Re: modify the SRV weightings

From: Simon Geary (simon_geary_at_hotmail.com)
Date: 09/13/04


Date: Mon, 13 Sep 2004 08:57:50 +0100

Although if you did this you would have to change the IP subnet of the DMZ
which would require routing between the DMZ and LAN. Correct me if I'm wrong
but I don't think you can associate the same subnet with two different
sites?

I would go a step further and suggest a dedicated AD forest within the DMZ.
This is recommended in order to isolate your corporate AD from the more
exposed DMZ. Frits, do you really need AD in the DMZ? Would ADAM be
sufficient for any DMZ authentication, maybe in conjunction with the new
ADAM Sync tool?

However, if you do decide to go against the best practice of a new forest
then you can adjust the SRV weight records by changing the LdapSrvWeight
entry in this registry key of the DC. The range is from 0-100 and the
default is 100. I have never tried this, but I assume if you change the
value to 0 no clients will use it for authentication.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

"Tim Springston [MS]" <tspring@online.microsoft.com> wrote in message
news:Oy%23mMOTmEHA.2340@TK2MSFTNGP11.phx.gbl...
> Hi Frits-
>
> You can certainly do this, but I would suggest placing the different DCs
> in different Active Directory sites instead. Perhaps a site named
> SiteName DMZ and one named SiteName.
>
> The reason this will work better for you is that the clients do a
> DSGETSITE lookup to try and locate a DC specific to their site, based on
> the IP subnet the client workstations (or server or DC) has and the IP
> subnet(s) associated with a specific AD site.
>
> Please repost if we can help further.
>
> --
> Tim Springston
> Microsoft Corporation
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
> "Frits Blankenzee" <f.blankenzee@sinegroup.nl> wrote in message
> news:%23CupT8ylEHA.3392@TK2MSFTNGP15.phx.gbl...
>> Hi,
>>
>> There is a possibility to change the SRV Weightings via a Reg key, but
>> when I go to link http://support.microsoft.com/?id=306602 I can find a
>> lot of reg keys but I can't find the solution I would like to find.
>> I have 2 DCs (Win 2000), one in my LAN and one in my DMZ. Both are in the
>> same domain.
>> Now I want the clients to only connect to the AD from the DC in my LAN,
>> and not in the DMZ.
>> Now I heard that via SRV Weightings I can make a sort of preferred server.
>> Can anyone give me an example of what to do?
>>
>> Greetings Frits Blankenzee
>> The Netherlands
>>
>
>
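As an added illustration (not part of the thread above), the following Python script models how a client chooses among the `_ldap._tcp.dc._msdcs` SRV records once one DC advertises a lowered weight. It parses constructed zone-file-style SRV lines for a hypothetical `example.local` domain (a LAN DC with the default weight 100 and a DMZ DC whose LdapSrvWeight was set to 0) and applies the RFC 2782 selection algorithm: lowest priority group first, then a weighted random pick in which weight-0 targets are ordered first so they are chosen only when the random number is exactly 0. The assumption, stated here rather than taken from the thread, is that the Windows DC Locator weights targets in the RFC 2782 manner; the practical point the simulation shows is that weight 0 gives a target a very small but non-zero chance of selection, so it reduces traffic to the DMZ DC rather than excluding it outright.

```python
"""Simulate RFC 2782 SRV target selection for AD domain controller records.

Added example; the domain, host names and record lines are constructed
for illustration, and the locator behaviour is assumed to follow RFC 2782.
"""
import random
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample in zone-file / dig output style: one LAN DC with the
# default LdapSrvWeight of 100 and one DMZ DC whose LdapSrvWeight is 0.
SAMPLE_SRV_LINES = """
_ldap._tcp.dc._msdcs.example.local. 600 IN SRV 0 100 389 lan-dc1.example.local.
_ldap._tcp.dc._msdcs.example.local. 600 IN SRV 0 0 389 dmz-dc1.example.local.
"""

@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str

# name TTL IN SRV priority weight port target
SRV_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?$")

def parse_srv(text: str) -> List[SrvRecord]:
    """Parse SRV resource record lines into SrvRecord objects."""
    records = []
    for line in text.strip().splitlines():
        m = SRV_RE.match(line.strip())
        if not m:
            raise ValueError(f"not an SRV record: {line!r}")
        prio, weight, port, target = m.groups()
        records.append(SrvRecord(int(prio), int(weight), int(port), target))
    return records

def select_target(records: List[SrvRecord],
                  rand_below: Callable[[int], int]) -> SrvRecord:
    """One RFC 2782 selection step.

    rand_below(n) must return an integer in [0, n); it is injected so the
    selection can be driven deterministically in tests.
    """
    if not records:
        raise ValueError("no SRV records")
    lowest = min(r.priority for r in records)
    group = [r for r in records if r.priority == lowest]
    # RFC 2782: weight-0 entries go to the front so they are picked only
    # when the random number is 0 (a "very small chance", not none).
    group.sort(key=lambda r: r.weight != 0)
    total = sum(r.weight for r in group)
    rnd = rand_below(total + 1)          # uniform over [0, total]
    running = 0
    for r in group:
        running += r.weight
        if running >= rnd:
            return r
    return group[-1]                     # unreachable, kept for safety

def selection_counts(records: List[SrvRecord], trials: int = 10_000,
                     seed: int = 1) -> Dict[str, int]:
    """How often each target is chosen over many seeded random lookups."""
    rng = random.Random(seed)
    counts = {r.target: 0 for r in records}
    for _ in range(trials):
        counts[select_target(records, rng.randrange).target] += 1
    return counts

if __name__ == "__main__":
    recs = parse_srv(SAMPLE_SRV_LINES)
    for target, n in selection_counts(recs).items():
        print(f"{target:<25} chosen {n} times")
```

To compare the model against a real domain, the records the client actually sees can be listed with `nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>`; the weight column should drop to 0 for the DMZ DC after the registry change and a Netlogon restart.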


