Admin Tip #236: Windows NT's SetPrfDC controls login domain controller in WAN environment
SETPRFDC Domain ListOfDCsInOrderofPreference(DC1,DC2,DC3,...)
Example:
setprfdc accntdom accsanfran1,accsanfran2,acclosang1
When NT connects to the network, a secure channel will be established to a domain controller. If the secure channel is to DC1, netlogon will authenticate using that channel. If the secure channel is not with DC1, it will attempt to establish a secure channel to DC1. If it fails, it will try DC2, DC3, ... If all attempts to connect to a domain controller in the list fail, the secure channel which was made at boot will be used. This will have been with whichever domain controller answered first.
Re: number of domain controllers needed - Microsoft's recommendation is: 1 PDC, 1 BDC for up to 5000 user accounts, 2 BDCs for 5,000-9,999, 5 BDCs for 10,000-19,999, 10 BDCs for 20,000-29,999, ... The standard is a BDC for every 2-3,000 user accounts. Regardless of the number of accounts, I recommend a BDC in each remote location in the domain. We have about 3,000 user accounts spread across 4 locations. We have a PDC & 2 BDCs in the head office, and a BDC in each of the three branch offices.
An alternative procedure: add the following line to the file \WinNT\system32\drivers\etc\LMHOSTS on the NT workstation. Start the line with the IP address of the DC you want to force a logon to, followed by the name of the domain & "n" spaces & \0x1C in quotes, so that (domain name) + (spaces) = 15 characters. Follow this with #PRE. If the target DC is at 172.77.71.9 and the domain is "ACME", the line should look like this:
172.77.71.9 "ACME           \0x1C" #PRE
If you're thinking about adding multiple lines like this, don't bother: Windows NT will ignore all but the last line. Tip lifted from Minasi's Mastering Windows NT Server 4.
If you can only buy one book. It's in its 7th edition.
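A checker for the LMHOSTS entry format described above, as an added example that is not part of the original tip. The function names and the sample file are constructed for illustration (172.77.71.7 and 172.77.71.8 are made-up addresses), and the "only the last line is used" rule is taken from the tip's own statement.

```python
import re

# IP, then a quoted NetBIOS name ending in the \0x1C type byte, then any tags.
ENTRY = re.compile(r'^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"([^"]*)\\0x1[cC]"(.*)$')

def make_dc_entry(ip, domain):
    """Build the entry: domain padded with spaces to 15 characters, then \\0x1C."""
    if not 1 <= len(domain) <= 15:
        raise ValueError("NetBIOS domain name must be 1-15 characters")
    return f'{ip} "{domain.upper():<15}\\0x1C" #PRE'

def audit_lmhosts(text):
    """Return (effective, problems).

    effective: domain -> IP of the DC entry that is honoured.
    problems:  (line number, message) for entries that will not act as intended.
    """
    effective, seen_at, problems = {}, {}, []
    for no, line in enumerate(text.splitlines(), 1):
        m = ENTRY.match(line)
        if not m:
            continue  # comment, blank line or ordinary host mapping
        ip, name, tags = m.groups()
        if len(name) != 15:
            problems.append((no, f"name plus spaces is {len(name)} chars, not 15"))
            continue
        if "#PRE" not in tags.upper():
            problems.append((no, "missing #PRE"))
        domain = name.rstrip(" ").upper()
        if domain in seen_at:  # per the tip, only the last such line is used
            problems.append((seen_at[domain], f"ignored, superseded by line {no}"))
        seen_at[domain], effective[domain] = no, ip
    return effective, sorted(problems)

# Constructed sample file; only 172.77.71.9 / ACME comes from the tip.
SAMPLE = "\n".join([
    "# constructed LMHOSTS sample",
    r'172.77.71.8 "ACME \0x1C" #PRE',      # padding collapsed to one space
    make_dc_entry("172.77.71.7", "acme"),  # well formed, but not the last line
    make_dc_entry("172.77.71.9", "ACME"),  # the entry that takes effect
])

if __name__ == "__main__":
    effective, problems = audit_lmhosts(SAMPLE)
    print("effective:", effective)
    for no, msg in problems:
        print(f"line {no}: {msg}")
```

Running the audit against a workstation's LMHOSTS shows which domain controller the file actually pins logons to, and catches entries whose padding was lost when the line was copied.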