Yankee30 asked:

AD Sites & Services exclusively for only certain client machines

Can I restrict a particular Domain Controller to serve only a few clients with particular IP addresses and nothing else?

I know I can put up a site with the Domain controller and attach the required IP addresses to that site.

But how can I make sure no other client IP addresses get authenticated via this site, as there might be IP address ranges not defined in the subnets?

Can I set up some firewall rules on the DC so that it talks only to the defined client IP addresses? If so, what rules would they be?

Tags: windows-active-directory, windows-server-2019

piaudonn answered:

You can achieve this by configuring the SRV records registered by the domain controller.

The NetLogon service of the domain controller registers two "types" of SRV records:

  1. The site-specific records that allow clients on the same site to locate the domain controller.

  2. The generic records that allow clients which do not know which site they are in, or have an IP address that doesn't belong to any subnet or site.

If you want the DC to be used only by clients which are in the same site as the DC (point 1), then you can instruct your domain controller NOT to register its generic records (point 2). In order to do that, follow these steps:

  • Edit the group policy and find the following parameter: Computer Configuration > Policies > Administrative Templates > System > Net logon > DC Locator DNS record > Specify DC Locator DNS records not registered by the DCs.

  • Enable this parameter and in the field you have to type all the records that you don't want to see in the DNS (those keywords are explained here). So type the following (the separator is a space character): LdapIpAddress Ldap LdapAtSite Pdc Gc GcAtSite GcIpAddress Kdc KdcAtSite Dc DcAtSite Rfc1510Kdc Rfc1510KdcAtSite GenericGc GenericGcAtSite Rfc1510UdpKdc Rfc1510Kpwd Rfc1510UdpKpwd.

  • Do not delete the DsaCname; this is used for replication.

  • Restart the NetLogon service.

At this point your DC is invisible to clients outside of the site. But it is possible that clients picked up that DC before your changes. In that case you can just be patient. Clients re-discover DCs every 12 hours, so after 12 hours you should only see clients from the same site.

Also, if applications have hardcoded this DC, they might still continue to use it (you can have a look here if that's a concern: https://docs.microsoft.com/en-us/archive/blogs/pie/how-to-detect-applications-using-hardcoded-dc-name-or-ip). But if that's a new DC then the problem doesn't exist since the applications will not have the time to hardcode to that DC yet.
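As an added check (example script, not part of the original answer), the PowerShell below confirms after the steps above that the DC is gone from the generic DC Locator SRV records but still present in its own site's records. `$Domain`, `$SiteName` and `$DcHostName` are assumed placeholder values for your own environment.

```powershell
# Added example: verify which DC Locator SRV records a DC still holds in DNS after the
# "Specify DC Locator DNS records not registered by the DCs" policy has been applied.
# Run from any domain-joined machine whose DNS client points at an AD-integrated DNS server.
param(
    [string]$Domain     = 'corp.example.com',     # assumption: your AD DNS domain name
    [string]$SiteName   = 'SiteB',                # assumption: the restricted site
    [string]$DcHostName = 'dc01.corp.example.com' # assumption: FQDN of the restricted DC
)

# Generic (site-less) records that clients fall back to when their IP maps to no site.
# The Ldap / Kdc / Dc mnemonics in the policy control these; the DC should vanish from them.
$genericRecords = @(
    "_ldap._tcp.$Domain",
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain"
)
# Site-specific records (LdapAtSite / KdcAtSite) are not in the policy list above,
# so the DC must still be present here for clients inside its own site to find it.
$siteRecords = @(
    "_ldap._tcp.$SiteName._sites.dc._msdcs.$Domain",
    "_kerberos._tcp.$SiteName._sites.dc._msdcs.$Domain"
)

function Test-DcInSrv {
    param([string]$Name, [string]$Target)
    # Resolve-DnsName returns one object per SRV record plus glue A records;
    # keep only SRV rows and look for the DC's FQDN in NameTarget.
    $srv = Resolve-DnsName -Name $Name -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    return [bool]($srv | Where-Object { $_.NameTarget -ieq $Target })
}

$report = @()
foreach ($r in $genericRecords) {
    $report += [pscustomobject]@{ Record = $r; Kind = 'generic'; DcListed = (Test-DcInSrv $r $DcHostName); Expected = $false }
}
foreach ($r in $siteRecords) {
    $report += [pscustomobject]@{ Record = $r; Kind = 'site';    DcListed = (Test-DcInSrv $r $DcHostName); Expected = $true }
}

# A row whose DcListed differs from Expected means the policy has not taken effect yet:
# Netlogon re-registers on restart, and stale records linger until the DC deregisters
# them or DNS scavenging removes them.
$report | Format-Table -AutoSize
$mismatches = $report | Where-Object { $_.DcListed -ne $_.Expected }
if ($mismatches) { Write-Warning 'DC Locator records do not yet match the intended site-only configuration.' }
```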


When you say “The site-specific records that allow clients on the same site to locate the domain controller.”

I already have a Site (Site A with multiple DCs mapped with multiple subnets), and say I create this new Site (Site B with that one new DC and map only the required end client IP addresses in a subnet).

Now the DCs in Site A and the new DC in Site B are all physically in the same location and have the same IP range.

Now with the procedure you mentioned, will the clients mapped via subnet to Site B only authorize via the DC in Site B, or may the subnets mapped to Site A also authorize via Site B, because physically all the DCs are in the same range?

You need different IP ranges associated to the sites to make it work. Can you share some of your subnets as an example?

This is not about authorization, it is about discoverability. The clients are using DCs they can discover and reach for authentication. If a DC is not in DNS, it is basically invisible to clients.

HannahXiong-MSFT answered:

Hello @Yankee30,

According to your description, the requirement is:

  1. A particular Domain Controller in one site will only serve a few clients.

  2. No other clients from other sites get authenticated from this domain controller.

As mentioned, we will need different IP ranges to configure the sites and subnets. Please specify which subnets define each site. Then add some restrictions on the network side, such as isolating the network segment of each site.

Hope this information could be of some help to you. Thanks a lot.


Best regards,
Hannah Xiong
