Windows NT’s SetPrfDC controls login domain controller in WAN environment


Available as a hotfix utility after SP3 and included in SP4, SetPrfDC.exe allows you to control the order the workstation
(or server) attempts to establish a secure channel connection for login.
Normally NT makes a secure channel connection with the first domain control in
its domain which responds. This is a race condition. Normally this is the
closest domain controller but should the closest be busy momentarily, a remote
BDC across a WAN connection could answer first. When this happens, the login
process is slow. In some cases VERY slow. SP3 added the ability to direct the
NETLOGON process to a preferred DC for the secure channel. SetPrfDC.exe is a commandline utility you can set in the user
profile. The syntax is:

SETPRFDC Domain
ListOfDCsInOrderofPreference(DC1,DC2,DC3,…)

Example:

setprfdc accntdom accsanfran1,accsanfran2,acclosang1

When NT connects to the network, a secure channel will be established
to a domain controller. If the secure channel is to DC1, netlogon will
authenication using that channel. If the secure channel is not with DC1, it will
attempt to establish a secure channel to DC1. If it fails, it will try DC2, DC3,
… If all attempts to connect to a domain controller in the list, the secure
channel which was made at boot will be used. This will have been with whichever
domain controller answered first.


Re: number of domain controllers need – Microsoft’s recommendation is: 1 PDC,
1 BDC for up to 5000 user accounts, 2 BDCs for 5,000-9,999, 5 BDCs for
10,000-19,999, 10 BDCs for 20,000-29,9999, … The standard is a BDC for every
2-3,000 user accounts. Irregardless of number of accounts, I recommend a BDC in
each remote location in the domain. We have about 3,000 user accounts spread
across 4 locations. We have PDC & 2 BDCs in the head office, and a BDC in
each of the three branch offices.

An alternative approach procedure: Add the following line to the file
\WinNT\system32\drivers\etc\LMHOSTS on NT workstation. Start the line with the
IP of the DC you want to force a logon to followed by the name of the domain
& “n” spaces & \0x1C in quotes so that (domain name) + (spaces) = 15.
Follow this by #PRE. If the target DC is at 172.77.71.9 and the domain is “ACME”
the line should look like this:

172.77.71.9 “ACME           \0x1C” #PRE

If you’re thinking about adding multiple lines like this don’t
bother, Windows NT will ignore all but the last line. Tip lifted from Minasi’
Mastering Windows NT Server 4.

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top