Summary of "piling on" scenarios in Active Directory domains

Article translations Article translations
Article ID: 305027 - View products that this article applies to.
This article was previously published under Q305027
Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
Expand all | Collapse all

On This Page

SUMMARY

This article describes "piling-on" scenarios in domains that use Windows 2000 Server, Windows Server 2003, and Windows Server 2008. It also describes how to troubleshoot and resolve certain issues that occur when "piling on" occurs.

MORE INFORMATION

Overview

With certain exceptions, domain controllers in an Active Directory directory service forest in Windows 2000 Server, in Windows Server 2003, and in Windows Server 2008 are equal peers in terms of the following characteristics:
  • Object creation
  • Object deletion
  • Object replication
  • Authentication
  • Responses to Lightweight Directory Access Protocol (LDAP) queries
Memory, CPU utilization, and server response time are generally the same for domain controllers that use the same hardware and that are performing the same task in a particular Active Directory site.

Certain operations in domain members or domain controllers favor a specific domain controller or class of domain controllers (ignoring site preference). This causes specific domain controllers to experience greater CPU utilization, use of memory, network traffic, and disk I/O, or a greater use of a combination of these components.

The targeting of a specific domain controller or group of domain controllers is referred to as a "piling-on" scenario. This behavior may occur if certain domain-wide and enterprise-wide operations that are not intended for multi-master placement reside on a single domain controller in the domain or forest. Other single-master operations that occur in other environments may be resolved or minimized by configuration changes.

"Piling-on" scenarios

The following list summarizes the piling-on scenarios that may occur, describes the symptoms that you may experience in each scenario, and contains information about how to resolve each scenario:
  • PDC registers two 1C records
  • PDC record appears at the top of the Windows Internet Name Service (WINS) [1C] list
  • Object Picker queries the PDC exclusively
  • Pass-through authentication goes to the PDC exclusively
  • Windows 2000 clients in Windows NT 4.0 domain are authenticated exclusively by the PDC
  • Windows 2000, Windows XP, and Windows Server 2003 clients in mixed-operating system domains are authenticated exclusively by later-model domain controllers after being discovered
  • Many earlier-version clients may lead to the PDC not functioning correctly
  • High number of incorrect password attempts may cause high load on PDC
  • DFS servers pull Partition Knowledge Table (PKT) from PDC on DFS configuration changes

PDC registers two 1C records

To resolve this issue on Windows 2000-based domain controllers, obtain and install the latest Windows 2000 service pack. For additional information about how to obtain the latest Windows 2000 service pack, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
For additional information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:
269424 WINS Prepend1BTo1CQueries Feature Aids Load-Balancing Between Domain Controllers
For Windows Server 2003-based domain controllers, only configure the registry.

PDC record appears at the top of the Windows Internet Name Service (WINS) [1C] list

Symptoms

The WINS [1C] list is sorted by IP address; therefore, the server with the lowest IP address is returned first and may be favored by clients.

Resolution

To resolve this issue, use one of the following methods (as appropriate to your version of Windows):
  • Windows NT 4.0

    To resolve this issue, install Windows NT 4.0 Service Pack 4 (SP4) or later, and then enable the
    Randomize1CList
    registry value in the registry. For additional information about how to obtain the latest Windows NT 4.0 service pack, click the following article number to view the article in the Microsoft Knowledge Base:
    152734 How to Obtain the Latest Windows NT 4.0 Service Pack
    For additional information about how to enable the Randomize1cList feature, click the following article number to view the article in the Microsoft Knowledge Base:
    231305 WINS Randomize1cList Feature Aids Load-Balancing Between DCs
  • Windows 2000

    To resolve this issue, enable the
    Randomize1CList
    registry value by editing the registry. For additional information about how to do so, click the following article number to view the article in the Microsoft Knowledge Base:
    231305 WINS Randomize1cList Feature Aids Load-Balancing Between DCs

Object Picker queries the PDC exclusively

Symptoms

When Object Picker on pre-Windows 2000 Service Pack 3 (SP3) clients enumerates users, groups, or computer accounts from a domain based on an earlier operating system, only the PDC is contacted to provide the list of objects.

Resolution

For additional information about how to obtain the latest Windows 2000 service pack, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack

Pass-through authentication goes to the PDC exclusively

Authentication requests from Windows NT LAN Manager (NTLM) clients with security channels to Windows NT 4.0 and Windows 2000 backup domain controllers (BDCs) are forwarded to the PDC if the authentication request fails and any of the following status codes are returned:
  • STATUS_ACCOUNT_LOCKED_OUT
  • STATUS_WRONG_PASSWORD
  • STATUS_PASSWORD_MUST_CHANGE
  • STATUS_PASSWORD_EXPIRED
Note NTLM clients include LanMan, Microsoft Windows 95, Microsoft Windows 98, Windows NT 4.0, and sometimes Windows 2000 clients.
The following scenarios can cause the PDC to experience a greater usage of CPU, memory, disk or other resources than other domain controllers in the domain:
  • Service accounts on domain member computers with expired passwords that have security channels to non-PDC domain controllers (STATUS_WRONG_PASSWORD).
  • Logon authentication for user accounts when the User must change password check box is selected in Windows NT 4.0 domains, or on Windows network clients that are not multi-master aware. Or, a reset of the User must change password attribute for many users.
  • Users who enter passwords during logon or network authentication that do not match their respective passwords on their security channel domain controller.
In sufficient quantity, these operations individually may overload a domain controller, or they may cause sufficient incremental load to affect service levels.

