SRV Records and Active Directory, Part III

In recent posts I’ve written about the SRV resource records in DNS and how they provide location information for domain controllers and global catalog servers. In addition, SRV records point to the one server in each domain that acts as the PDC emulator. The format for this resource record is as follows: _ldap._tcp.pdc._msdcs.DNSDomainName …which contains the address of the PDC emulator for the domain DNSDomainName. This record is registered by the PDC emulator. The PDC emulator is one of the Flexible Single Master Operations (FSMO) roles – in fact, the only such role that gets registered in DNS – and it turns out to have significance well beyond what its name would indicate. (The “PDC emulation” function simply means that this domain controller can “pretend” to be an NT-style primary domain controller, for purposes of providing domain information to any NT backup domain controller [BDC] or pre-Active-Directory client that might be running on the network.) The PDC emulator receives data on password changes on a preferential basis to other domain controllers. It also acts as the time server for other domain controllers in the same domain. Because the PDC emulator is typically the busiest of the five FSMO roles, it might be a good idea to ease its workload a little when it comes to normal DC authentication chores. We do this by changing the “weight” of the PDC emulator’s SRV record in DNS. The default weight is 100, so by specifying a lower number we proportionally reduce the likelihood that DNS will refer any given client to the PDC emulator. Make the change in the PDC emulator’s registry; the location is HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters and the value is LdapSrvWeight, of type DWORD. (If you’re not comfortable editing the Registry, get someone else to help you out, because mistakes can be very inconvenient!)