Exclude Login Authentication from One DC

Anonymous
2024-05-31T16:35:15+00:00

Hi MS Experts,

I have a pool of DCs that receive replication from the forest. When a user logs in to an application server, the server connects to a DC from the pool to authenticate the user login via LDAP. My goal is to exclude one of the DCs from the pool, meaning it doesn't authenticate users but is still able to receive replication.

I tried pointing the subnets to a designated DC, and also tried lowering the priority of that one DC under TCP -> LDAP. Neither worked. What else could I try?

2 answers

  1. Anonymous
    2024-06-03T15:52:32+00:00

    Hi Neuvi,

    Thank you for the info. The two options you provided are the ones I tried already:

    1. Raised the priority value to a higher number for the specific DC.
    2. Put the DC in a separate site, associated only with one subnet that is in the same site. Clients in other subnets do not point to the DC.

    Unfortunately, other subnets are still trying to authenticate to that DC. Any advice? Thanks.

  2. Anonymous
    2024-06-03T06:35:58+00:00

    Hi SolarPanda,

    Thank you for posting in the Microsoft Community Forums.

    You can try the following:

    Adjust the weight and priority of DNS SRV records:

    You can influence the selection of DCs by adjusting the weight and priority of DNS SRV records. Set the weight of the DCs that you do not want to use for authentication to the lowest value, or the priority to the highest value. The format of a DNS SRV record is as follows:

    _ldap._tcp.<DomainName>

    Edit these records to lower the weight of DCs that you do not want to use for authentication or to raise the priority of other DCs.

    Configure Active Directory sites and services:

    In Active Directory Sites and Services, place the DC that you do not want to use for authentication in a separate site and make sure that the site is subnetted in such a way that clients do not automatically select it. This way, it can still receive replicated data, but clients will not actively use it for authentication.

    Best regards

    Neuvi Jiang

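The two adjustments Neuvi describes (SRV priority/weight and site design) can both be applied and, more importantly, verified from PowerShell. The script below is an added example, not code from the thread or from Microsoft; it assumes placeholder values (`corp.example.com` for the domain, `DC03` for the DC to exclude), an elevated session on that DC, and the RSAT ActiveDirectory module for the subnet check. Step 2 goes beyond the thread: it also stops the excluded DC from registering the domain's own A record, which matters when an application binds to the bare domain name rather than using the DC locator, since such clients are round-robined across those A records and are unaffected by SRV or site settings.

```powershell
# Added example (not from the thread). Run elevated on the DC to be kept out of the
# LDAP pool. Placeholders: domain 'corp.example.com', excluded DC 'DC03'.
$Domain         = 'corp.example.com'   # placeholder
$ExcludedDc     = 'DC03'               # placeholder
$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# 1. SRV priority/weight. The DC locator tries the lowest Priority first and shares
#    load by Weight among DCs of equal priority (defaults 0 and 100). A high priority
#    number plus zero weight makes this DC the last resort for locator-based clients.
Set-ItemProperty -Path $NetlogonParams -Name LdapSrvPriority -Value 200 -Type DWord
Set-ItemProperty -Path $NetlogonParams -Name LdapSrvWeight   -Value 0   -Type DWord

# 2. Beyond the thread: do not register the domain's own A record (<domain> -> DC IP)
#    from this DC. 'LdapIpAddress' is the documented mnemonic for that record.
#    Replication, Kerberos and the DC's host A record are unaffected.
Set-ItemProperty -Path $NetlogonParams -Name DnsAvoidRegisterRecords `
    -Value @('LdapIpAddress') -Type MultiString

# 3. Have Netlogon re-register its DNS records with the new values.
Restart-Service -Name Netlogon
nltest /dsregdns | Out-Null

# 4. Verify the SRV records every locator client will see. The excluded DC should
#    show the high Priority and zero Weight; others keep 0 / 100.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV |
    Where-Object { $_.QueryType -eq 'SRV' } |
    Select-Object NameTarget, Priority, Weight, Port |
    Sort-Object @{Expression = 'Priority'}, @{Expression = 'Weight'; Descending = $true} |
    Format-Table -AutoSize

# 5. Verify the site design: list the subnets mapped to the excluded DC's site.
#    Any subnet here that also carries normal clients will still steer them to it.
#    (Get-ADReplicationSubnet returns Site as a DN, so match on the CN.)
$site = (Get-ADDomainController -Identity $ExcludedDc).Site
Get-ADReplicationSubnet -Filter * |
    Where-Object { $_.Site -like "CN=$site,*" } |
    Select-Object Name, Location

# 6. Verify the A records the excluded DC used to publish; after step 2 and 3 its
#    address should no longer appear for the bare domain name.
Resolve-DnsName -Name $Domain -Type A | Select-Object Name, IPAddress

# 7. From a client in one of the other subnets: which DC does the locator hand out?
#    The returned DC should not be $ExcludedDc.
nltest "/dsgetdc:$Domain" /force
```

If step 7 looks right but the application server still binds to the excluded DC, the server most likely has that DC's hostname or address configured directly in its LDAP settings; neither DNS records nor site design change the behaviour of a client that names its server explicitly, so check the application's own configuration next.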