MORE INFORMATION
Understanding why the overloading effect occurs
The overloading effect takes place under the following set of
conditions:
- You have a Microsoft Windows NT 4.0-based
domain.
- You upgrade several computers in the domain to Windows 2000
or Windows XP before you upgrade a primary domain controller (PDC) to Windows
2000 or Windows Server 2003.
- You then upgrade the PDC to Windows 2000 or Windows Server
2003 and convert the Windows NT 4.0-based domain to an Active Directory
domain.
After Windows 2000- and Windows XP-based computers join an
Active Directory domain, they will not use a Windows NT 4.0-based domain
controller for any operation that requires them to contact the domain
controller. Therefore, all of the computers that run Windows 2000 or Windows XP
contact only the lone Windows Server-based domain controller.
The overloading effect on the domain controller introduces a single point of
failure. If that lone Windows Server-based domain controller becomes
unavailable, computers and users cannot contact any of the other (non-Windows
Server) domain controllers in the domain.
There is a scenario in which the overloading effect can take place even though you upgrade the PDC
before you upgrade the domain members. In this scenario, no additional domain
controllers are upgraded to Windows Server while large numbers of the domain
member computers are being upgraded. However, this scenario is not common
because if you upgrade the PDC first, you probably plan to upgrade enough of
the domain controllers before you upgrade the mass of the non-domain controller
computers or domain members.
Preventing the overloading effect
This solution is implemented in Windows 2000 Service Pack 2 (SP2)
and in Windows Server 2003.
The solution provides a special configuration that makes a domain controller emulate the behavior of a Windows NT
4.0-based domain controller. The domain member computers that run Windows
Server do not distinguish between a domain controller that is in Windows NT 4.0
emulation mode and a domain controller that runs Windows NT 4.0. This
configuration prevents overloading of the first domain controller that you
upgrade to Windows 2000 SP2 or Windows Server 2003. The configuration also
allows administrators to perform a gradual upgrade of the domain controllers in
the domain.
Windows NT 4.0 emulation mode is intended only for temporary use during the process of upgrading a small set of the first domain
controllers from Windows NT 4.0 to Windows 2000 and Windows Server 2003 in a
domain that has a large number of computers that run Windows Server. After you
upgrade enough domain controllers to serve the computers' and users' requests,
you should remove the Windows NT 4.0 emulation configuration from the domain
controllers.
Configuring Windows NT 4.0 emulation
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
- Start Registry Editor (Regedt32.exe).
- Locate the NT4Emulator value under the following key in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters
- On the Edit menu, click REG_DWORD, type 0x1, and then click OK.
- Quit Registry Editor.
Consider the following scenario:
- Your domain has member computers that run Windows 2000 and
Windows XP.
- At least one of the domain controllers hosting the domain
is running on Windows Server.
- This domain controller is overloaded because the number of
upgraded domain controllers in the domain is not yet sufficient to withstand
requests from all upgraded clients.
- This domain controller is not configured in Windows NT 4.0
emulation mode.
In this scenario, you must configure each domain controller for
Windows NT 4.0 emulation to stop the overloading effect until a sufficient
number of the domain controllers have been upgraded. You also have to rejoin
all Windows 2000-based and Windows XP-based domain members. In the join procedure,
specify a NetBIOS name for the domain. Until these domain members are rejoined,
they cannot contact any domain controller in the domain.
The NT4Emulator parameter specifies whether this domain controller will emulate the behavior of a Windows NT 4.0-based domain controller. By default, the domain controller does not emulate this behavior. Emulation of the Windows NT 4.0 behavior is desirable when the first domain controller that is running Windows 2000 or a later version of Windows is promoted to a primary domain controller in a Windows NT 4.0 domain that has many Windows 2000-based clients. Unless you emulate the Windows NT 4.0 behavior, all the Windows 2000-based clients will target the Windows-based domain controller and potentially overload it. This parameter is ignored on computers that are not domain controllers.
If this parameter is set to TRUE, the following scenario occurs on a domain controller:
- Incoming LDAP locator pings are ignored unless the ping comes from an admin computer. (See the "Neutralizing Windows NT 4.0 Emulation for Some Computers" section.)
- The flags that are negotiated during the incoming security channel setup will be set to what a Windows NT 4.0-based domain controller can support unless the channel setup comes from an admin computer.
Neutralizing Windows NT 4.0 emulation for some computers
You can configure computers that run Windows 2000 SP2 or later, or Windows
Server 2003-based member servers, to inform the Windows-based domain controllers that are
in Windows NT 4.0 emulation mode not to use Windows NT 4.0 emulation when they
respond to requests from those computers. That is, you can neutralize Windows
NT 4.0 emulation:
- Start Registry Editor (Regedt32.exe).
- Locate the NeutralizeNT4Emulator value under the following key in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters
- On the Edit menu, click REG_DWORD, type 0x1, and then click OK.
- Quit Registry Editor.
Note: You do not need to configure this registry key value
on the domain controllers because the domain controllers always behave as if
they are configured with this key.
For a non-domain controller or member workstation, this behavior defaults to FALSE. In other words, these computers will request that the domain controller use Windows NT 4.0 emulation in communications with the non-domain controller or member workstation. This parameter specifies whether this computer will communicate to the domain controller that the domain controller must avoid the Windows NT 4.0 emulation mode. If this parameter is TRUE, the computer is said to be an admin computer.
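The following audit script is an added example, not part of the original article. It reads the two Netlogon values described above on the local computer and reports the resulting emulation state, which helps find domain controllers where the temporary NT4Emulator setting was never removed. It assumes PowerShell 3.0 or later (newer than the operating systems the article covers) and read access to the registry; the helper name Get-NetlogonDword is hypothetical.

```powershell
# Added example: report the local computer's Windows NT 4.0 emulation state
# from the NT4Emulator and NeutralizeNT4Emulator values described above.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-NetlogonDword {
    # Hypothetical helper: returns the DWORD, or $null when the value is
    # absent (absence is the default for both values).
    param([string]$Name)
    $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { [int]$item.$Name } else { $null }
}

# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDC = $role -in 4, 5

$nt4  = Get-NetlogonDword -Name 'NT4Emulator'
$neut = Get-NetlogonDword -Name 'NeutralizeNT4Emulator'

# Effective state, following the rules stated in the article.
$state = if ($isDC -and $nt4 -eq 1) {
    'DC emulates NT 4.0 for every computer that is not an admin computer'
} elseif ($isDC) {
    'DC does not emulate NT 4.0'
} elseif ($neut -eq 1) {
    'Admin computer: asks emulating DCs to respond without NT 4.0 emulation'
} else {
    'Default member: emulating DCs respond with NT 4.0 behavior'
}

# Flag settings that deserve follow-up.
$note = if ($isDC -and $nt4 -eq 1) {
    'Emulation is temporary; delete NT4Emulator once enough DCs are upgraded'
} elseif (-not $isDC -and $null -ne $nt4) {
    'NT4Emulator is present but ignored on computers that are not DCs'
} else {
    ''
}

[pscustomobject]@{
    Computer              = $env:COMPUTERNAME
    IsDomainController    = $isDC
    NT4Emulator           = $nt4
    NeutralizeNT4Emulator = $neut
    State                 = $state
    Note                  = $note
}
```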
Impact of the NT4Emulator and NeutralizeNT4Emulator keys on System and Group Policy Processing
While the NT4Emulator setting is in effect, Active Directory-aware clients will continue to use existing Windows NT 4.0 System Policies. These are .POL files that are typically stored in the NETLOGON share. Additionally, the clients will not process Active Directory-based Group Policies. It is important to ensure that NT 4.0 System Policies that are being used to manage Active Directory Group Policy-aware operating systems have been migrated to appropriate Group Policies prior to the removal of the NT4Emulator key. In some cases, this occurred prior to the application of the NeutralizeNT4Emulator key. This is because NT 4.0 System Policies are no longer applied and Active Directory Group Policy processing is attempted as soon as these operating systems are allowed to detect a Windows 2000 or higher domain controller that is not emulating NT 4.0.
For more information, see the following article in the Microsoft Knowledge Base:
318753 How to create a system policy setting in Windows 2000
Upgrading domain controllers in a Windows NT 4.0-based domain that has Windows 2000- or Windows XP-based members
Upgrade the first domain controller from Windows NT 4.0 to Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2003 Standard Server or Windows 2003 Enterprise Edition.
Before you run the Active Directory Installation Wizard, configure the domain controller for
Windows NT 4.0 emulation, following the procedure that is outlined in this
article. After you do so, upgrade one or more of the other domain controllers
by using the same procedure.
Note Before you upgrade additional domain controllers, you must also add the
NeutralizeNT4Emulator entry to the
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters subkey and assign it a value of 1.
After you upgrade enough domain controllers to handle the load from all of the computers in the domain, remove
the Windows NT 4.0 emulation mode from the domain controllers by deleting the
NT4Emulator value from the registry on each domain controller.
If you need to perform either of the following tasks, set the
NeutralizeNT4Emulator registry value to 0x1 in the registry on these computers:
- Use a remote computer that is not a Windows Server-based
domain controller to administer the upgraded domain controllers that are
configured for Windows NT 4.0 emulation
- Allow domain controllers that are configured for Windows NT
4.0 emulation mode to respond to a small set of the Windows 2000 SP2- and
Windows XP-based computers without emulating Windows NT 4.0 behavior