Microsoft KB Archive/187825

= How to minimize Exchange authentication traffic over TCP/IP =

Article ID: 187825

Article Last Modified on 2/27/2007


APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows NT Server 4.0 Enterprise Edition
 * Microsoft Windows NT Server 3.51
 * Microsoft Windows NT Server 4.0 Standard Edition
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition




This article was previously published under Q187825





SUMMARY
Computers running Microsoft Exchange Server can generate considerable WAN traffic when authenticating users. This article describes possible measures to minimize that traffic.



MORE INFORMATION
Users accessing Exchange using a domain account must be authenticated. If the computer running Exchange Server is a backup domain controller (BDC) for the domain in which the user account resides, no network traffic is generated authenticating the user. If the computer running Exchange Server is not a domain controller (DC) or the account is from a trusted domain, pass-through authentication is used to validate the user.

In a pass-through authentication scenario, the computer running Exchange Server must find a domain controller for the domain of the user requesting access. With TCP/IP, Exchange will usually query WINS for the [1C] entry of the user's domain. The query returns a list of up to 25 domain controllers that the computer running Exchange Server attempts to contact. After a DC is found, a secure channel is set up, and the computer running Exchange Server validates the user.

Depending on the NetBIOS name resolution strategy, the computer running Exchange Server may set up its secure channel with a non-local or distant DC. This can cause authentication traffic to cross the WAN instead of going to a more local DC (if available).

To limit the amount of authentication traffic over the WAN, place a BDC for every domain in which an Exchange user account is located on the same network segment as the computer running Exchange Server. Then take the necessary steps to ensure the Exchange server uses these local DCs for validation purposes.
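
One way to check the outcome of the placement described above, as an added example that is not part of the original article: it parses the output of `nltest /sc_query:<domain>` captured on the Exchange server for each account domain and reports whether the secure channel landed on a DC in the local segment. The sample output, the domain and DC names, the address inventory and the subnet are constructed assumptions.

```python
import ipaddress
import re

# Constructed samples of `nltest /sc_query:<domain>` output as captured on the
# Exchange server; domain names, DC names and addresses are hypothetical.
SC_QUERY_OUTPUT = {
    "SALES": r"""Flags: 30 HAS_IP  HAS_TIMESERV
Trusted DC Name \\SALESBDC1
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully""",
    "ENG": r"""Flags: 30 HAS_IP  HAS_TIMESERV
Trusted DC Name \\ENGPDC.eng.example.test
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully""",
    "HR": r"""Flags: 0
Trusted DC Name
Trusted DC Connection Status Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
The command completed successfully""",
}
DC_ADDRESSES = {"SALESBDC1": "10.1.0.12", "ENGPDC": "172.16.40.5"}  # assumed inventory
LOCAL_SEGMENT = ipaddress.ip_network("10.1.0.0/24")  # assumed Exchange server segment


def parse_sc_query(text):
    """Return (dc_name, status_code) from one nltest /sc_query output."""
    dc = re.search(r"^Trusted DC Name[ \t]+\\\\(\S+)", text, re.M)
    status = re.search(r"Connection Status Status = (\d+)", text)
    # Reduce an FQDN to the upper-case host name used as the inventory key.
    name = dc.group(1).split(".")[0].upper() if dc else None
    return name, int(status.group(1)) if status else None


def classify(text, dc_addresses, local_segment):
    """Classify a secure channel as local, remote, unknown-dc or no-channel."""
    name, status = parse_sc_query(text)
    if status != 0 or name is None:
        return "no-channel"      # no DC reached, e.g. ERROR_NO_LOGON_SERVERS
    addr = dc_addresses.get(name)
    if addr is None:
        return "unknown-dc"      # DC missing from the inventory
    return "local" if ipaddress.ip_address(addr) in local_segment else "remote"


def audit(outputs=SC_QUERY_OUTPUT):
    """Map each account domain to the verdict for its secure channel."""
    return {dom: classify(out, DC_ADDRESSES, LOCAL_SEGMENT) for dom, out in outputs.items()}


if __name__ == "__main__":
    for domain, verdict in audit().items():
        print(f"{domain}: {verdict}")
```

A `remote` verdict marks a domain whose authentication traffic is crossing the WAN even though a local BDC may exist.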

Keywords: kbhowto KB187825


© Microsoft Corporation. All rights reserved.