Unresolved questions...
Q: Are expired certs removed from the CRL?
A: ???
Q: What is secure channel, really?
A: Not really an answer, but some information here: KB823659. A signed or encrypted
'channel'.
Q: What is the interactive group?
A: This is some sort of non-accessible, system-maintained security group. Membership
is dynamic: if you are "interactively" logged on, you are in this group. Very much
like Authenticated Users and Everyone; there is a Network group too.
Q: With regard to location aware service and clients identifying their sites,
how does the client initially find AD in order to then lookup subnets and sites
to figure out its site?
A: Once the computer and/or user authenticates via Kerberos, many tools and services
will use the authenticating DC for subsequent authentication needs. Somehow
Sites and Services is 'exposed' via DNS, so as long as a client can reach AD
DNS, it can find its site and domain DC(s) and GC(s).
Q: How does _msdcs do load balancing? If for example there are multiple DCs
in a site, and the client is looking for a DC in a certain site, what is the
mechanism for which one it will choose?
A: Traditional DNS round robin load balancing. DNS should randomly return an
IP for the requested service. (NSLOOKUP returned all A records of equal weight,
but that may be a feature of the tool.) If that IP times out, the client should
query DNS again and hopefully get a different one to try. Round robin load
balancing distributes strictly by ratio, not by actual load.
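The locator entries under _msdcs are DNS SRV records, which carry a priority and a weight in addition to the target host, so the choice among DCs is not only A-record round robin. The Python below is an added example, not from these notes: it implements the RFC 2782 selection rule (lowest priority first, weighted random among ties) over constructed sample records, plus the "drop the one that timed out and retry" loop the answer describes.

```python
import random
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "priority weight port target")

# Constructed sample records, modelled on what DCs register at
# _ldap._tcp.<site>._sites.dc._msdcs.<domain>; hosts are made up.
SITE_DCS = [
    SrvRecord(0, 100, 389, "dc1.example.com."),
    SrvRecord(0, 100, 389, "dc2.example.com."),
    SrvRecord(10, 100, 389, "dc3.example.com."),  # backup: only if priority-0 hosts fail
]

def select_srv(records, rng=random):
    """Pick one record per RFC 2782: lowest priority wins; among records
    sharing that priority, choose weighted-randomly. None if no records."""
    if not records:
        return None
    lowest = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == lowest]
    # RFC 2782: weight-0 entries are placed first so they are least likely picked
    candidates.sort(key=lambda r: r.weight != 0)
    total = sum(r.weight for r in candidates)
    if total == 0:
        return candidates[rng.randrange(len(candidates))]
    pick = rng.randint(0, total)  # inclusive 0..total, as the RFC specifies
    running = 0
    for r in candidates:
        running += r.weight
        if running >= pick:
            return r
    return candidates[-1]

def locate_dc(records, is_reachable, rng=random):
    """Mimic the client's retry: select a DC, and if it does not answer,
    drop it from the candidate set and select again until one responds."""
    remaining = list(records)
    while remaining:
        chosen = select_srv(remaining, rng)
        if is_reachable(chosen.target):
            return chosen.target
        remaining.remove(chosen)
    return None

if __name__ == "__main__":
    # Simulate dc1 being down: the client should settle on dc2, not the backup.
    print(locate_dc(SITE_DCS, lambda host: host != "dc1.example.com."))
```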
Q: Does a server gracefully shutting down or changing IPs remove its records
from DNS? How does this affect _msdcs load balancing?
A: ???
Q: What is up with the vagaries of the GC pseudo-partitions? The GC partitions
look like domain partitions from some tools. A GC doesn't have a partial replica
of the domain which it is a DC for, but does the GC software hit the "DC's"
domain partition to return queries on 3268?
A: ???
Q: Can a GC replicate over an SMTP site link?
A: ???
Q: Microsoft DNS clients traditionally did not use a DNS ping but an ICMP ping
to the DNS server, so if the server was up but DNS was down the client would
not fail over to the next DNS server. Is this still the case with 2003/XP?
A: ???