Microsoft KB Archive/309115

= Windows NT PDC Handles All Secure Channel/Authentication Requests for Windows 2000 Domain Members =

Article ID: 309115

Article Last Modified on 2/28/2007


APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Datacenter Server




This article was previously published under Q309115



SYMPTOMS
Windows 2000 domain member computers are authenticated exclusively by the primary domain controller (PDC) of the Microsoft Windows NT 4.0 domain that hosts the computer accounts. Windows NT 4.0 backup domain controllers (BDCs) authenticate logon requests for Windows 2000 member computers when the Netlogon service on the PDC has been stopped by the administrator. The Windows NT 4.0 PDC processes all authentication requests as soon as the Netlogon service is restarted.



CAUSE
When a Windows 2000-based computer is joined to a Windows domain, the join process caches the name of the domain controller (DC) that was used during the join operation. When the computer is restarted for the first time after the join, it reads the cached information from the registry and uses that cached DC to set up its secure channel. The DC used during the initial join is contacted deliberately, because it is the one DC that is guaranteed to already hold the correct computer account information for the client.

In a Windows NT 4.0 domain, users, computers, and groups can only be created on the PDC of a domain. Because of this, all Windows 2000-based clients that join a Windows NT 4.0 domain establish a secure channel with the PDC on the first boot after the domain join operation. This behavior contributes to:
 * Higher network utilization, because Windows 2000 member computers establish secure channels and perform logon authentication exclusively with the Windows NT 4.0 PDC. This is especially noticeable when Windows 2000 clients ignore local Windows NT 4.0 BDCs for logon requests and instead use the PDC across the WAN.
 * Higher CPU utilization on the PDC and longer logon times, because Windows 2000 uses the Windows NT 4.0 PDC exclusively for logon authentication. The PDC in a given domain typically already has the highest CPU and memory utilization of all DCs.

Cached information in the registry is used by the Netlogon and Kerberos client components.

The expected behavior is that once Kerberos is done with the cached information, it writes "KerbIsDoneWithJoinDomainEntry" into the \Netlogon\Parameters section of the registry. Netlogon is notified of the registry change and deletes the cached information, so that the next time Netlogon establishes the secure channel, the domain member uses a generic DC that is discovered through the 1C query in WINS.

When Windows 2000 member computers are joined to a Windows NT 4.0 domain, Kerberos never writes KerbIsDoneWithJoinDomainEntry. Because of this, Netlogon is stuck using the Windows NT 4.0 PDC for its secure channel. As a result, all Windows 2000 computers that join a Windows NT 4.0 domain authenticate and "talk" exclusively with the domain's PDC (unless the PDC is down or the secure channel is reset manually).



RESOLUTION
To resolve this problem, apply Windows 2000 Service Pack 2 to the member computer.

NOTE: As a temporary workaround, turn off the Netlogon service on the PDC or manually set the secure channel for Windows 2000 domain members to BDCs in the NT 4.0 domain.



STATUS
Microsoft has confirmed this to be a problem in Microsoft Windows 2000.



MORE INFORMATION
The code fix that is implemented in Windows 2000 Service Pack 2 (installed on the member computer) is for Netlogon to delete the cached information without waiting for Kerberos when joining Windows NT 4.0 domains (Kerberos isn't going to use a Windows NT 4.0 DC anyway).

The sample Netlogon.log file (dbflag = 0x2080FFFF) and network trace summary below show the NetBIOS and locator calls made during startup by a Windows 2000 member computer that is joined to a Windows NT 4.0 domain.

07/18 13:24:11 [SESSION] ML: NlDiscoverDc: Start Synchronous Discovery
07/18 13:24:11 [MAILSLOT] Sent 'Sam Logon' message to ML[1C] on all transports.
07/18 13:24:14 [MAILSLOT] Sent 'Sam Logon' message to ML[1C] on all transports.
07/18 13:24:15 [MISC] DsGetDcName function called: Dom:(null) Acct:(null) Flags: DSP PDC <-DSGETDC w/ PDC switch
07/18 13:24:15 [MAILSLOT] Sent 'Primary Query' message to ML[1B] on all transports.
07/18 13:24:16 [INIT] NlWaitForService: WMI: wait for service to start

Network Trace Summary:

 * Query for 1C name for ML domain. client = IP:
 * Response to 1C query - PDC ip address = NBT:
 * Client sends samlogon request to PDC.
 * Netlogon: Query for Primary DC
 * Session setup to PDC
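The two signals that distinguish a member pinned to the PDC from a member doing ordinary 1C discovery are visible in the log above: a DsGetDcName call whose flag list contains PDC, and a 'Primary Query' mailslot datagram sent to the domain's [1B] name. The following Python script is an added example, not Microsoft's code or a tool that ships with Windows; it parses Netlogon.log lines of the format shown, counts the mailslot queries by NetBIOS suffix, and reports whether the client went looking for the PDC by name. The sample input is the article's excerpt with the "<-DSGETDC w/ PDC switch" annotation removed (it is commentary, not log output); the reading of DSP as the directory-service-preferred flag is an assumption.

```python
import re
from collections import Counter

# Constructed sample input: the Netlogon.log excerpt from the article
# (dbflag = 0x2080FFFF) with the author's inline annotation stripped.
SAMPLE_LOG = """\
07/18 13:24:11 [SESSION] ML: NlDiscoverDc: Start Synchronous Discovery
07/18 13:24:11 [MAILSLOT] Sent 'Sam Logon' message to ML[1C] on all transports.
07/18 13:24:14 [MAILSLOT] Sent 'Sam Logon' message to ML[1C] on all transports.
07/18 13:24:15 [MISC] DsGetDcName function called: Dom:(null) Acct:(null) Flags: DSP PDC
07/18 13:24:15 [MAILSLOT] Sent 'Primary Query' message to ML[1B] on all transports.
07/18 13:24:16 [INIT] NlWaitForService: WMI: wait for service to start
"""

# "MM/DD HH:MM:SS [TAG] message" as written by the Netlogon debug logger.
LINE_RE = re.compile(
    r"^(?P<date>\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) \[(?P<tag>[A-Z]+)\] (?P<msg>.*)$"
)
# Mailslot datagram sent to a NetBIOS name such as ML[1C] (any DC) or ML[1B] (the PDC).
MAILSLOT_RE = re.compile(
    r"Sent '(?P<kind>[^']+)' message to (?P<domain>[^\[\s]+)\[(?P<suffix>[0-9A-Fa-f]{2})\]"
)
# DC locator call and its flag list; PDC means a PDC was explicitly required
# (DSP is assumed here to be the directory-service-preferred flag).
DSGETDC_RE = re.compile(r"DsGetDcName function called: .*Flags: (?P<flags>.*)$")


def parse_lines(text):
    """Yield (date, time, tag, msg) for each well-formed log line; skip anything else."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("date"), m.group("time"), m.group("tag"), m.group("msg")


def analyze(text):
    """Summarize DC discovery traffic and flag a client that asked for the PDC by name."""
    mailslot = Counter()    # (message kind, NetBIOS suffix) -> number of datagrams
    pdc_flagged_calls = 0   # DsGetDcName calls that carried the PDC flag
    primary_queries = 0     # 'Primary Query' datagrams to the <domain>[1B] PDC name
    for _date, _time, tag, msg in parse_lines(text):
        if tag == "MAILSLOT":
            m = MAILSLOT_RE.search(msg)
            if m:
                key = (m.group("kind"), m.group("suffix").upper())
                mailslot[key] += 1
                if key == ("Primary Query", "1B"):
                    primary_queries += 1
        elif tag == "MISC":
            m = DSGETDC_RE.search(msg)
            if m and "PDC" in m.group("flags").split():
                pdc_flagged_calls += 1
    return {
        "mailslot": mailslot,
        "dsgetdc_pdc_calls": pdc_flagged_calls,
        "primary_queries": primary_queries,
        # Either signal means the member targeted the PDC rather than accepting
        # whichever DC answered the 1C query, which is the symptom in this article.
        "pdc_targeted": pdc_flagged_calls > 0 or primary_queries > 0,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for (kind, suffix), n in sorted(result["mailslot"].items()):
        print(f"{kind:>14} -> [{suffix}] x{n}")
    print("DsGetDcName calls with PDC flag:", result["dsgetdc_pdc_calls"])
    print("PDC targeted:", result["pdc_targeted"])
```

Run against a full Netlogon.log from an affected member, a repeated 'Primary Query' to [1B] at every start, after the Service Pack 2 fix should have cleared the cached join entry, is the quickest way to confirm the member is still pinned to the PDC; a patched member only emits the 'Sam Logon' datagrams to [1C].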

Keywords: kbbug kbenv kbnetwork KB309115


© Microsoft Corporation. All rights reserved.