Active Directory Branch Office setup & DC Locator

Un scenariu foarte uzual este acela de a avea domain controllere raspandite in mai multe site-uri, dar cu unul dintre ele desemnat ca site central.

Toate sunt bune si frumoase si setup-ul default functioneaza in majoritatea cazurilor pentru ca daca aveam definite bine subneturile in AD, clientii vor discuta cu DC-ul din site-ul lor.

Dar sunt scenarii cand clientul nu isi stie site-ul, sau cand subnetul nu este definit in AD si atunci incepe sa contacteze DC-uri random in unele cazuri creand si probleme (cel mai cunoscut scenariu mi se pare cel cand joinam in calculator la domeniu).

Problema apare datorita faptului ca toate DC-urile (si cele din site-ul central si cele din branch offices) isi pun in DNS anumite tipuri de inregistrari SRV ce le fac vizibile pentru clientii ce nu isi cunosc site-ul (generic service records).

Recomandat este ca aceste inregistrari sa existe doar pentru DC-urile din site-ul central.

Iata si recomandarea din Windows Server 2003 Active Directory Branch Office Guide:

The domain controllers of the branch domain, except the domain controllers in the data center site, must not register specific records. To ensure that these registrations do not occur, it is essential to create a new Group Policy object and a new global security group to set a special configuration for only the domain controllers in the branches. The following steps are necessary:

1. Create a new global group named Hub-DCs.
2. Place all domain controllers from the Data-Center-Site in this group.
3. Create a new Group Policy object in the Domain Controllers OU named: BranchOfficeGPO.
4. Modify the security of this policy object so that the Hub-DCs are denied permission to apply the policy, but have read access to the object.
5. Set the values of the following Group Policies:

Computer Configuration/ Administrative Templates/ System/ NetLogon/ DC Locator DNS Record /DC Locator DNS Records not registered by the DCs/VALUE: ENABLED/Mnemonics: LdapIpAddress Ldap Gc GcIPAddress Kdc domain controller Rfc1510Kdc Rfc1510Kpwd Rfc1510UdpKdc Rfc1510UdpKpwd GenericGc

Computer Configuration/ Administrative Templates/ System/ NetLogon/ DC Locator DNS Record /Refresh Interval of the domain controller Locator DNS Records/ VALUE: 86400

Iar daca scenariul este mic exista si varianta setarii prin registry (vezi in link-urile de mai jos).

Si iata si alte cateva resurse pe aceasta tema:

http://windowsitpro.com/networking/how-can-i-prevent-my-branch-office-domain-controllers-dcs-registering-generic-dns-service

http://support.microsoft.com/kb/306602

http://blogs.technet.com/b/activedirectoryua/archive/2011/06/03/typo-in-the-mnemonic-of-dclocator-dns-record-in-windows-server-2003-active-directory-branch-office-guide.aspx

PS: Daca nu stiati de recomandarea asta stati linistiti. Nu am vazut pana acum nici un AD cu asa ceva implementat :).