Windows NT PDC Handles All Secure Channel/Authentication Requests for Windows 2000 Domain Members (309115)
The information in this article applies to:
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Datacenter Server
This article was previously published under Q309115
SYMPTOMS
Windows 2000 domain member computers are authenticated exclusively by the primary domain controller (PDC) of the Microsoft Windows NT 4.0 domain that hosts the computer accounts. Windows NT 4.0 backup domain controllers (BDCs) authenticate logon requests for Windows 2000 member computers when the Netlogon service on the PDC has been stopped by the administrator. The Windows NT 4.0 PDC processes all authentication requests as soon as the Netlogon service is restarted.
CAUSE
When a Windows 2000-based computer is joined to a Windows domain, the join process caches the name of the domain controller (DC) that is used during the join operation. When the computer is restarted for the first time after the join operation, it reads the cached information from the registry and uses the cached DC to set up a secure channel. The same DC that was used during the initial join operation is contacted to ensure that it has the correct computer account information for the client computer.
In a Windows NT 4.0 domain, users, computers, and groups can only be created on the PDC of a domain. Because of this, all Windows 2000-based clients that join a Windows NT 4.0 domain establish a secure channel with the PDC on the first boot after the domain join operation. This behavior contributes to:
- Higher network utilization as Windows 2000 member computers establish secure channels and perform logon authentication exclusively with the Windows NT 4.0 PDC. This is especially noticeable because Windows 2000 clients ignore local Windows NT 4.0 BDCs for logon requests and instead use the PDC across the WAN.
- Higher CPU utilization and longer logon times as Windows 2000 uses the Windows NT 4.0 PDC exclusively for logon authentication. The PDC in a given domain typically has the highest CPU and memory utilization of all DCs.
Cached information in the registry is used by the Netlogon and Kerberos client components.
The expected behavior is that once Kerberos is done with the cached information, it writes "KerbIsDoneWithJoinDomainEntry" into the \Netlogon\Parameters section of the registry. Netlogon is notified of the registry change and deletes the cached information, so that the next time Netlogon establishes the secure channel, the domain member uses a generic DC that is discovered through the 1C query in WINS.
When Windows 2000 member computers are joined to a Windows NT 4.0 domain, Kerberos does not write KerbIsDoneWithJoinDomainEntry. Because of this, Netlogon is stuck using the Windows NT 4.0 PDC for its secure channel. As a result, all Windows 2000 computers that join a Windows NT 4.0 domain authenticate and "talk" exclusively with the domain's PDC (unless the PDC is down or the secure channel is reset manually).
RESOLUTION
To resolve this problem, apply Windows 2000 Service Pack 2 to the member computer.
NOTE: As a temporary workaround, turn off the Netlogon service on the PDC or manually set the secure channel for Windows 2000 domain members to BDCs in the NT 4.0 domain.
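The following PowerShell script is an added example and is not part of the KB article or of any Microsoft tool: it checks whether a member's Netlogon secure channel is pinned to the PDC (and whether the KerbIsDoneWithJoinDomainEntry marker described above is present) and, only when asked, re-points the channel to a BDC using nltest. It assumes nltest.exe is on the path and that the domain, PDC and BDC names are placeholders you replace with your own.

```powershell
# Added example, not from the KB article. Reports which DC holds this member's
# Netlogon secure channel and optionally moves it to a BDC (the article's workaround).
# Assumptions: nltest.exe is available; $Domain, $PdcName and $BdcName are placeholders.
param(
    [string]$Domain  = 'CORP',          # placeholder NetBIOS domain name
    [string]$PdcName = 'NT4PDC',        # placeholder PDC NetBIOS name
    [string]$BdcName = 'NT4BDC-LOCAL',  # placeholder BDC to prefer
    [switch]$Reset                      # only re-point the channel when this is set
)

# Netlogon's parameter key; the article refers to it as \Netlogon\Parameters.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# 1. Check whether Kerberos ever wrote the "done with cached join DC" marker.
#    Per the article, it is missing after joining a Windows NT 4.0 domain.
$params   = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
$kerbDone = $null -ne ($params.PSObject.Properties |
    Where-Object { $_.Name -eq 'KerbIsDoneWithJoinDomainEntry' })
"KerbIsDoneWithJoinDomainEntry present: $kerbDone"

# 2. Ask Netlogon which DC currently holds the secure channel.
$scQuery = & nltest.exe "/sc_query:$Domain" 2>&1
$line    = $scQuery | Where-Object { $_ -match 'Trusted DC Name' }
if (-not $line) { throw "nltest /sc_query failed: $($scQuery -join ' ')" }
# Output looks like "Trusted DC Name \\DC1.corp.example"; keep only the host name.
$currentDc = (($line -replace '.*\\\\', '') -replace '\..*$', '').Trim()
"Secure channel currently with: $currentDc"

# 3. Flag members pinned to the PDC; re-point to the BDC only when -Reset is given.
if ($currentDc -ieq $PdcName) {
    Write-Warning "Secure channel is pinned to the PDC ($PdcName)."
    if ($Reset) {
        & nltest.exe "/sc_reset:$Domain\$BdcName"
    }
} else {
    "Secure channel is not on the PDC; no action needed."
}
```

Run it without -Reset first to inventory affected members; the reset only lasts until the next secure channel setup, which is why the article's real fix is Service Pack 2.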
STATUS
Microsoft has confirmed this to be a problem in Microsoft Windows 2000.
Modification Type: Major
Last Reviewed: 3/6/2004
Keywords: kbbug kbenv kbnetwork KB309115