Microsoft KB Archive/305027

= Summary of "Piling On" Scenarios in Active Directory Domains =

Article ID: 305027

Article Last Modified on 12/3/2007


APPLIES TO


 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows 2000 Server
 * Microsoft Windows NT 4.0
 * Microsoft Windows Small Business Server 2003 Premium Edition
 * Microsoft Windows Small Business Server 2003 Standard Edition




This article was previously published under Q305027



IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SUMMARY
This article describes piling-on scenarios in Windows 2000 and Windows Server 2003 domains. It also describes how to troubleshoot and resolve certain issues when piling on occurs.



Overview
With certain exceptions, Windows 2000 and Windows Server 2003 domain controllers in an Active Directory forest are equal peers in terms of the following characteristics:
 * Object creation
 * Object deletion
 * Object replication
 * Authentication
 * Responses to Lightweight Directory Access Protocol (LDAP) queries

Memory, CPU utilization, and server response time are generally the same for domain controllers that use the same hardware and that are performing the same task in a particular Active Directory site.

Certain operations in domain members or domain controllers favor a specific domain controller or class of domain controllers (ignoring site preference). This causes specific domain controllers to experience greater CPU utilization, use of memory, network traffic, and disk I/O, or a greater use of a combination of these components.

The targeting of a specific domain controller or group of domain controllers is referred to as a piling on scenario. This behavior may occur if certain domain-wide and enterprise-wide operations that are not intended for multi-master placement reside on a single domain controller in the domain or forest. Other single-master operations that occur in other environments may be resolved or minimized by configuration changes.

Piling-On Scenarios
The following list summarizes the piling-on scenarios that may occur, describes the symptoms that you may experience in each scenario, and contains information about how to resolve each scenario:
 * DFS Clients Query the Primary Domain Controller (PDC) Every 15 Minutes
 * PDC Registers Two 1C Records
 * PDC Record Appears at the Top of the Windows Internet Name Service (WINS) [1C] List
 * Object Picker Queries the PDC Exclusively
 * Pass-Through Authentication Goes to the PDC Exclusively
 * Windows 2000 Clients in Windows NT 4.0 Domain Are Authenticated Exclusively by the PDC
 * Windows 2000, Windows XP, and Windows Server 2003 Clients in Mixed-Operating System Domains Are Authenticated Exclusively by Later-Model Domain Controllers After Being Discovered
 * Many Earlier-Version Clients May Lead to the PDC Not Functioning Correctly
 * High Number of Incorrect Password Attempts May Cause High Load on PDC
 * DFS Servers Pull Partition Knowledge Table (PKT) from PDC on DFS Configuration Changes

DFS Clients Query the Primary Domain Controller (PDC) Every 15 Minutes
Symptoms
==== Windows NT 4.0 ====

Windows NT 4.0 Service Pack 6 (SP6) DFS clients query the PDC four times per hour for the domain-based Microsoft Distributed File System (DFS).

==== Windows 2000, Windows XP, and Windows Server 2003 ====

Windows 2000, Windows XP, and Windows Server 2003 clients query the PDC four times per hour for the domain-based DFS by using the dsgetdc command instead of the PDC-directed netgetdc command that is used by Windows NT 4.0 SP6 clients.

Resolution
To resolve this issue, reduce the frequency of queries. To do so, use one of the following methods (as appropriate to your version of Windows).

==== Windows NT 4.0 ====

To reduce the frequency of queries, edit the registry according to the method described in the following article in the Microsoft Knowledge Base:

291377 Policy to Control the Frequency of Windows XP Client DFS Queries

==== Windows XP and Windows Server 2003 Clients ====

For additional information about how to reduce the frequency of queries, click the following article number to view the article in the Microsoft Knowledge Base:

291377 Policy to Control the Frequency of Windows XP Client DFS Queries




PDC Registers Two 1C Records
To resolve this issue on Windows 2000-based domain controllers, obtain and install the latest Windows 2000 service pack. For additional information about how to obtain the latest Windows 2000 service pack, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

For additional information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:

269424 WINS Prepend1BTo1CQueries Feature Aids Load-Balancing Between Domain Controllers

For Windows Server 2003-based domain controllers, only configure the registry.


PDC Record Appears at the Top of the Windows Internet Name Service (WINS) [1C] List
Symptoms
The WINS [1C] list is sorted by IP address; therefore, the server with the lowest IP address is returned first and may be favored by clients.

Resolution
To resolve this issue, use one of the following methods (as appropriate to your version of Windows):

==== Windows NT 4.0 ====

To resolve this issue, install Windows NT 4.0 Service Pack 4 (SP4) or later, and then enable the   registry value in the registry. For additional information about how to obtain the latest Windows NT 4.0 service pack, click the following article number to view the article in the Microsoft Knowledge Base:

152734 How to Obtain the Latest Windows NT 4.0 Service Pack

For additional information about how to enable the Randomize1cList feature, click the following article number to view the article in the Microsoft Knowledge Base:

231305 WINS Randomize1cList Feature Aids Load-Balancing Between DCs

==== Windows 2000 ====

To resolve this issue, enable the   registry value by editing the registry. For additional information about how to do so, click the following article number to view the article in the Microsoft Knowledge Base:

231305 WINS Randomize1cList Feature Aids Load-Balancing Between DCs



Object Picker Queries the PDC Exclusively
Symptoms
When Object Picker on pre-Windows 2000 Service Pack 3 (SP3) clients enumerates users, groups, or computer accounts from a domain based on an earlier operating system, only the PDC is contacted to provide the list of objects.

Resolution
For additional information about how to obtain the latest Windows 2000 service pack, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack


Pass-Through Authentication Goes to the PDC Exclusively
Authentication requests from Windows NT LAN Manager (NTLM) clients with security channels to Windows NT 4.0 and Windows 2000 backup domain controllers (BDCs) are forwarded to the PDC if the authentication request fails and any of the following status codes are returned:


 * STATUS_ACCOUNT_LOCKED_OUT
 * STATUS_WRONG_PASSWORD
 * STATUS_PASSWORD_MUST_CHANGE
 * STATUS_PASSWORD_EXPIRED

Note NTLM clients include LanMan, Microsoft Windows 95, Microsoft Windows 98, Windows NT 4.0, and sometimes Windows 2000 clients.

The following scenarios can cause the PDC to experience a greater usage of CPU, memory, disk or other resources than other domain controllers in the domain:
 * Service accounts on domain member computers with expired passwords that have security channels to non-PDC domain controllers (STATUS_WRONG_PASSWORD).
 * Logon authentication for user accounts when the User must change password check box is selected in Windows NT 4.0 domains, or on Windows network clients that are not multi-master aware, or a reset of the User must change password attribute for many users.
 * Users who enter passwords during logon or network authentication that do not match their respective passwords on their security channel domain controller.

In sufficient quantity, these operations individually may overload a domain controller, or they may cause sufficient incremental load to affect service levels.

Resolution
 * If service accounts are trying to log on with outdated passwords, identify the problem service accounts by using your preferred account lockout tool against the PDC, and then either stop the service accounts or reset the passwords.
 * If a password reset occurs for many users, scope the number of accounts where User must change password is set.
 * "Hide" the PDC in WINS and DNS by editing the registry to enable the   registry value. For additional information about how to do so, click the following article number to view the article in the Microsoft Knowledge Base:

231305 WINS Randomize1cList Feature Aids Load-Balancing Between DCs

 * Investigate whether the PDC contains the negative-caching fixes that are discussed in the following article in the Microsoft Knowledge Base:

272065 Bad Password Attempts are Repeatedly Forwarded from Domain Controllers to the PDC Operations Master
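As an added example (not part of this article), the following PowerShell scopes the two PDC load sources named in the resolution above: accounts that have User must change password set, and accounts whose failed password attempts are accumulating on the PDC. It assumes the ActiveDirectory module from RSAT and domain controllers that support it, which this article does not cover; the threshold of 5 bad attempts is an assumed value.

```powershell
# Added example, not code from KB 305027. Assumes the ActiveDirectory
# PowerShell module (RSAT) and a domain that supports it.
Import-Module ActiveDirectory

function Get-PdcLoadSources {
    param(
        [int]$BadPasswordThreshold = 5   # assumed threshold; tune per environment
    )

    # The PDC emulator is the DC that receives the forwarded bad-password
    # checks, so query it directly rather than whichever DC the client picks.
    $pdc = (Get-ADDomain).PDCEmulator

    # "User must change password at next logon" is stored as pwdLastSet = 0.
    # Counting enabled accounts with that value scopes the second bullet above.
    $mustChange = Get-ADUser -Server $pdc -Filter 'pwdLastSet -eq 0' -Properties pwdLastSet |
        Where-Object { $_.Enabled }

    # badPwdCount is not replicated between DCs; the PDC's own copy reflects
    # every forwarded failure, which is what an account lockout tool run
    # against the PDC (first bullet above) reports.
    $badPwd = Get-ADUser -Server $pdc -Filter "badPwdCount -ge $BadPasswordThreshold" `
        -Properties badPwdCount, LastBadPasswordAttempt |
        Sort-Object badPwdCount -Descending

    [pscustomobject]@{
        PdcEmulator             = $pdc
        MustChangePasswordCount = @($mustChange).Count
        RepeatedBadPassword     = $badPwd |
            Select-Object SamAccountName, badPwdCount, LastBadPasswordAttempt
    }
}

$report = Get-PdcLoadSources
"PDC emulator: $($report.PdcEmulator)"
"Enabled accounts with 'User must change password' set: $($report.MustChangePasswordCount)"
$report.RepeatedBadPassword | Format-Table -AutoSize
```

Service accounts that appear in the RepeatedBadPassword list with a steadily advancing LastBadPasswordAttempt are the ones to stop or reset, per the first resolution step.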


Windows 2000 Clients in Windows NT 4.0 Domain Are Authenticated Exclusively by the PDC
Symptoms
Windows 2000 clients in Windows NT 4.0 domains are initially authenticated only by the PDC of the domain.

Resolution
To resolve this issue, install Windows 2000 Service Pack 2 (SP 2) or later.


Windows 2000, Windows XP, and Windows Server 2003 Clients in Mixed-Operating System Domains Are Authenticated Exclusively by Later-Model Domain Controllers After Being Discovered
Symptoms
Windows 2000, Windows XP, and Windows Server 2003 clients that are joined to mixed-operating system domains are authenticated only by Windows 2000 or Windows Server 2003 domain controllers after the security channel is updated.

Resolution
This behavior is by design, but it may be mitigated by deploying additional Active Directory domain controllers, particularly in Active Directory sites that contain many users. Also, make sure that the   registry key is set correctly to prevent bulk security channel migration to one Active Directory domain controller.

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

298713 How to Prevent Overloading on the First Domain Controller During Domain Upgrade


Many Earlier-Version Clients May Lead to the PDC Not Functioning Correctly
Symptoms
If you have many Windows NT clients (more than 25,000), and they all send the PDC a request to change the user password or the computer account password, the client requests are "Discarded as too old."

This problem occurs because a request to change the user password or the computer password is sent specifically to the PDC in the form of a mailslot Request for primary. By default, as the mailslots are received by the PDC, they are queued for 15 seconds before being discarded as too old. However, in Windows 2000 Service Pack 3 (SP3) or earlier, the client-name-to-IP mapping is held in the NBT cache for only 10 seconds. As a result, the PDC may have to contact the WINS server to resolve the client name to an IP address for each client request. If the name resolution cannot be completed before the mailslot's 15-second cache limit expires, the PDC's mailslot processing cannot recover from this situation. Therefore, the client requests will be "Discarded as too old."

Resolution
Windows 2000 Service Pack 4 (SP4) contains a hotfix that increases the NBT cache limit to be equal to the mailslot timeout of 15 seconds.

For additional information about this hotfix, click the following article number to view the article in the Microsoft Knowledge Base:

316803 Earlier Clients May Fail to Change Passwords or Join in a Windows 2000 Domain

To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack


High Number of Incorrect Password Attempts May Cause High Load on PDC
Symptoms
By default, when a user enters an incorrect password, the password is sent to the PDC in case the password was changed recently. In a domain that has many users, this may cause a high load on the PDC's resources.

-or-

Many computers in the domain may run a program or a service that uses incorrect logon credentials and may retry these credentials repeatedly.

Resolution
To resolve this behavior, you set the registry key  to take this load off the PDC. For additional information about this problem, click the following article number to view the article in the Microsoft Knowledge Base:

225511 New Password Change and Conflict Resolution Functionality in Windows


DFS Servers Pull Partition Knowledge Table (PKT) from PDC on DFS Configuration Changes
Symptoms
When the DFS configuration of a DFS fault-tolerant root changes, all root targets are notified of the configuration change. They then receive the new PKT from the PDC of the domain. If you have many root targets and frequent changes, it can be a significant load on the PDC.

Resolution
Windows Server 2003 implements a feature known as Root Scalability Mode. When this feature is turned on, changes are not sent as notification to the root targets, and the targets do not pull the PKT from the PDC. Instead, they pull the PKT from their closest domain controller. Although configuration changes move around the network more slowly, the load on the PDC is significantly lower. To turn on Root Scalability Mode, run the following command:

dfsutil /root:\\ \ /RootScalability /Enable

Note Only servers that are running Windows Server 2003 can use this setting.


Keywords: kbinfo KB305027


© Microsoft Corporation. All rights reserved.