Admin Tip #236: Windows NT's SetPrfDC controls login domain controller in WAN environment



Available as a hotfix utility after SP3 and included in SP4, SetPrfDC.exe lets you control the order in which a workstation (or server) attempts to establish its secure channel to a domain controller for logon. Normally NT establishes the secure channel with the first domain controller in its domain that responds, which makes it a race. Usually the winner is the closest domain controller, but if the closest one is momentarily busy, a remote BDC across a WAN link can answer first. When that happens the logon process is slow, in some cases VERY slow. SP3 added the ability to direct the NETLOGON service to a preferred DC for the secure channel. SetPrfDC.exe is a command-line utility you can run from the logon script set in the user profile. The syntax is:

SETPRFDC Domain ListOfDCsInOrderofPreference(DC1,DC2,DC3,...)

Example:

setprfdc accntdom accsanfran1,accsanfran2,acclosang1

When NT connects to the network, a secure channel is established to some domain controller. If that secure channel is already with DC1, netlogon authenticates over it. If it is not with DC1, netlogon attempts to establish a secure channel to DC1; if that fails, it tries DC2, then DC3, and so on. If every domain controller in the list fails, the secure channel that was made at boot is used, which is with whichever domain controller answered first.

Re: number of domain controllers needed - Microsoft's recommendation is: 1 PDC and 1 BDC for up to 5,000 user accounts, 2 BDCs for 5,000-9,999, 5 BDCs for 10,000-19,999, 10 BDCs for 20,000-29,999, ... The rule of thumb is a BDC for every 2,000-3,000 user accounts. Regardless of the number of accounts, I recommend a BDC in each remote location in the domain. We have about 3,000 user accounts spread across 4 locations. We have a PDC and 2 BDCs in the head office, and a BDC in each of the three branch offices.

An alternative procedure: add the following line to the file \WinNT\system32\drivers\etc\LMHOSTS on the NT workstation. Start the line with the IP address of the DC you want to force logon to, followed by one quoted string containing the domain name padded with spaces so that (domain name) + (spaces) = 15 characters, then \0x1C (the NetBIOS suffix of the domain's domain-controller group name). Follow this with #PRE so the entry is preloaded into the NetBIOS name cache. If the target DC is at 172.77.71.9 and the domain is "ACME", the line should look like this:


172.77.71.9 "ACME           \0x1C" #PRE

If you're thinking about adding multiple lines like this, don't bother; Windows NT will ignore all but the last line. Tip lifted from Minasi's Mastering Windows NT Server 4. Remember that #PRE entries are loaded into the NetBIOS name cache at startup, so after editing LMHOSTS run nbtstat -R to purge and reload the cache without a reboot.

If you can only buy one book, this is the one. It's in its 7th edition.
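The padding rule for the LMHOSTS line above is easy to get wrong by one space, and a mis-padded entry is silently useless. The following script is an added example, not code from the tip or from Minasi's book: it builds a correctly padded 1C entry, parses a file for the well-formed ones, reports which entry NT would actually honour (the last one for a domain, per the tip), and lints the file for the mistakes an admin actually makes (wrong padding, missing #PRE, duplicate domain lines). The sample LMHOSTS content is constructed for the example; the function names are my own.

```python
"""Build, parse and lint LMHOSTS 0x1C (domain controller) entries.

Added example; not code from the original tip or from Minasi's book.
It implements the format the tip describes:

    172.77.71.9 "ACME           \\0x1C" #PRE

Inside the quotes the domain name is padded with spaces to exactly 15
characters and followed by the literal five characters \\0x1C, so the
quoted string is always 20 characters long.
"""
from __future__ import annotations
import re

NETBIOS_NAME_LEN = 15          # NetBIOS name body: 15 chars, suffix byte 16
SUFFIX_1C = r"\0x1C"           # literal text NT expects after the padded name
QUOTED_LEN = NETBIOS_NAME_LEN + len(SUFFIX_1C)   # 20 characters inside quotes


def lmhosts_1c_entry(ip: str, domain: str, preload: bool = True) -> str:
    """Return a correctly padded LMHOSTS line pointing DOMAIN<1C> at one DC."""
    name = domain.strip().upper()
    if not name or len(name) > NETBIOS_NAME_LEN:
        raise ValueError(f"domain must be 1-{NETBIOS_NAME_LEN} characters: {domain!r}")
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    line = f'{ip} "{name.ljust(NETBIOS_NAME_LEN)}{SUFFIX_1C}"'   # name + spaces = 15
    return line + " #PRE" if preload else line


# Strict pattern: exactly 15 characters, then \0x1C, then the closing quote.
ENTRY_RE = re.compile(
    r'^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"(.{15})\\0x1C"(?:\s+(#PRE))?', re.IGNORECASE)


def parse_1c_entries(text: str) -> list[tuple[str, str, bool]]:
    """Return (ip, domain, preloaded) for each well-formed 1C line, in file order.

    Lines whose quoted part is not exactly 15 characters + \\0x1C are skipped,
    since NT will not register them as the domain's 1C name.
    """
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw)
        if m:
            ip, padded, pre = m.groups()
            entries.append((ip, padded.rstrip().upper(), pre is not None))
    return entries


def effective_1c_dc(text: str, domain: str):
    """Per the tip, NT honours only the LAST well-formed 1C entry for a domain."""
    hits = [e for e in parse_1c_entries(text) if e[1] == domain.strip().upper()]
    return hits[-1] if hits else None


# Loose pattern: anything that looks like an attempt at a quoted-name entry.
LOOSE_RE = re.compile(r'^\s*(\S+)\s+"([^"]*)"(.*)$')


def lint_lmhosts(text: str) -> list[str]:
    """Warn about 1C lines that NT will ignore or that will not behave as intended."""
    warnings, seen = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        m = LOOSE_RE.match(raw)
        if not m or "0X1C" not in m.group(2).upper():
            continue                              # not an attempt at a 1C entry
        _ip, quoted, rest = m.groups()
        has_suffix = quoted.upper().endswith(SUFFIX_1C.upper())
        if len(quoted) != QUOTED_LEN or not has_suffix:
            warnings.append(f"line {n}: quoted name must be {NETBIOS_NAME_LEN} chars + "
                            f"{SUFFIX_1C} ({QUOTED_LEN} total), got {len(quoted)}")
        if "#PRE" not in rest.upper():
            warnings.append(f"line {n}: missing #PRE, entry is not preloaded into the name cache")
        name_part = quoted[:-len(SUFFIX_1C)] if has_suffix else quoted
        domain = name_part.rstrip().upper()
        if domain in seen:
            warnings.append(f"line {n}: another 1C entry for {domain}; NT uses only the last "
                            f"one, so line {seen[domain]} is ignored")
        seen[domain] = n
    return warnings


# Constructed sample LMHOSTS content (not a real file). Python doubles the
# backslash here; on disk each entry carries a single one, as in the tip.
SAMPLE_LMHOSTS = """\
# 1C entries for the ACME and ACCNTDOM domains
172.77.71.9     "ACME           \\0x1C"    #PRE
172.77.71.10    "ACME          \\0x1C"     #PRE
10.1.1.5        "ACCNTDOM       \\0x1C"
"""

if __name__ == "__main__":
    print(lmhosts_1c_entry("172.77.71.9", "acme"))
    print("effective ACME DC:", effective_1c_dc(SAMPLE_LMHOSTS, "ACME"))
    for w in lint_lmhosts(SAMPLE_LMHOSTS):
        print("WARNING:", w)
```

Run it against a copy of a real LMHOSTS after editing; the lint output tells you which of several ACME lines NT will actually use and whether the entry will be in the cache at all. The strict parser deliberately skips a 14-space line rather than guessing, because that is what NT does.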