How to control and prioritize Client authentication and logon requests on Domain Controllers
Each domain joined Windows client locates an appropriate Domain Controller using a component called “DCLocator” as part of the NETLOGON service.
Refer to the following article for detailed information (strongly recommended)
Now the question arises whether there is any logic that determines which domain controller responds first to DCLocator queries. Based on my experience, the following factors come into play:
- The OS version of the DC (e.g. a 2012 DC generally responds before a 2003 DC)
- The responsiveness of the DC (mainly determined by its hardware resources)
- The ordering of the DNS SRV records (_ldap / _gc)
- **The priority and weight values of the SRV records**
There are multiple scenarios where you might have to limit LDAP requests to one or more of your Domain Controllers. The following are the most common ones:
- DC holding the PDC Emulator is more loaded than other DCs (causing logon performance issues in large user environments)
- Upgrading / installing new Domain Controllers as part of an AD upgrade (by default, logons start to occur on the new DC)
The NETLOGON service has two parameters that control the priority and weight it registers in the DC's SRV records, and therefore which DCs clients prefer for LDAP requests: **LdapSrvWeight** and **LdapSrvPriority**
By default, each DC has a priority of 0 and a weight of 100. The weight can be used to prefer particular DCs with the same priority.
If the priority value is set, it takes precedence over the weight value.
- **Domain controllers with the lowest priority and, within that priority, the highest weight are most likely to be contacted**
To modify the behavior, just create two REG_DWORD values (LdapSrvWeight and LdapSrvPriority) under the key:
`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters`
Choose a value between 0 and 65335.
Restart the NETLOGON service and watch the SRV records in DNS; they should be updated shortly with the new values.
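The registry change, service restart and DNS check described above, as an added PowerShell example that is not part of the original article. It assumes an elevated session on the domain controller being adjusted; the values 10 / 50 are illustrative only, and the domain name is read from the machine.

```powershell
# Added example (not from the original article): set LdapSrvPriority / LdapSrvWeight
# on this DC, restart Netlogon and read the resulting SRV records back from DNS.
$params  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$desired = @{ LdapSrvPriority = 10; LdapSrvWeight = 50 }   # illustrative values

foreach ($name in $desired.Keys) {
    $value = $desired[$name]
    # SRV priority and weight are 16-bit unsigned fields (RFC 2782).
    if ($value -lt 0 -or $value -gt 65535) { throw "$name must be 0..65535, got $value" }
    # -Force creates the REG_DWORD if missing or overwrites it if present.
    New-ItemProperty -Path $params -Name $name -Value $value -PropertyType DWord -Force | Out-Null
}

# Read back what is now configured (only the two values that matter here).
Get-ItemProperty -Path $params -Name LdapSrvPriority, LdapSrvWeight |
    Select-Object LdapSrvPriority, LdapSrvWeight

# Netlogon re-registers its SRV records when it starts, so a restart pushes the change.
Restart-Service -Name Netlogon -Force

# Verify against DNS: the _ldap record set for the domain should now list this DC
# with the new priority and weight. Lowest priority first, highest weight within a tier.
$domain = (Get-CimInstance Win32_ComputerSystem).Domain
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object NameTarget, Priority, Weight, Port |
    Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true }
```

The `_gc` records live under the forest root zone (`_gc._tcp.<forest root>`) and are affected by the same two values on a global catalog server. From a member client, `nltest /dsgetdc:<domain> /force` shows which DC DCLocator actually selects after the change, which is the check that matters when you are steering logons away from an overloaded DC.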
The following table illustrates a configuration example:

| Name | Priority | Weight | Effective Order |
|------|----------|--------|-----------------|
| DC1 | 10 | 50 | 2 |
| DC2 | 10 | 100 | 1 |
| DC3 | 100 | | |
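The ranking shown in the table, as an added example that is not part of the original article. The function orders DC SRV records the way DCLocator prefers them (lowest priority first, then highest weight within the same priority) and also reports each DC's share of its priority tier, because within a tier weight drives a weighted random choice rather than a fixed order, so "effective order" there means "most likely". The sample records are constructed from the table; DC3's weight is assumed to be the default 100 since the table leaves it blank.

```powershell
# Added example, not from the original article. Ranks DC SRV records by
# priority (ascending) and weight (descending) and shows each DC's share of
# queries among DCs with the same priority.
function Get-DcPreferenceOrder {
    param([Parameter(Mandatory)][object[]]$Records)

    $ranked = $Records |
        Sort-Object @{ Expression = 'Priority' },
                    @{ Expression = 'Weight'; Descending = $true },
                    @{ Expression = 'NameTarget' }

    $i = 0
    foreach ($r in $ranked) {
        $i++
        # DCs in the same priority tier are chosen at random in proportion to weight.
        $peers    = $Records | Where-Object { $_.Priority -eq $r.Priority }
        $tierSum  = ($peers | Measure-Object -Property Weight -Sum).Sum
        $share    = if ($tierSum -gt 0) { [math]::Round(100 * $r.Weight / $tierSum) } else { 0 }
        [pscustomobject]@{
            EffectiveOrder = $i
            NameTarget     = $r.NameTarget
            Priority       = $r.Priority
            Weight         = $r.Weight
            ShareInTier    = "$share%"
        }
    }
}

# Constructed sample mirroring the table above. For live data, replace it with:
#   Resolve-DnsName "_ldap._tcp.dc._msdcs.<domain>" -Type SRV | Where-Object Type -eq 'SRV'
$sample = @(
    [pscustomobject]@{ NameTarget = 'DC1'; Priority = 10;  Weight = 50  }
    [pscustomobject]@{ NameTarget = 'DC2'; Priority = 10;  Weight = 100 }
    [pscustomobject]@{ NameTarget = 'DC3'; Priority = 100; Weight = 100 }  # weight assumed (default)
)

Get-DcPreferenceOrder -Records $sample | Format-Table -AutoSize
```

With the sample data DC2 comes out first and DC1 second, matching the table, and the share column makes the tier behaviour explicit: DC2 takes roughly two thirds of the priority-10 queries and DC1 one third, while DC3 (priority 100) is only used when no priority-10 DC answers. Running the function over the live SRV set is a quick way to confirm that a PDC Emulator you meant to deprioritize really sits in a lower tier.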
Additional resources
How DNS Support for Active Directory Works http://technet.microsoft.com/en-us/library/cc759550.aspx