Available as a hotfix utility after SP3 and included in SP4, SetPrfDC.exe lets you control the order in which the workstation
(or server) attempts to establish a secure channel connection for login.
Normally NT makes a secure channel connection with the first domain controller in
its domain that responds. This is a race condition. Usually the winner is the
closest domain controller, but should the closest be busy momentarily, a remote
BDC across a WAN connection could answer first. When this happens, the login
process is slow. In some cases VERY slow. SP3 added the ability to direct the
NETLOGON process to a preferred DC for the secure channel. SetPrfDC.exe is a command-line utility you can set in the user
profile. The syntax is:
SETPRFDC Domain ListOfDCsInOrderofPreference(DC1,DC2,DC3,…)
Example: setprfdc accntdom accsanfran1,accsanfran2,acclosang1
to a domain controller. If the secure channel is to DC1, netlogon will
authenticate using that channel. If the secure channel is not with DC1, it will
attempt to establish a secure channel to DC1. If that fails, it will try DC2, DC3,
… If all attempts to connect to a domain controller in the list fail, the secure
channel which was made at boot will be used. This will have been with whichever
domain controller answered first.
Re: number of domain controllers needed – Microsoft’s recommendation is: 1 PDC,
1 BDC for up to 5000 user accounts, 2 BDCs for 5,000-9,999, 5 BDCs for
10,000-19,999, 10 BDCs for 20,000-29,999, … The standard is a BDC for every
2-3,000 user accounts. Regardless of the number of accounts, I recommend a BDC in
each remote location in the domain. We have about 3,000 user accounts spread
across 4 locations. We have a PDC & 2 BDCs in the head office, and a BDC in
each of the three branch offices.
An alternative approach: add the following line to the file
\WinNT\system32\drivers\etc\LMHOSTS on the NT workstation. Start the line with the
IP of the DC you want to force a logon to, followed, in quotes, by the name of the
domain, “n” spaces and \0x1C, so that (domain name) + (spaces) = 15.
Follow this with #PRE. If the target DC is at 172.77.71.9 and the domain is “ACME”,
the line should look like this (plain double quotes, 11 spaces after ACME):
172.77.71.9 "ACME           \0x1C" #PRE
bother, Windows NT will ignore all but the last line. Tip lifted from Minasi’s
Mastering Windows NT Server 4.
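The padding rule for the LMHOSTS line above is easy to get wrong, because web pages and word processors collapse the spaces and curl the quotes. The following is an added example, not part of the original tip or of any Microsoft tool: a small Python helper that builds the line and checks an existing one. The function names build_entry and check_line are made up for this illustration.

```python
import ipaddress
import re

NAME_LEN = 15       # domain name + trailing spaces must total 15 characters
SUFFIX = r"\0x1C"   # literal text LMHOSTS uses for the 16th name byte
ENTRY_RE = re.compile(r'^(\S+)\s+"(.*)\\0x1[Cc]"\s*(.*)$')

def build_entry(ip, domain):
    """Return the LMHOSTS line that preloads `domain` for the DC at `ip`."""
    ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    if not 1 <= len(domain) <= NAME_LEN:
        raise ValueError("domain name must be 1-15 characters")
    # NetBIOS names are upper-case; ljust supplies the "n" padding spaces.
    return f'{ip} "{domain.upper().ljust(NAME_LEN)}{SUFFIX}" #PRE'

def check_line(line):
    """Return the problems found in one \\0x1C LMHOSTS line ([] if none)."""
    problems = []
    if "\u201c" in line or "\u201d" in line:
        problems.append("curly quotes; LMHOSTS needs plain double quotes")
        line = line.replace("\u201c", '"').replace("\u201d", '"')
    m = ENTRY_RE.match(line.strip())
    if not m:
        return problems + ["not a quoted \\0x1C entry"]
    ip, name, rest = m.groups()
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        problems.append(f"bad IP address {ip!r}")
    if len(name) != NAME_LEN:
        problems.append(f"name field is {len(name)} characters, expected {NAME_LEN}")
    if "#PRE" not in rest.upper().split():
        problems.append("missing #PRE")
    return problems

if __name__ == "__main__":
    # Constructed sample lines; the second lost its padding when copied from a web page.
    good = build_entry("172.77.71.9", "ACME")
    bad = "172.77.71.9 \u201cACME \\0x1C\u201d #PRE"
    for sample in (good, bad):
        print(repr(sample), check_line(sample) or "OK")
```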