10 Apr 2013

How to control and prioritize Client authentication and logon requests on Domain Controllers

Each domain joined Windows client locates an appropriate Domain Controller using a component called “DCLocator” as part of the NETLOGON service.

Refer to the following article for detailed information (strongly recommended)

The question then is whether there is any logic to which domain controller answers a DCLocator query first. In my experience, the following factors come into play:

  • The OS version of the DC (e.g. a 2012 DC generally responds before a 2003 DC)
  • The responsiveness (mainly based on HW resources)
  • The ordering within the DNS SRV records (_ldap / _gc)
  • **The priority and weight values for the SRV records**

There are multiple scenarios where you might have to limit LDAP requests to one or more of your Domain Controllers. The following are the most common ones:


  • The DC holding the PDC Emulator is more loaded than the other DCs (causing logon performance issues in large user environments)
  • Upgrading / installing new Domain Controllers as part of an AD upgrade (causing logons to occur on the new DC by default)


The NETLOGON service has two parameters which control the response behavior to LDAP requests: **LdapSrvWeight** and **LdapSrvPriority**

By default, each DC has a priority of 0 and a weight of 100. The weight can be used to prefer particular DCs with the same priority.

If the priority value is set, it takes precedence over the weight value.

  • **Domain controllers with the highest weight and the lowest priority are most likely to be contacted**

To modify the behavior, just create two REG_DWORD values (LdapSrvWeight and LdapSrvPriority) under the key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters

Choose a value between 0 and 65335 for each.

  • Restart the NETLOGON service and watch the SRV records in DNS; they should be updated shortly with the new values.
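The procedure above as an added PowerShell example (not code from the original post): it writes the two registry values on the DC, restarts NETLOGON and then lists the domain's _ldap SRV records in the order clients will prefer them. It assumes an elevated session on the DC, the DnsClient module (Resolve-DnsName, Windows 8 / 2012 and later) and `$Domain` is a placeholder for your AD DNS domain.

```powershell
# Added example: apply LdapSrvPriority / LdapSrvWeight on this DC and verify the SRV records.
# Run elevated on the domain controller itself. $Domain is a placeholder value.
param(
    [string]$Domain = 'corp.example.com',   # placeholder, replace with your AD DNS domain
    [ValidateRange(0, 65535)][int]$Priority = 10,   # SRV priority is a 16-bit field; lower wins
    [ValidateRange(0, 65535)][int]$Weight   = 50    # SRV weight is a 16-bit field; higher wins
)

# Key named in the post; both values must be REG_DWORD.
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

Set-ItemProperty -Path $NetlogonKey -Name 'LdapSrvPriority' -Value $Priority -Type DWord
Set-ItemProperty -Path $NetlogonKey -Name 'LdapSrvWeight'   -Value $Weight   -Type DWord

# NETLOGON re-registers its SRV records when it starts, so the change shows up in DNS shortly after.
Restart-Service -Name Netlogon

# Verify: every DC's _ldap SRV record, sorted the way the post describes clients choosing them
# (lowest priority first, then highest weight). The DC edited above should now sit where intended.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    Sort-Object -Property Priority, @{ Expression = 'Weight'; Descending = $true } |
    Format-Table -Property NameTarget, Priority, Weight, Port -AutoSize
```

Run the query part alone on any domain member to check the records without touching the registry.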

The following table illustrates a configuration example (DC3's weight is not given in the original; its effective order follows from its higher priority value):

| Name | Priority | Weight | Effective Order |
|------|----------|--------|-----------------|
| DC1  | 10       | 50     | 2               |
| DC2  | 10       | 100    | 1               |
| DC3  | 100      |        | 3               |

Additional resources

How DNS Support for Active Directory Works http://technet.microsoft.com/en-us/library/cc759550.aspx