Can I restrict a particular Domain Controller to serve only few clients with particular IP addresses and nothing else. I know I can put up a site with the Domain controller and attach the required IP addresses to that site. But how can I make sure no other client IP addresses get authenticated via this site as there might be IP address range not defined in the subnets? Can I set up some firewall rules in DC so that it talks to only defined client IP addresses? If so what rules would they be?

You can achieve this by configuring the SRV records registered by the domain controller. When the NetLogon service of the domain controller will register two "types" of SRV records: The site specific records that allow clients on the same site de locate the domain controller. The generic records that allow clients which do not know in which site they are in, or have to an IP address that doesn't belong to any subnet nor site If you want the DC to be used only by clients which are in the same site of the DC (the point 1) then you can instruct your domain controller NOT to register its generic records (the point 2). In order to do that, follow those stepts: Edit the group policy and find the following parameter: Computer Configuration > Policies > Administrative Templates > System > Net logon > DC Locator DNS record > Specify DC Locator DNS records not registered by the DCs. Enable this parameter and in the field you have to type all the records that you don't want to see in the DNS (those keywords are explained here ). So type the following (the separator is a space character): LdapIpAddress Ldap LdapAtSite Pdc Gc GcAtSite GcIpAddress Kdc KdcAtSite Dc DcAtSite Rfc1510Kdc Rfc1510KdcAtSite GenericGc GenericGcAtSite Rfc1510UdpKdc Rfc1510Kpwd Rfc1510UdpKpwd . Do not delete the DsaCname , this is used for the replication. Restart the NetLogon service At this point your DC is invisible for clients outside of the site. But it is possible that clients picked up that DC before your changes. In that case you can just be patient. Clients are re-discovering DCs every 12 hours. So after 12 hours you should only see clients in the same site. Also, if applications have hardcoded this DC, they might still continue to use it (you can have a look here if that's a concern: https://learn.microsoft.com/en-us/archive/blogs/pie/how-to-detect-applications-using-hardcoded-dc-name-or-ip ). But if that's a new DC then the problem doesn't exist since the applications will not have the time to hardcode to that DC yet.

Hello @Yankee30 , According to our requirement, our requiremenet is: A particular Domain Controller in one site will only server a few clients. No other clients from other sites get authenticated from this domain controller. As mentioned, we will need different IP ranges to configure the sites and subnets. Please specify what subnets define each site. And then make some restrictions from the network side, such as make the network segment of each site isolated. Hope this information could be of some help to you. Thanks a lot. Best regards, Hannah Xiong

AD Sites & Services exclusivly for only certain client machines

Accepted answer

Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee

2021-07-22T18:29:52.817+00:00
You can achieve this by configuring the SRV records registered by the domain controller.

When the NetLogon service of the domain controller will register two "types" of SRV records:

The site specific records that allow clients on the same site de locate the domain controller.

The generic records that allow clients which do not know in which site they are in, or have to an IP address that doesn't belong to any subnet nor site

If you want the DC to be used only by clients which are in the same site of the DC (the point 1) then you can instruct your domain controller NOT to register its generic records (the point 2). In order to do that, follow those stepts:

Edit the group policy and find the following parameter: Computer Configuration > Policies > Administrative Templates > System > Net logon > DC Locator DNS record > Specify DC Locator DNS records not registered by the DCs.

Enable this parameter and in the field you have to type all the records that you don't want to see in the DNS (those keywords are explained here). So type the following (the separator is a space character): LdapIpAddress Ldap LdapAtSite Pdc Gc GcAtSite GcIpAddress Kdc KdcAtSite Dc DcAtSite Rfc1510Kdc Rfc1510KdcAtSite GenericGc GenericGcAtSite Rfc1510UdpKdc Rfc1510Kpwd Rfc1510UdpKpwd.

Do not delete the DsaCname, this is used for the replication.

Restart the NetLogon service

At this point your DC is invisible for clients outside of the site. But it is possible that clients picked up that DC before your changes. In that case you can just be patient. Clients are re-discovering DCs every 12 hours. So after 12 hours you should only see clients in the same site.

Also, if applications have hardcoded this DC, they might still continue to use it (you can have a look here if that's a concern: https://learn.microsoft.com/en-us/archive/blogs/pie/how-to-detect-applications-using-hardcoded-dc-name-or-ip). But if that's a new DC then the problem doesn't exist since the applications will not have the time to hardcode to that DC yet.
Please sign in to rate this answer.

1 person found this answer helpful.
Yankee30 206 Reputation points

2021-07-22T18:43:32.533+00:00

When you say “ The site specific records that allow clients on the same site de locate the domain controller.”

I already have a Site (Site A with multiple DC’s mapped with multiple subnets) and say I create this new Site (Site B with that one new DC and map only required end client IP addresses in subnet)

Now DC’s in Site A and the new DC in Site B are all physically in same location and have the same IP range.

Now with the procedure you mentioned, will the clients mapped via subnet to Site B only authorize via DC in Site B or the subnets mapped to Site A may as well authorize via Site B coz the DC’s and physically all DC’s are in same range?

Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee

2021-07-22T18:47:29.56+00:00

You need a different IP ranges associated to sites to make it work. Can you share some of your subnets as example?

