Node: COMPUTER
Policy Path: Administrative Templates\System\Net Logon
Full Policy Name: Positive Periodic DC Cache Refresh for Non-Background Callers
Supported on: At least Microsoft Windows XP Professional or Windows Server 2003 family
Help/Explain Text: Determines when a successful DC cache entry is refreshed. This setting applies to caller programs that do not periodically attempt to locate DCs, and it is applied before the DC information is returned to the caller program. It is relevant only to those callers of DsGetDcName that have not specified the DS_BACKGROUND_ONLY flag. The value is in seconds. The default is 30 minutes (1800). The maximum value is 4294967200, while the largest value that is not treated as infinity is 49 days (4294967); any larger value is treated as infinity (the entry is never refreshed). The minimum value is 0, which means always refresh.
Node: COMPUTER
Policy Path: Administrative Templates\System\Net Logon
Full Policy Name: Scavenge Interval
Supported on: At least Microsoft Windows XP Professional or Windows Server 2003 family
Help/Explain Text: Determines the interval at which Netlogon performs the following scavenging operations:
- Checks whether the password on a secure channel needs to be changed, and changes it if necessary.
- On domain controllers (DCs), discovers a DC that has not yet been discovered.
- On the PDC, attempts to add the <DomainName>[1B] NetBIOS name if it has not already been added successfully.
None of these operations is critical. 15 minutes is optimal in all but extreme cases. For instance, if a DC is separated from a trusted domain by an expensive (e.g., ISDN) line, this parameter might be adjusted upward to avoid frequent automatic discovery of DCs in the trusted domain. To enable the setting, click Enabled, and then specify the interval in seconds.
Node: COMPUTER
Policy Path: Administrative Templates\System\Net Logon
Full Policy Name: Site Name
Supported on: At least Microsoft Windows XP Professional or Windows Server 2003 family
Help/Explain Text: Specifies the Active Directory site to which computers belong. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. To specify the site name for this setting, click Enabled, and then enter the site name. When the site to which a computer belongs is not specified, the computer automatically discovers its site from Active Directory. If this setting is not configured, it is not applied to any computers, and computers use their local configuration.
Active Directory Training Seminar: Group Policy Administrator Reference
Node
Policy Path
Full Policy Name
Supported on
Help/Explain Text
Node: COMPUTER
Policy Path: Administrative Templates\System\Net Logon
Full Policy Name: Sysvol share compatibility
Supported on: At least Microsoft Windows Server 2003
Help/Explain Text: This setting controls whether the Sysvol share created by the Net Logon service on a domain controller (DC) supports compatibility in file sharing semantics with earlier applications. When this setting is enabled, the Sysvol share honors file sharing semantics that grant requests for exclusive read access to files on the share even when the caller has only read permission. When this setting is disabled or not configured, the Sysvol share grants shared read access to files on the share when exclusive access is requested and the caller has only read permission. By default, the Sysvol share grants shared read access to files on the share when exclusive access is requested. Note: The Sysvol share is created by the Net Logon service for use by Group Policy clients in the domain. The default behavior of the Sysvol share ensures that no application with only read permission to files on the Sysvol share can lock those files by requesting exclusive read access, which might prevent Group Policy settings from being updated on clients in the domain. When this setting is enabled, an application that relies on the ability to lock files on the Sysvol share with only read permission can deny Group Policy clients access to the files, and in general the availability of the Sysvol share in the domain is reduced. Because Authenticated Users hold read access to Sysvol by default, enabling this setting gives any domain account the ability to block policy application; if it is enabled, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those approved by the administrator.
Node: COMPUTER
Policy Path: Administrative Templates\System\Net Logon\DC Locator DNS Records
Full Policy Name: Location of the DCs hosting a domain with single label DNS name
Supported on: At least Microsoft Windows XP Professional or Windows Server 2003 family
Help/Explain Text: Specifies whether the computers to which this setting is applied attempt DNS name resolution of single-label domain names. By default, when a computer (more precisely, the DC Locator running on it) needs to locate a domain controller hosting an Active Directory domain specified with a single-label name, it uses NetBIOS name resolution exclusively and not DNS name resolution, unless the computer is joined to an Active Directory forest in which at least one domain has a single-label DNS name. If this setting is enabled, computers to which it is applied attempt to locate a domain controller for a single-label domain name using DNS name resolution. If this setting is disabled, computers to which it is applied locate a domain controller for a single-label domain name using NetBIOS name resolution only, unless the computer is searching for a domain with a single-label DNS name that exists in the Active Directory forest to which it is joined. If this setting is not configured, it is not applied to any computers, and computers use their local configuration.
Node: COMPUTER
Policy Path: Administrative Templates\System\Net Logon\DC Locator DNS Records
Full Policy Name: Automated Site Coverage by the DC Locator DNS SRV Records
Supported on: At least Microsoft Windows XP Professional or Windows Server 2003 family
Help/Explain Text: Determines whether domain controllers (DCs) dynamically register DC Locator site-specific SRV records for the closest sites where no DC for the same domain exists (or no Global Catalog for the same forest exists). These DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC. If this setting is enabled, the DCs to which it is applied dynamically register DC Locator site-specific DNS SRV records for the closest sites where no DC for the same domain, or no Global Catalog for the same forest, exists. If you disable this setting, the DCs do not register site-specific DC Locator DNS SRV records for any sites but their own. If this setting is not configured, it is not applied to any DCs, and DCs use their local configuration.
Node: COMPUTER
Policy Path: Administrative Templates\System\Net Logon\DC Locator DNS Records
Full Policy Name: DC Locator DNS records not registered by the DCs
Supported on: At least Microsoft Windows XP Professional or Windows Server 2003 family
Help/Explain Text: Determines which Domain Controller (DC) Locator DNS records are not registered by the Netlogon service. To enable this setting, select Enabled and specify a space-delimited list of mnemonics for the DC Locator DNS records that will not be registered by the DCs to which this setting is applied. Select the mnemonics from the following list:

Mnemonic            Type   DNS Record
LdapIpAddress       A      <DnsDomainName>
Ldap                SRV    _ldap._tcp.<DnsDomainName>
LdapAtSite          SRV    _ldap._tcp.<SiteName>._sites.<DnsDomainName>
Pdc                 SRV    _ldap._tcp.pdc._msdcs.<DnsDomainName>
Gc                  SRV    _ldap._tcp.gc._msdcs.<DnsForestName>
GcAtSite            SRV    _ldap._tcp.<SiteName>._sites.gc._msdcs.<DnsForestName>
DcByGuid            SRV    _ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName>
GcIpAddress         A      gc._msdcs.<DnsForestName>
DsaCname            CNAME  <DsaGuid>._msdcs.<DnsForestName>
Kdc                 SRV    _kerberos._tcp.dc._msdcs.<DnsDomainName>
KdcAtSite           SRV    _kerberos._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName>
Dc                  SRV    _ldap._tcp.dc._msdcs.<DnsDomainName>
DcAtSite            SRV    _ldap._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName>
Rfc1510Kdc          SRV    _kerberos._tcp.<DnsDomainName>
Rfc1510KdcAtSite    SRV    _kerberos._tcp.<SiteName>._sites.<DnsDomainName>
GenericGc           SRV    _gc._tcp.<DnsForestName>
GenericGcAtSite     SRV    _gc._tcp.<SiteName>._sites.<DnsForestName>
Rfc1510UdpKdc       SRV    _kerberos._udp.<DnsDomainName>
Rfc1510Kpwd         SRV    _kpasswd._tcp.<DnsDomainName>
Rfc1510UdpKpwd      SRV    _kpasswd._udp.<DnsDomainName>

Note that the GcIpAddress A record is registered as gc._msdcs.<DnsForestName> (no leading underscore) and that KdcAtSite uses the same <SiteName>._sites.dc._msdcs layout as DcAtSite; some copies of the help text print these two names differently. If this setting is disabled, DCs configured to perform dynamic registration of DC Locator DNS records register all DC Locator DNS resource records. If this setting is not configured, it is not applied to any DCs, and DCs use their local configuration.
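The Python helper below is an added example, not part of this reference and not a Microsoft tool. It expands the mnemonics above into the concrete owner names a DC registers for a given domain, forest and site, validates a space-delimited policy value (rejecting typos instead of silently ignoring them), and lists what a DC still registers once the value is applied. The domain names, site name and GUIDs in it are constructed sample values, and the decision to keep Pdc, DcByGuid and DsaCname out of the "generic" set is the example's own assumption.

```python
"""Expand DC Locator DNS mnemonics and audit a DnsAvoidRegisterRecords value.

Added example: the table mirrors the policy help text; the sample environment
at the bottom is constructed, not taken from a real forest.
"""
from __future__ import annotations

# Mnemonic -> (record type, owner-name template). Placeholders match the help
# text; DomainGuid and DsaGuid are written without braces, as they appear in
# DNS. The GC A record is gc._msdcs.<forest> with no leading underscore, and
# KdcAtSite follows the same <site>._sites.dc._msdcs layout as DcAtSite.
DC_LOCATOR_RECORDS: dict[str, tuple[str, str]] = {
    "LdapIpAddress":    ("A",     "{DnsDomainName}"),
    "Ldap":             ("SRV",   "_ldap._tcp.{DnsDomainName}"),
    "LdapAtSite":       ("SRV",   "_ldap._tcp.{SiteName}._sites.{DnsDomainName}"),
    "Pdc":              ("SRV",   "_ldap._tcp.pdc._msdcs.{DnsDomainName}"),
    "Gc":               ("SRV",   "_ldap._tcp.gc._msdcs.{DnsForestName}"),
    "GcAtSite":         ("SRV",   "_ldap._tcp.{SiteName}._sites.gc._msdcs.{DnsForestName}"),
    "DcByGuid":         ("SRV",   "_ldap._tcp.{DomainGuid}.domains._msdcs.{DnsForestName}"),
    "GcIpAddress":      ("A",     "gc._msdcs.{DnsForestName}"),
    "DsaCname":         ("CNAME", "{DsaGuid}._msdcs.{DnsForestName}"),
    "Kdc":              ("SRV",   "_kerberos._tcp.dc._msdcs.{DnsDomainName}"),
    "KdcAtSite":        ("SRV",   "_kerberos._tcp.{SiteName}._sites.dc._msdcs.{DnsDomainName}"),
    "Dc":               ("SRV",   "_ldap._tcp.dc._msdcs.{DnsDomainName}"),
    "DcAtSite":         ("SRV",   "_ldap._tcp.{SiteName}._sites.dc._msdcs.{DnsDomainName}"),
    "Rfc1510Kdc":       ("SRV",   "_kerberos._tcp.{DnsDomainName}"),
    "Rfc1510KdcAtSite": ("SRV",   "_kerberos._tcp.{SiteName}._sites.{DnsDomainName}"),
    "GenericGc":        ("SRV",   "_gc._tcp.{DnsForestName}"),
    "GenericGcAtSite":  ("SRV",   "_gc._tcp.{SiteName}._sites.{DnsForestName}"),
    "Rfc1510UdpKdc":    ("SRV",   "_kerberos._udp.{DnsDomainName}"),
    "Rfc1510Kpwd":      ("SRV",   "_kpasswd._tcp.{DnsDomainName}"),
    "Rfc1510UdpKpwd":   ("SRV",   "_kpasswd._udp.{DnsDomainName}"),
}

# Records that name a role or one specific DC. Keeping them registered even on
# a DC hidden from out-of-site clients is this example's assumption, because
# replication partners and PDC lookups depend on them.
ROLE_RECORDS = frozenset({"Pdc", "DcByGuid", "DsaCname"})

_CANONICAL = {name.lower(): name for name in DC_LOCATOR_RECORDS}


def parse_avoid_list(value: str) -> tuple[list[str], list[str]]:
    """Split a space-delimited policy value into (known, unknown) mnemonics.

    Duplicates are dropped. Case-insensitive matching is this helper's choice
    for auditing hand-typed values; write the canonical spelling in the policy.
    """
    known: list[str] = []
    unknown: list[str] = []
    for token in value.split():
        name = _CANONICAL.get(token.lower())
        if name is None:
            unknown.append(token)
        elif name not in known:
            known.append(name)
    return known, unknown


def expand(mnemonics: list[str], env: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (mnemonic, type, owner name) for each mnemonic.

    env must supply DnsDomainName, DnsForestName, SiteName, DomainGuid, DsaGuid.
    """
    result = []
    for name in mnemonics:
        rtype, template = DC_LOCATOR_RECORDS[name]
        result.append((name, rtype, template.format(**env)))
    return result


def records_still_registered(avoid_value: str, env: dict[str, str]) -> list[tuple[str, str, str]]:
    """Records a DC keeps registering once the policy value is applied.

    Raises ValueError on an unknown mnemonic instead of ignoring it, so a typo
    in the policy cannot silently leave a record registered.
    """
    avoid, unknown = parse_avoid_list(avoid_value)
    if unknown:
        raise ValueError("unknown mnemonics: " + " ".join(unknown))
    return expand([m for m in DC_LOCATOR_RECORDS if m not in avoid], env)


def generic_mnemonics() -> list[str]:
    """Mnemonics of records that are neither site-specific nor role records.

    This is the set typically withheld from a branch-office DC so that clients
    in other sites, which query the non-site records, do not select it.
    """
    return [name for name, (_, template) in DC_LOCATOR_RECORDS.items()
            if "{SiteName}" not in template and name not in ROLE_RECORDS]


# Constructed sample environment (not a real forest).
SAMPLE_ENV = {
    "DnsDomainName": "corp.example.com",
    "DnsForestName": "example.com",
    "SiteName": "Branch01",
    "DomainGuid": "4b9a7e52-3c1d-4f6e-9a2b-7d8c0e1f2a3b",
    "DsaGuid": "d2f6a1c4-8e3b-4a9d-b5c7-1e0f2a3b4c5d",
}

if __name__ == "__main__":
    policy_value = " ".join(generic_mnemonics())
    print("DnsAvoidRegisterRecords =", policy_value)
    print("Records this DC still registers (query each with nslookup or Resolve-DnsName):")
    for name, rtype, owner in records_still_registered(policy_value, SAMPLE_ENV):
        print(f"  {name:<18} {rtype:<5} {owner}")
```

Run as a script it prints the policy value for a branch-office DC and the nine records that DC continues to register; feeding each owner name to nslookup or Resolve-DnsName against the domain's DNS servers is the quickest way to confirm that the policy took effect and that no generic record still points at the DC.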
Node: COMPUTER
Policy Path: Administrative Templates\System\Net Logon\DC Locator DNS Records
Full Policy Name: Refresh Interval of the DC Locator DNS Records
Supported on: At least Microsoft Windows XP Professional or Windows Server 2003 family
Help/Explain Text: Specifies the Refresh Interval of the domain controller (DC) Locator DNS resource records for DCs to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used by the Locator algorithm to locate the DC. This setting may be applied only to DCs using dynamic update. DCs configured to perform dynamic registration of the DC Locator DNS resource records periodically reregister their records with DNS servers, even if their records' data has not changed. If authoritative DNS servers are configured to scavenge stale records, this reregistration is what tells those servers that the records are current and should be preserved in the database. Warning: If the DNS resource records are registered in zones with scavenging enabled, the value of this setting should never be longer than the Refresh Interval configured for those zones. Setting the Refresh Interval of the DC Locator DNS records to longer than the Refresh Interval of the DNS zones may result in the undesired deletion of DNS resource records, after which clients can no longer locate the DC. To specify the Refresh Interval of the DC records, click Enabled, and then enter a value larger than 1800. This value specifies the Refresh Interval of the DC records in seconds (for example, the value 3600 is 60 minutes). If this setting is not configured, it is not applied to any DCs, and DCs use their local configuration.
Node: COMPUTER
Policy Path: Administrative Templates\System\Net Logon\DC Locator DNS Records
Full Policy Name: TTL Set in the DC Locator DNS Records
Supported on: At least Microsoft Windows XP Professional or Windows Server 2003 family
Help/Explain Text: Specifies the value for the Time-To-Live (TTL) field in Net Logon registered SRV resource records. These DNS records are dynamically registered by the Net Logon service, and they are used to locate the domain controller (DC). To specify the TTL for DC Locator DNS records, click Enabled, and then enter a value in seconds (for example, the value 900 is 15 minutes). If this setting is not configured, it is not applied to any DCs, and DCs use their local configuration.
Node: COMPUTER
Policy Path: Administrative Templates\System\Net Logon\DC Locator DNS Records
Full Policy Name: Sites Covered by the GC Locator DNS SRV Records
Supported on: At least Microsoft Windows XP Professional or Windows Server 2003 family
Help/Explain Text: Specifies the sites for which global catalogs (GCs) should register site-specific GC Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the GC resides, and in addition to the records registered by a GC configured to register GC Locator DNS SRV records for the sites without a GC that are closest to it. The GC Locator DNS records and the site-specific SRV records are dynamically registered by the Net Logon service, and they are used to locate the GC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. A GC is a domain controller that contains a partial replica of every domain in Active Directory. To specify the sites covered by the GC Locator DNS SRV records, click Enabled, and enter the sites' names in a space-delimited format. If this setting is not configured, it is not applied to any GCs, and GCs use their local