Unresolved questions...

Q: Are expired certs removed from the CRL?
A: ???

 

Q: What is secure channel, really?
A: Not really an answer, but there is some information in KB823659: a signed or encrypted 'channel'.

 

Q: What is the interactive group?
A: This is some sort of non-accessible, system-maintained security group. Membership is dynamic: if you are "interactively" logged on, you are in this group. It works very much like Authenticated Users and Everyone; there is a Network group too.

 

Q: With regard to location aware service and clients identifying their sites, how does the client initially find AD in order to then lookup subnets and sites to figure out its site?
A: Once the computer and/or user authenticates via Kerberos, many tools and services will use that authenticating DC for subsequent authentication needs. Somehow Sites and Services is 'exposed' via DNS, so as long as a client can reach AD DNS, it can find its site and the domain's DC(s) and GC(s).

 

Q: How does _msdcs do load balancing? If for example there are multiple DCs in a site, and the client is looking for a DC in a certain site, what is the mechanism for which one it will choose?
A: Traditional DNS round-robin load balancing. DNS should return a random IP for the requested service. (NSLOOKUP returned all A records with equal weight, but that may be a feature of the tool.) If that IP times out, the client should query DNS again and hopefully get a different one to try. Round-robin load balancing distributes strictly by share, not by actual load.
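To make the "by share, not by load" point concrete, here is an added example (written for these notes, not Microsoft's client code) that models how a client orders the targets returned for a constructed _msdcs SRV query: lowest priority first, then weighted random choice within a priority, with the next entry used when one times out. The domain, hosts and record values are made up; real Windows clients also honour the SRV priority and weight fields, which plain round-robin A records do not carry.

```python
import random
from collections import Counter

# Constructed sample answer for the SRV query a site-aware client sends,
# e.g. _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.example.com
# (domain and hosts are made up).  Fields: (priority, weight, port, target)
SAMPLE_SRV = [
    (0, 100, 389, "dc1.example.com."),
    (0, 100, 389, "dc2.example.com."),
    (0, 100, 389, "dc3.example.com."),
]

def pick_weighted(pool, rng):
    """Choose one record from a same-priority pool with probability
    proportional to its weight (RFC 2782).  Zero-weight records are
    only used when every record in the pool has weight 0."""
    total = sum(r[1] for r in pool)
    if total == 0:
        return rng.choice(pool)
    point = rng.uniform(0, total)
    acc = 0
    for rec in pool:
        acc += rec[1]
        if rec[1] and point <= acc:
            return rec
    return pool[-1]

def order_targets(records, rng=None):
    """Return the full order in which a client should try the targets:
    lowest priority first; within a priority, weighted random order.
    A timeout on one target means moving on to the next entry."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r[0] for r in records}):
        pool = [r for r in records if r[0] == prio]
        while pool:
            chosen = pick_weighted(pool, rng)
            pool.remove(chosen)
            ordered.append(chosen[3])
    return ordered

def selection_shares(records, trials=3000, seed=1):
    """How often each target is the *first* choice.  The split follows
    the weights, not the DCs' actual load, which is the round-robin caveat."""
    rng = random.Random(seed)
    return Counter(order_targets(records, rng)[0] for _ in range(trials))

if __name__ == "__main__":
    print(order_targets(SAMPLE_SRV))
    print(selection_shares(SAMPLE_SRV))
```

With equal weights each DC is first choice about a third of the time regardless of how busy it is; giving one DC weight 300 against 100 moves roughly three quarters of first contacts to it.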

 

Q: Does a server gracefully shutting down or changing IPs remove its records from DNS? How does this affect _msdcs load balancing?
A: ???

 

Q: What is up with the vagaries of the GC pseudo-partitions? The GC partitions look like domain partitions in some tools. A GC doesn't hold a partial replica of the domain for which it is a DC, so does the GC software hit the "DC's" own domain partition to answer queries on 3268?
A: ???

 

Q: Can a GC replicate over an SMTP site link?
A: ???

 

Q: Microsoft DNS clients traditionally did not use a DNS ping but an ICMP ping to the DNS server, so if the server was up but DNS was down the client would not fail over to the next DNS server. Is this still the case with 2003/XP?
A: ???