Windows 2000 logon process

Paul Hadfield

All,

We have a network with 2 DC's running Windows 2000 SP4 and 10+ member
servers running Windows 2000 Advanced Server SP4 with Terminal Services
installed in Application Mode. The first DC has its primary DNS setting as
localhost and no secondary DNS. The second DC has its primary DNS set to
the IP of the first DC, and its secondary DNS set to localhost. Each member
server has its primary DNS set to the first DC server and the second DNS
set to the second DC server.

I've noticed that by using computer management for each DC and watching the
Open Files section, the first DC seems to handle around 90% of the domain
logons and the second DC gets the rest. I'd like to try and balance out the
logon request and GPO load between the two DC's to try and increase logon
responses at peak times. Can I safely change the order of the primary and
secondary DNS servers on some of the member servers to force them to go to
the second DC first for network logons? Are there any drawbacks to doing
this? Is there a better way to try and balance the load between the two
DC's?

Cheers in advance,
Paul.
 
Cary Shultz [A.D. MVP]

Paul,

This is a good question. Things are supposed to be handled in a 50/50 basis
out-of-the-box when you have two Domain Controllers ( and 33/33/33 when you
have three Domain Controllers, etc. ) . How does this happen? There are
two key entries in the SRV records - weight and priority. These two entries
determine this.

Clients are supposed to first check for DCs in their Site. This is handled
by the IP Address of the client and the info that AD has about the various
IP Ranges ( from the Active Directory Sites and Services ). This is why it
is important to set this up correctly. Create a Subnet and associate it
with a Site. But, this is a bit of a digression ( well, not really ) from
where I am going with this.

Should multiple Domain Controllers exist in a Site ( and everything else is
working just fine ) which DC would a client use for authentication? The one
with the lowest weight! So, [0] is pretty low, right? Drats, both DCs have
a weight of [0]. Now what? Ah, there is a priority entry. The client
will - statistically speaking - use the DC with the higher priority ( well,
it is actually a bit of a percentage thing....if one DC has a priority of
[80] and the other DC has a priority of [20] then the first DC will handle
about 4x as many authentication requests as the second. "About" is the key
word in that phrase. ). Now, out of the box Domain Controllers have a
priority of [100].

Has anyone messed with these entries and their values?

Also, assuming that everything is at the defaults ( [0][100] for both Domain
Controllers ) you should be seeing approximately 50/50. This is clearly not
the case as you have stated that one DC is responding to about 90% of the
authentication requests. If there are any problems and the DC that is
'supposed' to respond to the request can not within the allotted time ( 100
milliseconds ) then the client will go elsewhere ( to the second DC in the
list and then to the third and so on and so forth ). Are there any problems
with the second DC? Have you installed the Support Tools and run dcdiag /c
/v on both of your Domain Controllers just to get a general idea as to their
health? I would also do a netdiag /v.

I also assume that if you were to look at your DNS MMC in the Forward Lookup
Zone you would see the exact same information on the second DC as you do on
the first DC ( records, weight, priority ). This is how it is supposed to
work!

Now, you specifically stated that you have a Primary DNS server and a
Secondary DNS server. Are you using these terms according to the way that
DNS uses them? Meaning, you have a DNS Server that is the Primary DNS
Server for a specific zone ( yourcompany.com, for example ) and then you
have some other DNS Servers that are functioning as Secondary DNS Servers
for that same zone ( yourcompany.com )? Or, are you running Active
Directory Integrated DNS and simply used these terms....

HTH,

Cary
 
Paul Hadfield

Cary,

Thanks for your reply.

Having checked AD Sites and Services it appears that we did not have a
subnet set for our Default-First-Site-Name (which is the only site we have -
both physically and logically). I have now corrected this.

We are running Active Directory with integrated DNS. I have cross checked
the forward lookup DNS records across both AD DNS servers and they both show
the same information. Also, the weighting and priorities for both servers
are set to their default values of 0 and 100.

Having watched the open files again on both DNS servers at peak login time
this morning, it seems that the primary AD server is still taking around 90%
of the load. However, as I created the subnet and associated it with our
site on the primary AD server only 15-20 mins or so before domain logons
really started to get busy, so I'd imagine it would be best to check again
tomorrow morning to give AD plenty of time to fully synchronise.

I've also installed and run the support tools on both DC's using the
switches you suggested. The dcdiag /c /v came back with 2 errors while
testing services. Both errors were while trying to open IISADMIN and
SMTPSVC. We do not have IIS installed on the DC's so should this be a
problem??? All of the netdiag.exe tests passed.

Hopefully all will be well tomorrow morning. Out of interest, how long can
AD take to fully implement the subnet I've added in Sites and Services
across the domain? I made the change at around 8.30am. Domain logons
normally start to get busy around 8:45am - 8:50am.

Thanks again,
Paul.

 
Paul Hadfield

Hi all,

After trying everything that Cary has suggested I still get the same
problem. Has anyone any other ideas? Why can't I just change the DNS order
on some of the member servers?

Cheers,
Paul.

 
ptwilliams

Because the zone database is the same, and thus this won't affect anything.

The DNS/IP locator requests a DC from DNS by querying either
_ldap._tcp.dc._msdcs.domain-name.com or, if it is already aware of its site,
_ldap._tcp.siteName.sites.dc._msdcs.domain-name.com (these can vary
depending on the criteria passed to dsGetDc). These records refer to an A
record, so that is resolved to an IP address and then passed back using both
round-robin and net mask ordering. So, clients querying a DNS server in
site A (a site which contains two DCs) would get the first and then the
second and then the first and the second, etc. passed back.

Like Cary said, a 50/50 split. Add another DC into the mix and divide by 3,
etc.

Are you sure the open files and connections are actually logon traffic?
Where are the home folders and profiles stored?

Also, if that machine is the only GC, the other DC will query the GC as part
of the logon process.


If you're really worried, you should ensure both round-robin and net-mask
ordering are indeed enabled, and that both DCs are GCs.

--

Paul Williams

http://www.msresource.net
http://forums.msresource.net
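As an added example that is not from the thread or from either poster, the following Python simulates the locator step Cary's post (SRV weight and priority) and Paul Williams' post (the _ldap._tcp.dc._msdcs query) describe. It follows the RFC 2782 client rules, in which the lowest priority value is preferred outright and weight sets each DC's share among records with equal priority; the domain name, site name and SRV lines are constructed sample data, and the per-site query name is built from the form Netlogon registers (_ldap._tcp.<site>._sites.dc._msdcs.<domain>).

```python
"""Simulate how a DC locator picks a domain controller from SRV records.

Added example for the thread above, not code from any of the posters.
The client asks DNS for the SRV records under _ldap._tcp.dc._msdcs.<domain>
(or the site-specific name once it knows its site) and picks one target
per RFC 2782: the lowest priority value wins outright, and among records
sharing that priority the weight sets each DC's share of requests.
All DNS names and records below are constructed sample data.
"""
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    """One SRV answer: which host, and its RFC 2782 priority and weight."""
    target: str
    priority: int
    weight: int
    port: int = 389


def locator_query_names(domain, site=None):
    """Names a DC locator asks DNS for, most specific first.

    Netlogon registers a per-site record under <site>._sites as well as the
    domain-wide one, so a client that already knows its site tries the
    site-specific name before falling back to the domain-wide one.
    """
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    return names


def parse_srv(line):
    """Parse a zone-file style line: name TTL IN SRV prio weight port target."""
    fields = line.split()
    if len(fields) != 8 or fields[2:4] != ["IN", "SRV"]:
        raise ValueError(f"not an SRV record: {line!r}")
    return SrvRecord(target=fields[7], priority=int(fields[4]),
                     weight=int(fields[5]), port=int(fields[6]))


def select_target(records, rng=random):
    """Pick one target the way an RFC 2782 client does.

    Only records with the lowest priority value are eligible; among them a
    weighted random draw is made, so weights 80/20 give roughly a 4:1 split
    and equal weights (what the thread reports on both DCs) give 50/50.
    """
    if not records:
        raise ValueError("no SRV records to choose from")
    lowest = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == lowest]
    total = sum(r.weight for r in candidates)
    if total == 0:
        # All weights zero: RFC 2782 allows any order, so choose uniformly.
        return rng.choice(candidates).target
    pick = rng.randint(1, total)
    running = 0
    for rec in candidates:
        running += rec.weight
        if pick <= running:
            return rec.target
    return candidates[-1].target  # not reached; keeps the function total


def simulate_share(records, trials=10000, seed=1):
    """Fraction of selections each target receives over many logons."""
    rng = random.Random(seed)
    counts = Counter(select_target(records, rng) for _ in range(trials))
    return {target: counts[target] / trials for target in sorted(counts)}


# Constructed sample zone: two DCs with identical priority and weight,
# the situation the thread describes (both servers at their defaults).
SAMPLE_ZONE = [
    "_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.",
    "_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc2.example.com.",
]


if __name__ == "__main__":
    records = [parse_srv(line) for line in SAMPLE_ZONE]
    print(locator_query_names("example.com", "Default-First-Site-Name"))
    print("equal weights:", simulate_share(records))
    skewed = [SrvRecord("dc1.example.com.", 0, 80),
              SrvRecord("dc2.example.com.", 0, 20)]
    print("weights 80/20:", simulate_share(skewed))
```

Running the simulation against a copy of your own zone's SRV lines shows what share of logons DNS alone would hand each DC; a real-world split far from that points at something other than the records (site membership, GC placement, or one DC not answering in time), which is where the replies above go next.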

 
Paul Hadfield

The files being accessed that I have been watching in Computer
Management/Open Files have names similar to
{0B46DFD3-5180-461B-B066-AD018D007F42} and so I am assuming that this is
when clients are accessing the GPO stored in SYSVOL during logon. Also I am
seeing .cmd files which are the logon scripts run by each client.

Only the first domain controller is a GC. Is it worth making both DC's
Global Catalogue servers? Are there any drawbacks to this?

As the primary DC is the only GC server at the moment, would this mean that
the secondary DC would not be able to correctly answer domain logon requests
should the primary DC fail?

All user TS profiles are roaming and are stored on 2 data servers (Windows
2000 member servers).

Round Robin and Net-mask ordering are both enabled on both AD-DNS servers.

While I think on, would the fact that all the TS servers and both DC's have
3 network cards, each configured to give access to 3 separate networks have
any bearing on this? All servers are configured to access DNS across each
network in the same order (Network and Dial-up settings - Advanced
Settings - Adapters and Bindings).

Thanks again in advance for any comments offered,

Paul.

 
ptwilliams

I've answered inline...

--

Paul Williams

http://www.msresource.net
http://forums.msresource.net



The files being accessed that I have been watching in Computer
Management/Open Files have names similar to
{0B46DFD3-5180-461B-B066-AD018D007F42} and so I am assuming that this is
when clients are accessing the GPO stored in SYSVOL during logon. Also I am
seeing .cmd files which are the logon scripts run by each client.

PW >> Sounds like - that's a combination of DNS and Dfs client pointing
them here...


Only the first domain controller is a GC. Is it worth making both DC's
Global Catalogue servers? Are there any drawbacks to this?

PW >> Yes!! You should have at least two GCs - in single domain
environments I always make all DCs GCs.
No, there are no drawbacks (to having more than one - there's a bit more to
it in multiple-domain environments with disparate sites and WAN links, but
we'll not go into that here).

As the primary DC is the only GC server at the moment, would this mean that
the secondary DC would not be able to correctly answer domain logon requests
should the primary DC fail?

PW >> It would mean just that!!! GCs are contacted as part of the
authentication process to enumerate group memberships (as you can be a
member of groups in other domains, e.g. Universal Groups) and to resolve
your UPN.

You need multiple GCs. And don't worry about the GC/IM conflict - that only applies to multiple domain forests with a mix of DCs and GCs.
-- http://www.msresource.net/content/view/14/46/


All user TS profiles are roaming and are stored on 2 data servers (Windows
2000 member servers).

Round Robin and Net-mask ordering are both enabled on both AD-DNS servers.

PW >> OK, that's fine.


While I think on, would the fact that all the TS servers and both DC's have
3 network cards, each configured to give access to 3 separate networks have
any bearing on this? All servers are configured to access DNS across each
network in the same order (Network and Dial-up settings - Advanced
Settings - Adapters and Bindings).

PW >> Yes, this could have a bearing. With multiple NICs there are going to be multiple entries in DNS for different IP addresses - net mask ordering will 'tweak' the order in which the results are returned. I'd look into this, but would try having more than one GC first - that will make a difference.

Remember - DNS is the single-most important aspect in all this!!!


Thanks again in advance for any comments offered,

PW >> No problem!!! : )


Paul.





ptwilliams said:
Because the zone database is the same, and thus this won't affect anything.

The DNS/IP locator requests a DC from DNS by querying either _ldap._tcp.dc._msdcs.domain-name.com or, if it is already aware of its site, _ldap._tcp.siteName.sites.dc._msdcs.domain-name.com (these can vary depending on the criteria passed to dsGetDc). These records refer to an A record, so that is resolved to an IP address and then passed back using both round-robin and net mask ordering. So, clients querying a DNS server in site A (a site which contains two DCs) would get the first and then the second and then the first and the second, etc. passed back.

Like Cary said, a 50/50 split. Add another DC into the mix and divide by 3, etc.

Are you sure the open files and connections are actually logon traffic?
Where are the home folders and profiles stored?

Also, if that machine is the only GC, the other DC will query the GC as
part
of the logon process.


If you're really worried, you should ensure both round-robin and net-mask
ordering are indeed enabled, and that both DCs are GCs.

--

Paul Williams

http://www.msresource.net
http://forums.msresource.net


Hi all,

After trying everything that Cary has suggested I still get the same
problem. Has anyone any other ideas? Why can't I just change the DNS order
on some of the member servers?

Cheers,
Paul.


Paul Hadfield said:
Cary,

Thanks for your reply.

Having checked AD Sites and Services it appears that we did not have a
subnet set for our Default-First-Site-Name (which is the only site we
have - both physically and logically). I have now corrected this.

We are running Active Directory with integrated DNS. I have cross checked
the forward lookup DNS records across both AD DNS servers and they both
show the same information. Also, the weighting and priorities for both
servers are set to their default values of 0 and 100.

Having watched the open files again on both DNS servers at peak login time this morning, it seems that the primary AD server is still taking around 90% of the load. However, as I created the subnet and associated it with our site on the primary AD server only 15-20 mins or so before domain logons really started to get busy, I'd imagine it would be best to check again tomorrow morning to give AD plenty of time to fully synchronise.

I've also installed and run the support tools on both DCs using the switches you suggested. The dcdiag /c /v came back with 2 errors while testing services. Both errors were while trying to open IISADMIN and SMTPSVC. We do not have IIS installed on the DCs, so should this be a problem? All of the netdiag.exe tests passed.

Hopefully all will be well tomorrow morning. Out of interest, how long can AD take to fully implement the subnet I've added in Sites and Services across the domain? I made the change at around 8.30am. Domain logons normally start to get busy around 8:45am - 8:50am.

Thanks again,
Paul.



Cary Shultz said:
Paul,

This is a good question. Things are supposed to be handled on a 50/50 basis out-of-the-box when you have two Domain Controllers (and 33/33/33 when you have three Domain Controllers, etc.). How does this happen? There are two key entries in the SRV records - weight and priority. These two entries determine this.

Clients are supposed to first check for DCs in their Site. This is handled by the IP Address of the client and the info that AD has about the various IP Ranges (from the Active Directory Sites and Services). This is why it is important to set this up correctly. Create a Subnet and associate it with a Site. But, this is a bit of a digression (well, not really) from where I am going with this.

Should multiple Domain Controllers exist in a Site (and everything else is working just fine) which DC would a client use for authentication? The one with the lowest weight! So, [0] is pretty low, right? Drats, both DCs have a weight of [0]. Now what? Ah, there is a priority entry. The client will - statistically speaking - use the DC with the higher priority (well, it is actually a bit of a percentage thing....if one DC has a priority of [80] and the other DC has a priority of [20] then the first DC will handle about 4x as many authentication requests as the second. "About" is the key word in that phrase.). Now, out of the box Domain Controllers have a priority of [100].

Has anyone messed with these entries and their values?

Also, assuming that everything is at the defaults ([0][100] for both Domain Controllers) you should be seeing approximately 50/50. This is clearly not the case as you have stated that one DC is responding to about 90% of the authentication requests. If there are any problems and the DC that is 'supposed' to respond to the request can not within the allotted time (100 milliseconds) then the client will go elsewhere (to the second DC in the list and then to the third and so on and so forth). Are there any problems with the second DC? Have you installed the Support Tools and run dcdiag /c /v on both of your Domain Controllers just to get a general idea as to their health? I would also do a netdiag /v.

I also assume that if you were to look at your DNS MMC in the Forward Lookup Zone you would see the exact same information on the second DC as you do on the first DC (records, weight, priority). This is how it is supposed to work!

Now, you specifically stated that you have a Primary DNS server and a Secondary DNS server. Are you using these terms according to the way that DNS uses them? Meaning, you have a DNS Server that is the Primary DNS Server for a specific zone (yourcompany.com, for example) and then you have some other DNS Servers that are functioning as Secondary DNS Servers for that same zone (yourcompany.com)? Or, are you running Active Directory Integrated DNS and simply used these terms....

HTH,

Cary



All,

We have a network with 2 DCs running Windows 2000 SP4 and 10+ member servers running Windows 2000 Advanced Server SP4 with Terminal Services installed in Application Mode. The first DC has its primary DNS setting as localhost and no secondary DNS. The second DC has its primary DNS set to the IP of the first DC, and its secondary DNS set to localhost. Each member server has its primary DNS set to the first DC server and the second DNS set to the second DC server.

I've noticed that by using computer management for each DC and watching the Open Files section, the first DC seems to handle around 90% of the domain logons and the second DC gets the rest. I'd like to try and balance out the logon request and GPO load between the two DCs to try and increase logon responses at peak times. Can I safely change the order of the primary and secondary DNS servers on some of the member servers to force them to go to the second DC first for network logons? Are there any drawbacks to doing this? Is there a better way to try and balance the load between the two DCs?

Cheers in advance,
Paul.
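Added example (mine, not code from any poster in this thread): a small Python model of how a client orders the records returned for _ldap._tcp.dc._msdcs.<domain>, which is the DNS step of the DC locator that both Cary and Paul Williams describe above. It follows the RFC 2782 selection rules the SRV record type is defined with: the record set is grouped by priority and the lowest priority value is tried first; within one priority value each record's chance of being tried first is proportional to its weight, and an all-zero weight group is treated evenly. The zone lines, the names dc1/dc2 and example.com, and the three record sets are constructed for the example. With the Windows defaults on every DC (priority 0, weight 100) the simulation gives the 50/50 split the replies describe; the other two sets show what changing weight and what changing priority actually do, which is useful because the thread has them the other way round. One caveat worth knowing when reading a 90/10 skew: DNS order only decides which DCs the Windows 2000 locator pings first over LDAP; it then settles on the first DC that answers, so a DC that is consistently quicker to respond keeps winning whatever the SRV data says.

```python
"""Model of RFC 2782 SRV ordering as used by the DC locator's DNS step.

Added example for this thread, not code from any poster. The zone lines
below are constructed; dc1/dc2 and example.com are placeholders.
"""
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(zone_text):
    """Parse zone-file style SRV lines such as
    _ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
    Blank lines and ';' comments are skipped; TTL and class may be absent."""
    records = []
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        i = fields.index("SRV")  # the four fields after the type are fixed
        prio, weight, port, target = fields[i + 1:i + 5]
        records.append(SrvRecord(int(prio), int(weight), int(port), target.rstrip(".")))
    return records


def order_targets(records, rng):
    """Return target names in the order a client should try them.

    RFC 2782: lowest priority value first. Inside one priority, pick the next
    record with probability proportional to its weight, remove it, and repeat
    until the group is empty. Weight-0 records are placed first and are only
    chosen when the random number lands on 0, so they get a small chance."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        group.sort(key=lambda r: r.weight != 0)  # weight 0 first, stable
        while group:
            total = sum(r.weight for r in group)
            if total == 0:
                # All weights zero: the RFC says treat them equally. Real
                # resolvers get this from the round-robin order DNS returned;
                # a uniform pick stands in for that rotation here.
                rec = rng.choice(group)
            else:
                n = rng.randint(0, total)  # 0 <= n <= total, inclusive
                running = 0
                for rec in group:
                    running += rec.weight
                    if running >= n:
                        break
            ordered.append(rec.target)
            group.remove(rec)
    return ordered


def first_choice_share(records, trials=10000, seed=1):
    """Fraction of lookups in which each target ends up tried first."""
    rng = random.Random(seed)
    hits = Counter(order_targets(records, rng)[0] for _ in range(trials))
    return {t: hits[t] / trials for t in sorted(hits)}


# Constructed record sets, not the thread's real zone.
DEFAULTS = """
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc2.example.com.
"""
WEIGHTED = """
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 80 389 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 20 389 dc2.example.com.
"""
PRIORITISED = """
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0   100 389 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 100 100 389 dc2.example.com.
"""

if __name__ == "__main__":
    for name, zone in (("defaults", DEFAULTS), ("80/20 weights", WEIGHTED),
                       ("priority 0 vs 100", PRIORITISED)):
        print(name, first_choice_share(parse_srv(zone)))
```

The defaults set lands within a few tenths of a percent of 50/50; the 80/20 set sends roughly four lookups in five to dc1; the priority set never tries dc2 first at all, because a lower priority value is preferred outright and the other DC is only a fallback. On a Windows 2000 box the equivalent checks are nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain> for the published records and nltest /dsgetdc:<domain> from the Support Tools for the DC a locator call actually returns; each DC publishes its own values from the LdapSrvPriority and LdapSrvWeight entries under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters, so those are the places to look if the records are not at the defaults.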
 
