I read some threads with the same problem but without any solution, so I will try it again.

Today we have four completely separate Active Directories with thousands of clients.
I implemented an MIT KDC to build a shared resource realm for SSO.

Now I want to deploy that to all clients.

The client sends a TGS request to its AD domain controller, and the DC sends back a referral to the resource realm.

At this point the client needs to work out which KDC is responsible for the realm.

The easiest way is to configure it on the client (ksetup /AddKdc [Realm] [KDC]). If there is no configuration, the client tries to resolve the KDC over DNS (SRV _kerberos._tcp.dc._msdcs.[domain]).

ksetup on each client would take a long time and be a lot of work. I added this DNS entry with a pointer to the
The client resolves it successfully and then does a CLDAP query -> no response (or ICMP).

I read that the CLDAP query is something like an AD ping, to check whether the AD is responsible for the domain and is available.

Is there a way to switch this setting off (the CLDAP query)? Or could I emulate the required response, for example with

Any ideas?

Andrin Vocat
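The post describes two ways a Windows client can find the KDC for a referred realm: an explicit ksetup entry, or a DNS SRV lookup followed by the DC-locator (CLDAP) ping. The following PowerShell is an added diagnostic example, not code from the original post or from any product mentioned in it; it walks through those discovery steps on one client so you can see which one is failing. The realm name RESOURCE.EXAMPLE and the KDC host kdc.resource.example are placeholders, and the nltest step is an assumption that the DsGetDcName locator used by nltest is the same mechanism the post calls the "AD ping".

```powershell
# Added diagnostic example (not from the original post).
# Placeholders: replace with your own resource realm and MIT KDC host.
$Realm = 'RESOURCE.EXAMPLE'        # placeholder: the MIT resource realm
$Kdc   = 'kdc.resource.example'    # placeholder: the MIT KDC host

# 1. What does this client already know about the realm?
#    ksetup with no arguments prints the locally configured realms and KDCs.
ksetup

# 2. Can the client locate a KDC for the realm over DNS? This is the SRV
#    name the post says Windows falls back to when nothing is configured.
$srvName = "_kerberos._tcp.dc._msdcs.$($Realm.ToLower())"
$srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue
if ($srv) {
    $srv | Format-Table Name, NameTarget, Port, Priority, Weight -AutoSize
} else {
    Write-Host "No SRV record found for $srvName"
}

# 3. Is Kerberos (TCP/88) reachable on the MIT KDC at all?
Test-NetConnection -ComputerName $Kdc -Port 88 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# 4. Reproduce the DC-locator lookup the client performs after the SRV
#    lookup. Assumption: nltest drives the same DsGetDcName locator (and
#    therefore the same CLDAP ping) described in the post, so a timeout here
#    matches the "no response" behaviour observed.
nltest /dsgetdc:$Realm /force

# 5. Pin the KDC explicitly on this client, the per-client option the post
#    calls the easiest. Run from an elevated prompt.
ksetup /AddKdc $Realm $Kdc
```

Steps 1 to 4 only read state and send lookups; step 5 is the only change, and it is the same command the post already names, so it can be left out when the script is used purely to confirm where discovery stops.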