Using LdapSrvPriority to limit authentication requests against a DC

active-directory

I'm using the instructions here:

http://technet.microsoft.com/en-us/library/cc737541%28WS.10%29.aspx

to try to limit a particular 2003 DC from servicing authentication requests. I set the LdapSrvPriority to 250 (rather than the default 0), restarted the DC, and confirmed this has updated in DNS. I have also confirmed that the TTL on the DC's LDAP DNS entries is 10 minutes. It is now 30 minutes later. According to my reading, this DC should now not service authentication requests unless there is no other DC available with a lower priority.

When looking in the Security log on the DC, I see it is still servicing requests (users and computers), over 100 a minute. Does anyone know why this is the case? Domain members are by definition all AD-aware, so I would not expect to see computer authentication requests against this DC when I have 4 other DCs with a lower priority available in the site.
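The two checks the question describes (the registry value on the DC and the resulting SRV records in DNS), as an added PowerShell example that is not part of the original post. It assumes a sample domain and site name; `Resolve-DnsName` needs Windows 8 / Server 2012 or later, so from a 2003 box use `nslookup -type=SRV` against the same names. Note that the priority only influences clients that pick a DC through the DC locator's DNS query; a client that names a DC explicitly, or that already has one cached, does not consult it.

```powershell
# Added example (not from the original post): verify LdapSrvPriority on a DC
# and list the LDAP SRV records a client would choose between.
param(
    [string]$Domain = 'corp.example.com',        # assumed sample domain name
    [string]$Site   = 'Default-First-Site-Name'  # assumed sample site name
)

# 1. The Netlogon registry value on the DC itself (run this part on the DC).
#    An absent value means the default priority of 0.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$prio = (Get-ItemProperty -Path $netlogon -Name LdapSrvPriority -ErrorAction SilentlyContinue).LdapSrvPriority
if ($null -eq $prio) { $prio = 0 }
"Local LdapSrvPriority: $prio"

# 2. The SRV records the DC locator uses: domain-wide and site-specific.
#    Lowest Priority wins; Weight only breaks ties within one priority.
$names = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$Site._sites.dc._msdcs.$Domain"
)
foreach ($n in $names) {
    Resolve-DnsName -Name $n -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
        Select-Object @{ n = 'Record'; e = { $n } }, NameTarget, Priority, Weight, Port, TTL |
        Format-Table -AutoSize
}
```

If the DC you demoted still shows Priority 0 in the site-specific record, Netlogon has not re-registered since the registry change; if it shows 250 but the Security log is still busy, the traffic is coming from clients that are not using the SRV lookup at all.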

Best Answer

To close this off:

Not sure why the computers were still authenticating, but the users were doing so because they had an old Novell client installed that was specifically targeting the PDC for lookups (discovered this after network and process monitoring on some offending machines). Updating the client resolved the effective DoS the workstations were doing against the PDC.
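A way to find the offending machines from the DC's own Security log, as an added example that is not part of the original answer: tally recent logon events by the client that sent them. It assumes a current Security log (event 4624 with `IpAddress` and `WorkstationName` fields); Server 2003 logged 528/540 with different fields, so the field names would need adjusting there.

```powershell
# Added example (not from the original answer): group logon events on a DC by
# source client so that a workstation hammering this DC stands out.
# Assumes event ID 4624 (Vista/2008 and later); adjust for 2003's 528/540.
$since = (Get-Date).AddMinutes(-10)

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction Stop |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Client      = $d['IpAddress']
            Workstation = $d['WorkstationName']
            Account     = $d['TargetUserName']
            LogonType   = $d['LogonType']
        }
    } |
    Group-Object Client, Workstation |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name
```

Run it on the DC that is still busy; the top entries are the machines to inspect with network and process monitoring, which is how the misbehaving Novell client was found here.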
