February 01, 1999 12:00 AM

Pick Users' Domain Controller

Windows IT Pro
InstantDoc ID #4802
Use an LMHOSTS file to control which domain controller logs on your users and network machines

In October 1998, I attended the Microsoft Professional Developers Conference and the Networld+Interop conference. I always enjoy these types of events because they let me meet lots of Windows NT Magazine readers. An attendee of one of the October events asked me a question I'd heard before: "Can I control which domain controller logs my users on?" This question is a good one, and the answer is yes—if you're using NT machines.

Long-Distance Relationship
To envision a situation in which specifying a user's domain controller would be useful, consider an imaginary firm that uses NT. The business has headquarters in Chicago, Illinois, and a branch office in Galway, Ireland. The company has 200 people and two domain controllers in Galway and 1000 people and six domain controllers in Chicago, with a couple of 64Kbps frame relay connections linking the two sites. To make the example simple, I'll say the company uses only one domain.

At 8:00 a.m. Central time each day, all the company's Chicago users power up and log on. Some users' logons are sluggish, and those same users experience slowness in other operations, such as browsing Network Neighborhood. However, when the users reboot their systems later in the day, the sluggishness disappears.

What is the users' problem? Network sluggishness and the reboot fix are symptoms of many problems, but most likely, the users' NT machines have attached to an Irish domain controller across one of the company's 64Kbps links.

LMHOSTS is a blessing in scenarios in which trust links between two domains are constantly breaking.

To find a domain controller, an NT system asks the local Windows Internet Naming Service (WINS) server for a list of all the domain controllers that it knows about. While it's waiting for the WINS server to respond, the computer broadcasts a request to be logged on, essentially shouting to the network, "If a domain controller receives this message, it needs to log me on!" NT machines always send a broadcast message when they log on. This practice increases the probability that local domain controllers log on NT computers. (For information about NetBIOS names and name resolution, see "Inside a NetBIOS Name Resolution," March 1997.)

The WINS server that the NT machine contacts delivers a list of up to 25 of that domain's domain controllers—WINS remembers only the past 25 domain controllers it has heard of. The workstation sends an invitation to each domain controller on the WINS server's list, asking the domain controllers to log it on. The first domain controller that responds to the NT machine's many logon requests logs the computer on.

So why might Galway's domain controllers, which the Chicago machines connect to via the slow WAN link, respond more quickly than the Chicago domain controllers to the logon request? Well, at 8:00 a.m., everyone in Chicago is trying to log on, so the Chicago domain controllers are busy. In addition, the fictitious firm might have committed the common error of running WINS server software on its domain controllers. This practice is unwise because WINS servers and Primary Domain Controllers (PDCs) are both busiest at the start of the day. Every system on the network is logging on—which keeps the PDCs busy—and simultaneously registering its name with WINS—which keeps the WINS servers busy. Early morning is a rough time for PDCs that double as WINS servers.

In contrast to the Chicago PDCs, which at 8:00 a.m. are trying to log on 1000 users at the same time, Galway's machines are loafing along, responding to occasional authentication requests, because in Ireland it's 2:00 p.m. When these machines receive a cry for help across the WAN, they respond—and they respond quickly compared with the overloaded Chicago PDCs. The result of this scenario is that some Chicago NT workstations (or even Chicago NT servers, because some firms reboot their servers every week or so) now look to machines thousands of miles away for their authentications. When users sit down at their machine and type their name, password, and domain name, their workstation verifies their user account with a computer across the Atlantic. The users receive rotten response times, and folks in Galway who are trying to access Chicago servers across the WAN link experience delays because the unnecessary authentication traffic is choking the transatlantic link.
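
As an added example (not part of the original article), the following Python audit flags the situation described above: a workstation in one site validated by a domain controller in another, or by a logon server missing from the inventory. The subnets, machine names, CSV layout, and the functions `site_of` and `cross_site_logons` are assumptions made for illustration; the per-workstation logon server would come from whatever you already collect, such as the `%LOGONSERVER%` value recorded by a logon script.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Assumed site subnets (constructed for illustration, not from the article).
SITE_SUBNETS = {
    "Chicago": [ip_network("10.1.0.0/16")],
    "Galway": [ip_network("10.2.0.0/16")],
}
# Assumed inventory of legitimate domain controllers: NetBIOS name -> IP.
DOMAIN_CONTROLLERS = {
    "CHI-DC1": "10.1.0.10",
    "CHI-DC2": "10.1.0.11",
    "GAL-DC1": "10.2.0.10",
}
# Constructed sample report: one row per workstation logon.
SAMPLE_REPORT = r"""workstation,ip,logon_server
CHI-WS001,10.1.4.21,\\CHI-DC1
CHI-WS002,10.1.4.22,\\GAL-DC1
GAL-WS001,10.2.3.5,\\GAL-DC1
CHI-WS003,10.1.7.9,\\chi-dc2
CHI-WS004,10.1.7.10,\\OLD-BDC
"""

def site_of(address):
    """Return the site whose subnet contains the address, or None."""
    addr = ip_address(address)
    for site, networks in SITE_SUBNETS.items():
        if any(addr in net for net in networks):
            return site
    return None

def cross_site_logons(report_text):
    """List (workstation, logon server, reason) for logons worth a look."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        # LOGONSERVER is reported as \\NAME; NetBIOS names are case-insensitive.
        dc_name = row["logon_server"].lstrip("\\").upper()
        dc_ip = DOMAIN_CONTROLLERS.get(dc_name)
        if dc_ip is None:
            findings.append((row["workstation"], dc_name, "unknown logon server"))
            continue
        client_site, dc_site = site_of(row["ip"]), site_of(dc_ip)
        if client_site != dc_site:
            reason = f"{client_site} client validated by {dc_site} DC"
            findings.append((row["workstation"], dc_name, reason))
    return findings

if __name__ == "__main__":
    for finding in cross_site_logons(SAMPLE_REPORT):
        print(*finding, sep=" | ")
```
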

Comments
  • Wayne LaDouceur
    8 years ago
    Jan 17, 2004

    I am missing the domain controller for Microsoft Networking. I also get a note indicating "no domain server (Network server)". I wonder if there is a website that offers a free download of these items. I can still logon but I get a message noting "no server password not accepted". I then get popups after and click on OK and for some reason I can logon. However, the note indicates that I may not have access to all websites. I need to know how to correct these errors or if possible find these components and re-install them. I would appreciate your assistance and need to resolve these problems or get new re-installs.

    I look forward to a prompt reply and your help. I am using Windows 98SE OEM version and Internet Explorer 6. Thanking you in advance and look forward to a prompt response.

  • Dave Davidson
    12 years ago
    Feb 07, 2000

    Good article. RAS has been a thorn for many of us and we appreciate all the help we can get! If you need to verify domain authentication with a Win9X machine, see the following Microsoft article: Q150898 - How to Display Domain Logon Confirmation in Windows. Or, you can simply use the registry poke it describes:

    Use Registry Editor to add a DWORD value named "DomainLogonMessage" (without quotation marks) to the following registry key:

    HKEY_LOCAL_MACHINE\Network\Logon

    Set the data value for DomainLogonMessage to 1.

    It works just fine.

  • George Kimmel
    13 years ago
    Aug 06, 1999

    You did it again! You took a complicated subject and made it simple for people like me to understand. I work in a large company. The PDC is in New York, and a BDC is at a site in Chicago. Users in Chicago log on (via a 56Kbps connection) to the New York domain. One user calls frequently and complains about how long logon takes. How do I tell which domain controller logged on a user?

    --George Kimmel



    If the user is running Windows NT Workstation, ask the user to run NT Diagnostics, click the Network tab, and check the Logon Server entry. If the user is running Windows 9x, you probably can’t get that information without running Network Monitor. I recall that Windows for Workgroups (WFW) gave you the option of getting a pop-up dialog box at logon that identified which machine logged you on. I haven’t found anything like that in Win9x.

    --Mark Minasi

  • Simon G. Brock
    13 years ago
    Aug 06, 1999

    The scenario about a fictitious company that Mark Minasi presents in Inside Out: “Pick Users’ Domain Controller” (February) worries me. The author states that the Galway, Ireland, domain controllers might respond to a “cry for help across the WAN.” How would the Galway machines hear this cry for help? Routers don’t forward (by default) the NetBIOS broadcasts that the Chicago, Illinois, computers would use to find servers, so the cry for help would never reach Galway.
    Another concern worth mentioning is the unlikely chance that the domain controllers would ever be swamped, given the number of users in the example (1000). Microsoft says a domain controller (if configured for Maximum Throughput for Network Applications) can service 20 logons per second. Therefore, all 1000 users would have to log on within a 10-second period to substantially stress the domain controllers. Microsoft also says you need only one BDC for every 2000 users and having more BDCs might decrease network performance because of excessive synchronization traffic.

    --Simon G. Brock



    The article explains that the client gets a list of domain controllers from WINS, then sends the domain controllers directed messages. These directed messages aren’t broadcasts, so they could make it to any branch office anywhere. My experience regarding Microsoft’s recommendations for the number of domain controllers you need is that sometimes the values are valid and sometimes they aren’t valid.

    --Mark Minasi


Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.