May 01, 1999 12:00 AM

Registry Tweaks to Tune Your Network

Windows IT Pro
InstantDoc ID #5179
Optimize NT Services on TCP/IP Networks

If you maintain a Windows NT network across multiple subnets and WAN links, you can make several Registry changes to enhance your network's efficiency and performance. In this article, I'll look at how you can reduce the amount of traffic that domain controller synchronization and NT's Browser service generate on an NT network.

Domain Controller Synchronization
Whenever you make changes to a SAM database on a PDC, NT must copy those changes to your domain's BDCs so that the BDCs' logon and authentication services are up-to-date. Three databases on each domain controller store SAM information; these databases are in the SAM Registry hive in %systemroot%\system32\config. (Make sure you include all the files in the config subfolder in your daily backups.) Each database has an update sequence number (USN) that NT uses to determine whether a PDC's database is in sync with a BDC's replica of the database. The PDC keeps track of changes to its SAM databases by listing recent database changes in a buffer in memory called the change log. The PDC retains a list of USNs for each of its BDCs' SAM databases.

Periodically, a PDC checks its SAM databases to determine whether the databases have changed since the PDC last synchronized with its BDCs. If the databases haven't changed, the PDC waits for a set interval, then checks its databases for changes again. If the databases have changed, the PDC sends a directed message (i.e., a message that NT delivers to a specific IP address) to every BDC that has different USNs from the PDC's USNs. The directed message informs the BDCs that the PDC's SAM databases have changed, and contains the PDC's USNs. When a BDC receives an update message from a PDC, the BDC compares the USNs in the message with the USNs for its three databases. If one or more of its current USNs are lower than those that the PDC announces, the BDC establishes a secure session with the PDC and downloads changes from the change log.

You can change several Registry entries in your domain controllers' HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters Registry key to make this synchronization process more efficient in your environment. The Pulse entry lets you adjust the interval at which a PDC checks its SAM databases for changes. By default, PDCs check their databases and update BDCs every 5 minutes. Change the Pulse entry on the PDC to the number of seconds you want the PDC to wait between database checks. Increasing this length of time can be beneficial if some or all of your BDCs connect to the PDC across a slow WAN link, as long as you don't perform many regular updates to the SAM databases. If you only infrequently make changes in the SAM, increase the Pulse value to reduce network traffic. If you make frequent changes in the SAM, decrease the Pulse value to keep your BDCs up-to-date.

If you change the length of time between a PDC's SAM database checks, you might need to change the size of the PDC's change log. NT usually needs to synchronize domain controllers only partially, so a PDC replicates to its BDCs only the information that has changed since the PDC's last replication. A partial synchronization requires fewer resources than a full synchronization, which replicates the SAM databases in their entirety. However, if the PDC's SAM databases have more changes between synchronizations than the change log can hold, the PDC can no longer track recent changes, and partial synchronization becomes impossible. When a PDC's change log is full, NT falls back to a full synchronization and replicates the PDC's SAM databases in their entirety to its BDCs.

The change log is 64KB by default. Approximately 2000 SAM records can fit in a 64KB buffer, because most change entries are 32 bytes long. If you might make more than 2000 changes in the SAM within the interval at which a PDC checks for database changes, increase the size of the PDC's change log to avert a full synchronization. Conversely, if you never make 2000 changes to the SAM database within the interval of a PDC's database checks, you might want to reduce the change log's size to increase system memory available for other uses. To modify the change log's size, create a new Registry value of type REG_DWORD called ChangeLogSize in the PDC's Netlogon\Parameters key. Set ChangeLogSize to the size in kilobytes that you want the PDC's change log to be.

Every BDC has a memory buffer in which it stores changes to the SAM databases that it receives from the PDC. If the buffer fills up, the BDC receives only part of the new information and has to wait until the PDC's next synchronization to receive the remaining information. If a BDC regularly receives less data than the PDC sends, the BDC can rapidly get far out of sync with the PDC. The BDC will remain out of sync permanently only if the PDC continuously sends too many changes for the BDC's buffer to absorb. Usually, administrators create, edit, and delete accounts, and users change passwords only during the day, so BDCs can catch up with busy PDCs overnight.

You change the size of a BDC's synchronization buffer by changing the BDC's ReplicationGovernor Registry entry. ReplicationGovernor's value is a percentage; the default value is 100. A BDC with a ReplicationGovernor value of 100 percent has a synchronization buffer space of 100 percent of 128KB (i.e., 128KB), and the BDC accepts SAM synchronization traffic that uses 100 percent of the network's bandwidth if necessary. Reducing the ReplicationGovernor value reduces these percentages. For example, a ReplicationGovernor value of 50 gives a BDC a 64KB buffer and lets synchronization traffic use only up to 50 percent of network bandwidth. If you use a WAN link exclusively for replication traffic, you can leave ReplicationGovernor at 100. However, if you also use the link for activities such as videoconferencing, you need to keep some bandwidth available at all times for those other activities, so you need to reduce the value. Don't decrease the ReplicationGovernor value too much, or you run the risk of making your BDCs' SAM databases always out-of-date. Microsoft recommends that you never use a ReplicationGovernor value lower than 25.
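The interaction between Pulse, the change log, and ReplicationGovernor can be explored with a small model, added here as an illustration (it is not code from the article or from Microsoft). It uses the article's figures (32-byte entries, 64KB change log, 128KB BDC buffer); the function names, the assumption that BDC buffer entries are also 32 bytes, and the rule that a backlog larger than the change log forces a full synchronization are modelling assumptions.

```python
import math

ENTRY_BYTES = 32      # typical change-entry size (article figure)
DEFAULT_LOG_KB = 64   # default PDC change log size (article figure)
BDC_BUFFER_KB = 128   # BDC buffer at ReplicationGovernor 100 (article figure)


def entries(kb):
    """Number of 32-byte change entries that fit in `kb` kilobytes."""
    return kb * 1024 // ENTRY_BYTES


def min_changelog_kb(changes_per_hour, pulse_seconds=300):
    """Smallest change log (in KB) that holds one Pulse interval of changes."""
    per_pulse = math.ceil(changes_per_hour * pulse_seconds / 3600)
    return math.ceil(per_pulse * ENTRY_BYTES / 1024)


def simulate(changes_per_pulse, changelog_kb=DEFAULT_LOG_KB, governor=100):
    """Model one BDC over successive pulses.

    changes_per_pulse: SAM changes made on the PDC before each pulse.
    Returns a list of (pulse, action, backlog); action is "idle", "partial"
    or "full", and backlog is the number of changes the BDC still lacks.
    """
    if not 25 <= governor <= 100:
        # 25 is the lowest value the article says Microsoft recommends.
        raise ValueError("ReplicationGovernor must be between 25 and 100")
    log_cap = entries(changelog_kb)
    # Assumption: the BDC absorbs at most one governed buffer per pulse.
    buf_cap = entries(BDC_BUFFER_KB) * governor // 100
    backlog, history = 0, []
    for pulse, new_changes in enumerate(changes_per_pulse):
        backlog += new_changes
        if backlog == 0:
            history.append((pulse, "idle", 0))
        elif backlog > log_cap:
            # The change log no longer covers what the BDC is missing, so a
            # partial synchronization is impossible: replicate everything.
            backlog = 0
            history.append((pulse, "full", 0))
        else:
            backlog -= min(backlog, buf_cap)
            history.append((pulse, "partial", backlog))
    return history


if __name__ == "__main__":
    busy = [1500, 1500, 1500, 0]  # constructed workload, changes per pulse
    for kb, gov in ((64, 100), (64, 25), (128, 25)):
        print(f"log={kb}KB governor={gov}:", simulate(busy, kb, gov))
    print("KB needed at 30000 changes/hour:", min_changelog_kb(30000))
```

With the constructed workload, a BDC throttled to 25 falls behind until the default 64KB change log no longer covers its backlog, while doubling the change log lets the same BDC catch up through partial synchronizations once the PDC goes quiet.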

Comments
  • Larry D. Crabtree
    Aug 09, 1999

    I read Richard Adams’ “Registry Tweaks to Tune Your Network” (May) and had a question about how many BDCs a PDC will send an announcement to concurrently. The article said the default is 20 BDCs. However, according to Microsoft Official Curriculum (MOC) courseware 689, the number of concurrent BDCs is 10. The MOC contradicts itself in the review answers of the Delivery Guide in the same module. The answer there says that the PDC will wait for 2 BDCs to complete synchronization before the next 2 BDCs will start. Can you clarify which information is accurate and what answer is correct on the corresponding exam?

    --Larry D. Crabtree



    You’re quite right that the MOC courseware says the PDC updates 10 BDCs at a time. However, Microsoft TechNet is clear that, in fact, the PDC updates 20 BDCs at a time. I think Microsoft increased the default number from 10 in Windows NT 3.51 to 20 in NT 4.0, and somehow the courseware wasn’t updated (several other inconsistencies exist in the MOC courseware).
    What is the right answer for the Enterprise exam? Without having access to the answers, I can’t say. You might try the Microsoft online support Web site (http://support.microsoft.com) for more information.

    --Richard Adams

    richard@ctc-seminars.co.uk


Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.