Change Domain Controller Weight and Priority

  • Question

  • Hi,

    We have three 2008 DCs. Two are physical and one is virtual. One of the physical DCs holds all the FSMO roles, but the virtual DC acts as the logon server for all workstations and servers. I wanted to try changing the weight and priority to the physical DCs, but I'm a little confused. I've read several articles that describe making this change in the registry and others saying to make the change using DNS SRV. Making the change in DNS makes more sense to me on a global level. After reading this site I'm not sure where in DNS to make the change.

    Questions:

    1. Should I not send all logon requests to the PDC?
    2. Can someone explain where I should make this change (registry or DNS SRV)?
    3. Is there a way of changing the logon server for only one workstation?
    4. Lower priority and higher weight mean requests will be sent to that server more than any other?
    5. What is the difference between priority and weight?

    Thanks

    Monday, August 20, 2012 3:33 PM

Answers

  • I agree with Mike and Santhosh. Why do you want to change this?

    There's really no reason to change this. After all, that's part of the idea of having two DCs, besides fault tolerance. The AD client side extensions simply query DNS and the first DC that responds is the DC the client locks on to.

    And adjusting weights and priorities is NOT best practice.

    What's wrong with the virtual DC?

    If you want to control this where you DON'T want the virtual DC to respond, simply put it on a different subnet and create AD Sites, one for each subnet, and the client will always use the DC in its own Site.

    Here's more on the logon process:

    Good discussions on the DC Locator whole process:
    Technet Thread: "how to control sequence of domain controllers a client computer logging on" 8/1/2011
    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/77bc547f-4d0d-4a0c-b463-359b1c771a81/



    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    • Marked as answer by Dennis MSS Wednesday, August 22, 2012 1:49 PM
    Monday, August 20, 2012 4:38 PM

All replies

  • No you don't need to send all logons to the PDC, just let all the DCs handle them.

    Read this article for more information    http://technet.microsoft.com/en-us/library/cc787370(v=ws.10).aspx

    Let us know what questions you have after that.  Why are you thinking that you want to do this?  I'm guessing there are no load/performance issues on the DCs.

    Thanks

    Mike


    http://adisfun.blogspot.com
    Follow @mekline

    Monday, August 20, 2012 4:06 PM
  • >>> I wanted to try changing the weight and priority to the physical DC's

    Why do you need to do this?  What are you trying to accomplish?


    Santhosh Sivarajan | Houston, TX
    http://www.sivarajan.com/


    This posting is provided AS IS with no warranties, and confers no rights.

    Monday, August 20, 2012 4:09 PM
  • We are having some issues with one of our applications and we feel the servers and workstations that point to our virtual DC are the cause. So we wanted to test that theory by statically assigning a handful of servers and workstations to a different logon server.

    We were also considering demoting it, but were worried that so many devices look towards it. In the past we had an Exchange 2003 server that would go haywire if that DC was offline. That doesn't happen anymore since our migration to Exchange 2010. We wanted to do this rather than demoting it right now. I've read you can change the weight and priority so clients rarely look towards a failing DC until you're ready to demote it.

    I think we definitely want to try to change the logon server for specific workstations first to see if that is the resolution to our problem. Then we will investigate demoting it. 

    Monday, August 20, 2012 4:40 PM
  • Have you verified the health of the DCs by running dcdiag /q and repadmin /replsum? Can you post the logs so we can check whether there is any issue between the DCs? Please post the ipconfig /all, dcdiag /q and repadmin /replsum output of all DCs; use SkyDrive to post the logs.

    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Monday, August 20, 2012 5:11 PM
  • We are having some issues with one of our applications and we feel the servers and workstations that point to our virtual DC are the cause. So we wanted to test that theory by statically assigning a handful of servers and workstations to a different logon server.

    We were also considering demoting it, but were worried that so many devices look towards it. In the past we had an Exchange 2003 server that would go haywire if that DC was offline. That doesn't happen anymore since our migration to Exchange 2010. We wanted to do this rather than demoting it right now. I've read you can change the weight and priority so clients rarely look towards a failing DC until you're ready to demote it.

    I think we definitely want to try to change the logon server for specific workstations first to see if that is the resolution to our problem. Then we will investigate demoting it. 


    Hi,

    If you are planning to demote the virtual DC, you have the option to point the DNS settings of all clients to DC/DNS servers other than the virtual DC. Once that is done, shut the virtual DC off for a few days and check the impact on the network. Once you have verified and confirmed that everything is working with the other 2 DCs, you can go ahead and demote the virtual DC.

    I would also not recommend adjusting weights and priorities. When an application requests access to Active Directory, an Active Directory server (domain controller) is located by a mechanism called the domain controller locator (DC Locator). It uses the "DynamicSiteName" entry to query the DNS server to find the domain controllers in that site. It appends the site name to the DNS query (SRV record) and sends it to the DNS server, which in turn sends a response.

    Read below articles:
    Domain Controller Locator : In depth
    http://blogs.technet.com/b/arnaud_jumelet/archive/2010/07/11/domain-controller-locator-in-depth.aspx

    DC Locator Process, The Logon Process, Controlling Which DC Responds in an AD Site, and SRV Records
    http://msmvps.com/blogs/acefekay/archive/2010/01/03/the-dc-locator-process-the-logon-process-controlling-which-dc-responds-in-an-ad-site-and-srv-records.aspx

    Anyway, if you want to modify the weight and priority values, they can be configured via GPO and registry.

    See the below article:
    Configuring which DCs register generic SRV records
    http://www.msresource.net/knowledge_base/articles/info:_fine_tuning_net_logons_srv_resource_record_rr_registrations.html

    How to lessen your PDC’s load
    http://blogs.dirteam.com/blogs/carlos/archive/2006/05/10/How-to-lessen-your-PDC_1920_s-load.aspx


    Best regards,

    Abhijit Waikar.
    MCSA | MCSA:Messaging | MCITP:SA | MCC:2012
    Blog: http://abhijitw.wordpress.com
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

    Monday, August 20, 2012 5:15 PM
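
An added example, not part of any post in this thread: a small simulation of how an RFC 2782 client orders SRV records, to show the difference between priority and weight that the original question asks about. The DC names and the three scenarios are constructed; it models only the DNS record ordering, not the rest of the DC Locator process.

```python
import random
from collections import Counter, namedtuple

SRV = namedtuple("SRV", "priority weight port target")

def make_records(virt_priority=0, virt_weight=100):
    """Constructed sample SRV set: hypothetical names, priority 0 / weight 100
    everywhere except where a scenario overrides the virtual DC's values."""
    return [
        SRV(0, 100, 389, "dc-phys1.corp.example."),
        SRV(0, 100, 389, "dc-phys2.corp.example."),
        SRV(virt_priority, virt_weight, 389, "dc-virt.corp.example."),
    ]

def order_srv(records, rng):
    """Return the records in the order an RFC 2782 client would try them."""
    ordered = []
    # Priority: lowest value is tried first; a higher value is only a fallback.
    for prio in sorted({r.priority for r in records}):
        # Within one priority, weight-0 records are placed first (RFC 2782).
        group = sorted((r for r in records if r.priority == prio),
                       key=lambda r: r.weight != 0)
        # Weight: repeated weighted random pick among the remaining records.
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total)  # inclusive on both ends
            running = 0
            for i, rec in enumerate(group):
                running += rec.weight
                if running >= pick:
                    ordered.append(group.pop(i))
                    break
    return ordered

def first_choice_share(records, trials=20000, seed=1):
    """Fraction of simulated lookups in which each target is tried first."""
    rng = random.Random(seed)
    hits = Counter(order_srv(records, rng)[0].target for _ in range(trials))
    return {r.target: hits[r.target] / trials for r in records}

if __name__ == "__main__":
    scenarios = {
        "all DCs equal (priority 0, weight 100)": make_records(),
        "virtual DC weight lowered to 10": make_records(virt_weight=10),
        "virtual DC priority raised to 10": make_records(virt_priority=10),
    }
    for label, recs in scenarios.items():
        print(label)
        for target, share in first_choice_share(recs).items():
            print(f"  {target:<26} {share:6.1%}")
```

A lower weight reduces how often the record is picked first but never removes it from rotation; a higher priority value makes it a pure fallback that is only reached after every record with a lower priority value.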
  • Dennis,

    Let's see the info Sandesh requested. Let's post the ipconfig /all to your next reply so we can see them immediately, and the rest to Skydrive.

    More importantly, let's see the ipconfigs from the two DCs and a sample workstation in question.


    If Exchange is going "haywire" (quoted), that means something else is going on. Are both DCs GCs? Exchange will look for DSAccess for LDAP Configuration access (to the Config container in AD), and GC for GAL and other purposes. Usually after removing a DC, Exchange will self-heal by re-evaluating the DS infrastructure to determine what other DCs to use. If that's not happening, then something else is going on. Are there DSAccess errors on the Exchange server?

    Also post an ipconfig /all of the Exchange server.



    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Monday, August 20, 2012 5:28 PM
  • Exchange issue could be due to the Primary DNS or DSAccess.

    >>>We are having some issues with one of our applications and we feel the servers and workstations that point to our virtual DC

    Did you validate this?  You can run the SET command and see who is the LOGON server.

    It sounds like workstations are not getting the correct Primary DNS server.  Also, assuming you have proper Site/Subnet confirmation in the lab.


    Santhosh Sivarajan | Houston, TX
    http://www.sivarajan.com/


    This posting is provided AS IS with no warranties, and confers no rights.

    Monday, August 20, 2012 5:48 PM
  • dcdiag /q displays no errors, the same with repadmin /replsum.
    Monday, August 20, 2012 7:11 PM
  • We aren't receiving Exchange errors, this was a past problem that has been resolved.
    Monday, August 20, 2012 7:12 PM
  • We are having some issues with one of our applications and we feel the servers and workstations that point to our virtual DC are the cause. So we wanted to test that theory by statically assigning a handful of servers and workstations to a different logon server.

    We were also considering demoting it, but were worried that so many devices look towards it. In the past we had an Exchange 2003 server that would go haywire if that DC was offline. That doesn't happen anymore since our migration to Exchange 2010. We wanted to do this rather than demoting it right now. I've read you can change the weight and priority so clients rarely look towards a failing DC until you're ready to demote it.

    I think we definitely want to try to change the logon server for specific workstations first to see if that is the resolution to our problem. Then we will investigate demoting it. 

    Is this an AD aware application and one that you are specifically pointing it to a DC? 

    Is the DC a global catalog?  If not do you have Global Catalog caching enabled?

    Weight and priority?
    http://blogs.dirteam.com/blogs/paulbergson/archive/2010/07/09/changing-the-weight-and-priority-of-a-domain-controller-within-a-site.aspx

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Monday, August 20, 2012 7:20 PM
  • If there is no authentication issue and Exchange also works when the virtual DC is down, then it could be that the application configuration is pointing to the virtual DC's IP address or server name. You need to check with the application vendor or application admin whether there is any such setting in the app, and change it to another DC. Also, you need to ensure that the correct DNS settings are configured on clients and member servers as below.

    -->> DNS configuration on clients and member servers:
    1. Each workstation/member server should point to the local DNS server as primary DNS and other remote DNS servers as secondary.
    2. Do not set a public DNS server in the TCP/IP settings of a client/member server.

    As Paul suggests, configure all DCs with the DNS/GC role if not configured.

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.


    Monday, August 20, 2012 7:40 PM
  • The program isn't. It speaks to a comm server that uses an AD account to speak to the SQL server. The DC is a global catalog server.
    Monday, August 20, 2012 8:06 PM
  • Well go through my blog if you still are unclear about weight and priority.  I would be curious about diagnostics:
    http://blogs.dirteam.com/blogs/paulbergson/archive/2009/01/26/troubleshooting-active-directory-issues.aspx

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://blogs.dirteam.com/blogs/paulbergson      Twitter @pbbergs

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Monday, August 20, 2012 9:14 PM
  • The program isn't. It speaks to a comm server that uses an AD account to speak to the SQL server. The DC is a global catalog server.

    Hi,

    As the application is running on SQL Server, could you please check whether there is any binding of the application/SQL database to the virtual DC name or IP address to perform queries?

    If everything is still fine and you want to modify weight and priority, you may refer to the articles in my earlier post.


    Best regards,

    Abhijit Waikar.
    MCSA | MCSA:Messaging | MCITP:SA | MCC:2012
    Blog: http://abhijitw.wordpress.com
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

    Monday, August 20, 2012 10:49 PM
  • The program isn't. It speaks to a comm server that uses an AD account to speak to the SQL server. The DC is a global catalog server.

    Personally, I haven't found any requirements as of yet where it is required to modify LdapSrv weight/priority. My only suggestion is to be cautious while doing it; by lowering the LdapSrv Weight/Priority, you are simply gonna load one of the DCs instead of distributing the load to all other DCs.

    http://blogs.dirteam.com/blogs/carlos/archive/2006/05/10/How-to-lessen-your-PDC_1920_s-load.aspx


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Tuesday, August 21, 2012 10:40 AM
  • Dear Ace Fekay, 

    I have created AD Sites and Services as below: Site = HQ/192.168.1.0/24 and Site = DR/192.168.2.0/24. After creating the sites, the client still queries the domain controller located at the DR site. Could you advise whether we should add the client subnet to the HQ site as well? Thanks.


    Sokneang SAM

    Wednesday, December 21, 2016 8:22 AM
  • Dear Ace Fekay, 

    I have created AD Sites and Services as below: Site = HQ/192.168.1.0/24 and Site = DR/192.168.2.0/24. After creating the sites, the client still queries the domain controller located at the DR site. Could you advise whether we should add the client subnet to the HQ site as well? Thanks.


    Sokneang SAM

    If you see the image above, the client will still try to bind to all DCs in steps 2 & 6.

    If that's a DR site, I recommend the DCs in DR not be GCs.

    In the client, what does set L show?


    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Wednesday, December 21, 2016 4:08 PM
  • In addition, can you post an ipconfig /all of a DC in both sites and of the client, please?

    This will help to identify if there are any issues on the client side.

    Thanks


    Ace Fekay, MVP Ent Mobility, Microsoft Cert Trainer, MCSE 2012/2008 R2, Ex 2013/2010/2007/2003/2000. This post is provided AS-IS with no warranties or guarantees and confers no rights.

    Thursday, December 22, 2016 5:22 AM
  • Dear Sir, I have followed your instructions in the forum and tested in our lab; it seems to be working by site with the client subnet mapped to HQ. We have adjusted the priority for the DC located at DR higher than HQ. As in the previous installation we made the DC at DR a GC and it is live in production, we are not able to remove it from GC yet.


    Sokneang SAM

    Thursday, December 22, 2016 2:38 PM
  • Dear Ace Fekay, 

    I have created AD Sites and Services as below: Site = HQ/192.168.1.0/24 and Site = DR/192.168.2.0/24. After creating the sites, the client still queries the domain controller located at the DR site. Could you advise whether we should add the client subnet to the HQ site as well? Thanks.


    Sokneang SAM

    If you see the image above, the client will still try to bind to all DCs in steps 2 & 6.

    If that's a DR site, I recommend the DCs in DR not be GCs.

    In the client, what does set L show?


    Microsoft recommends ALL DCs in a single domain forest be GCs. The reason I would want to prefer one DC over another in priority is that anytime our Exchange server, which is also a DC, becomes the logonserver, things start getting a little dicey. I'm sure there is a problem somewhere, but nothing is showing up anywhere. Replication is fine, no log entries indicate anything is going wrong. But AD integrated software will begin to disconnect if the server is using the Exchange DC as the logonserver. All problems go away when I force them to use the primary DC. I can troubleshoot later, but for now I need to ensure reliable authentication, and the easiest way to do that is to make the primary DC the priority one.

    But to all those who reply, "Why would you do that?" Let me play that same game. Why would Microsoft put the ability to change the weight and priority of a DC if it was a bad or unrecommended practice?


    • Edited by Bob Sneidar Thursday, December 21, 2017 3:46 PM
    Thursday, December 21, 2017 3:46 PM
  • Dear Ace Fekay, 

    I have created AD Sites and Services as below: Site = HQ/192.168.1.0/24 and Site = DR/192.168.2.0/24. After creating the sites, the client still queries the domain controller located at the DR site. Could you advise whether we should add the client subnet to the HQ site as well? Thanks.


    Sokneang SAM

    If you see the image above, the client will still try to bind to all DCs in steps 2 & 6.

    If that's a DR site, I recommend the DCs in DR not be GCs.

    In the client, what does set L show?


    Microsoft recommends ALL DCs in a single domain forest be GCs. The reason I would want to prefer one DC over another in priority is that anytime our Exchange server, which is also a DC, becomes the logonserver, things start getting a little dicey. I'm sure there is a problem somewhere, but nothing is showing up anywhere. Replication is fine, no log entries indicate anything is going wrong. But AD integrated software will begin to disconnect if the server is using the Exchange DC as the logonserver. All problems go away when I force them to use the primary DC. I can troubleshoot later, but for now I need to ensure reliable authentication, and the easiest way to do that is to make the primary DC the priority one.

    But to all those who reply, "Why would you do that?" Let me play that same game. Why would Microsoft put the ability to change the weight and priority of a DC if it was a bad or unrecommended practice?


    Bob,

    It's not that it's a good or bad practice to put Exchange on a DC, it's just not recommended because of various complications. And what were to happen if the DC were to fail, you can't even demote it, because Exchange is installed on it. As a matter of fact, I have a blog that explains the whole problem with Exchange on a DC.

    As far as what you're seeing, and about all DCs in a single domain forest, yes that's correct, but you're trying to push the envelope because you got Exchange on that DC and you expect that Exchange server to use itself. It doesn't work that way, just because it's installed on it. It still follows the DC locator service. Just as a DC will follow the DC locator service to find itself. My suggestions are to install Exchange on a member server, then move all the mailboxes over to the new Exchange server, then uninstall Exchange off the DC, then you can make it work.


    Ace Fekay
    MVP, MCT, MCSE, 2016/2012/2008/2003/2000/NT4, Exchange 2016/2013/2010/2007/2003/2000/5.5
    Microsoft Certified Trainer
    Microsoft MVP: Enterprise Mobility
    Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.



    Saturday, December 23, 2017 7:16 PM