Re: Windows 2000 logon process

From: ptwilliams (ptw2001_at_hotmail.com)
Date: 11/29/04

  • Next message: Mark Renoden [MSFT]: "Re: Does AD support Windows 95 PC???"
    Date: Mon, 29 Nov 2004 21:09:20 -0000
    
    

    I've answered inline...

    -- 
    Paul Williams
    http://www.msresource.net
    http://forums.msresource.net
    "Paul Hadfield" <paul@anon.com> wrote in message 
    news:uDjnSyI1EHA.1124@tk2msftngp13.phx.gbl...
    The files being accessed that I have been watching in Computer
    Management/Open Files have names similar to
    {0B46DFD3-5180-461B-B066-AD018D007F42} and so I am assuming that this is
    when clients are accessing the GPO stored in SYSVOL during logon. Also I am
    seeing .cmd files which are the logon scripts run by each client.
    PW >> Sounds like - that's a combination of DNS and Dfs client pointing 
    them here...
    Only the first domain controller is a GC. Is it worth making both DCs
    Global Catalogue servers? Are there any drawbacks to this?
    PW >> Yes!!  You should have at least two GCs - in single domain 
    environments I always make all DCs GCs.
    No, there are no drawbacks (to having more than one - there's a bit more to 
    it in multiple-domain environments with disparate sites and WAN links, but 
    we'll not go into that here).
    As the primary DC is the only GC server at the moment, would this mean that
    the secondary DC would not be able to correctly answer domain logon requests
    should the primary DC fail?
    PW >> It would mean just that!!!  GCs are contacted as part of the 
    authentication process to enumerate group memberships (as you can be a 
    member of groups in other domains, e.g. Universal Groups) and to resolve 
    your UPN.
    You need multiple GCs.  And don't worry about the GC/IM conflict - that only 
    applies to multiple domain forests with a mix of DCs and GCs.
     -- http://www.msresource.net/content/view/14/46/
    All user TS profiles are roaming and are stored on 2 data servers (Windows
    2000 member servers).
    Round Robin and Net-mask ordering are both enabled on both AD-DNS servers.
    PW >> OK, that's fine.
    While I think on, would the fact that all the TS servers and both DCs have
    3 network cards, each configured to give access to 3 separate networks have
    any bearing on this? All servers are configured to access DNS across each
    network in the same order (Network and Dial-up settings - Advanced
    Settings - Adapters and Bindings).
    PW >> Yes, this could have a bearing.  With multiple NICs there's going to 
    be multiple entries in DNS for different IP addresses - net mask ordering 
    will 'tweak' the order in which the results are returned.  I'd look into 
    this, but would try having more than one GC first - that will make a 
    difference.
    Remember - DNS is the single-most important aspect in all this!!!
    Thanks again in advance for any comments offered,
    PW >> No problem!!!  : )
    Paul.
    "ptwilliams" <ptw2001@hotmail.com> wrote in message
    news:ONSIGu$0EHA.2112@TK2MSFTNGP15.phx.gbl...
    > Because the zone database is the same, and thus this won't affect
    > anything.
    >
    > The DNS/IP locator requests a DC from DNS by querying either
    > _ldap._tcp.dc._msdcs.domain-name.com or, if it is already aware of its site,
    > _ldap._tcp.siteName.sites.dc._msdcs.domain-name.com (these can vary
    > depending on the criteria passed to dsGetDc).  These records refer to an A
    > record, so that is resolved to an IP address and then passed back using both
    > round-robin and net mask ordering.  So, clients querying a DNS server in
    > site A (a site which contains two DCs) would get the first and then the
    > second and then the first and the second, etc. passed back.
    >
    > Like Cary said, a 50/50 split.  Add another DC into the mix and divide by 3,
    > etc.
    >
    > Are you sure the open files and connections are actually logon traffic?
    > Where are the home folders and profiles stored?
    >
    > Also, if that machine is the only GC, the other DC will query the GC as part
    > of the logon process.
    >
    >
    > If you're really worried, you should ensure both round-robin and net-mask
    > ordering are indeed enabled, and that both DCs are GCs.
    >
    > -- 
    >
    > Paul Williams
    >
    > http://www.msresource.net
    > http://forums.msresource.net
    >
    >
    > "Paul Hadfield" <paul@anon.com> wrote in message
    > news:%23vjuJk%230EHA.3416@TK2MSFTNGP09.phx.gbl...
    > Hi all,
    >
    > After trying everything that Cary has suggested I still get the same
    > problem. Has anyone any other ideas? Why can't I just change the DNS order
    > on some of the member servers?
    >
    > Cheers,
    > Paul.
    >
    >
    > "Paul Hadfield" <paul@anon.com> wrote in message
    > news:udgEvnV0EHA.1264@TK2MSFTNGP12.phx.gbl...
    >> Cary,
    >>
    >> Thanks for your reply.
    >>
    >> Having checked AD Sites and Services it appears that we did not have a
    >> subnet set for our Default-First-Site-Name (which is the only site we
    >> have - both physically and logically). I have now corrected this.
    >>
    >> We are running Active Directory with integrated DNS. I have cross checked
    >> the forward lookup DNS records across both AD DNS servers and they both
    >> show the same information. Also, the weighting and priorities for both
    >> servers are set to their default values of 0 and 100.
    >>
    >> Having watched the open files again on both DNS servers at peak login time
    >> this morning, it seems that the primary AD server is still taking around
    >> 90% of the load. However, as I created the subnet and associated it with
    >> our site on the primary AD server only 15-20 mins or so before domain
    >> logons really started to get busy, so I'd imagine it would be best to
    >> check again tomorrow morning to give AD plenty of time to fully
    >> synchronise.
    >>
    >> I've also installed and run the support tools on both DCs using the
    >> switches you suggested. The dcdiag /c /v came back with 2 errors while
    >> testing services. Both errors were while trying to open IISADMIN and
    >> SMTPSVC. We do not have IIS installed on the DCs so should this be a
    >> problem??? All of the netdiag.exe tests passed.
    >>
    >> Hopefully all will be well tomorrow morning. Out of interest, how long can
    >> AD take to fully implement the subnet I've added in Sites and Services
    >> across the domain? I made the change at around 8.30am. Domain logons
    >> normally start to get busy around 8:45am - 8:50am.
    >>
    >> Thanks again,
    >> Paul.
    >>
    >>
    >>
    >> "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
    >> news:uRg%23UUK0EHA.2788@TK2MSFTNGP15.phx.gbl...
    >>> Paul,
    >>>
    >>> This is a good question.  Things are supposed to be handled in a 50/50
    >>> basis out-of-the-box when you have two Domain Controllers ( and 33/33/33
    >>> when you have three Domain Controllers, etc. ) .  How does this happen?
    >>> There are two key entries in the SRV records - weight and priority.  These
    >>> two entries determine this.
    >>>
    >>> Clients are supposed to first check for DCs in their Site.  This is
    >>> handled by the IP Address of the client and the info that AD has about the
    >>> various IP Ranges ( from the Active Directory Sites and Services ).  This
    >>> is why it is important to set this up correctly.  Create a Subnet and
    >>> associate it with a Site.  But, this is a bit of a digression ( well, not
    >>> really ) from where I am going with this.
    >>>
    >>> Should multiple Domain Controllers exist in a Site ( and everything else
    >>> is working just fine ) which DC would a client use for authentication?
    >>> The one with the lowest weight!  So, [0] is pretty low, right?  Drats,
    >>> both DCs have a weight of [0].  Now what?  Ah, there is a priority entry.
    >>> The client will - statistically speaking - use the DC with the higher
    >>> priority ( well, it is actually a bit of a percentage thing....if one DC
    >>> has a priority of [80] and the other DC has a priority of [20] then the
    >>> first DC will handle about 4x as many authentication requests as the
    >>> second.  "About" is the key word in that phrase.  ).  Now, out of the box
    >>> Domain Controllers have a priority of [100].
    >>>
    >>> Has anyone messed with these entries and their values?
    >>>
    >>> Also, assuming that everything is at the defaults ( [0][100] for both
    >>> Domain Controllers ) you should be seeing approximately 50/50.  This is
    >>> clearly not the case as you have stated that one DC is responding to
    >>> about 90% of the authentication requests.  If there are any problems and
    >>> the DC that is 'supposed' to respond to the request can not within the
    >>> allotted time ( 100 milliseconds ) then the client will go elsewhere ( to
    >>> the second DC in the list and then to the third and so on and so forth ).
    >>> Are there any problems with the second DC?  Have you installed the
    >>> Support Tools and run dcdiag /c /v on both of your Domain Controllers
    >>> just to get a general idea as to their health?   I would also do a
    >>> netdiag /v.
    >>>
    >>> I also assume that if you were to look at your DNS MMC in the Forward
    >>> Lookup Zone you would see the exact same information on the second DC as
    >>> you do on the first DC ( records, weight, priority ).  This is how it is
    >>> supposed to work!
    >>>
    >>> Now, you specifically stated that you have a Primary DNS server and a
    >>> Secondary DNS server.  Are you using these terms according to the way
    >>> that DNS uses them?  Meaning, you have a DNS Server that is the Primary
    >>> DNS Server for a specific zone ( yourcompany.com, for example ) and then
    >>> you have some other DNS Servers that are functioning as Secondary DNS
    >>> Servers for that same zone ( yourcompany.com )?  Or, are you running
    >>> Active Directory Integrated DNS and simply used these terms....
    >>>
    >>> HTH,
    >>>
    >>> Cary
    >>>
    >>>
    >>>
    >>> "Paul Hadfield" <paul@anon.com> wrote in message
    >>> news:%23b0gUrH0EHA.1652@TK2MSFTNGP11.phx.gbl...
    >>>> All,
    >>>>
    >>>> We have a network with 2 DCs running Windows 2000 SP4 and 10+ member
    >>>> servers running Windows 2000 Advanced Server SP4 with Terminal Services
    >>>> installed in Application Mode. The first DC has its primary DNS setting
    >>>> as localhost and no secondary DNS. The second DC has its primary DNS set
    >>>> to the IP of the first DC, and its secondary DNS set to localhost. Each
    >>>> member server has its primary DNS set to the first DC server and the
    >>>> second DNS set to the second DC server.
    >>>>
    >>>> I've noticed that by using computer management for each DC and watching
    >>>> the Open Files section, the first DC seems to handle around 90% of the
    >>>> domain logons and the second DC gets the rest. I'd like to try and
    >>>> balance out the logon request and GPO load between the two DCs to try
    >>>> and increase logon responses at peak times. Can I safely change the
    >>>> order of the primary and secondary DNS servers on some of the member
    >>>> servers to force them to go to the second DC first for network logons?
    >>>> Are there any drawbacks to doing this? Is there a better way to try and
    >>>> balance the load between the two DCs?
    >>>>
    >>>> Cheers in advance,
    >>>> Paul.
    >>>>
    >>>>
    >>>
    >>>
    >>
    >>
    >
    >
    >
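The SRV priority/weight selection the thread discusses, simulated as an added example (not code from any poster) following RFC 2782: the lowest priority value is tried first and, among records sharing that priority, weight sets the proportional split, so two DCs with identical records come out near 50/50 and a record with a higher priority value is only a fallback. Host names and record values below are constructed.

```python
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    """One _ldap._tcp.dc._msdcs SRV record (constructed values, not real hosts)."""
    target: str
    priority: int
    weight: int


def select_srv_target(records, rng=random):
    """Pick one target per RFC 2782: the lowest priority value wins outright;
    records sharing that priority are chosen at random in proportion to weight."""
    if not records:
        raise ValueError("no SRV records to choose from")
    lowest = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == lowest]
    total = sum(r.weight for r in candidates)
    if total == 0:
        # All weights zero (or a single record): plain uniform choice.
        return rng.choice(candidates).target
    pick = rng.randint(0, total - 1)
    running = 0
    for r in candidates:
        running += r.weight
        if pick < running:
            return r.target
    return candidates[-1].target  # not reachable; keeps the function total


def simulate_logon_split(records, trials=10000, seed=1):
    """Run many DC-locator lookups and return the fraction each DC was chosen."""
    rng = random.Random(seed)
    counts = Counter(select_srv_target(records, rng) for _ in range(trials))
    return {target: counts[target] / trials for target in sorted(counts)}


# Constructed records for a single site with two DCs.
DEFAULTS = [SrvRecord("dc1.example.local", 0, 100), SrvRecord("dc2.example.local", 0, 100)]
SKEWED = [SrvRecord("dc1.example.local", 0, 80), SrvRecord("dc2.example.local", 0, 20)]
FAILOVER = [SrvRecord("dc1.example.local", 0, 100), SrvRecord("dc2.example.local", 10, 100)]

if __name__ == "__main__":
    for name, recs in (("defaults", DEFAULTS), ("80/20 weight", SKEWED), ("priority 0 vs 10", FAILOVER)):
        print(name, simulate_logon_split(recs))
```

A real skew like the 90/10 split reported in the thread cannot come from identical default records; it points at site/subnet, DNS ordering or DC health instead.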
    