Resolution

  • If service accounts are trying to log on with outdated passwords, identify the problem service accounts by using your preferred account lockout tool against the PDC, and then either stop the service accounts or reset the passwords.
  • If a password reset occurs for many users, scope the number of accounts where User must change password is set.
  • "Hide" the PDC in WINS and DNS by editing the registry to enable the
    Randomize1CList
    registry value.

    For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
    231305 WINS Randomize1cList Feature Aids Load-Balancing Between DCs
  • Investigate whether the PDC contains the negative-caching fixes that are discussed in the following article in the Microsoft Knowledge Base:
    272065 Bad Password Attempts are Repeatedly Forwarded from Domain Controllers to the PDC Operations Master

Windows 2000 clients in Windows NT 4.0 domain are authenticated exclusively by the PDC

Symptoms

Windows 2000 clients in Windows NT 4.0 domains are initially authenticated only by the PDC of the domain.

Resolution

To resolve this issue, install Windows 2000 Service Pack 2 (SP 2) or later.

Windows 2000, Windows XP, and Windows Server 2003 clients in mixed-operating system domains are authenticated exclusively by later-model domain controllers after being discovered

Symptoms

Windows 2000, Windows XP, and Windows Server 2003 clients that are joined to mixed-operating system domains are authenticated only by Windows 2000 or Windows Server 2003 domain controllers after the security channel is updated.

Resolution

This behavior is by design, but it may be mitigated by deploying additional Active Directory domain controllers, particularly in Active Directory sites that contain many users. Also, make sure that the
NT4Emulator
registry key is set correctly to prevent bulk security channel migration to one Active Directory domain controller.
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
298713 How to Prevent Overloading on the First Domain Controller During Domain Upgrade

Many earlier-version clients may lead to the PDC not functioning correctly

Symptoms

If you have many Windows NT clients (more than 25,000), and they all send the PDC a request to change the user password or the computer account password, the client requests are “Discarded as too old."

This problem occurs because a request to change the user password or the computer password is sent specifically to the PDC in the form of a mailslot Request for primary. By default, as the mailslots are received by the PDC, they are queued for 15 seconds before being discarded as too old. However, in Windows 2000 Service Pack 3 (SP3) or earlier, the client-name-to-IP mapping is held in the NBT cache for only 10 seconds. As a result, the PDC may have to contact the WINS server to resolve the client name to an IP address for each client request. If the name resolution cannot be completed before the mailslot's 15-second cache limit expires, the PDC's mailslot processing cannot recover from this situation. Therefore, the client requests will be “Discarded as too old."

Resolution

Windows 2000 Service Pack 4 (SP4) contains a hotfix that increases the NBT cache limit to be equal to the mailslot timeout of 15 seconds.
For additional information about this hotfix, click the following article number to view the article in the Microsoft Knowledge Base:
316803 Earlier Clients May Fail to Change Passwords or Join in a Windows 2000 Domain
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack

High number of incorrect password attempts may cause high load on PDC

Symptoms

By default, when a user enters an incorrect password, the password is sent to the PDC in case the password was changed recently. In a domain that has many users, this may cause a high load on the PDC's resources. Or, many computers in the domain may run a program or a service that uses incorrect logon credentials and may retry these credentials repeatedly.

Resolution

To resolve this behavior, you set the AvoidPdcOnWan registry key to take this load off the PDC.

For additional information about this problem, click the following article number to view the article in the Microsoft Knowledge Base:
225511 New Password Change and Conflict Resolution Functionality in Windows

DFS servers pull partition knowledge table (PKT) from PDC on DFS configuration changes

Symptoms

When the DFS configuration of a DFS fault-tolerant root changes, all root targets are notified of the configuration change. They then receive the new PKT from the PDC of the domain. If you have many root targets and frequent changes, it can be a significant load on the PDC.

Resolution

Windows Server 2003 implements a feature known as Root Scalability Mode. When this feature is turned on, changes are not sent as notification to the root targets, and the targets do not pull the PKT from the PDC. Instead, they pull the PKT from their closest domain controller. Although configuration changes move around the network more slowly, the load on the PDC is significantly lower. To turn on Root Scalability Mode, run the following command:
dfsutil /root:\\domain\dfsroot /RootScalability /Enable
Note Only servers that are running Windows Server 2003 can use this setting.

Properties

Article ID: 305027 - Last Review: December 3, 2007 - Revision: 6.7
APPLIES TO
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Server
  • Microsoft Windows NT 4.0
  • Microsoft Windows Small Business Server 2003 Premium Edition
  • Microsoft Windows Small Business Server 2003 Standard Edition
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Standard
Keywords: 
kbinfo KB305027

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com