controlling who logs in to a DC

Craig Householder

Is there a way to set up a domain controller so that it
will participate in replication but not allow users to log
in to it?

During high periods of activity ADUC (and other tools but
it is our security and account creation departments that
are asking) performs very slowly. If however we use those
same tools from those same workstations during off hours
(middle of the night) things work wonderfully. After
monitoring things the only thing we can attribute this to
is load. While the servers don't appear overly stressed
we can't find anything else to explain this.

Does anyone know if there is a way to make
an "administrative" domain controller?
 
Stopping Netlogon etc. will prevent logon validation, but also replication
etc.
Depending on your network, one thing that you might try would be to place
those DCs that you don't want doing logon validation in a different
site/subnet in AD. Since clients will attempt to first validate against a
DC in their same site, based on the IP header info, they should attempt to
validate against those first and then against any DC they can find.

--
David Brandt
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
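David's site/subnet approach, as an added example that is not part of the original thread: the modern ActiveDirectory-module equivalent of carving the "administrative" DCs into their own AD site, mapping only the admin workstations' subnet to it, and then checking which DC the locator hands back. The domain name contoso.local, the DC name DC03, the site name AdminDCs, the subnet 10.99.0.0/24 and the site link name DEFAULTIPSITELINK are all assumptions; substitute your own. It must be run as a Domain Admin on a machine with RSAT, and it changes live directory objects, so try it in a lab first.

```powershell
# Added example (not from the original thread): steer ordinary clients away from one DC
# by putting that DC in its own AD site. Assumed names throughout.
Import-Module ActiveDirectory

$Domain      = 'contoso.local'      # assumption
$AdminDc     = 'DC03'               # assumption: the DC to keep out of normal logon traffic
$AdminSite   = 'AdminDCs'           # assumption
$AdminSubnet = '10.99.0.0/24'       # assumption: only the admin workstations live here
$SiteLink    = 'DEFAULTIPSITELINK'  # assumption: the site link that reaches every other site

# 1. Create the site and map ONLY the admin workstations' subnet to it. Any subnet you
#    map here is a subnet whose clients will prefer DC03, so keep it to the admin staff.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$AdminSite'")) {
    New-ADReplicationSite -Name $AdminSite
}
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$AdminSubnet'")) {
    New-ADReplicationSubnet -Name $AdminSubnet -Site $AdminSite
}

# 2. Keep the new site on a site link so DC03 still replicates with the rest of the forest.
Set-ADReplicationSiteLink -Identity $SiteLink -SitesIncluded @{ Add = $AdminSite }

# 3. Move the DC's server object. Netlogon then re-registers the site-specific SRV records
#    (_ldap._tcp.<site>._sites.dc._msdcs.<domain>) under the new site name.
Move-ADDirectoryServer -Identity $AdminDc -Site $AdminSite

# 4. Verify the site membership of every DC.
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IPv4Address |
    Format-Table -AutoSize

# 5. Verify from a workstation on a normal client subnet: the locator should NOT return
#    DC03 here. Run the same command from an admin workstation and it should.
nltest /dsgetdc:$Domain /force
```

Two checks a practitioner should add before calling this done: a DC in a site with no client subnets still answers the generic (non-site) `_ldap._tcp.dc._msdcs` records, so it is still found by any client whose same-site lookup fails, and, with automatic site coverage enabled, it will register itself for any site that has no DC of its own. Set the Netlogon site coverage settings accordingly if that is not what you want. Netlogon itself must stay running on DC03; the point is to bias the locator, not to stop the service.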
 

You can experiment with pausing the netlogon service.


Jerold Schulman
Windows: General MVP
JSI, Inc.
http://www.jsiinc.com
 
Craig,

In addition to what David and Jerold have suggested, I might mention another
approach. Granted, it will not necessarily prevent logon authentication,
but it will - at the very least - dramatically reduce it.

Disclaimer: I have not yet tested this in a test environment but will soon.
I also assume that you have multiple DCs (that seems to be a given...).

You can make a change to the Weight and Priority of the DC in question in
the DNS MMC. This will reduce the load that it bears as far as logon
authentication.

However, this is not necessarily a solution to the root problem. Well, we
do not know that for sure yet.

Have you installed the Support Tools on your DCs yet? I would suggest that
you do this on all of your WIN2000 Servers (DCs, Member Servers, et al.).
The Support Tools can be installed from the WIN2000 Server CD or from the
WIN2000 Service Pack CD (in the Support | Tools folder). I would go with
the Service Pack CD given the choices.

Run a netdiag /v and a dcdiag /v on all of your DCs. You might also want to
run repadmin /showreps as well as netdom query fsmo on all of your DCs.
These tools are all part of the Support Tools. These are the basic health
monitoring tools for WIN2000. There are several others but let's start with
these. Also, do not forget about the basics: ping and nslookup.

HTH,

Cary
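Cary's Weight/Priority change and the health checks that follow it, as an added example that is not part of the original thread. One caveat the post does not mention: Netlogon re-registers a DC's SRV records on a timer, so a value typed into the DNS MMC is overwritten; the persistent place to set them is the `LdapSrvPriority` and `LdapSrvWeight` REG_DWORD values under Netlogon's Parameters key on the DC itself, after which `nltest /dsregdns` re-registers the records immediately. The domain name contoso.local and the DC name DC03 are assumptions, and the chosen values (priority 50, weight 10) are illustrative. The check tools are the same ones Cary names, except that dcdiag, repadmin and netdom now ship with RSAT rather than the Win2000 Support Tools, and netdiag is no longer shipped.

```powershell
# Added example (not from the original thread). Assumed names throughout.
Import-Module ActiveDirectory

$Domain         = 'contoso.local'   # assumption
$AdminDc        = 'DC03'            # assumption: the DC whose logon share should shrink
$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# 1. On DC03, lower its share of DC-locator traffic.
#    Priority: lower number wins; a higher value than the other DCs (default 0) means
#              "use me only when every lower-priority DC is unreachable".
#    Weight:   share of traffic among DCs with the SAME priority (default 100).
Invoke-Command -ComputerName $AdminDc -ScriptBlock {
    Set-ItemProperty -Path $using:NetlogonParams -Name LdapSrvPriority -Value 50 -Type DWord
    Set-ItemProperty -Path $using:NetlogonParams -Name LdapSrvWeight   -Value 10 -Type DWord
    nltest /dsregdns    # re-register this DC's SRV records with the new values now
}

# 2. Verify what clients actually see in DNS, not what you think you set.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object NameTarget, Priority, Weight, Port |
    Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
    Format-Table -AutoSize

# 3. Baseline health on every DC before blaming load: connectivity, dcdiag (/q prints
#    only failures) and replication errors per DC, then the FSMO role holders once.
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    [pscustomobject]@{
        DC          = $dc.HostName
        Reachable   = Test-Connection -ComputerName $dc.HostName -Count 1 -Quiet
        DcDiag      = (dcdiag /s:$($dc.HostName) /q) -join "`n"
        ReplErrors  = (repadmin /showrepl $dc.HostName /errorsonly) -join "`n"
    }
}
$report | Format-List
netdom query fsmo
```

Priority is the stronger lever: with a higher priority value DC03 is only consulted when no lower-priority DC answers, whereas weight merely skews the random choice among equals. Either way the DC remains a valid logon target, which is what Cary means by "reduce, not prevent". Run step 2 from a client machine, since that is the resolver whose answer matters; an empty `ReplErrors` field and an empty `DcDiag` field in the report are the good outcome.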
 