If you have a domain controller that you wish to reduce the number of client authentication requests that are processed then by adjusting the the servers weight or priority you can either:
Reduce the number of client authentication requests received by adjusting the domain controller’s DNS weight record or to ensure that the domain controller does not receive any client authentication requests, adjust the domain controller’s DNS priority record.
Reduce the number of client authentication requests
Active Directory assigns a default value of 100 for the weight.
By adding or adjusting a registry record for the weight with a decreased value of 50, you can proportionately reduce the number of client authentication requests that are sent to the domain controller.
Using Regedit
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Create a new DWORD value LdapSrvWeight
in the DWORD Value dialog box, select Decimal as the Base option.
Enter a value between 0 and 65535 (the recommended value is 50)
Close Regedit
Restart the NetLogon Service
Ensure that the Domain controller does not receive any client authentication requests
Active Directory assigns a default value of 0 for the priority.
By adding or adjusting a registry record for the priority and assigning it an increased value of 200, it will ensure that the domain controller will never receive client authentication requests unless it is the only accessible domain controller. The lower the value entered for LdapSrvPriority indicates a higher utilisation priority.
A domain controller with an LdapSrvPriority setting of 100 has a lower priority than a domain controller with a setting of 10; which means clients attempt to use the domain controller with the setting of 10 first.
Using Regedit
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Create a new DWORD value. LdapSrvPriority
in the DWORD Value dialog box, select Decimal as the Base option.
Enter a value between 0 and 65535 (the recommended value is 200)
Close Regedit
Restart the NetLogon Service
Why can’t this be done by directly editing the DNS records themselves?
This can be done directly but the server when it refreshes it’s DNS records would register the defaults again of: Priority 0 and Weight 100.
I changed directly via DNS (SRV) record, I changed the wt from default 100 to 80. Now I cannot change it back. Its AD integrated zone. What is the problem?
you should be able to change it back, unless the record was locked. Is this fixed now?
Mark
an additional way to control this access is to put the domain controllers into their own site with a /32 mask. This ensures that only that IP address authenticates against that server. If all the other servers fail, these servers will still answer.