Re: Windows 2000 logon process


From: Cary Shultz [A.D. MVP] (cwshultz_at_mvps.org)
Date: 11/22/04


Date: Mon, 22 Nov 2004 10:07:58 -0500

Paul,

This is a good question. Things are supposed to be handled on a 50/50 basis
out-of-the-box when you have two Domain Controllers (and 33/33/33 when you
have three Domain Controllers, etc.). How does this happen? There are
two key entries in the SRV records - weight and priority. These two entries
determine this.

Clients are supposed to first check for DCs in their Site. This is handled
by the IP Address of the client and the info that AD has about the various
IP Ranges ( from the Active Directory Sites and Services ). This is why it
is important to set this up correctly. Create a Subnet and associate it
with a Site. But, this is a bit of a digression ( well, not really ) from
where I am going with this.

Should multiple Domain Controllers exist in a Site ( and everything else is
working just fine ) which DC would a client use for authentication? The one
with the lowest weight! So, [0] is pretty low, right? Drats, both DCs have
a weight of [0]. Now what? Ah, there is a priority entry. The client
will - statistically speaking - use the DC with the higher priority ( well,
it is actually a bit of a percentage thing....if one DC has a priority of
[80] and the other DC has a priority of [20] then the first DC will handle
about 4x as many authentication requests as the second. "About" is the key
word in that phrase. ). Now, out of the box Domain Controllers have a
priority of [100].

Has anyone messed with these entries and their values?

Also, assuming that everything is at the defaults ( [0][100] for both Domain
Controllers ) you should be seeing approximately 50/50. This is clearly not
the case as you have stated that one DC is responding to about 90% of the
authentication requests. If there are any problems and the DC that is
'supposed' to respond to the request cannot within the allotted time ( 100
milliseconds ) then the client will go elsewhere ( to the second DC in the
list and then to the third and so on and so forth ). Are there any problems
with the second DC? Have you installed the Support Tools and run dcdiag /c
/v on both of your Domain Controllers just to get a general idea as to their
health? I would also do a netdiag /v.

I also assume that if you were to look at your DNS MMC in the Forward Lookup
Zone you would see the exact same information on the second DC as you do on
the first DC ( records, weight, priority ). This is how it is supposed to
work!

Now, you specifically stated that you have a Primary DNS server and a
Secondary DNS server. Are you using these terms according to the way that
DNS uses them? Meaning, you have a DNS Server that is the Primary DNS
Server for a specific zone ( yourcompany.com, for example ) and then you
have some other DNS Servers that are functioning as Secondary DNS Servers
for that same zone ( yourcompany.com )? Or, are you running Active
Directory Integrated DNS and simply used these terms....

HTH,

Cary

"Paul Hadfield" <paul@anon.com> wrote in message
news:%23b0gUrH0EHA.1652@TK2MSFTNGP11.phx.gbl...
> All,
>
> We have a network with 2 DCs running Windows 2000 SP4 and 10+ member
> servers running Windows 2000 Advanced Server SP4 with Terminal Services
> installed in Application Mode. The first DC has its primary DNS setting as
> localhost and no secondary DNS. The second DC has its primary DNS set to
> the IP of the first DC, and its secondary DNS set to localhost. Each member
> server has its primary DNS set to the first DC server and the second DNS
> set to the second DC server.
>
> I've noticed that by using computer management for each DC and watching the
> Open Files section, the first DC seems to handle around 90% of the domain
> logons and the second DC gets the rest. I'd like to try and balance out the
> logon request and GPO load between the two DCs to try and increase logon
> responses at peak times. Can I safely change the order of the primary and
> secondary DNS servers on some of the member servers to force them to go to
> the second DC first for network logons? Are there any drawbacks to doing
> this? Is there a better way to try and balance the load between the two
> DCs?
>
> Cheers in advance,
> Paul.
>
>
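
Added example, not part of the original posts: a Python sketch that computes the logon split a set of DC locator SRV records predicts and flags an observed split that departs from it, such as the 90/10 reported in this thread. It uses the RFC 2782 field order and semantics (the lowest priority value is tried first, and load is divided in proportion to weight); the `dc1`/`dc2` host names, the sample records and the 0.15 tolerance are assumptions.

```python
# Added example: constructed records; dc1/dc2 host names are hypothetical.
# Field order after "SRV" is priority, weight, port, target (RFC 2782).
DEFAULTS = """\
_ldap._tcp.dc._msdcs.yourcompany.com. 600 IN SRV 0 100 389 dc1.yourcompany.com.
_ldap._tcp.dc._msdcs.yourcompany.com. 600 IN SRV 0 100 389 dc2.yourcompany.com.
"""

def parse_srv(zone_text):
    """Parse 'name ttl IN SRV priority weight port target' lines."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[3].upper() != "SRV":
            continue  # skip blanks, comments and other record types
        prio, weight, port = (int(f) for f in fields[4:7])
        records.append((prio, weight, port, fields[7].rstrip(".").lower()))
    return records

def expected_share(records):
    """Long-run fraction of requests per target while every target answers.

    Only the group with the lowest priority value is used; higher values
    are fallbacks and get 0.0. A zero weight next to non-zero weights is
    approximated as 0.0 (RFC 2782 gives it a very small chance).
    """
    if not records:
        return {}
    best = min(r[0] for r in records)
    share = {r[3]: 0.0 for r in records}
    active = [r for r in records if r[0] == best]
    total = sum(r[1] for r in active)
    for _, weight, _, target in active:
        # All weights zero: selection degenerates to a uniform pick.
        share[target] = weight / total if total else 1.0 / len(active)
    return share

def skewed(observed, share, tolerance=0.15):
    """Targets whose observed fraction is off by more than `tolerance`."""
    return sorted(t for t, want in share.items()
                  if abs(observed.get(t, 0.0) - want) > tolerance)

if __name__ == "__main__":
    share = expected_share(parse_srv(DEFAULTS))
    observed = {"dc1.yourcompany.com": 0.9, "dc2.yourcompany.com": 0.1}
    print(share, skewed(observed, share))
```

If the records predict an even split and one DC is still flagged, the records are not the cause and the health checks mentioned in the reply (dcdiag, netdiag) are the next step.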


