Solved

BDC but not logonserver

Posted on 1998-08-19
Last Modified: 2013-12-23
For a special service my NT server must be set up as a DC.
I don't want this BDC becoming a logon server.

Is this possible? What needs to be changed in the registry?
Question by ahoffmann

12 Comments

Expert Comment by wayneb (LVL 8)

If the PDC is busy then the BDC can be the server used to authenticate the users, and you have no control over this whatsoever; it is how NT is designed.

Expert Comment by snimmaga (LVL 5)

You can always stop the Net Logon service on the domain controller for it to not act as one.  But, remember you will be losing other services such as Discovery and Pass-through authentication.  That is, it cannot authenticate with the domain controller since it doesn't know which is the PDC because of lack of Discovery Service.  Now, your resources on this DC have to have no security at all since it doesn't have its own SAM.
My question is, if you don't want to have logon authentication why do you want it to be a DC?  What is the special situation?   Probably there is a work around for that.  
Also, you can make it into a PDC of its own domain.  Now, you don't have to worry about authentication 'cuz you will be coming from a different domain onto a resource free for everyone.  If you have restrictions on this resource then you will be asking for Pass-through and again this is nothing but logon authentication.  
Pretty complex, huh.....
Good Luck..
Srini.

Author Comment by ahoffmann (LVL 51)

> why do you want it to be a DC?
See my question ;-)

Well, I also thought of stopping NetLogon. If I do so, can I still log on
to the domain (which the server is still part of)? Can I even log on locally?

I cannot use another domain or any kind of trusts; my service
requires to run on a BDC ;-)) And the service must use a domain account.

Expert Comment by snimmaga (LVL 5)

OK, check out the articles Q128167 Q102968 for LanManServer parameters.  Hidden and srvannounce are the ones you are looking for.  Hidden hides it from browsing but I am not sure if it is enough to solely do your work.  You have to do some research for SRVANNOUNCE parameter.
If these do not work, then I have a rather crude solution.  In the Services\Browser\Parameters make sure IsDomainMaster and MaintainServerList are set to False.  This means, this BDC doesn't maintain a Serverlist and will not respond for client requests.  Now, if you make sure that no other machine can maintain the browse list and only PDC and other BDCs do so, then all the time the client requests go to the PDC or other BDCs.  Now, since they answer the request for the domain controller anyways, they will also respond to your logon authentication request.  This will minimize the burden on your BDC to almost 0%, though you might find some stray authentication requests.  If your aim is to decrease the burden or relieve the BDC of the authentication then this is your best solution.  
The first part of the comment might suggest an easier way to completely avoid it, though.  It definitely needs some research.
Hope this helps..
Good luck..
Srini.

Author Comment by ahoffmann (LVL 51)

snimmaga, thanks for the suggestions.

1. HKLM\Services\Browser\  has nothing to do with logon (authentication)

2. net config server /hidden:yes (or the corresponding key in the registry) is also for browsing, not logon

3. unfortunately the articles are not useful

4. did not find any useful information about srvannounce (or equivalent) at M$ knowledge base  :-(

What I've seen so far is that the (old) lanman.ini file had a parameter:   maxusers=
Does anybody know if there is an equivalent in the registry?

Expert Comment by snimmaga (LVL 5)

Well, I very well know that Browser/Parameters is for Browsing.  That is what I mentioned in my answer too.  I also mentioned that this will not eliminate the logon process completely but will reduce it to a negligible amount.  If you are looking for '0' - logging (period) then this is not a solution.  
If you are thinking of making MAXUSERS a value to manipulate, it is not going to work.  If you set it to zero, then no sessions can be established and this is almost equivalent to NetLOGON stoppage.  Well, if you want to give it a shot, it is still a parameter under CurrentControlSet\Services\lanmanserver\parameters.  If it is not there, just add it.
Srini.
Accepted Solution by cshelmerdine (earned 50 total points)

Try this,

We have a domain controller which we want to validate passwords, etc. but it has a glitch somewhere which I'm still working on which gives a client the response 'This response is not accepted by the network. Try again later'. We have PAUSED the logon service, which keeps the DC functions, but does not answer to logon requests. Try this.

Expert Comment by carmine (LVL 5)

cshelmerdine has the correct solution. Pausing the Netlogon service stops the server authenticating users, but retains all other DC functions, including SAM replication with the PDC.

Now all you have to do is figure out how to automatically pause NetLogon after a reboot!  Try AutoExNt from the RK to run a batch job:

REM Start
REM Use the service key name (NETLOGON); the display name "Net Logon"
REM contains a space and would have to be quoted.
NET START NETLOGON
REM PAUSE only succeeds on a service that is already running.
NET PAUSE NETLOGON
REM End

The NET START is required to ensure that NetLogon is running before you try and pause it.  Otherwise the NET PAUSE may fail.

Author Comment by ahoffmann (LVL 51)

cshelmerdine,
sounds that this is the workaround.

carmine,
I still have a script called while booting to do what you
suggested :-)
BTW, what's exactly the difference between a paused and a stopped  service?

snimmaga,
I'm still fiddling around with MAXUSERS in the registry. No success so far. Do you know where exactly in the HKLM hive it should be and which type it is (REG_DWORD)?


snimmaga's solution with MAXUSERS is the workaround I would prefer, 'cause I just have to change a simple registry entry once
(which could be automated too;-)

Anyway, I'm going to grade all of you when I'm done.

Expert Comment by carmine (LVL 5)

The difference between PAUSE and STOP: STOP does just that, it removes the process from memory.  PAUSE does whatever the programmer decides it does for that service; not many services implement this call.  For NetLogon it just disables user authentication.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\Users
DataType REG_DWORD

Setting this to zero will stop all client access to your server, is this what you want?  If so just stop the Server service.  I don't know what effect this will have on SAM replication though!
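The modern PowerShell equivalent of the NET START / NET PAUSE batch job and of carmine's pause-versus-stop distinction, added here as an example and not taken from any post in the thread; it assumes an elevated session, the service key name Netlogon, and a hypothetical function name Set-NetlogonPaused:

```powershell
# Added example (not from the original thread): pause the Netlogon service
# after making sure it is running, then verify the resulting state.
# Assumes an elevated session; 'Netlogon' is the service key name.

function Set-NetlogonPaused {
    [CmdletBinding()]
    param(
        [string]$Name = 'Netlogon'
    )

    $svc = Get-Service -Name $Name -ErrorAction Stop

    # Not every service implements the pause control (carmine's point above);
    # fail clearly here instead of inside Suspend-Service.
    if (-not $svc.CanPauseAndContinue) {
        throw "Service '$Name' does not support pause/continue."
    }

    # A service can only be paused while it is running, which is why the
    # batch job issues NET START before NET PAUSE.
    if ($svc.Status -eq 'Stopped') {
        Start-Service -Name $Name
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    }

    # Pause (not stop): the process stays in memory and other DC functions,
    # such as replication, keep working; only logon validation is disabled.
    if ($svc.Status -eq 'Running') {
        Suspend-Service -Name $Name
        $svc.WaitForStatus('Paused', [TimeSpan]::FromSeconds(30))
    }

    $svc.Refresh()
    [pscustomobject]@{
        Service = $Name
        Status  = $svc.Status
        Paused  = ($svc.Status -eq 'Paused')
    }
}

# Intended to run at boot, e.g. from a scheduled task with an "At startup"
# trigger, which replaces the AutoExNT batch job from the Resource Kit.
Set-NetlogonPaused | Format-List
```

Because a pause is not persisted, any reboot that bypasses the startup task leaves Netlogon running again, so the returned Paused value is worth logging or monitoring.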

Author Comment by ahoffmann (LVL 51)

Good news:
  pausing NetLogon works fine, even with SAM replication

Bad news:
  using  Users  and/or  MaxUsers  (set to 0) in the registry
  doesn't change anything


carmine, snimmaga, please check Experts-Exchange topic ;-)

Expert Comment by snimmaga (LVL 5)

I don't understand.  I rec'd a mail from EE Customer Service about you sending an email or something.  What does it mean?
Please explain.
Srini.