by going to services and 
changing the service properties, restarting on reboot won't be an issue. 
Disabled is disabled, regardless.

As to DNS records, I suppose that if the Netlogon service is disabled (primary 
for registering the SRV records) one could remove the _kerberos records for the 
lag site servers.  I can pretty much assure that without Kerberos records, the 
DCs will not be offered up as authN points.

-rtk

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Thursday, May 19, 2005 2:46 AM
To: '[email protected]'
Subject: RE: [ActiveDir] AD DR - replication lag site

That solution is fine until the machine is rebooted and netlogon starts again :)

Why not change the DNS SRV record priorities/weights? Or alternatively, place 
the DC in a separate site, which consists of just 1 subnet (i.e. the subnet 
where the DC itself lives).

If DNS records are removed, then the DC will fail to authenticate and replicate 
with other DCs.

neil


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: 18 May 2005 23:12
To: [email protected]
Subject: RE: [ActiveDir] AD DR - replication lag site


I have several large clients who are going this direction and are in testing 
right now.  Things look quite good.

I had read somewhere that an alternative approach to preventing authentication 
to the 'lag' DCs was to stop the Netlogon service.  The approach of removing 
DNS records seems more elegant, and I'll be interested to hear people's thoughts 
on these alternatives.



Dan

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: Wednesday, May 18, 2005 6:45 AM
To: [email protected]
Subject: [ActiveDir] AD DR - replication lag site

I am interested in your thoughts regarding this suggestion for DR:

<http://searchwin2000.techtarget.com/tip/1,289483,sid1_gci1086805,00.html>
(You may need to register)

Basically it states that you should create another AD site and set the 
replication for 168 hours.

Thank you,

...D
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

==============================================================================
This message is for the sole use of the intended recipient. If you received 
this message in error please delete it and notify us. If this message was 
misdirected, Credit Suisse, its subsidiaries and affiliates (CS) do not 
waive any confidentiality or privilege. CS retains and monitors electronic 
communications sent through its network. Instructions transmitted over this 
system are not binding on CS until they are confirmed by us. Message 
transmission is not guaranteed to be secure. 
==============================================================================
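
An added example, not part of the original thread: a PowerShell check for the approaches discussed above (changing SRV priorities/weights, removing records, or disabling Netlogon) that reports whether a lag-site DC is still advertised in the domain-wide locator records and what state its Netlogon service is in. The domain and DC names are hypothetical placeholders, and it assumes a Windows host where Resolve-DnsName and Get-CimInstance are available and remote CIM access to the DCs is permitted.

```powershell
# Added example: audit whether lag-site DCs are still offered to clients.
# $Domain and $LagDCs are hypothetical placeholders; substitute your own values.
param(
    [string]   $Domain = 'corp.example.com',
    [string[]] $LagDCs = @('lagdc01.corp.example.com')
)

# Domain-wide (not site-specific) locator records that any client may query.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.$Domain"
)

foreach ($name in $srvNames) {
    # Resolve-DnsName also returns additional A records, so keep only SRV answers.
    $records = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' }
    if (-not $records) {
        Write-Warning "No SRV answer for $name"
        continue
    }

    # RFC 2782: the lowest priority value is tried first.
    $lowest = ($records | Measure-Object -Property Priority -Minimum).Minimum

    foreach ($r in $records) {
        $target = $r.NameTarget.TrimEnd('.')
        if ($LagDCs -notcontains $target) { continue }
        [pscustomobject]@{
            Record               = $name
            Target               = $target
            Priority             = $r.Priority
            Weight               = $r.Weight
            InLowestPriorityTier = ($r.Priority -eq $lowest)
        }
    }
}

# Netlogon registers the SRV records, so report its state on each lag DC.
foreach ($dc in $LagDCs) {
    Get-CimInstance -ClassName Win32_Service -ComputerName $dc -Filter "Name='Netlogon'" |
        Select-Object @{ n = 'DC'; e = { $dc } }, Name, State, StartMode
}
```

Any row with InLowestPriorityTier set to True means the lag DC is still among the first candidates clients will try for that record; no rows at all means it is not advertised there.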
