wins questions


jason

I'm about to migrate a domain that actually spans about 10
NT 4 domains in different offices. The links are 2 Mb
leased lines. The domain is going to be only one, with a
DC in each office.

OK, the machines will be domain controllers on 2000 and
ALL the clients on Windows 98. I will use WINS and *not*
the adclient.

My question is that I want all the machines logging in to
the domain to authenticate to the DC of their office, not to
the DC of other offices.

What's the role of the PDC emulator in this? Only used for
password changes? Will the local WINS send a list with
the <1B> in first place, and all machines look for it
wherever it's found (maybe far away)? Or maybe a broadcast
will authenticate the machines with the local DC in the first
place.

Can all the DCs in the domain authenticate 98 users, or
only the PDC emulator? Will the preferred DC of all
LAN Manager clients be the local one?

All clients will be configured with the local one as
WINS.

Thanks a lot.

No BDCs in NT 4.
 

Joe Wu [MSFT]

Dear Jason,

Thank you for your post.

I have performed some research on this issue and I would like to share the
following information with you:

1. Since there are about 10 sites in your network, I highly recommend that
you install Directory Services (DS) Client on Windows 9X clients. Actually,
site awareness is a key feature in Directory Services (DS) Client.

The Directory Services client adds the ability to discover a domain
controller in the same site as the client. When a user logs on, the
Directory Services DsGetDcName API function is invoked to discover the
optimal domain controller. DsGetDcName uses the available name service
providers to carry out this task.

Generally, a Netlogon datagram is sent to all domain controllers in the
user's domain that were discovered by a standard query for the NetBIOS '1C'
domain name (WINS resolution).

Windows 2000 domain controllers respond to the datagram with information
that includes the domain controller's Domain Name System (DNS) domain name,
the domain controller's site, the client's site, and a flag.

If the response from the Windows 2000 domain controller indicates that the
client is not in the same site as the domain controller, the client will
retry the discovery, by using the domain controller's DNS domain name and
the client's site name, until one of the following occurs:

1.1) An appropriate domain controller (one in the client's site) responds.
1.2) If no appropriate Windows 2000 domain controller responds, the client
will randomly select a Windows 2000 domain controller.
1.3) If no Windows 2000 domain controller responds, a Windows NT 4.0 domain
controller is selected.

Therefore, this will ensure that the client logs on to the domain controller
in the same site.

2. If necessary, we can specifically choose a domain controller to log on.

2.1) On the computer running Windows 95, run Registry Editor and add a key
that corresponds to your domain name to the following key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetLogon\PreferredServer

For example, if the domain name is MyDomain, create the following key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetLogon\PreferredServer\MyDomain

2.2) Add a String value named LogonServer to the key you created in step
2.1. Set the data value of the LogonServer value to the name of the domain
controller you want to use for domain validation.

3. Regarding PDC emulator:

Generally, the PDC emulator performs the following roles:
3.1) Acts as the PDC for any existing BDCs.
If a domain contains any BDCs or client computers that are running
pre-Windows 2000 versions of Windows, the PDC emulator functions as a
Windows NT PDC. The PDC emulator services client computers and replicates
directory changes to any BDCs running Windows NT.
3.2) Manages password changes from computers running Windows NT, Windows
95, or Windows 98, which need to be written to the directory.
3.3) Minimizes replication latency for password changes.
When the password of a client computer running Windows 2000 is changed on a
domain controller, that domain controller immediately forwards the change
to the PDC emulator. If a password was recently changed, that change takes
time to replicate to every domain controller in the domain. If a logon
authentication fails at another domain controller because of a bad
password, that domain controller will forward the authentication request to
the PDC emulator before rejecting the logon attempt.

3.4) Synchronizes the time on all domain controllers throughout the domain
to its time.
All domain controllers in the domain get their time synchronized to the
clock of the PDC emulator of that domain. The PDC emulator of the domain
gets its clock set to the PDC emulator's clock in the forest root domain.
The forest root domain's PDC emulator should be configured to synchronize
with an external time source. The end result is that the time kept by the
clocks of all Windows 2000-based computers in the entire forest is within
seconds of each other.

3.5) Prevents the possibilities of overwriting Group Policy objects (GPOs).

By the way, although legacy operating systems continue to use NetBIOS for
name resolution to find a domain controller, it is recommended that you
also point all computers to the internal Windows 2000 DNS server for name
resolution.

Please let me know if anything is unclear. Thanks!

Regards,
Joe Wu
Product Support Services
Microsoft Corporation

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
|Content-Class: urn:content-classes:message
|From: "jason" <[email protected]>
|Sender: "jason" <[email protected]>
|Subject: wins questions
|Date: Thu, 2 Oct 2003 09:11:00 -0700
|Lines: 30
|Message-ID: <[email protected]>
|MIME-Version: 1.0
|Content-Type: text/plain;
| charset="iso-8859-1"
|Content-Transfer-Encoding: 7bit
|X-Newsreader: Microsoft CDO for Windows 2000
|X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
|Thread-Index: AcOI/8VsW5rNG/FAQUqlEWHVlvqogA==
|Newsgroups: microsoft.public.win2000.networking
|Path: cpmsftngxa06.phx.gbl
|Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.networking:39381
|NNTP-Posting-Host: TK2MSFTNGXA14 10.40.1.166
|X-Tomcat-NG: microsoft.public.win2000.networking
|
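Added example, not part of the thread and not Microsoft's code: a small Python model of the two behaviours described in the reply above, the site-aware domain controller choice in steps 1.1 to 1.3 and the PDC emulator password chaining in 3.2 and 3.3. The domain controllers, sites, user name and passwords are constructed for the demo, and sha256 stands in for the NT hash a real DC would store.

```python
"""Added example, not from the original thread and not Microsoft code: a
model of (a) the site-aware DC choice in steps 1.1-1.3 and (b) the PDC
emulator password chaining in 3.2/3.3. DCs, sites, user and passwords are
constructed; sha256 stands in for the NT hash a real DC stores."""
import hashlib
import random
from dataclasses import dataclass, field


@dataclass
class DomainController:
    name: str
    site: str
    is_w2k: bool                         # False models a Windows NT 4.0 DC
    is_pdc_emulator: bool = False
    secrets: dict = field(default_factory=dict)   # user -> password hash


def pw_hash(password: str) -> str:
    # Stand-in for the NT hash (MD4 over UTF-16LE); MD4 is not available in
    # every Python build and the chaining logic does not depend on it.
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()


def select_dc(responses, client_site, rng=random):
    """Pick a DC from the Netlogon datagram replies the way DsGetDcName does
    once each W2K DC has reported its own site and the client's site."""
    in_site = [dc for dc in responses if dc.is_w2k and dc.site == client_site]
    if in_site:                          # 1.1: a DC in the client's site answered
        return rng.choice(in_site)
    w2k = [dc for dc in responses if dc.is_w2k]
    if w2k:                              # 1.2: any W2K DC, chosen at random
        return rng.choice(w2k)
    nt4 = [dc for dc in responses if not dc.is_w2k]
    return rng.choice(nt4) if nt4 else None   # 1.3: last resort, NT 4.0


def change_password(pdce, user, new_password):
    """3.2: password changes from NT/9x clients are written at the PDC emulator;
    the other DCs only learn about them through replication."""
    if not pdce.is_pdc_emulator:
        raise ValueError(f"{pdce.name} does not hold the PDC emulator role")
    pdce.secrets[user] = pw_hash(new_password)


def replicate(source, target):
    target.secrets.update(source.secrets)


def validate_logon(dc, pdce, user, password):
    """Return (ok, validated_by). 3.3: a bad-password failure at `dc` is
    forwarded to the PDC emulator before the logon is rejected, so a password
    changed minutes ago still works at a DC whose replica is stale."""
    offered = pw_hash(password)
    if dc.secrets.get(user) == offered:
        return True, dc.name
    if dc is not pdce and pdce.secrets.get(user) == offered:
        return True, pdce.name
    return False, dc.name


def demo():
    hq = DomainController("DC-HQ", "HQ", True, is_pdc_emulator=True)
    branch = DomainController("DC-BRANCH", "BRANCH", True)
    change_password(hq, "jason", "Winter2003")
    replicate(hq, branch)                        # branch copy is now current
    chosen = select_dc([hq, branch], "BRANCH", random.Random(1))
    before = validate_logon(chosen, hq, "jason", "Winter2003")
    change_password(hq, "jason", "Spring2004")   # replication has not run yet
    after = validate_logon(chosen, hq, "jason", "Spring2004")
    wrong = validate_logon(chosen, hq, "jason", "nope")
    return chosen.name, before, after, wrong


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the branch client landing on DC-BRANCH, a logon with the old password validated locally, a logon with the freshly changed password succeeding only because DC-BRANCH forwards the failure to DC-HQ, and a wrong password still rejected. The chaining is also why the PDC emulator has to be reachable over the WAN even when every office has its own DC.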
 

Guest

Joe, thanks for your quick answer.

Then... some facts: when a 98 logs on (surprise!) it
doesn't look for <1C>; it first broadcasts netlogon and
afterwards looks for domain<00> (old LanMan behaviour?). If
none is found, then it looks for domain<1C>. Given that a
lot of 1C can be in a domain (PDC + all BDCs), the *first*
entry WINS sends in the list is domain<1B> (there can only be
one DMB and it is always the PDC), followed by the other 1C
entries.

The first that answers (usually the local PDC) is the
server used to log on.

Regarding adclient, I used it but the machines end up using
broadcasts to log on. I put the NetBIOS name of the domain
to log on to, and when the locator provided by adclient tries
to find the SRV record for the domain it can't be found
(because it is the FQDN, not the NetBIOS name, that is
registered in the DNS). Of course, given this, the
adclient isn't useful except for NTLMv2 authentication or
some searches in the directory.

I'm using the old adclient that ships with the 2K Server
disk. Any chance to get the new version (I don't know what
changes)?

Any solution to the NetBIOS problem with adclient?

Any known problem with W2000 SP4 and 98? I'm about to
migrate the first server.

Thanks for your help.
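Added example, not from the thread: Python code that builds the NetBIOS name query a 98 client sends for DOMAIN<1C> or DOMAIN<1B> and parses a WINS name query response, so the group/unique flag and the order of the addresses referred to above can be seen on the wire. The domain name MYDOMAIN, the IP addresses and the transaction ids are made up, and the WINS reply is constructed in the script rather than captured.

```python
"""Added example, not from the original thread: NetBIOS name service
(NBNS, RFC 1001/1002) query and response handling for the DOMAIN<1C>
and DOMAIN<1B> names a Windows 98 client looks up before logging on.
Domain name, IP addresses and transaction ids are constructed."""
import struct

NB_FLAGS_GROUP = 0x8000   # G bit in NB_FLAGS: group name (<1C>) vs unique (<1B>)
RR_TYPE_NB = 0x0020
RR_CLASS_IN = 0x0001


def encode_netbios_name(name: str, suffix: int) -> bytes:
    """First-level encoding: name padded to 15 bytes + suffix byte, each byte
    split into two nibbles and mapped onto 'A'..'P' (32 bytes on the wire)."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    return bytes(b for byte in raw for b in (0x41 + (byte >> 4), 0x41 + (byte & 0x0F)))


def decode_netbios_name(encoded: bytes):
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


def build_name_query(name: str, suffix: int, txid: int, broadcast: bool) -> bytes:
    """NAME QUERY REQUEST. The client broadcasts on its subnet (B bit set);
    the query to the configured WINS server is unicast (B bit clear)."""
    flags = 0x0100 | (0x0010 if broadcast else 0)      # OPCODE=query, RD, [B]
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"\x20" + encode_netbios_name(name, suffix) + b"\x00"
    return header + qname + struct.pack(">HH", RR_TYPE_NB, RR_CLASS_IN)


def build_positive_response(txid: int, name: str, suffix: int, entries) -> bytes:
    """Constructed WINS reply: one NB resource record whose RDATA holds
    (NB_FLAGS, IPv4) pairs in the order the server chose."""
    flags = 0x8580                                      # R, AA, RD, RA, RCODE=0
    header = struct.pack(">HHHHHH", txid, flags, 0, 1, 0, 0)
    rr_name = b"\x20" + encode_netbios_name(name, suffix) + b"\x00"
    rdata = b"".join(
        struct.pack(">H", NB_FLAGS_GROUP if group else 0)
        + bytes(int(o) for o in ip.split("."))
        for group, ip in entries)
    rr = rr_name + struct.pack(">HHIH", RR_TYPE_NB, RR_CLASS_IN, 300, len(rdata))
    return header + rr + rdata


def parse_name_query_response(pkt: bytes):
    """Return (name, suffix, [(is_group, ip), ...]) from a positive reply,
    preserving the server's order; raise on negative or non-response packets."""
    txid, flags, qd, an, ns, ar = struct.unpack_from(">HHHHHH", pkt, 0)
    if not flags & 0x8000 or an < 1:
        raise ValueError("not a name query response")
    if flags & 0x000F:
        raise ValueError(f"negative name query response, RCODE={flags & 0xF:#x}")
    pos = 12
    name_len = pkt[pos]
    encoded = pkt[pos + 1:pos + 1 + name_len]
    pos += 1 + name_len + 1                             # length, name, terminator
    rr_type, rr_class, ttl, rdlen = struct.unpack_from(">HHIH", pkt, pos)
    pos += 10
    if rr_type != RR_TYPE_NB or rdlen % 6:
        raise ValueError("unexpected resource record")
    entries = []
    for off in range(pos, pos + rdlen, 6):
        nb_flags, = struct.unpack_from(">H", pkt, off)
        ip = ".".join(str(b) for b in pkt[off + 2:off + 6])
        entries.append((bool(nb_flags & NB_FLAGS_GROUP), ip))
    name, suffix = decode_netbios_name(encoded)
    return name, suffix, entries


def demo():
    """Unicast query for MYDOMAIN<1C> and a constructed WINS answer in which the
    PDC emulator (the <1B> owner at HQ) comes first, then the branch DCs."""
    query = build_name_query("MYDOMAIN", 0x1C, txid=0x1234, broadcast=False)
    dc_list = [(True, "10.1.0.10"), (True, "10.2.0.10"), (True, "10.3.0.10")]
    reply = build_positive_response(0x1234, "MYDOMAIN", 0x1C, dc_list)
    name, suffix, entries = parse_name_query_response(reply)
    return len(query), (name, suffix), entries


if __name__ == "__main__":
    print(demo())
```

The parser keeps the server's order on purpose: with the 1C list in hand the client sends its logon request to every address and uses whichever DC answers first, which is normally the nearest one, so the list order only decides where the packets go, not which DC wins. Note also that nothing in NBNS is authenticated; a host on the local subnet can answer the broadcast for DOMAIN<00> or <1C> ahead of the real DC, which is one of the reasons the reply above recommends pointing clients at DNS as well.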
 

Joe Wu [MSFT]

Dear Jason,

Thank you for your reply.

First, we have an updated version of the Directory Services client as a
hotfix. Please refer to the following Knowledge Base article:

323466 Availability of the Directory Services Client Update for Windows 95 and
http://support.microsoft.com/?id=323466

To obtain this update, please contact Microsoft Product Support Services
directly. To obtain the phone numbers for a specific technology request,
please take a look at the web site listed below.

http://support.microsoft.com/default.aspx?scid=fh;EN-US;PHONENUMBERS

NOTE: If you contact Microsoft to obtain this fix, a fee may be charged.
This fee is refundable if it is determined that you require only the
requested fix. However, this fee is non-refundable if you request
additional technical support.

Please check if this version works there.

By the way, if DNS is enabled, the client sends a DNS query to each DNS
server it is aware of for the list of domain controllers for the NetBIOS
domain name. This will fail unless the DNS and NetBIOS names of the domain
are identical.

The next, and typically successful name resolution attempt is via NetBIOS
and this should work correctly.

Regarding the last question about Windows 2000 SP4 and Windows 98, I think
they can work well. However, generally, since there are pre-Windows 2000
clients, please do not use too aggressive security policies under Windows
Settings\Security Settings\Local Policies\Security Options and do not
change the RestrictAnonymous registry value to 2. Please see the KB below:

246261 How to Use the RestrictAnonymous Registry Value in Windows 2000
http://support.microsoft.com/?id=246261

Thanks!

Regards,
Joe Wu
Product Support Services
Microsoft Corporation


--------------------
|Content-Class: urn:content-classes:message
|From: <[email protected]>
|Sender: <[email protected]>
|References: <[email protected]>
<[email protected]>
|Subject: RE: wins questions
|Date: Fri, 3 Oct 2003 00:57:30 -0700
|Lines: 257
|Message-ID: <[email protected]>
|MIME-Version: 1.0
|Content-Type: text/plain;
| charset="iso-8859-1"
|Content-Transfer-Encoding: 7bit
|X-Newsreader: Microsoft CDO for Windows 2000
|X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
|Thread-Index: AcOJg/6fuUdHCxAdTNKJU/Rwv9I17g==
|Newsgroups: microsoft.public.win2000.networking
|Path: cpmsftngxa06.phx.gbl
|Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.networking:39524
|NNTP-Posting-Host: TK2MSFTNGXA12 10.40.1.164
|X-Tomcat-NG: microsoft.public.win2000.networking
 