Solved

BDC but not logonserver

Posted on 1998-08-19
2,006 Views
Last Modified: 2013-12-23
For a special service my NT server must be set up as a DC.
I don't want this BDC becoming a logon server.

Is this possible? What needs to be changed in the registry?
0
Question by:ahoffmann
12 Comments
 
LVL 8

Expert Comment

by:wayneb
ID: 1560744
If the PDC is busy then the BDC can be the server used to authenticate the users, and you have no control over this whatsoever; it is how NT is designed.
0
 
LVL 5

Expert Comment

by:snimmaga
ID: 1560745
You can always stop the Net Logon service on the domain controller for it to not act as one.  But, remember you will be losing other services such as Discovery and Pass-through authentication.  That is, it cannot authenticate with the domain controller since it doesn't know which is the PDC because of lack of Discovery Service.  Now, your resources on this DC have to have no security at all since it doesn't have its own SAM.
My question is, if you don't want to have logon authentication why do you want it to be a DC?  What is the special situation?   Probably there is a work around for that.  
Also, you can make it into a PDC of its own domain.  Now, you don't have to worry about authentication 'cuz you will be coming from a different domain onto a resource free for everyone.  If you have restrictions on this resource then you will be asking for Pass-through and again this is nothing but logon authentication.  
Pretty complex, huh.....
Good Luck..
Srini.
0
 
LVL 51

Author Comment

by:ahoffmann
ID: 1560746
> why do you want it to be a DC?
See my question ;-)

Well, I also thought of stopping NetLogon. If I do so, can I still log on
to the domain (which the server is still part of)? Can I even log on locally?

I cannot use another domain or any kind of trusts; my service
requires running on a BDC ;-)) And the service must use a domain account.
0
 
LVL 5

Expert Comment

by:snimmaga
ID: 1560747
OK, check out the articles Q128167 Q102968 for LanManServer parameters.  Hidden and srvannounce are the ones you are looking for.  Hidden hides it from browsing but I am not sure if it is enough to solely do your work.  You have to do some research for SRVANNOUNCE parameter.
If these do not work, then I have a rather crude solution.  In the Services\Browser\Parameters make sure IsDomainMaster and MaintainServerList are set to False.  This means, this BDC doesn't maintain a Serverlist and will not respond for client requests.  Now, if you make sure that no other machine can maintain the browse list and only PDC and other BDCs do so, then all the time the client requests go to the PDC or other BDCs.  Now, since they answer the request for the domain controller anyways, they will also respond to your logon authentication request.  This will minimize the burden on your BDC to almost 0%, though you might find some stray authentication requests.  If your aim is to decrease the burden or relieve the BDC of the authentication then this is your best solution.  
The first part of the comment might suggest an easier way to completely avoid it, though.  It definitely needs some research.
Hope this helps..
Good luck..
Srini.
0
 
LVL 51

Author Comment

by:ahoffmann
ID: 1560748
snimmaga, thanks for the suggestions.

1. HKLM\Services\Browser\  has nothing to do with logon (authentication)

2. net config server /hidden:yes (or the corresponding key in the registry) is also for browsing, not logon

3. unfortunately the articles are not useful

4. did not find any useful information about srvannounce (or equivalent) in the M$ knowledge base  :-(

What I've seen so far is that the (old) lanman.ini file had a parameter:   maxusers=
Does anybody know if there is an equivalent in the registry?

0
 
LVL 5

Expert Comment

by:snimmaga
ID: 1560749
Well, I very well know that Browser/Parameters is for Browsing.  That is what I mentioned in my answer too.  I also mentioned that this will not eliminate the logon process completely but will reduce it to a negligible amount.  If you are looking for '0' - logging (period) then this is not a solution.  
If you are thinking of making MAXUSERS a value to manipulate, it is not going to work.  If you set it to zero, then no sessions can be established and this is almost equivalent to NetLOGON stoppage.  Well, if you want to give it a shot, it is still a parameter under CurrentControlSet\Services\lanmanserver\parameters.  If it is not there, just add it.
Srini.
0
 

Accepted Solution

by:
cshelmerdine earned 50 total points
ID: 1560750
Try this,

We have a domain controller which we want to validate passwords, etc. but it has a glitch somewhere which I'm still working on which gives a client the response 'This response is not accepted by the network. Try again later'. We have PAUSED the logon service, which keeps the DC functions, but does not answer to logon requests. Try this.
0
 
LVL 5

Expert Comment

by:carmine
ID: 1560751
cshelmerdine has the correct solution. Pausing the Netlogon service stops the server authenticating users, but retains all other DC functions, including SAM replication with the PDC.

Now all you have to do is figure out how to automatically pause NetLogon after a reboot!  Try AutoExNt from the RK to run a batch job:

REM Start: the display name "Net Logon" contains a space, so it must be quoted
REM (the short service name NETLOGON would work unquoted as well)
NET START "NET LOGON"
NET PAUSE "NET LOGON"
REM End

The NET START is required to ensure that NetLogon is running before you try and pause it.  Otherwise the NET PAUSE may fail.
0
 
LVL 51

Author Comment

by:ahoffmann
ID: 1560752
cshelmerdine,
it sounds like this is the workaround.

carmine,
I already have a script called while booting to do what you
suggested :-)
BTW, what's exactly the difference between a paused and a stopped service?

snimmaga,
I'm still fiddling around with MAXUSERS in the registry. No success so far. Do you know where exactly in the HKLM hive it should be and which type it is (REG_DWORD)?


snimmaga's solution with MAXUSERS is the workaround I would prefer, 'cause I just have to change a simple registry entry once
(which could be automated too ;-)

Anyway, I'm going to grade all of you when I'm done.
0
 
LVL 5

Expert Comment

by:carmine
ID: 1560753
The difference between PAUSE and STOP: STOP does just that, it removes the process from memory.  PAUSE does whatever the programmer decides it does for that service; not many services implement this call.  For NetLogon it just disables user authentication.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\Users
DataType REG_DWORD

Setting this to zero will stop all client access to your server, is this what you want?  If so just stop the Server service.  I don't know what effect this will have on SAM replication though!
0
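The accepted workaround (start Net Logon, then pause it, so the BDC keeps replicating with the PDC but stops answering logon requests) and carmine's point that PAUSE is only implemented by some services, as an added example that is not code from the thread. It is written for a current Windows host with the PowerShell service cmdlets (run elevated on the DC); on the NT 4 box discussed here, AutoExNT would run the equivalent NET START / NET PAUSE batch file at boot. The function names Set-NetlogonPaused and Get-PausableService are my own.

```powershell
# Added example, not from the thread: keep Net Logon running but paused on a
# domain controller. Assumes a current Windows host, run as Administrator.

function Get-PausableService {
    # Only services whose control handler accepts SERVICE_CONTROL_PAUSE report
    # CanPauseAndContinue; most do not, which is carmine's point about PAUSE.
    # The flag is only reported while a service is running, so stopped services
    # are left out of this list on purpose.
    Get-Service |
        Where-Object { $_.Status -eq 'Running' -and $_.CanPauseAndContinue } |
        Select-Object -ExpandProperty Name
}

function Set-NetlogonPaused {
    param(
        [string]$Name = 'Netlogon',     # short service name; display name is "Net Logon"
        [int]$TimeoutSeconds = 30
    )
    $timeout = [TimeSpan]::FromSeconds($TimeoutSeconds)
    $svc = Get-Service -Name $Name -ErrorAction Stop

    # Same reason as NET START before NET PAUSE in the batch file: a stopped
    # service cannot be paused, and it does not even report whether it supports
    # pausing until it is running.
    if ($svc.Status -eq 'Stopped') {
        Start-Service -Name $Name
        $svc.WaitForStatus('Running', $timeout)
    }
    $svc.Refresh()

    # Fail early with a clear message instead of letting Suspend-Service throw.
    if (-not $svc.CanPauseAndContinue) {
        throw "Service '$Name' does not implement PAUSE; only STOP is available."
    }

    if ($svc.Status -eq 'Running') {
        Suspend-Service -Name $Name
        $svc.WaitForStatus('Paused', $timeout)
    }
    $svc.Refresh()

    # Verify rather than assume: Paused is the state that keeps this DC out of
    # authentication while leaving SAM replication with the PDC alone.
    if ($svc.Status -ne 'Paused') {
        throw "Service '$Name' is $($svc.Status), expected Paused."
    }
    return $svc.Status
}

# Usage (elevated, on the BDC):
# Set-NetlogonPaused        # returns Paused
# Get-PausableService       # lists the running services that accept PAUSE
```

The check of CanPauseAndContinue after the start is deliberate: the flag comes from the service's current control mask, which a stopped service does not publish, so testing it before starting Net Logon would always report that pausing is unsupported.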
 
LVL 51

Author Comment

by:ahoffmann
ID: 1560754
Good news:
  pausing NetLogon works fine, even with SAM replication

Bad news:
  using  Users  and/or  MaxUsers  (set to 0) in the registry
  doesn't change anything


carmine, snimmaga, please check Experts-Exchange topic ;-)
0
 
LVL 5

Expert Comment

by:snimmaga
ID: 1560755
I don't understand.  I rec'd a mail from EE Customer Service about you sending an email or something.  What does it mean?
Please explain.
Srini.
0
