New Active Directory Documents for IT Pros
There is a typo in the Windows Server 2003 Active Directory Branch Office Guide that has affected some customers. It appears in the section of the guide that lists the mnemonics for the DC Locator DNS records that domain controllers in branch offices should not register. Specifically, this section:
"The domain controllers of the branch domain, except the domain controllers in the data center site, must not register specific records. To ensure that these registrations do not occur, it is essential to create a new Group Policy object and a new global security group to set a special configuration for only the domain controllers in the branches. The following steps are necessary:
Computer Configuration/ Administrative Templates/ System/ NetLogon/ DC Locator DNS Record /DC Locator DNS Records not registered by the DCs/VALUE: ENABLED/Mnemonics: LdapIpAddress Ldap Gc GcIPAddress Kdc domain controller Rfc1510Kdc Rfc1510Kpwd Rfc1510UdpKdc Rfc1510UdpKpwd GenericGc
Computer Configuration/ Administrative Templates/ System/ NetLogon/ DC Locator DNS Record /Refresh Interval of the domain controller Locator DNS Records/ VALUE: 86400
This setting suppresses the branch office domain controller’s ability to communicate with the data center site domain controllers."
In the above list of mnemonics, the entry that reads “domain controller” (highlighted in the original post) should actually read “Dc”. Since “domain controller” is not a mnemonic that Netlogon recognizes, a policy copied from the printed list suppresses nothing for that entry, and the branch office domain controllers keep registering the domain-wide Dc record (_ldap._tcp.dc._msdcs.&lt;DnsDomainName&gt;), which is exactly the record the guide wants kept off them.
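The check below is an added example and is not code from the Branch Office Guide or the AD doc team. Run on a branch domain controller, it reads the mnemonic list that the “DC Locator DNS Records not registered by the DCs” policy writes, flags any entry Netlogon would not recognize (which is what the guide’s “domain controller” typo produces), flags any mnemonic from the corrected list that is absent (including DcByGuid), and then queries DNS to see whether this host is still a target of the domain-wide Dc SRV record. It assumes the policy lands in the registry as the REG_MULTI_SZ value DnsAvoidRegisterRecords and the REG_DWORD DnsRefreshInterval (seconds) under HKLM:\SOFTWARE\Policies\Microsoft\Netlogon\Parameters, and that Resolve-DnsName is available (Windows 8 / Server 2012 or later). The mnemonic-to-record table is taken from Netlogon’s documented mnemonic list; confirm it against the policy’s Explain text for your OS version.

```powershell
# Added example, not text from the Branch Office Guide or the AD doc team.
# Run on a branch domain controller (Windows 8 / Server 2012+ for Resolve-DnsName).
# Assumptions: the "DC Locator DNS Records not registered by the DCs" policy is
# stored as the REG_MULTI_SZ value DnsAvoidRegisterRecords and the refresh
# interval as the REG_DWORD DnsRefreshInterval (seconds) under
# HKLM:\SOFTWARE\Policies\Microsoft\Netlogon\Parameters.

# Mnemonics Netlogon recognizes, mapped to the record each one suppresses.
# <Dom> = DNS domain name, <Forest> = forest root, <Site> = site name.
$KnownMnemonics = @{
    'LdapIpAddress'    = '<Dom> (A)'
    'Ldap'             = '_ldap._tcp.<Dom>'
    'LdapAtSite'       = '_ldap._tcp.<Site>._sites.<Dom>'
    'Pdc'              = '_ldap._tcp.pdc._msdcs.<Dom>'
    'Gc'               = '_ldap._tcp.gc._msdcs.<Forest>'
    'GcAtSite'         = '_ldap._tcp.<Site>._sites.gc._msdcs.<Forest>'
    'DcByGuid'         = '_ldap._tcp.<DomainGuid>.domains._msdcs.<Forest>'
    'GcIpAddress'      = 'gc._msdcs.<Forest> (A)'
    'DsaCname'         = '<DsaGuid>._msdcs.<Forest> (CNAME)'
    'Kdc'              = '_kerberos._tcp.dc._msdcs.<Dom>'
    'KdcAtSite'        = '_kerberos._tcp.<Site>._sites.dc._msdcs.<Dom>'
    'Dc'               = '_ldap._tcp.dc._msdcs.<Dom>'
    'DcAtSite'         = '_ldap._tcp.<Site>._sites.dc._msdcs.<Dom>'
    'Rfc1510Kdc'       = '_kerberos._tcp.<Dom>'
    'Rfc1510KdcAtSite' = '_kerberos._tcp.<Site>._sites.<Dom>'
    'GenericGc'        = '_gc._tcp.<Forest>'
    'GenericGcAtSite'  = '_gc._tcp.<Site>._sites.<Forest>'
    'Rfc1510UdpKdc'    = '_kerberos._udp.<Dom>'
    'Rfc1510Kpwd'      = '_kpasswd._tcp.<Dom>'
    'Rfc1510UdpKpwd'   = '_kpasswd._udp.<Dom>'
}

function Test-DcLocatorSuppression {
    param(
        # The guide's corrected list for branch DCs: "Dc" rather than
        # "domain controller", and DcByGuid included.
        [string[]]$Required = @('LdapIpAddress','Ldap','Gc','GcIpAddress','Kdc','Dc',
                                'DcByGuid','Rfc1510Kdc','Rfc1510Kpwd','Rfc1510UdpKdc',
                                'Rfc1510UdpKpwd','GenericGc'),
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Netlogon\Parameters'
    )

    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if (-not $p -or -not $p.DnsAvoidRegisterRecords) {
        Write-Warning "DnsAvoidRegisterRecords is not set under $PolicyKey; every locator record is registered."
        return
    }
    # REG_MULTI_SZ arrives as string[]; drop blank entries. Hashtable keys and
    # -notcontains are case-insensitive, so 'dc' and 'Dc' both match.
    $configured = @($p.DnsAvoidRegisterRecords | ForEach-Object { $_.Trim() } | Where-Object { $_ })

    # An entry Netlogon does not recognize suppresses nothing. That is what the
    # guide's typo produces: "domain controller" is not a mnemonic, so the
    # branch DC keeps registering _ldap._tcp.dc._msdcs.<Dom>.
    $unrecognized = @($configured | Where-Object { -not $KnownMnemonics.ContainsKey($_) })
    $missing      = @($Required   | Where-Object { $configured -notcontains $_ })
    foreach ($m in $unrecognized) { Write-Warning "Unrecognized mnemonic '$m' (no record suppressed)" }
    foreach ($m in $missing)      { Write-Warning "Missing '$m': $($KnownMnemonics[$m]) is still registered" }

    # Check DNS for the record the typo leaves behind: is this host a target of
    # the domain-wide Dc SRV record? A hit may also be a stale record that
    # predates the policy; either way it needs attention.
    $dom  = (Get-CimInstance Win32_ComputerSystem).Domain
    $self = [System.Net.Dns]::GetHostName()
    $srv  = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$dom" -Type SRV -ErrorAction SilentlyContinue
    $stillListed = @($srv | Where-Object { $_.NameTarget -like "$self.*" } | ForEach-Object { $_.NameTarget })

    [pscustomobject]@{
        Configured          = $configured
        Unrecognized        = $unrecognized
        Missing             = $missing
        RefreshIntervalSecs = $p.DnsRefreshInterval   # the guide recommends 86400 (24 h)
        StillListedAsDc     = $stillListed
    }
}

Test-DcLocatorSuppression
```

A clean result has empty Unrecognized, Missing and StillListedAsDc lists. If you are deploying the policy through the Group Policy editor rather than checking an existing DC, the same mnemonic table tells you which record each entry in the list actually controls, so a misspelled entry is caught before the GPO links to the branch OU.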
Unfortunately, the docs for the Windows Server 2003 Branch Office Guide are packaged as an .exe file. The .exe file was built and signed by Active Directory test team resources, and they can’t devote resources to repackage that .exe file today because they are heads down on work for upcoming products. So I am posting this correction on our AD doc team blog instead to help create awareness.
If you are deploying writable domain controllers to branch offices, the Windows Server 2003 Branch Office Guide is the best Microsoft resource. But if you are deploying read-only domain controllers, use the Read-Only Domain Controller Branch Office Guide.
Thanks to Mat W at Microsoft for the correction.
Just an elaboration on the above, which might help some:
In the 04_Plan_DNS.doc, which is part of the Branch Office guide, the following is listed on page 4-16:
• Mnemonics to select: LdapIpAddress Ldap Gc GcIPAddress Kdc Dc DcByGuid Rfc1510Kdc Rfc1510Kpwd Rfc1510UdpKdc Rfc1510UdpKpwd GenericGc
However, on page 4-23, the following is listed:
Note here that, in addition to the Dc mnemonic being listed as “domain controller”, DcByGuid is missing from the second list entirely. This mnemonic should also be part of the mnemonics not registered, as noted on page 4-17.