Infralin's (not so) Frequently Asked Questions on Active Directory

© Gijsbert van der Linden ()
   
Infralin Consultancy (http://www.infralin.com)
    Last updated: 18-12-2007

The findings included in this document are based on Windows 2003

When do Kerberos sessions failover to another DC?

Once a Kerberos session is created from a member server with a DC and that DC fails, Windows keeps on trying to use this session for about 2 minutes, terminates this session with an error message in the system event log and sets up a new session with another DC, in the same Site if available or with a DC in a random other Site.

 If the DNS registration of either the DC or the member server hasnít been setup correctly (both forward and reverse lookup) this failover might not work, even though authentication might be possible again after booting the member server.

How to allow anonymous queries?

Allow anonymous binding by setting the seventh character of the dsHeuristics attribute to 2 AND give the "ANONYMOUS LOGON" "account" the proper access rights. See also http://support.microsoft.com/kb/320528