I have Microsoft AD Domain with multiple geographical sites. All sites are interconnected by VPN. All sites have 2 Domain Controllers running Windows Server 2012 R2.
I was reviewing the automated _ldap and _kerberos SRV records for each site in the DNS manager, and many (most?) of the entries make little sense.
A few sites had entries only for DCs that were off-site.
Many sites had one entry for the primary on-site DC (which is good), but instead of having the secondary on-site DC as another entry, it had an off-site DC as an equally weighted entry.
Many sites with off-site DCs had seemingly random off-site DCs. In most cases they were the most geographically distant DCs, which generally means higher pings and less bandwidth.
Just to be clear, the appropriate DCs are mapped correctly to their corresponding geographic sites within the Domain Sites and Services manager.
It seems to me that I would be much better off managing these entries myself. Ideally I would set up the SRV entries for each site like this:
Primary On-site DC - weight 0
Secondary On-site DC - weight 0
Primary Off-site DC, geographically close - weight 1
Secondary Off-site DC, geographically close - weight 1
Primary Off-site DC, geographically far - weight 2
Secondary Off-site DC, geographically far - weight 2
So in order to do this, I'd need to change all those SRV records to static, and then manage everything myself manually.
Aside from the tedious nature of this task, and the possibility of introducing human error into these essential records, is there a good reason I should not be revising these SRV entries manually?
Alternatively, is there a way to have more intelligently created automatic SRV records?
Tangentially related question: When messing around with creating static SRV records, I've noticed a strange behavior. Normally, automatically created DNS records get a time stamp, whereas records I create manually get a <static> label. Often, though, a record I create just gets a blank label (i.e. null). But if I check the advanced properties of the record, it does not have the "Delete this record when it becomes stale" option checked, so it seems it is static?
There are many records for different services and different types of clients. Some of those records ARE site specific, and will be used by clients that ARE site aware. Example:
_ldap._tcp.SiteName._sites.DnsDomainName.
Some of them are NOT site specific and will be used by clients that are NOT site aware. Example:
_ldap._tcp.dc._msdcs.DnsDomainName.
There is also a record for the PDC FSMO holder that begins with _ldap, but as there is only one PDC, every client in every site can only use the PDC if that service is required. Example: _ldap._tcp.pdc._msdcs.DnsDomainName.
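Before hand-editing anything, an audit of the site-specific records described in the question and the answer is useful. The script below is an added example, not code from the question or the answer: for every site in Sites and Services it resolves _ldap._tcp.SiteName._sites.DnsDomainName and lists each target DC with its SRV priority (lower is tried first) and weight, flagging targets whose Sites and Services site is not the site the record belongs to. It assumes the RSAT ActiveDirectory and DnsClient modules on a domain-joined machine.

```powershell
# Audit site-specific _ldap SRV records against AD Sites and Services membership.
# Added example (not from the original question or answer). Assumes the RSAT
# ActiveDirectory and DnsClient modules and a reachable DC for the current domain.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot

# Map each DC host name (lower-case FQDN) to the site it is assigned to in Sites and Services.
$dcSite = @{}
foreach ($dc in Get-ADDomainController -Filter *) {
    $dcSite[$dc.HostName.ToLower()] = $dc.Site
}

$report = foreach ($site in Get-ADReplicationSite -Filter *) {
    $name = "_ldap._tcp.$($site.Name)._sites.$domain"
    # Resolve-DnsName returns one object per SRV entry with NameTarget, Priority, Weight and Port.
    $records = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' }
    foreach ($rr in $records) {
        $target     = $rr.NameTarget.TrimEnd('.').ToLower()
        $actualSite = $dcSite[$target]
        [pscustomobject]@{
            Site     = $site.Name
            Target   = $target
            Priority = $rr.Priority   # lower value is preferred by clients
            Weight   = $rr.Weight     # relative share among equal-priority targets
            DCSite   = $actualSite    # $null if the target is not a known DC
            OffSite  = ($null -eq $actualSite) -or ($actualSite -ne $site.Name)
        }
    }
}

# Show only entries where a DC from another site (or an unknown host) is registered
# in a site's own _sites record; an empty result means the records match Sites and Services.
$report | Where-Object OffSite | Sort-Object Site, Priority | Format-Table -AutoSize
```

Run it from an account that can read the domain; it makes no changes, so it is safe to repeat after any DNS or site adjustment to confirm the records converged.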