If you have a domain controller that you wish to reduce the number of client authentication requests that are processed then by adjusting the the servers weight or priority you can either:

Reduce the number of client authentication requests received by adjusting the domain controller’s DNS weight record  or to ensure that the domain controller does not receive any client authentication requests, adjust the domain controller’s DNS priority record.

Reduce the number of client authentication requests

Active Directory assigns a default value of 100 for the weight.

By adding or adjusting a registry record for the weight with a decreased value of 50, you can proportionately reduce the number of client authentication requests that are sent to the domain controller.

Using Regedit

Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Create a new DWORD value  LdapSrvWeight

in the DWORD Value dialog box, select Decimal as the Base option.

Enter a value between 0 and 65535 (the recommended value is 50)

Close Regedit

Restart the NetLogon Service

Ensure that the Domain controller does not receive any client authentication requests

Active Directory assigns a default value of 0 for the priority.

By adding or adjusting a registry record for the priority and assigning it an increased value of 200, it will ensure that the domain controller will never receive client authentication requests unless it is the only accessible domain controller.   The lower the value entered for LdapSrvPriority indicates a higher utilisation priority.
A domain controller with an LdapSrvPriority setting of 100 has a lower priority than a domain controller with a setting of 10; which means clients attempt to use the domain controller with the setting of 10 first.

Using Regedit

Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Create a new DWORD value. LdapSrvPriority

in the DWORD Value dialog box, select Decimal as the Base option.

Enter a value between 0 and 65535 (the recommended value is 200)

Close Regedit

Restart the NetLogon Service

Posted by markparris

Microsoft MVP - Enterprise mobility.

All Posts Website

7 Comments

  1. Fred Woodbridge March 4, 2010 at 5:06 pm

    Why can’t this be done by directly editing the DNS records themselves?

    Reply

    1. markparris March 5, 2010 at 11:08 am

      This can be done directly but the server when it refreshes it’s DNS records would register the defaults again of: Priority 0 and Weight 100.

      Reply

  2. That’s A Load Off! March 4, 2010 at 7:27 pm

    […] Parris (Microsoft MVP) has a post about reducing client authentication loads on a […]

    Reply

  4. Ravi Tandukar April 4, 2012 at 12:48 am

    I changed directly via DNS (SRV) record, I changed the wt from default 100 to 80. Now I cannot change it back. Its AD integrated zone. What is the problem?

    Reply

    1. markparris April 7, 2012 at 10:51 pm

      you should be able to change it back, unless the record was locked. Is this fixed now?

      Mark

      Reply

  5. Dan Salmon August 28, 2012 at 6:11 pm

    an additional way to control this access is to put the domain controllers into their own site with a /32 mask. This ensures that only that IP address authenticates against that server. If all the other servers fail, these servers will still answer.

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Cancel

Connecting to %s