I have only been monitoring these specific requests on the DC that I am looking 
to demote, so I am not completely sure. It is actually the PDC Emulator that is 
doing the referrals.  The only role the to-be-demoted DC presently has is that 
it is a global catalog.

From: [email protected] [mailto:[email protected]] On 
Behalf Of Charles F Sullivan
Sent: Wednesday, June 22, 2016 12:13 PM
To: [email protected]
Subject: RE: [NTSysADM] Does LDAP have method for distributing requests?

….“at least one other DC”
If it is actually only one other DC, is that the PDC Emulator?

In any case, I don’t see any way that demoting the DC is going to cause any 
failures. You’ve already confirmed that none of the copiers are pointing 
directly to it.

We have several apps that users or vendors insist need to have a hard coded DC. 
I have fought against this and insisted that they try just using the domain 
name instead of a particular DC and that usually works. (After all, you would 
expect that SRV records can take care of the rest.) For those that can’t use 
just the domain name, or refuse to, we tell them that they are responsible for 
keeping track of this for when we replace DCs.

From: [email protected] [mailto:[email protected]] On 
Behalf Of Mayo, Bill
Sent: Wednesday, June 22, 2016 11:13 AM
To: [email protected]
Subject: [NTSysADM] Does LDAP have method for distributing requests?

We have a number of copiers (primarily Konica Minolta BizHubs) that are 
configured to do directory lookups via LDAP for sending scans. In this 
configuration, we provide a generic DNS name that points to a specific domain 
controller as the LDAP server. There are no pointers anywhere to any other 
domain controller. Despite this, we see authentication requests for these 
copiers in the Event Viewer on at least one other DC. It seems clearly to be 
related to LDAP because it is using the account assigned for this purpose and 
the source IP is that of the copier. Every other thing that we have doing LDAP 
only queries the listed domain controller(s), and I am at a loss as to how the 
copier is being directed to the other DC.  Is there some mechanism through 
which the intended DC is pointing the request to another DC, or is there 
perhaps more than meets the eye in what the copier is doing?

We are trying to demote a particular DC, but I want to understand why this DC 
is seeing these requests before doing so—I don’t want to break scanning from 
the copiers.  As an addendum to this question, is it a bad idea to maybe just 
shut the DC down for a few days to make sure things work, and then just bring 
it back up after a few days and do the demotion? I have tried to research best 
practices on that, but found mixed recommendations.

~~~~~~~~~~
Bill Mayo
Pitt County MIS
