BDC but not logonserver

For a special servive my NT server must be setup as DC.
I don't want this BDC becoming a logonserver.

Is this possible? what need to be changed in the registry?
LVL 51
Who is Participating?
Try this,

We have a domain controller which we want to validate passwords, etc. but it has a glitch somewhere which I'm still working on which gives a client the response 'This response is not accepted by the network. Try again later'. We have PAUSED the logon service, which keeps the DC functions, but does not answer to logon requests. Try this.
If the pdc is busy then the bdc can be the server used to Authenticate the users and you have no control over this what so ever, it is how nt is designed.
You can always stop the Net Logon service on the domain controller for it to not act as one.  But, remember you will be losing other services such as Discovery and Pass-through authentication.  That is, it cannot authenticate with the domain controller since it doesn't know which is the PDC because of lack of Discovery Service.  Now, your resources on this DC have to have no security at all since it doesn't have its own SAM.
My question is, if you don't want to have logon authentication why do you want it to be a DC?  What is the special situation?   Probably there is a work around for that.  
Also, you can make it into a PDC of it's own domain.  Now, you don't have to worry about authentication 'cuz you will be coming from a different domain onto a resource free for everyone.  If you have restrictions on this resource then you will be asking for Pass-through and again this is nothing but logon authentication.  
Pretty complex, huh.....
Good Luck..
Cloud Class® Course: Ruby Fundamentals

This course will introduce you to Ruby, as well as teach you about classes, methods, variables, data structures, loops, enumerable methods, and finishing touches.

ahoffmannAuthor Commented:
> why do you want it to be a DC?
See my question ;-)

Well I also thought of stopping NetLogon. If I do so can I logon
to the domain (which the server is still part of) anymore, can I even logon localy?

I cannot use another domain and any kind of trusties, my service
requires to run on a BDC ;-)) And the service must use a domain account.
OK, check out the articles Q128167 Q102968 for LanManServer parameters.  Hidden and srvannounce are the ones you are looking for.  Hidden hides it from browsing but I am not sure if it is enough to solely do your work.  You have to do some research for SRVANNOUNCE parameter.
If these do not work, then I have a rather crude solution.  In the Services\Browser\Parameters make sure IsDomainMaster and MaintainServerList are set to False.  This means, this BDC doesn't maintain a Serverlist and will not respond for client requests.  Now, if you make sure that no other machine can maintain the browse list and only PDC and other BDCs do so, then all the time the client requests go to the PDC or other BDCs.  Now, since they answer the request for the domain controller anyways, they will also respond to your logon authentication request.  This will minimize the burden on your BDC to almost 0%, though you might find some stray authentication requests.  If your aim is to decrease the burden or relieve the BDC of the authentication then this is your best solution.  
The first of the comment might suggest an easier way to completely avoid it, though.  It definetely needs some research.
Hope this helps..
Good luck..
ahoffmannAuthor Commented:
snimmaga, thanks for the suggestions.

1. HKLM\Services\Browser\  has nothing to do with logon  (authentification)

2. net config server /hidden:yes (or the corresponding key in the registry) also is for browsing, not logon

3. unfortunately the articles are not usefull

4. did not find any useful information about srvannounce (or equivalent) at M$ knowledge base  :-(

What I've seen so far is that (old) lanman.ini file had a parameter:   maxusers=
Does anybody know if there is a equivalent in the registry?

Well, I very well know that Browser/Parameters is for Browsing.  That is what I mentioned in my answer too.  I also mentioned that this will not eliminate the logon process completely but will reduce it to a negligable amount.  If you are looking for '0' - logging (period) then this is not a solution.  
If you are thinking of making MAXUSERS a value to manipulate it is not going to work.  If you set it to zero, then no sessions can be established and this is almost equivalant to NetLOGON stoppage.  Well, if you want to give it a shot, it is still a parameter under CurrentControlSet\Services\lanmanserver\parameters.  If it is not there, just add it.
cshelmerdine has the correct solution. Pausing the Netlogon service stops the server authenicating users, but retains all other DC functions, including SAM replication with the PDC.

Now all you have to do is figure out how to automatically pause NetLogon after a reboot!  Try AutoExNt from the RK to run a batch job:

REM Start

The NET START is required to ensure that NetLogon is running before you try and pause it.  Otherwise the NET PAUSE may fail.
ahoffmannAuthor Commented:
sounds that this is the workaround.

I still have a script called while booting to do what you
suggested :-)
BTW, what's exactly the difference between a paused and a stopped  service?

I'm still fideling arround with MAXUSERS in the registry. No success so far. Do you know know where exactly in the HKLM hive it should be and which type it is (REG_DWORD)?

snimmaga's solution with MAXUSERS is the workaround I would prefer, 'cause I just have to change a simple registry entry once
(which could be automated too;-)

Anyway, I'm going to grade all of you when I'm done.
The difference between PAUSE and STOP.  STOP does just that, it removes the process from memory.  PAUSE does whatever the programmer decides it does for that service, not many services implement this call.  For the NetLogon it just disables user authentication.


Setting this to zero will stop all client access to your server, is this what you want?  If so just stop the Server service.  I don't know what effect this will have on SAM replication though!
ahoffmannAuthor Commented:
Good news:
  pausing NetLogon works fine, even with SAM replication

Bad news:
  using  Users  and/or  MaxUsers  (set to 0) in the registry
  doesn't change anything

carmine, snimmaga, please check Experts-Exchange topic ;-)
I don't understand.  I rec'd a mail from EE Customer Service about you sending an email or something.  What does it mean?
Please explain.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.