Question

XP clients logging onto remote DC across WAN instead of local one

By shamous
Hello
I am new to this forum and I am hoping someone can help with a problem I'm tearing my hair out with (not much left to start with). I am midway through rolling out a new 2003 domain to replace the existing NT4 one, with trusts in place between the two. The previous setup was multiple domains, with one for each of 5 sites. I opted to go for a single 2003 domain this time with multiple sites, but I am finding that even though the remote sites have local DCs, they are still opting to log on to the DC at head office. I have read a few articles on this and all 'appears' OK. Site subnets are set up. NLTest shows correct DC info at each site, but if I issue the command echo %logonserver% at any given remote site workstation, they always show the head office DC. Sorry if this is a bit long winded, but I hope someone has some ideas.

Shamous
Network Support

All Answers

Local DC logon

by Wizard-09 In reply to XP clients logging onto r ...

Here you go, hope this helps you out.

From this article
http://www.windowsitpro.com/Articles/ArticleID/13535/13535.html?Ad=1

How can I force a client to validate its logon against a specific domain controller?

Before answering this it is best to understand what happens when a login occurs.

When a logon request is made to a domain, the workstation sends out a request to find a domain controller for the domain. The domain name is actually a NetBIOS name that is a 16-character name with the 16th character used by Microsoft networking services to identify the NetBIOS type.

The type used for a domain controller is <1C> and so the NetBIOS name for domain controller of domain "SAVILLTECH" would be "SAVILLTECH <1C>" The NetBIOS type has to be the 16th character, hence the name of the domain has to be filled with blanks to make its length up to 15 characters.

If the client is WINS enabled then a query for the resolution of "<domain name> <1C>" will be sent to the WINS server as defined in the client's TCP/IP properties. The WINS server will return up to 25 IP addresses that correspond to domain controllers of the requested domain, a \mailslot\net\ntlogon is broadcast to the local subnet, and if the workstation receives a response then it will attempt logon with the local domain controller.

If WINS is not configured then it is possible to manually configure the LMHOSTS file on the Workstations to specify the Domain Controller. This file is located in the %systemroot%\system32\drivers\etc directory.

An example entry in LMHOSTS would be as follows

200.200.200.50 titanic #PRE #DOM:savilltech #savilltech domain controller

The above sets up IP address 200.200.200.50 to be host Titanic, which is the domain controller for savilltech and instructs the machine that this entry is to be preloaded into the cache.

To check the NetBIOS name cache you can use the command nbtstat -c, which will show all the entries including their type. If WINS is not configured and there is no entry in LMHOSTS then the Workstation will send out a series of 3 broadcasts. In the situation where no response is received and WINS is configured to use DNS for WINS resolution, a request to the DNS server will be sent and finally the HOSTS file checked. If all of this fails then an error "A domain controller for your domain could not be contacted."

To force a client to use a specific domain controller we need only do the following:

Start the registry editor
Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
From the Edit menu select New - DWORD value
Enter a name of NodeType and press ENTER
Double click on the new value and set to 4 (this sets the network to M-node/mixed, which means it will perform a broadcast before querying name servers for resolution). By default a system is 1 if no WINS servers are configured (B-node/broadcast) or 8 if at least one WINS server is configured (H-node/queries name servers first, then broadcasts)
Double click on the EnableLMHOSTS value and set to 1. If it does not exist select New - DWORD value from the Edit menu and enter a name of EnableLMHOSTS
Close the registry editor
Reboot the machine
The machine is now configured to broadcast for a domain controller on the local subnet and then query a name server. If no domain controllers are found on the WINS server, or WINS is not used, it will then search the LMHOSTS file. The next stage is to edit this file.

Check for the LMHOSTS file
C>dir %systemroot%\system32\drivers\etc\lmhosts
If the file does not exist copy the sample host file
C>copy %systemroot%\system32\drivers\etc\lmhosts.sam %systemroot%\system32\drivers\etc\lmhosts
1 file(s) copied.
Edit the file using edit.exe, don't use notepad.exe
C>edit %systemroot%\system32\drivers\etc\lmhosts
Go to the end of the comments and add a new line of the format
<ip address> <name of DC> #PRE #DOM:<domain name> #<comment>
e.g. 200.200.200.50 titanic #PRE #DOM:savilltech #savilltech domain controller
Save the changes to the file and exit edit.exe
Force the machine to reload the LMHOSTS file (or just reboot)
C>NBTSTAT -R
Note: The -R must be in capitals, the command is case sensitive
Check the cache
C>NBTSTAT -c
At this point the configuration is complete and a reboot is advisable.
Service Pack 4 includes a new utility, SETPRFDC.EXE, which will direct a secure channel client to a preferred list of domain controllers.

The syntax is:

C> SETPRFDC <Domain Name> <DC1, DC2, ....., DCn>

SETPRFDC will try each DC in the list in order, until a secure channel is established. If DC1 does not respond, DC2 is tried, and so on. Once you run SETPRFDC on a WinNT 4.0, SP4 computer, the list is remembered until you change it. You can run SETPRFDC in batch, via the scheduler, or even in a logon script (for future logons). Don't forget to undo any LMHOSTS entries you might have set.

Keep us informed as to your progress if you require further assistance.

If you think that any of the posts that have been made by all TR Members have solved or contributed to solving the problem, please Mark them as Helpful so that others may benefit from the outcome.

Local DC logon New

by Wizard-09 In reply to XP clients logging onto r ...

Seems like my last post got messed up, here you go.

Unreal, it won't post all the information

by Wizard-09 In reply to XP clients logging onto r ...

Here you go, this is the site it has been taken from: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Q_22521481.html

Near the bottom you will find your answer, damn site lol

Still unsure

by shamous In reply to Unreal It wont post all t ...

Thanks Wizard. Can it be done without using lmhosts? I am using it to ease transition between NT4 and 2K3, but I'd rather not rely on it long term. I've read up on sites, subnets etc. and everything looks fine and sounds logical. Could the legacy lmhosts file be causing me grief, as in it I have only referenced the one AD server at head office and not included remote servers? The main reason I started looking at this is that XP clients are starting to experience very slow logons. This happened when I added AD DNS servers to the DHCP scope shared by NT4 domain and 2003 AD domain client members.
Thanks again

Shamous

Yes

by Wizard-09 In reply to Still unsure

Ok, this is what I would do: the site having the problems is only seeing one DC to log on to (that's head office's DC). I would create an LMHOSTS file on that end to 1st point to the local DC, then if that fails to point to the head office DC, so even if the local DC goes down the machine has another DC at head office to log into.

Have you read everything on the link that I provided? It breaks it all down for you so you can understand each step.
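The LMHOSTS '#PRE #DOM' entries and the '<domain> <1C>' NetBIOS name described in the quoted article, together with the local-DC-first ordering suggested in this reply, as an added worked example (not code from the thread, the article, or Microsoft). Domain, host names and addresses are constructed sample values, and NODE_TYPES[2] (P-node) is a standard value the thread itself does not mention.

```python
"""Added example, not code from the thread or the quoted windowsitpro article.
Builds the LMHOSTS '#PRE #DOM' entries the posts describe, ordered local DC
first and head-office DC second as Wizard-09 suggests, and shows the 16-byte
NetBIOS '<domain> <1C>' name the client resolves. All names and addresses
below are constructed sample values."""
import ipaddress

NETBIOS_NAME_LEN = 15   # name is space-padded to 15 characters ...
DC_GROUP_TYPE = 0x1C    # ... and the 16th byte <1C> marks the domain controller group

# NetBT NodeType values from the registry step (2 = P-node is the standard
# fourth value; the thread itself only mentions 1, 4 and 8).
NODE_TYPES = {1: "B-node: broadcast only",
              2: "P-node: WINS/name server only",
              4: "M-node: broadcast, then name server",
              8: "H-node: name server, then broadcast"}

def netbios_dc_group_name(domain: str) -> bytes:
    """Return the 16-byte NetBIOS name queried as '<domain> <1C>'."""
    name = domain.upper()
    if not name or len(name) > NETBIOS_NAME_LEN or " " in name:
        raise ValueError(f"NetBIOS domain name must be 1-15 chars, no spaces: {domain!r}")
    return name.ljust(NETBIOS_NAME_LEN).encode("ascii") + bytes([DC_GROUP_TYPE])

def lmhosts_entry(ip: str, dc_name: str, domain: str, comment: str = "") -> str:
    """One validated '<ip> <dc> #PRE #DOM:<domain> #<comment>' LMHOSTS line."""
    ipaddress.IPv4Address(ip)                 # raises ValueError on a bad address
    if not dc_name or len(dc_name) > NETBIOS_NAME_LEN or " " in dc_name:
        raise ValueError(f"DC host name must be 1-15 chars, no spaces: {dc_name!r}")
    netbios_dc_group_name(domain)             # the domain must fit a NetBIOS name too
    line = f"{ip} {dc_name} #PRE #DOM:{domain}"
    return f"{line} #{comment}" if comment else line

def lmhosts_block(domain: str, local_dcs, head_office_dcs) -> str:
    """Local-site DCs first, head-office DCs after them as the fallback used
    when the local DC is down. Each item is an (ip, host name) pair."""
    lines = []
    for site, dcs in (("local site", local_dcs), ("head office", head_office_dcs)):
        for ip, name in dcs:
            lines.append(lmhosts_entry(ip, name, domain, f"{domain} DC, {site}"))
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # constructed sample: one DC at the remote site, one at head office
    print(lmhosts_block("savilltech", [("10.20.0.5", "remotedc1")],
                        [("200.200.200.50", "titanic")]), end="")
```

The generated lines go after the comments in %systemroot%\system32\drivers\etc\lmhosts, followed by NBTSTAT -R and NBTSTAT -c as in the quoted steps.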

I'll give it a go

by shamous In reply to Yes

Thanks for the help again, Wizard. I'll make the changes. Yep, read one of the links, but I had to hunt for the other one as I'm not subscribed and it wasn't showing me the content under the adverts as it usually does.
The thing that's strange is that all 4 remote sites are doing the same. I'll give it a go as I don't really want to have to go back to the multi domain model we had with NT4.

Hope

by Wizard-09 In reply to I'll give it a go

You get it sorted. If you have any problems just shout back or drop me a peer email and I will see what else I can do for you. I think that the LMHOSTS files will be the easy way to go here.

Good Luck.
