This article was previously published under Q231305
This article has been archived. It is offered "as is" and will no longer be updated.
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry
You are experiencing logon and network validation problems on a network in which workstations and their associated domain controllers (DCs) reside on different subnets. This network is also configured to use WINS as the main vehicle for name resolution.
If domain controllers are monitored, one is found to be much more heavily loaded than the others. Monitoring the overloaded DC, and network traffic to and from it, reveals the following: In Server Manager, you may see the following:
A large number (hundreds) of connections to Pipe\Lsarpc.
In Network Monitor captures of network traffic, you may see the following:
Connections are frequently not made or transaction performed on Pipe\Lsarpc.
Typical Server Message Block error message codes include STATUS_IO_TIMEOUT and STATUS_PIPE_NOT_AVAILABLE.
In Performance Monitor, you may see the following:
A large Handle Count in the LSASS process.
A large Thread Count in the LSASS process (300 - 700+).
A combined high CPU usage (approaching 100 percent) by the LSASS and System processes.NOTE: As the LSASS Thread Count increases, the proportion of CPU time used by the System process versus that used by LSASS increases because of increased context switching between the LSASS threads.
Detailed analysis of Network Monitor captures of network traffic generated when a workstation is restarted and logs on to the network reveals that the most overloaded DC is the DC whose IP address is the first in the list of IP addresses returned in WINS domainname<1C> name query responses.
A new WINS server feature, Randomize1cList, is now available and can promote more even load balancing between DCs in these specific circumstances. For example, where the overloaded DC is the DC whose IP address is the first in the domainname<1C> list).
In a network that uses WINS for name resolution, a workstation's logon server is selected as follows:
The workstation broadcasts a SAM logon request on its local subnet.
The workstation sends a WINS name query for domainname<1C> to its WINS server, which returns a list of up to 25 Domain Controller IP addresses, and the workstation sends a directed SAM logon request to each listed DC IP address in turn.
The order in which these directed SAM logon requests are issued is determined by the order of the IP addresses in the WINS domainname<1C> name query response; the first SAM logon request is sent to the first address in the list, and so on. The first DC to respond to a SAM logon request (broadcast or directed) is selected as the workstation's Logon Server.
If there are DCs on the workstation's subnet, one of these local DCs is usually selected as the workstation's logon server, as it receives the first broadcast SAM logon request earlier than remote DCs, and is therefore more likely to respond sooner than the remote DCs.
If there is no DC on the workstation's subnet, one of the DCs whose IP address appears in the domainname<1C> name query response is selected as the workstation's logon server. Normally, all the directed SAM logon requests are issued rapidly one after the other, and the first response is likely to be from the least busy DC. Over time, the usual result is each DC will become the logon server for a roughly equal numbers of workstations.
However, in some situations, it is possible for one of the remote DCs to be regularly selected as a workstation's logon server, causing it to become overloaded by subsequent volumes of validation traffic.
Windows NT 4.0 and Windows NT Server 4.0, Terminal Server Edition
To resolve this problem, obtain the latest service pack for Windows NT 4.0 or Windows NT Server 4.0, Terminal Server Edition. For additional information, click the following article number to view the article in theMicrosoft Knowledge Base:
152734 How to Obtain the Latest Windows NT 4.0 Service Pack
Windows NT 3.51
A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that this article describes. Apply it only to systems that are experiencing this specific problem.
To resolve this problem, contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:
Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.
The English version of this fix should have the following file attributes or later:
Date Time Size File name Platform -------------------------------------------------- 06/08/98 06:23p 170,400 Wins.exe x86 06/08/98 06:24p 310,544 Wins.exe Alpha
How to Activate Randomize1cList
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk. After you apply the hotfix, you can activate Randomize1cList by modifying the registry as described below.
WARNING: In most networks, there should be no need to activate this feature. In some situations, it could actually have an adverse effect, depending on where the DCs in the domainname<1C> list are located. For example, changing the order of the list might cause workstations in London to select logon servers in Hong Kong. It is recommended that you activate Randomize1cList ONLY after performing a thorough network analysis, and confirming that doing so is appropriate to the observed symptoms along with your WINS and network configurations.
To activate the Randomize1cList feature after installing the fix:
Start Registry Editor (Regedt32.exe).
From the HKEY_LOCAL_MACHINE subtree, go to the following key:
Value Name: Randomize1cList Data Type: REG_DWORD Data: 00000001 Radix: Hex
This key determines whether the WINS server changes the order of IP addresses in successive domainname<1C> name query responses. In certain situations, this change can improve load-balancing between domain controllers acting as logon servers within a domain.
Value: 0Meaning: 1C List Randomization is not enabled. The WINS server returns thelist of IP addresses in WINS domainname<1C> name query responses inthe same order each time such a name query is made.Value: 1 Meaning: Enables 1C List Randomization. The WINS server rotates the list ofIP addresses in WINS domainname<1C> name query responses a randomamount each time such a query is made.
Microsoft has confirmed that this is a problem in Windows NT 4.0 and Windows NT Server 4.0, Terminal Server Edition. This problem was first corrected in Windows NT 4.0 and Windows NT Server 4.0, Terminal Server Edition Service Pack 4.
If there are no local DCs, one scenario that might lead to uneven laod balancing between DCs is network or router congestion. This can cause transmission delays between successive directed security account manager (SAM) logon requests. If such a transmission delay approaches the time required to receive a SAM logon request response from the first server in the DC IP address list, then it is likely that this DC will become the logon server for the bulk of the workstations in the domain.
An enhancement has been made to Wins.exe to provide a Randomize1CList feature to overcome this potential problem. With the Randomize1CList feature activated, the list of IP addresses in successive domainname<1C> name query responses is rotated a random amount before transmission to the workstation. This ensures a more even loading of DCs in problem scenarios, as described above.