Do not use NetBIOS-based discovery for domain controller location when DNS-based discovery fails

This policy setting allows you to control the domain controller (DC) location algorithm. By default, the DC location algorithm prefers DNS-based discovery if the DNS domain name is known. If DNS-based discovery fails and the NetBIOS domain name is known, the algorithm then uses NetBIOS-based discovery as a fallback mechanism. NetBIOS-based discovery uses a WINS server and mailslot messages but does not use site information, so it does not ensure that clients discover the closest DC. It also allows a hub-site client to discover a branch-site DC even if the branch-site DC only registers site-specific DNS records (as recommended). For these reasons NetBIOS-based discovery is not recommended. Note that this policy setting does not affect NetBIOS-based discovery for DC location if only the NetBIOS domain name is known. If you enable or do not configure this policy setting, the DC location algorithm does not use NetBIOS-based discovery as a fallback mechanism when DNS-based discovery fails. This is the default behavior. If you disable this policy setting, the DC location algorithm can use NetBIOS-based discovery as a fallback mechanism when DNS-based discovery fails.

Use urgent mode when pinging domain controllers

This policy setting configures whether the computers to which this setting is applied are more aggressive when trying to locate a domain controller (DC). When an environment has a large number of DCs running both old and new operating systems, the default DC locator discovery behavior may be insufficient to find DCs running a newer operating system. This policy setting can be enabled to configure DC locator to be more aggressive about locating a DC in such an environment by pinging DCs at a higher frequency. Enabling this setting may result in additional network traffic and increased load on DCs. You should disable this setting once all DCs are running the same OS version. The allowable values for this setting result in the following behaviors: 1 – Computers will ping DCs at the normal frequency. 2 – Computers will ping DCs at the higher frequency. To specify this behavior, click Enabled and then enter a value. The range of values is from 1 to 2. If you do not configure this policy setting, it is not applied to any computers and computers use their local configuration.

Specify address lookup behavior for DC locator ping

This policy setting configures how a domain controller (DC) behaves when responding to a client whose IP address does not map to any configured site. Domain controllers use the client IP address received in a DC locator ping request to compute which Active Directory site the client belongs to. If no site mapping can be computed, the DC may do an address lookup on the client network name to discover other IP addresses, which may then be used to compute a matching site for the client. The allowable values for this setting result in the following behaviors: 0 – DCs will never perform address lookups. 1 – DCs will perform an exhaustive address lookup to discover additional client IP addresses. 2 – DCs will perform a fast DNS-only address lookup to discover additional client IP addresses. To specify this behavior, click Enabled and then enter a value. The range of values is from 0 to 2. If you do not configure this policy setting, it is not applied to any DCs and DCs use their local configuration.

Do not process incoming mailslot messages used for domain controller location based on NetBIOS domain names

This policy setting allows you to control the processing of incoming mailslot messages by a local domain controller (DC). Note: To locate a remote DC based on its NetBIOS (single-label) domain name, DC Locator first gets the list of DCs from a WINS server that is configured in its local client settings. DC Locator then sends a mailslot message to each remote DC to get more information. DC location succeeds only if a remote DC responds to the mailslot message. This policy setting is recommended to reduce the attack surface of a DC. It can be used in environments without WINS, in IPv6-only environments, and whenever DC location based on a NetBIOS domain name is not required. This policy setting does not affect DC location based on DNS names. If you enable this policy setting, this DC does not process incoming mailslot messages that are used for NetBIOS domain name based DC location. If you disable or do not configure this policy setting, this DC processes incoming mailslot messages. This is the default behavior of DC Locator.
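
Both this setting and "Do not use NetBIOS-based discovery for domain controller location when DNS-based discovery fails" above only make sense once DNS-based discovery is known to work and nothing still depends on WINS. The script below is an added example, not part of the policy text: it checks that the domain-wide locator SRV record resolves, lists the WINS and NetBIOS-over-TCP/IP configuration of every IP-enabled adapter, and then forces a DNS-name-only DC lookup with nltest. It assumes it is run on a domain-joined Windows host (the DnsClient cmdlets and nltest ship with Windows); the domain name is taken from the environment and can be overridden.

```powershell
# Added example: pre-flight check before disabling NetBIOS fallback / mailslot processing.
# Assumption: run on a domain-joined Windows host; $DnsDomain defaults to the machine's domain.
param(
    [string]$DnsDomain = $env:USERDNSDOMAIN   # e.g. contoso.com (placeholder)
)

# 1. DNS-based discovery must work, or removing the NetBIOS fallback leaves clients stranded.
$srv = Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$DnsDomain" -ErrorAction SilentlyContinue |
       Where-Object Type -eq 'SRV'
if (-not $srv) {
    Write-Warning "No _ldap._tcp.dc._msdcs.$DnsDomain SRV records: DNS-based discovery would fail here."
} else {
    "DNS-based discovery OK: {0} DC SRV record(s) for $DnsDomain" -f @($srv).Count
}

# 2. Adapters with WINS servers or NetBIOS over TCP/IP enabled still depend on NetBIOS name resolution.
#    TcpipNetbiosOptions: 0 = use DHCP setting, 1 = enabled, 2 = disabled.
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        $nbt = switch ($_.TcpipNetbiosOptions) { 0 {'DHCP default'} 1 {'Enabled'} 2 {'Disabled'} default {'Unknown'} }
        [pscustomobject]@{
            Adapter        = $_.Description
            NetBIOSoverTCP = $nbt
            WINSPrimary    = $_.WINSPrimaryServer
            WINSSecondary  = $_.WINSSecondaryServer
        }
    } | Format-Table -AutoSize

# 3. Ask the locator for a DC by DNS name only (/dns) and bypass the cached entry (/force).
#    If this fails while the SRV query above succeeded, fix DNS before enforcing the policies.
nltest "/dsgetdc:$DnsDomain" /dns /force
```

Run it on a few representative clients and on each DC; a WINS server address or NetBIOS "Enabled" on an adapter is not itself a problem, but it tells you which hosts to watch in the Netlogon event log after the fallback is switched off.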

Allow cryptography algorithms compatible with Windows NT 4.0

This policy setting controls whether the Net Logon service will allow the use of the older cryptography algorithms that are used in Windows NT 4.0. The cryptography algorithms used in Windows NT 4.0 and earlier are not as secure as the newer algorithms used in Windows 2000 or later, including this version of Windows. By default, Net Logon will not allow the older cryptography algorithms to be used and will not include them in the negotiation of cryptography algorithms. Therefore, computers running Windows NT 4.0 will not be able to establish a connection to this domain controller. If you enable this policy setting, Net Logon will allow the negotiation and use of older cryptography algorithms compatible with Windows NT 4.0. However, using the older algorithms represents a potential security risk. If you disable this policy setting, Net Logon will not allow the negotiation and use of older cryptography algorithms. If you do not configure this policy setting, Net Logon will not allow the negotiation and use of older cryptography algorithms.
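
Because enabling this setting weakens the secure channel for every client of the DC, it is worth confirming that no DC has it turned on, whether through Group Policy or a leftover local registry value. The script below is an added example, not part of the policy text. It assumes the policy is stored as the REG_DWORD AllowNT4Crypto under HKLM\SOFTWARE\Policies\Microsoft\Netlogon\Parameters and the local setting under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters (the value name used by the Netlogon policy template; check it against your ADMX), and that the RSAT ActiveDirectory module is installed and WinRM reaches the DCs.

```powershell
# Added example: report the effective AllowNT4Crypto state on every DC in the domain.
# Assumptions: registry paths/value name as used by the Netlogon policy template (verify against
# your ADMX); RSAT ActiveDirectory module present; WinRM open to the DCs.
Import-Module ActiveDirectory

$check = {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Netlogon\Parameters'
    $localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $name      = 'AllowNT4Crypto'

    $p = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
    $l = (Get-ItemProperty -Path $localKey  -Name $name -ErrorAction SilentlyContinue).$name

    # A Group Policy value overrides the local one; an absent value means the secure default (0).
    $effective = if ($null -ne $p) { $p } elseif ($null -ne $l) { $l } else { 0 }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Policy    = $p
        Local     = $l
        Effective = $effective
        Risk      = if ($effective -eq 1) { 'NT 4.0-compatible crypto ALLOWED' } else { 'OK (disallowed)' }
    }
}

$dcs = (Get-ADDomainController -Filter *).HostName
Invoke-Command -ComputerName $dcs -ScriptBlock $check |
    Select-Object Computer, Policy, Local, Effective, Risk |
    Sort-Object Risk -Descending |
    Format-Table -AutoSize
```

The Policy and Local columns are shown separately on purpose: a DC can report a safe effective value today while a local AllowNT4Crypto=1 is waiting to take effect the moment the GPO is unlinked.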

Return domain controller address type

This policy setting determines the type of IP address that is returned for a domain controller (DC). The DC Locator APIs return the IP address of the DC along with other information about it. Before IPv6 was supported, the returned DC address was always IPv4; with IPv6 support, the DC Locator APIs can also return an IPv6 DC address. Some existing applications may not handle a returned IPv6 address correctly, so this policy is provided to support such scenarios. By default, the DC Locator APIs can return either an IPv4 or an IPv6 DC address. If some applications break because of a returned IPv6 address, this policy can be used to disable the default behavior and return only IPv4 DC addresses; once the applications are fixed, it can be used to restore the default behavior. If you enable this policy setting, DC Locator APIs can return an IPv4 or IPv6 DC address. This is the default behavior of the DC Locator. If you disable this policy setting, DC Locator APIs will ONLY return an IPv4 DC address, if any: if the domain controller has both IPv4 and IPv6 addresses, DC Locator APIs return the IPv4 address, but if the domain controller has only an IPv6 address, the DC Locator call fails. If you do not configure this policy setting, DC Locator APIs can return an IPv4 or IPv6 DC address. This is the default behavior of the DC Locator.

Force Rediscovery Interval

This policy setting determines the interval at which a Force Rediscovery is carried out by DC Locator. The Domain Controller Locator (DC Locator) service is used by clients to find domain controllers for their Active Directory domain. When DC Locator finds a domain controller, it caches it to improve the efficiency of the location algorithm. As long as the cached domain controller meets the requirements and is running, DC Locator will continue to return it. If a new domain controller is introduced, existing clients will only discover it when a Force Rediscovery is carried out by DC Locator. To adapt to changes in network conditions, DC Locator will by default carry out a Force Rediscovery according to a specific time interval and maintain efficient load-balancing of clients across all available domain controllers in all domains or forests. The default time interval for Force Rediscovery by DC Locator is 12 hours. Force Rediscovery can also be triggered if a call to DC Locator uses the DS_FORCE_REDISCOVERY flag. Rediscovery resets the timer on the cached domain controller entries. If you enable this policy setting, DC Locator on the machine will carry out Force Rediscovery periodically according to the configured time interval. The minimum time interval is 3600 seconds (1 hour) to avoid excessive network traffic from rediscovery. The maximum allowed time interval is 4294967200 seconds, while any value greater than 4294967 seconds (~49 days) will be treated as infinity. If you disable this policy setting, Force Rediscovery will be used by default for the machine at every 12 hour interval. If you do not configure this policy setting, Force Rediscovery will be used by default for the machine at every 12 hour interval unless the local machine setting in the registry is a different value.

Try Next Closest Site

This policy setting enables DC Locator to attempt to locate a DC in the nearest site, based on site link cost, if a DC in the same site is not found. In scenarios with multiple sites, failing over to the next closest site during DC location keeps authentication and directory traffic on the cheapest available links rather than on an arbitrary remote site. The DC Locator service is used by clients to find domain controllers for their Active Directory domain. The default behavior for DC Locator is to find a DC in the same site. If none are found in the same site, a DC in another site, which might be several site-hops away, could be returned by DC Locator. Site proximity between two sites is determined by the total site-link cost between them: a site is closer if it has a lower total site link cost than another site. If you enable this policy setting, Try Next Closest Site DC Location will be turned on for the computer. If you disable this policy setting, Try Next Closest Site DC Location will not be used by default for the computer. However, if a DC Locator call is made using the DS_TRY_NEXTCLOSEST_SITE flag explicitly, the Try Next Closest Site behavior is honored. If you do not configure this policy setting, Try Next Closest Site DC Location will not be used by default for the machine. If the DS_TRY_NEXTCLOSEST_SITE flag is used explicitly, the Next Closest Site behavior will be used.
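
The two flags named in the "Force Rediscovery Interval" and "Try Next Closest Site" settings above, DS_FORCE_REDISCOVERY and DS_TRY_NEXTCLOSEST_SITE, can be exercised directly from a client, which is the quickest way to see what the policies change. The script below is an added example, not part of the policy text. It assumes the RSAT ActiveDirectory module is installed on a domain-joined Windows client and uses contoso.com as a placeholder domain name; the -ForceDiscover and -NextClosestSite parameters of Get-ADDomainController map to the two locator flags, and the nltest switches at the end do the same from the command line.

```powershell
# Added example: compare cached, force-rediscovered and next-closest-site DC location results.
# Assumptions: RSAT ActiveDirectory module present; 'contoso.com' is a placeholder domain.
Import-Module ActiveDirectory
$domain = 'contoso.com'

function Show-Dc([string]$Label, $Dc) {
    # HostName is returned as a collection in -Discover mode; stringify it for display.
    '{0}: {1} (site {2})' -f $Label, "$($Dc.HostName)", $Dc.Site
}

# Which site does this client map to? Site-specific SRV lookups start from here.
nltest /dsgetsite

# Plain discovery returns the cached DC as long as it still meets the requirements.
Show-Dc 'Cached DC' (Get-ADDomainController -Discover -DomainName $domain)

# DS_FORCE_REDISCOVERY: bypass the cache so a newly promoted DC is visible now,
# not only after the next Force Rediscovery interval (default 12 hours).
Show-Dc 'Rediscovered DC' (Get-ADDomainController -Discover -DomainName $domain -ForceDiscover)

# DS_TRY_NEXTCLOSEST_SITE: when no DC answers in the client's own site, prefer the site
# with the lowest total site-link cost instead of whichever remote DC answers first.
Show-Dc 'Nearest DC' (Get-ADDomainController -Discover -DomainName $domain -ForceDiscover -NextClosestSite)

# "Closest" is computed from site-link costs; review them when the result is surprising.
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost,
        @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } } |
    Sort-Object Cost | Format-Table -AutoSize

# Same two behaviours via nltest, which also prints the flags the responding DC advertised.
nltest "/dsgetdc:$domain" /force /try_next_closest_site
```

To see the Try Next Closest Site path actually taken, run this from a client in a site that has no DC of its own and compare the "Nearest DC" line with the "Cached DC" line; if they differ, the plain lookup was being served from a more expensive site.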

Specify dynamic registration of the DC Locator DNS Records

This policy setting determines if dynamic registration of the domain controller (DC) locator DNS resource records is enabled. These DNS records are dynamically registered by the Net Logon service and are used by the Locator algorithm to locate the DC. If you enable this policy setting DCs to which this setting is applied dynamically register DC Locator DNS resource records through dynamic DNS update-enabled network connections. If you disable this policy setting DCs will not register DC Locator DNS resource records. If you do not configure this policy setting it is not applied to any DCs and DCs use their local configuration.

Specify sites covered by the DC Locator DNS SRV records

This policy setting specifies the sites for which the domain controllers (DC) register the site-specific DC Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the DC resides and the records registered under automatic site coverage, where a DC registers records for the sites without a DC that are closest to it. The DC Locator DNS records are dynamically registered by the Net Logon service and they are used to locate the DC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. To specify the sites covered by the DC Locator DNS SRV records, click Enabled and then enter the site names in a space-delimited format. If you do not configure this policy setting, it is not applied to any DCs and DCs use their local configuration.
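
Whether registration is dynamic (the previous setting) or site coverage is set explicitly (this one), the result clients actually see is the set of site-specific SRV records in DNS, so that is what to verify. The script below is an added example, not part of the policy text: for every site in the forest it resolves _ldap._tcp.<Site>._sites.dc._msdcs.<domain>, the record a client in that site asks for first, and compares the DCs that answer for the site with the DCs physically in it. A site with no resident DC should still list covering DCs; an empty list means clients there fall back to the domain-wide record and may be sent anywhere. It assumes the RSAT ActiveDirectory module and the built-in DnsClient module, and queries the current domain.

```powershell
# Added example: audit which DCs cover each site's locator SRV record.
# Assumptions: RSAT ActiveDirectory module present; run against the current domain.
Import-Module ActiveDirectory

$domain    = (Get-ADDomain).DNSRoot
# Map site name -> DCs that reside in that site.
$dcsBySite = Get-ADDomainController -Filter * | Group-Object Site -AsHashTable -AsString

function Get-SiteCoverage {
    param([string]$Site, [string]$Domain)
    # Site-specific LDAP locator record; Net Logon registers it for the DC's own site,
    # for auto-covered sites, and for any site listed in the site coverage setting.
    $record = "_ldap._tcp.$Site._sites.dc._msdcs.$Domain"
    $srv = Resolve-DnsName -Type SRV -Name $record -ErrorAction SilentlyContinue |
           Where-Object Type -eq 'SRV'
    [pscustomobject]@{
        Site        = $Site
        ResidentDCs = @($dcsBySite[$Site] | ForEach-Object HostName) -join ', '
        CoveringDCs = @($srv | ForEach-Object NameTarget | Sort-Object -Unique) -join ', '
        Uncovered   = -not $srv   # no SRV record at all: clients fall back to the domain-wide record
    }
}

Get-ADReplicationSite -Filter * |
    ForEach-Object { Get-SiteCoverage -Site $_.Name -Domain $domain } |
    Sort-Object Uncovered -Descending |
    Format-Table -AutoSize
```

Read the output together with the "Do not use NetBIOS-based discovery" setting at the top of the page: a branch site whose DC registers only site-specific records is correctly hidden from hub clients by DNS, but that protection only holds once the NetBIOS fallback is off.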