
AD Site SRV records on DNS don't seem to be refreshing


  • AD Site SRV records on DNS don't seem to be refreshing

    Hi all,

    To carry out one request we recently set up a new site on the AD (let's call it Site X). Even though there is no local DC at this new site, we had to set it up because we had to deploy a site-specific group policy. With this arrangement the GPO seems to be getting applied correctly on the clients on site, but we have an issue with the DC locator service. Initially, in the absence of a local DC, we had not set up a site link involving this site, so the local clients were referring to the central datacenter DCs (let's call it Site A), but as it turned out, this default link is not the fastest one. Hence we created a new site link yesterday between this new site X and another slightly closer site (let's call it Site B, which has many DCs), with a random cost of 200 and replication interval of 60 minutes.

    The problem is that even after 24 hours I can see that the clients on site X are still referring to the datacenter DCs (Site A), whereas I would have expected them to talk to Site B DCs now that it is part of an explicit site link. I did some further digging on the DNS SRV records and it looks like the site-specific available-DC listing (for site X) is still pointing to site A DCs, which is what I think is causing the clients to talk to the distant DCs.

    So, I wanted to know what might be going on here. How do I make sure the DNS SRV records for Site X get refreshed with Site B DC's?

    Thanks in advance,

  • #2
    Re: AD Site SRV records on DNS don't seem to be refreshing

    The default Cost is 100. You've given site X a higher cost than site A. I would expect domain clients to use the DC in the site with the lowest site link cost. Try setting the cost in site X to 50 and see if that resolves the problem.


    • #3
      Re: AD Site SRV records on DNS don't seem to be refreshing

      I'm not very confident about leaving an AD site empty, especially only for GPO stuff. (There is maybe another way to filter on the target clients, GPP with subnetting?)

      You need to attach the subnet of this site (clients from site X) to the site (site B) you really want these clients to authenticate against. You force authentication of the site with the subnet.
      But then, your way of doing "GPO for a specific site" will not work, since the subnet is attached to site X. I can bet that the GPO will not work if the subnet is attached to "site B".

      Links (and their costs) have nothing to do with authentication at all; even if you put a low or a high cost, it affects only how DCs will replicate across the affected sites.

      If attaching the subnet to site B is not an option for you, you should try changing (or creating) SRV records in the DNS sub-section of your site X.
      Then you can choose manually where the default DCs are located for this site. Since you never had a DC in this site, the sub-section on the DNS part may not have been created and populated with SRV records; you need to create it manually.

      SRV weight is a second option; mnemonics records are another way to modify DClocator behavior as well.

      Last edited by Mazette; 13th October 2014, 13:05.


      • #4
        Re: AD Site SRV records on DNS don't seem to be refreshing

        I agree with Joeqwerty, change the cost to something low between the site with no DC and the site you want the clients to use for auth. The Automatic Site Coverage is calculated based on the site-link costs.

        More info:

        Also make sure you've configured the subnets for the site.

        Network Consultant/Engineer
        Baltimore - Washington area and beyond
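
To see which DCs are actually registered for a site that has no DC of its own, the site-specific SRV records discussed in this thread can be resolved and each target matched to the AD site where that DC really lives. The following is an added example, not posted by anyone in the thread; the function name `Get-SiteCoverage`, the site name `SiteX` and the domain `corp.example.com` are placeholders, and it assumes the ActiveDirectory and DnsClient PowerShell modules are available.

```powershell
# Added example: Get-SiteCoverage, 'SiteX' and 'corp.example.com' are hypothetical names.
# Requires the ActiveDirectory (RSAT) and DnsClient modules.
function Get-SiteCoverage {
    param(
        [Parameter(Mandatory)] [string] $SiteName,
        [Parameter(Mandatory)] [string] $DnsDomain
    )

    # Site-specific DC locator record that clients in $SiteName query first.
    $srvName = "_ldap._tcp.${SiteName}._sites.dc._msdcs.${DnsDomain}"

    # Map every DC's FQDN to the AD site it is actually placed in.
    $dcSite = @{}
    Get-ADDomainController -Filter * -Server $DnsDomain | ForEach-Object {
        $dcSite[$_.HostName.ToLower()] = $_.Site
    }

    # Resolve the SRV set; keep only SRV answers (drop additional A/AAAA records).
    $records = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' }

    if (-not $records) {
        # An empty result means no DC has registered coverage for this site,
        # so clients fall back to the domain-wide records.
        Write-Warning "No SRV records found at $srvName"
        return
    }

    foreach ($r in $records) {
        $target = $r.NameTarget.TrimEnd('.').ToLower()
        [pscustomobject]@{
            SrvName  = $srvName
            Target   = $target
            DcSite   = if ($dcSite.ContainsKey($target)) { $dcSite[$target] } else { 'unknown' }
            Priority = $r.Priority
            Weight   = $r.Weight
        }
    }
}

# Show which site's DCs are covering the DC-less site.
Get-SiteCoverage -SiteName 'SiteX' -DnsDomain 'corp.example.com' |
    Sort-Object DcSite, Target | Format-Table -AutoSize
```

On a client in the affected subnet, `nltest /dsgetsite` and `nltest /dsgetdc:corp.example.com /force` show the site the client believes it is in and the DC the locator picks.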