AD/DNS infrastructure (long)


From: Scott Lowe (slowe-nospam_at_nospam-mercurionsystems.com)
Date: 03/24/04


Date: Wed, 24 Mar 2004 09:51:08 -0500

My question centers around the DNS infrastructure; specifically, the
DNS infrastructure for the child domain that will handle locations in
North, Central, and South America. Even more specifically, I am
wondering about the dynamic registration of DC-related DNS records.

Is it worthwhile, or even recommended, to limit some of the dynamically
registered entries for DCs located in branch offices?

Here's my thought process. The client has a great WAN (fully routed,
single hop between all sites, etc.), but I don't want logon traffic
from a branch office crossing the WAN to another branch office due to
limited bandwidth at the branch offices. If a local DC can't service
the logon request, I want those logon requests to ONLY travel to one of
their core sites that has a T-3 connection to the WAN. It is my
understanding that the best way to do this would be to use the
DnsAvoidRegisterRecords parameter (found at
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters; see
Microsoft Knowledge Base article 267855) to restrict what records are
registered for branch office DCs. In particular, we would instruct the
branch office DCs *not* to register any non-site-specific records, and
allow only the DCs at the high-speed core sites to register those
records.

Then, when an AD-aware client performs DNS lookups to find a DC, it
will find the site-specific DC (through the site-specific DNS records)
and the domain-wide records at one of the core sites (through the
non-site-specific DNS records), but it will *not* find a DC at another
branch office.

Thoughts? Am I wrong here? Am I introducing too much complexity?

Scott Lowe
Mercurion Systems, Inc.
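The restriction described in the post, as an added example that is not part of the original message: a PowerShell script for a branch office DC that sets DnsAvoidRegisterRecords to the non-site-specific Netlogon mnemonics from the cited KB article, then checks the resulting SRV records. The domain name "corp.example" and site name "Branch01" are constructed placeholders, and Resolve-DnsName is assumed to be available on the DC.

```powershell
# Added example (not from the original post). Run elevated on the branch DC.
# Mnemonics follow the Netlogon list in KB 267855; names below are placeholders.

$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Domain-wide (non-site-specific) records this DC should NOT register.
# The *AtSite variants are deliberately omitted so the DC still serves
# clients in its own site via the site-specific records.
$avoid = @(
    'LdapIpAddress',   # A record for the domain name itself
    'Ldap',            # _ldap._tcp.<domain>
    'Gc',              # _ldap._tcp.gc._msdcs.<forest>
    'GcIpAddress',     # A record for gc._msdcs.<forest>
    'Kdc',             # _kerberos._tcp.dc._msdcs.<domain>
    'Dc',              # _ldap._tcp.dc._msdcs.<domain>
    'Rfc1510Kdc',      # _kerberos._tcp.<domain>
    'Rfc1510UdpKdc',   # _kerberos._udp.<domain>
    'Rfc1510Kpwd',     # _kpasswd._tcp.<domain>
    'Rfc1510UdpKpwd',  # _kpasswd._udp.<domain>
    'GenericGc'        # _gc._tcp.<forest>
)

# The value is REG_MULTI_SZ, one mnemonic per line; -Force overwrites any
# existing value so the script is safe to re-run.
New-ItemProperty -Path $netlogonKey -Name 'DnsAvoidRegisterRecords' `
    -PropertyType MultiString -Value $avoid -Force | Out-Null

# Netlogon re-evaluates the list when it restarts. Records it registered
# earlier are not withdrawn automatically; scavenging or manual cleanup
# on the DNS server removes the stale domain-wide entries.
Restart-Service Netlogon

# Verification once DNS has replicated: the branch DC should be listed in
# its own site's SRV record but absent from the domain-wide one.
$domain = 'corp.example'
$site   = 'Branch01'
$dcFqdn = "$env:COMPUTERNAME.$domain"
$siteSrv   = Resolve-DnsName "_ldap._tcp.$site._sites.dc._msdcs.$domain" -Type SRV
$domainSrv = Resolve-DnsName "_ldap._tcp.dc._msdcs.$domain" -Type SRV
[pscustomobject]@{
    DC             = $dcFqdn
    InSiteRecord   = [bool]($siteSrv.NameTarget   -contains $dcFqdn)
    InDomainRecord = [bool]($domainSrv.NameTarget -contains $dcFqdn)
}
```

Apply the same value to every branch office DC but not to the core-site DCs, which must keep registering the domain-wide records for the fallback path the post describes to work.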


