AD Modernization Project : Part 5 - SRV Suppression for 2008 DC's

The idea behind suppressing the SRV records of a domain controller is to move client traffic from the Windows Server 2008 AD domain controllers to the Windows Server 2016 ones. Once its SRV records are suppressed, the domain controller stops advertising itself as a DC, so client traffic moves to the other DCs that are still available.

Two methods of suppressing the SRV records are described below.

Both methods add the same value under the Netlogon parameters key, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters; one uses PowerShell and the other uses Registry Editor.

Method 1. Suppress SRV records with PowerShell.

·       Open PowerShell and type:



$DataValue= "LdapIpAddress","Ldap","LdapAtSite","Pdc","Gc","GcAtSite","DcByGuid","GcIpAddress","DsaCname","Kdc","KdcAtSite","Dc","DcAtSite","Rfc1510Kdc","Rfc1510KdcAtSite","GenericGc","GenericGcAtSite","Rfc1510UdpKdc","Rfc1510Kpwd","Rfc1510UdpKpwd"

·       Press Enter, then type:



New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -Name DnsAvoidRegisterRecords -Value $DataValue -PropertyType Multistring

·       Press Enter again.

·       The registry entry DnsAvoidRegisterRecords has now been created with the following data values (the same list that was assigned to $DataValue):

o   LdapIpAddress

o   Ldap

o   LdapAtSite

o   Pdc

o   Gc

o   GcAtSite

o   DcByGuid

o   GcIpAddress

o   DsaCname

o   Kdc

o   KdcAtSite

o   Dc

o   DcAtSite

o   Rfc1510Kdc

o   Rfc1510KdcAtSite

o   GenericGc

o   GenericGcAtSite

o   Rfc1510UdpKdc

o   Rfc1510Kpwd

o   Rfc1510UdpKpwd

Note: The data values specified in this registry entry name the DNS resource records that the Net Logon service should not register for this domain controller.

·       A restart of the Net Logon service is not required for the change to take effect. If the DnsAvoidRegisterRecords value is created or modified while the Net Logon service is stopped, or within the first 15 minutes after it starts, the corresponding DNS updates may happen with a short delay; however, the delay is never longer than 15 minutes after the Net Logon service starts.
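The two commands above do the job for a first run, but New-ItemProperty throws if the value already exists, so re-running the procedure on a DC that was partially prepared fails. The following script is an added example, not part of the original post: it creates the value on first use, overwrites it on later runs, reads it back and compares it with the intended list so that a mistyped mnemonic is caught immediately instead of after the 15-minute wait, and provides a rollback that removes the value and asks Netlogon to re-register its records with nltest /dsregdns. The mnemonic list is the one the post uses; the function names are the example's own.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the Windows Server 2008 DC that is being drained.

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$ValueName = 'DnsAvoidRegisterRecords'

# Mnemonics from the post: every locator record this DC should stop registering.
$Mnemonics = @(
    'LdapIpAddress','Ldap','LdapAtSite','Pdc','Gc','GcAtSite','DcByGuid',
    'GcIpAddress','DsaCname','Kdc','KdcAtSite','Dc','DcAtSite','Rfc1510Kdc',
    'Rfc1510KdcAtSite','GenericGc','GenericGcAtSite','Rfc1510UdpKdc',
    'Rfc1510Kpwd','Rfc1510UdpKpwd'
)

function Set-SrvSuppression {
    # Creates or overwrites DnsAvoidRegisterRecords and verifies the stored list.
    param([string[]]$Records = $Mnemonics)

    $existing = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        # First run: create the REG_MULTI_SZ value exactly as the post does.
        New-ItemProperty -Path $RegPath -Name $ValueName -Value $Records -PropertyType MultiString | Out-Null
    } else {
        # Value already present: New-ItemProperty would throw, so overwrite it instead.
        Set-ItemProperty -Path $RegPath -Name $ValueName -Value $Records
    }

    # Read back and diff against the intended list; a typo in one mnemonic would
    # otherwise leave that record registered and the DC still advertising it.
    $actual = (Get-ItemProperty -Path $RegPath -Name $ValueName).$ValueName
    $diff = Compare-Object -ReferenceObject $Records -DifferenceObject $actual
    if ($diff) {
        throw "Read-back mismatch for ${ValueName}: $($diff | Out-String)"
    }
    Write-Host "$ValueName set with $($actual.Count) mnemonics on $env:COMPUTERNAME"
}

function Remove-SrvSuppression {
    # Rollback: delete the value and make Netlogon re-register all records now
    # rather than waiting for its next periodic refresh.
    Remove-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    & nltest /dsregdns
}

Set-SrvSuppression
```

Keep Remove-SrvSuppression at hand during the migration window: if clients start failing to locate a DC because the 2016 DCs are not yet taking the load, removing the value and running nltest /dsregdns brings the 2008 DC back into the locator records without a reboot.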

Method 2. Suppress SRV records with Registry Editor.


·       Open Registry Editor and navigate to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

·       Right-click Parameters and click New.

·       Select Multi-String Value (REG_MULTI_SZ), type the name DnsAvoidRegisterRecords and add the following data values:

o   LdapIpAddress

o   Ldap

o   LdapAtSite

o   Pdc

o   Gc

o   GcAtSite

o   DcByGuid

o   GcIpAddress

o   DsaCname

o   Kdc

o   KdcAtSite

o   Dc

o   DcAtSite

o   Rfc1510Kdc

o   Rfc1510KdcAtSite

o   GenericGc

o   GenericGcAtSite

o   Rfc1510UdpKdc

o   Rfc1510Kpwd

o   Rfc1510UdpKpwd

·       The result is the same registry value that Method 1 created with PowerShell.
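Whichever method was used, the change is only complete once clients stop receiving the drained DC in their locator answers. The following script is an added example, not part of the original post: it queries the SRV records behind the Ldap, Dc, Kdc, Pdc and Gc mnemonics and asks the DC locator for a fresh answer, reporting whether the suppressed DC still shows up. Resolve-DnsName is not available on Windows Server 2008, so run this from a Windows Server 2016 DC or an administrator's workstation. $DrainedDc and $DomainFqdn are placeholders, and a single-domain forest is assumed so that the GC records live under the same DNS name as the domain.

```powershell
# Added example (not from the original post). Run from a 2016 DC or an admin
# workstation joined to the domain, after the 15-minute Netlogon window.

$DrainedDc  = 'dc2008-01'          # placeholder: short hostname of the suppressed DC
$DomainFqdn = 'corp.example.com'   # placeholder: AD DNS domain name (assumed forest root)

# SRV names that correspond to the Ldap, Dc, Kdc, Pdc and Gc mnemonics.
$SrvNames = @(
    "_ldap._tcp.$DomainFqdn",
    "_ldap._tcp.dc._msdcs.$DomainFqdn",
    "_kerberos._tcp.$DomainFqdn",
    "_ldap._tcp.pdc._msdcs.$DomainFqdn",
    "_ldap._tcp.gc._msdcs.$DomainFqdn"
)

function Get-SrvNamesStillAdvertising {
    # Returns the SRV names whose targets still include $Hostname.
    # An empty result means the DC has dropped out of every checked record.
    param([string]$Hostname, [string[]]$Names)

    $stillAdvertised = @()
    foreach ($name in $Names) {
        $targets = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
                   Where-Object { $_.QueryType -eq 'SRV' } |
                   Select-Object -ExpandProperty NameTarget
        # NameTarget is the DC's FQDN, so match "hostname." at the start.
        if (@($targets) -match "^$([regex]::Escape($Hostname))\.") {
            $stillAdvertised += $name
        }
    }
    return $stillAdvertised
}

function Test-LocatorAvoidsDc {
    # Forces the DC locator to rediscover a DC (bypassing its cache) and
    # reports $true when the drained DC was not the one chosen.
    param([string]$Hostname, [string]$Domain)
    $out = & nltest /dsgetdc:$Domain /force 2>&1
    return -not ($out -match [regex]::Escape($Hostname))
}

$leftovers = @(Get-SrvNamesStillAdvertising -Hostname $DrainedDc -Names $SrvNames)
if ($leftovers.Count -eq 0) {
    Write-Host "$DrainedDc is no longer advertised in any of the checked SRV records"
} else {
    # Either Netlogon has not yet processed the change, or the records are cached
    # by the resolver; retry after the TTL rather than assuming the change failed.
    Write-Warning "$DrainedDc still appears in: $($leftovers -join ', ')"
}

if (Test-LocatorAvoidsDc -Hostname $DrainedDc -Domain $DomainFqdn) {
    Write-Host "DC locator no longer returns $DrainedDc for $DomainFqdn"
} else {
    Write-Warning "DC locator still returned $DrainedDc; check for stale or cached records"
}
```

Run the SRV check once before the change as well, so that a record the drained DC never registered (for example a GC record on a DC that is not a global catalog) is not mistaken for a successful suppression afterwards.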