This is not about authorization, it is about discoverability. The clients are using DCs they can discovery and reach for authentication. If a DC is not in DNS, it is basically invisible for clients.

Yankee30 206 Reputation points

2021-07-26T12:30:30.077+00:00

Consider something like I already have the subnet 10.120.168.0/24 mapped to Site A but I”ll have to map certain IP’s say 10.120.168.43, 10.120.168.120, 10.120.168.155 to Site B so they discover the DC in Site B and no other machine.

Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee

2021-07-26T12:52:33.847+00:00

You could do the following:

Create 3 subnets with the /32 for 10.120.168.43,10.120.168.120 and 10.120.168.155. It creates a site with no client.

Still goes through the steps I outlined earlier to make sure they do not publish their generic records.

On the systems you want to use those 3 DCs, you can "force" them to use the new site by creating the registry value: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\SiteName (REG_Z) and in the data of that value, you can enter the name of your site with no clients subnet. When a client has a SiteName value it will overide the discovery mechanism.

Yankee30 206 Reputation points

2021-07-26T15:40:58.86+00:00

Thanks , please correct me if I'm wrong:-

Create a new Site named Site B & create 3 subnets with the /32 for 10.120.168.43,10.120.168.120 and 10.120.168.155. Map these subnets to Site B. 2. Before promoting a member server to DC, edit the group policy as Computer Configuration > Policies > Administrative Templates > System > Net logon > DC Locator DNS record > Specify DC Locator DNS records not registered by the DCs.

Enable this parameter and in the field you have to type all the records that you don't want to see in the DNS (those keywords are explained here). So type the following (the separator is a space character): LdapIpAddress Ldap LdapAtSite Pdc Gc GcAtSite GcIpAddress Kdc KdcAtSite Dc DcAtSite Rfc1510Kdc Rfc1510KdcAtSite GenericGc GenericGcAtSite Rfc1510UdpKdc Rfc1510Kpwd Rfc1510UdpKpwd.

Do not enter DsaCname & **DcByGuid as well ? **

On the systems(10.120.168.43,10.120.168.120 and 10.120.168.155. ) I want to use the DC in Site B, I shall "force" them to use the new site by creating the registry value: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\SiteName (REG_Z) and in the data of that value, you can enter the name of your site Site B. When a client has a SiteName value it will overide the discovery mechanism.

Questions following in next comment coz of character limit

Yankee30 206 Reputation points

2021-07-26T15:46:24.74+00:00

Questions :-

I shall change the local gpo of member server before promoting it to a DC ?

I don't really see any information about all these "LdapIpAddress Ldap LdapAtSite Pdc Gc GcAtSite GcIpAddress Kdc KdcAtSite Dc DcAtSite Rfc1510Kdc Rfc1510KdcAtSite GenericGc GenericGcAtSite Rfc1510UdpKdc Rfc1510Kpwd Rfc1510UdpKpwd" what does what not even in the article what you sent.
So I don't need any records except DsaCname & DcByGuid ??

So by entering all the above parameters except 2 it'll not register for any DNS entries except the two you left & that's how it should be ? this will not create SRV records and not let any other client see this DC while with the registry I'll be forcing the clients to talk to the DC in Site B only.

Now after testing when I want to make that DC public , all I have to do is...Remove those entries from GPO & move it from Site B to Site A & delete Site B & those empty subnets with /32 ?

Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee

2021-07-26T16:19:28.84+00:00

We dont' care very much about the DcByGuid as it is really (never?) used to "hardcode" clients to a DC. Byt

Up to you. That would reduce the chances that a clients pick them up yes.

Untrue, the post points to the following article: https://learn.microsoft.com/en-US/troubleshoot/windows-server/identity/optimize-dc-location-global-catalog

There are more mnemonics (that's how we call those words) that than (you can check the netlogon.dns log file on a domain controller to see that there are many entries, all of them have a corresponding mnemonics). You just hide the ones considered "generic" without site's information (check page 579 of https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-ADTS/%5bMS-ADTS%5d.pdf).

You can clear that setting and restart the netlogon service of the DCs. The DCs will now be visible for everyone. And you can remove the subnet/32 too.

Yankee30 206 Reputation points

2021-07-26T18:12:17.427+00:00

Thanks I do see the mnemonics & what kind of DNS entries it creates but I don't see the function of each one. Like you mentioned DsaCname is used for replication so don't disabled that, I don't see the function mentioned for each menmonic, unless I'm still overlooking ?

So I shall disable all except keep DsaCname ?

Another question - Wouldn't just unchecking register to DNS help as that shouldn't create any records in DNS. And I can just create a manual A record of the hostname in DNS which shall help the only 3 clients to reach the DC ?

Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee

2021-07-27T01:59:12.857+00:00

They are sorta self explatory. The one with gc in it is for Global catalogs location, the one with _ldap for DC location in general, the one with _kerberos to locate a KDC etc... Most mnemonics come in pair:

You want to keep the one with the"AtSite" in it. And the DcByGuid and the DsaCname. Just hide the one suggested by the articles.

The checbox you refer to is for the server A and PTR records. Not for records registered by the NetLogon service.

A records needs to exist. Regardless of the scenario. If we don't have the A record for the server FQDN nothing will work. No replication, no authentication etc...
Sign in to comment

AD Sites & Services exclusivly for only certain client machines

1 additional answer