There is a typo in the Windows Server 2003 Active Directory Branch Office Guide that has affected some customers. The typo appears in the section of the guide that explains the mnemonics of DC Locator DNS Records that should not be registered by the DCs in branch offices. Specifically, this section:
"The domain controllers of the branch domain, except the domain controllers in the data center site, must not register specific records. To ensure that these registrations do not occur, it is essential to create a new Group Policy object and a new global security group to set a special configuration for only the domain controllers in the branches. The following steps are necessary:
- Create a new global group named Hub-DCs.
- Place all domain controllers from the Data-Center-Site in this group.
- Create a new Group Policy object in the Domain Controllers OU named: BranchOfficeGPO.
- Modify the security of this policy object so that the Hub-DCs are denied permission to apply the policy, but have read access to the object.
- Set the values of the following Group Policies:
  - Computer Configuration/ Administrative Templates/ System/ NetLogon/ DC Locator DNS Record/ DC Locator DNS Records not registered by the DCs/ VALUE: ENABLED/ Mnemonics: LdapIpAddress Ldap Gc GcIPAddress Kdc domain controller Rfc1510Kdc Rfc1510Kpwd Rfc1510UdpKdc Rfc1510UdpKpwd GenericGc
  - Computer Configuration/ Administrative Templates/ System/ NetLogon/ DC Locator DNS Record/ Refresh Interval of the domain controller Locator DNS Records/ VALUE: 86400
This setting suppresses the branch office domain controller’s ability to communicate with the data center site domain controllers."
In the above list of mnemonics, the entry “domain controller” (the one between Kdc and Rfc1510Kdc, highlighted in the original guide) should actually read “dc”.
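As an added check, not part of the guide or the blog post, the following PowerShell run on a branch DC reads the effective DnsAvoidRegisterRecords setting and reports mnemonics from the corrected list that are absent, plus any tokens outside that list; the typo shows up as two stray tokens, "domain" and "controller", with "Dc" left unsuppressed. The registry locations are assumptions about where the policy and the manual setting land, and the expected list is the guide's branch-office list with "dc" substituted.

```powershell
# Added example, not from the Branch Office Guide: audit a branch DC's
# "DC Locator DNS Records not registered by the DCs" list against the
# corrected mnemonics. Registry paths below are assumptions, not from the guide.

# Corrected branch-office list from the guide ("dc" in place of "domain controller").
$ExpectedBranchMnemonics = @(
    'LdapIpAddress', 'Ldap', 'Gc', 'GcIpAddress', 'Kdc', 'Dc',
    'Rfc1510Kdc', 'Rfc1510Kpwd', 'Rfc1510UdpKdc', 'Rfc1510UdpKpwd', 'GenericGc'
)

# Assumed: the GPO writes a space-separated REG_SZ under Policies; a manually
# set REG_MULTI_SZ under the Netlogon service key is the non-policy fallback.
$RegistryPaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Netlogon\Parameters',
    'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
)

function Get-DnsAvoidRegisterTokens {
    foreach ($path in $RegistryPaths) {
        $item = Get-ItemProperty -Path $path -Name 'DnsAvoidRegisterRecords' -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            # REG_MULTI_SZ arrives as string[], REG_SZ as one string; normalise both to tokens.
            $joined = @($item.DnsAvoidRegisterRecords) -join ' '
            return @($joined -split '\s+' | Where-Object { $_ -ne '' })
        }
    }
    return @()
}

$tokens = Get-DnsAvoidRegisterTokens
if ($tokens.Count -eq 0) {
    Write-Warning 'DnsAvoidRegisterRecords is not set: this DC registers every DC Locator record.'
}

# PowerShell -contains is case-insensitive, so "dc" and "Dc" compare equal.
$missing = $ExpectedBranchMnemonics | Where-Object { $tokens -notcontains $_ }
$extra   = $tokens | Where-Object { $ExpectedBranchMnemonics -notcontains $_ }

foreach ($m in $missing) {
    Write-Warning "'$m' is not suppressed; this branch DC still registers those records."
}
foreach ($e in $extra) {
    # With the typo, 'domain' and 'controller' appear here and Netlogon ignores them.
    Write-Warning "'$e' is not in the guide's branch list; confirm it is a valid mnemonic."
}
if (-not $missing -and -not $extra) {
    'Branch DC suppression list matches the corrected guide.'
}
```

Run it as an administrator on each branch DC after the GPO has refreshed; a warning that "Dc" is not suppressed is the direct symptom of the typo.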
Unfortunately, the docs for the Windows Server 2003 Branch Office Guide are packaged as an .exe file. The .exe file was built and signed by Active Directory test team resources, and they can’t devote resources to repackage that .exe file today because they are heads down on work for upcoming products. So I am posting this correction on our AD doc team blog instead to help create awareness.
If you are deploying writable domain controllers to branch offices, the Windows Server 2003 Branch Office Guide is the best Microsoft resource. But if you are deploying read-only domain controllers, use the Read-Only Domain Controller Branch Office Guide.
Thanks to Mat W at Microsoft for the correction.