February 01, 1999 12:00 AM

Pick Users' Domain Controller

Windows IT Pro
InstantDoc ID #4802

The LMHOSTS Solution
How can my fictitious firm compel Chicago machines to use Chicago domain controllers? If users have Service Pack 4 (SP4) on their workstations, administrators can use SETPRFDC to connect Chicago machines to Chicago domain controllers. (For more information about the SETPRFDC utility, see "SETPRFDC," page 203.) Alternatively, administrators can use an LMHOSTS file to solve the problem, although this solution is a bit more labor-intensive than the SETPRFDC fix.

LMHOSTS is an ASCII file that you can place on an NT machine to help the machine find other computers using the other computers' NetBIOS names. If you have a machine named LEATHERBACK at IP address 165.109.30.21, you can tell another NT machine on the network how to find LEATHERBACK by adding the following line to the other NT machine's LMHOSTS file:

165.109.30.21 LEATHERBACK

However, if you have configured the NT machine to use a WINS server, the NT machine queries the WINS server first and looks in the LMHOSTS file only if WINS can't find LEATHERBACK. You can override this process and make an LMHOSTS entry supersede WINS by adding the #PRE metacommand to LMHOSTS, as follows:

165.109.30.21 LEATHERBACK #PRE

This LMHOSTS line ensures that when that machine is looking for LEATHERBACK, it looks only to 165.109.30.21 and doesn't query WINS at all.

How does this help you find domain controllers? Suppose LEATHERBACK is a domain controller in the SEATURTLES domain. LEATHERBACK identifies itself as a SEATURTLES domain controller by registering the NetBIOS name SEATURTLES<1C>, the domain name with a hexadecimal value 1C appended. All NetBIOS names must be exactly 16 characters long; NT pads shorter names, such as SEATURTLES, with blanks to the right, so LEATHERBACK's exact NetBIOS name is SEATURTLES<space><space><space><space><space><hex 1C>. (The #DOM metacommand supposedly performs the same function as this 1C stuff, but my Network Monitor experiments show that #DOM isn't a replacement for the hex 1C.) To force a machine to use LEATHERBACK as its domain controller, you need to create an LMHOSTS entry that represents this bizarre-looking name. The entry looks like

165.109.30.21 "SEATURTLES     \0x1C" #PRE

You build this line by entering, in order, the IP address, a space, a quotation mark, the name of the domain—not the name of the domain controller—then enough spaces to make the name 15 characters long, the characters \0x1C, a quotation mark, and the #PRE metacommand. Put this LMHOSTS file in the Winnt\system32\drivers\etc directory on the NT machine that you want to force to use LEATHERBACK for logons. When that machine next boots and seeks a domain controller, it won't broadcast logon requests or query WINS; it will go straight to LEATHERBACK for logon.

This isn't an answer for every network that's having problems with authentications across slow links. This solution requires an LMHOSTS file on every workstation, and installing that many LMHOSTS files can be labor-intensive (although logon batch scripts can help reduce this workload).

The LMHOSTS solution can be a blessing in scenarios in which trust links between two trusted domains are constantly breaking. For example, suppose domain A and domain B trust each other. You reboot one of domain A's domain controllers, and because the domain controller knows about the domains' trust relationship, it looks for a domain controller in domain B to perform its users' domain B authentications. But if the domain A machine is unlucky, it might choose a domain B domain controller that isn't reliable. If the domain B machine fails and the domain A machine can't quickly find another domain B domain controller to partner with, the trust between the domains will break. You can solve this potential problem by using an LMHOSTS file to point domain A domain controllers to reliable domain B domain controllers.

Be aware that using LMHOSTS removes the automation and fault tolerance that NT's standard logon process provides. If the domain controller in a machine's LMHOSTS file isn't online when the machine tries to log on, the machine simply doesn't log on. LMHOSTS can't fall back to WINS if the logon is unsuccessful. And you can't hedge your bets by adding the names of multiple domain controllers to LMHOSTS because NT machines use only the LMHOSTS file's last entry for each domain.
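The entry format and the last-entry caveat above can be checked mechanically before an LMHOSTS file is pushed out by a logon script. The following Python sketch is an added example, not code from the article: the names dc_entry and audit are hypothetical, and the address 165.109.30.22 and the sample file are constructed for illustration.

```python
import re

# Quoted LMHOSTS name ending in an escaped type byte, e.g. "SEATURTLES     \0x1C"
ENTRY = re.compile(r'^\s*(\S+)\s+"([^"]*)\\0x([0-9A-Fa-f]{2})"\s*(.*)$')

def dc_entry(ip, domain):
    """Build the #PRE line that pins logons for `domain` to the controller at `ip`."""
    if not 1 <= len(domain) <= 15:
        raise ValueError("NetBIOS domain names are 1 to 15 characters")
    # Pad the name to 15 characters; the 16th byte is the 0x1C type byte.
    return f'{ip} "{domain.upper():<15}\\0x1C" #PRE'

def audit(text):
    """Return (effective, warnings); effective maps domain -> IP of its last <1C> entry."""
    effective, warnings = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        m = None if line.lstrip().startswith("#") else ENTRY.match(line)
        if not m or m.group(3).upper() != "1C":
            continue  # comment, plain host entry, or a different name type
        ip, padded, _, rest = m.groups()
        domain = padded.rstrip(" ")
        if len(padded) != 15:
            warnings.append(f"line {n}: name is {len(padded)} characters before \\0x1C, need 15")
            continue
        if "#PRE" not in rest.upper().split():
            warnings.append(f"line {n}: {domain} has no #PRE, WINS is still queried first")
        if domain in effective:
            warnings.append(f"line {n}: replaces earlier {domain} entry ({effective[domain]})")
        effective[domain] = ip  # per the article, NT uses only the last entry
    return effective, warnings

# Constructed sample file: one short-padded entry, then two entries for one domain.
SAMPLE = "\n".join([
    '165.109.30.21 LEATHERBACK #PRE',
    '165.109.30.21 "SEATURTLES \\0x1C" #PRE',
    dc_entry("165.109.30.21", "SEATURTLES"),
    dc_entry("165.109.30.22", "seaturtles"),
])

if __name__ == "__main__":
    print(dc_entry("165.109.30.21", "SEATURTLES"))
    for w in audit(SAMPLE)[1]:
        print(w)
```

Because a #PRE entry for the <1C> name decides which machine receives logon requests, the same audit is worth running on files already deployed to workstations to confirm that each one still names the intended domain controller.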

LMHOSTS is a nice solution for NT machines. Unfortunately, LMHOSTS can't force Windows 98 or Win95 workstations to log on to a particular domain controller. I haven't found a solution to the long-distance domain controller problem for Windows 9x machines.

Comments
  • Wayne LaDouceur
    8 years ago
    Jan 17, 2004

    I am missing the domain controller for Microsoft Networking. I also get a note indicating "no domain server (Network server). I wonder if there is a website that offers a free download of these items. I can still logon but I get a message noting "no server password not accepted". I then get popups after and click on OK and for some reason I can logon. However the note indicates that I may not have access to all websites. I need to know how to correct these errors or if possible find these components and re-install them. I would appreciate your assistance and need to resolve these problems or get new re-installs.

    I look forward to a prompt reply and your help. I am using Windows 98SE OEM version and Internet Explorer 6. Thanking you in advance and look forward to a prompt response.

  • Dave Davidson
    12 years ago
    Feb 07, 2000

    Good article. RAS has been a thorn for many of us and we appreciate all the help we can get! If you need to verify domain authentication with a Win9X machine, see the following Microsoft article: Q150898 - How to Display Domain Logon Confirmation in Windows. Or, you can simply use the registry poke it describes:

    Use Registry Editor to add a DWORD value named "DomainLogonMessage" (without quotation marks) to the following registry key:

    HKEY_LOCAL_MACHINE\Network\Logon

    Set the data value for DomainLogonMessage to 1.

    It works just fine.

  • George Kimmel
    13 years ago
    Aug 06, 1999

    You did it again! You took a complicated subject and made it simple for people like me to understand. I work in a large company. The PDC is in New York, and a BDC is at a site in Chicago. Users in Chicago log on (via a 56Kbps connection) to the New York domain. One user calls frequently and complains about how long logon takes. How do I tell which domain controller logged on a user?

    --George Kimmel



    If the user is running Windows NT Workstation, ask the user to run NT Diagnostics, click the Network tab, and check the Logon Server entry. If the user is running Windows 9x, you probably can’t get that information without running Network Monitor. I recall that Windows for Workgroups (WFW) gave you the option of getting a pop-up dialog box at logon that identified which machine logged you on. I haven’t found anything like that in Win9x.

    --Mark Minasi

  • Simon G. Brock
    13 years ago
    Aug 06, 1999

    The scenario about a fictitious company that Mark Minasi presents in Inside Out: “Pick Users’ Domain Controller” (February) worries me. The author states that the Galway, Ireland, domain controllers might respond to a “cry for help across the WAN.” How would the Galway machines hear this cry for help? Routers don’t forward (by default) the NetBIOS broadcasts that the Chicago, Illinois, computers would use to find servers, so the cry for help would never reach Galway.
    Another concern worth mentioning is the unlikely chance that the domain controllers would ever be swamped, given the number of users in the example (1000). Microsoft says a domain controller (if configured for Maximum Throughput for Network Applications) can service 20 logons per second. Therefore, all 1000 users would have to log on within a 10-second period to substantially stress the domain controllers. Microsoft also says you need only one BDC for every 2000 users and having more BDCs might decrease network performance because of excessive synchronization traffic.

    --Simon G. Brock



    The article explains that the client gets a list of domain controllers from WINS, then sends the domain controllers directed messages. These directed messages aren’t broadcasts, so they could make it to any branch office anywhere. My experience regarding Microsoft’s recommendations for the number of domain controllers you need is that sometimes the values are valid and sometimes they aren’t valid.

    --Mark Minasi

Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.