I would recommend doing a trace of one of the problem clients logging on and
watch the whole referral process, etc. Actually I would probably just turn
on a sniffer and let it watch everything from one of those machines from
boot up for some time so you catch refreshes and everything else. At least
then you should be able to nail down whether the clients are being referred
to something incorrectly or they are off making their own incorrect
O'Reilly Active Directory Third Edition -


[mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Saturday, December 02, 2006 1:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Bulk of client going to PDC

Yes checked the correct subnets are attached to correct sites.
All clients are connected via Ethernet 100/Full Duplex.

Its like mass exodus of swarm of computers,  going to PDCe, and in turn
choking the WAN links. 
It happened like once a day.. and everyday it would be random site.

Have asked different site people to install netmon on some PCs and keep it
running..on Monday..hoping that one of those sites.. and in them.. one of
those PCs misbehaves. 

Anything else, I should look at?


On 12/2/06, Al Mulnick <[EMAIL PROTECTED]> wrote: 

Site definitions - are your site definitions up to date?
How are your clients connected - Are they ethernet, 802.11x, tokenring, ??


On 12/2/06, Kamlesh Parmar <[EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]> > wrote: 

Am sorry, I didn't follow what you are asking.. could you be more specific. 

On 12/2/06, Al Mulnick <[EMAIL PROTECTED]  <mailto:[EMAIL PROTECTED]> >

How are your clients connected? Site definitions? 

On 12/1/06, Kamlesh Parmar <[EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]> > wrote: 

Appreciate the efforts taken.
AFAIK, this would be more of a DFS issue then authentication, as clients are
pulling policies and files from PDCe.
When I look into details of DFS link targets for sysvol or netlogon, PDCe is
listed as distance 9th in the list of servers which clients should contact
in case there primary link target failed.
And this happens so randomly, from clients that I am not able to setup a
network trace also.


On 12/1/06, Thomas Michael Heß <[EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]> > wrote: 

Hi Kamlesh,


first of all, iwould enable the logging of the Netlogon Service.

I ve found an article in the WindowsITPro



The Netlogon service is one of the key Local Security Authority (LSA)
processes that run on every Windows domain controller. When you troubleshoot
authentication problems, analyzing the Netlogon service log files can be
useful. How do I turn Netlogon service logging on and off, and how do I
analyze the content of the Netlogon log files? 

To turn on Netlogon service logging, type the following Nltest command at
the command line: 

nltest /dbflag:2080ffff 

Enabling Netlogon service logging requires that you restart the Netlogon
service. To do so, use the Net Stop Netlogon and Net Start Netlogon
commands. To disable netlogon service logging, type: 

nltest /dbflag:0 

Then, restart the Netlogon service again. The Netlogon service stores log
data in a special log file called netlogon.log, in the %Windir%\debug

Two utilities are useful in querying the Netlogon log files: Nlparse.exe and
Findstr.exe. Nlparse.exe is a GUI tool that comes with Microsoft Account
Lockout tools. You can download Account Lockout tools for free from the
Microsoft Web site as part of the "Account Lockout and Management Tools"
ALTools.exe file at
8629-B999ADDE0B9E&displaylang=en .
<http://www.winnetmag.com/Files/42850/Figure_01.gif> Figure 1 shows the
Nlparse GUI, which contains the most common Netlogon error codes and their
meaning. Nlparse stores the output of its queries in two files in the
%Windir%\debug folder: netlogon.log-out.scv and netlogon.log-summaryout.txt.
. . . 





[mailto:[EMAIL PROTECTED] Im Auftrag von Kamlesh Parmar
Gesendet: Donnerstag, 30. November 2006 20:51
An: ActiveDir@mail.activedir.org
Betreff: [ActiveDir] Bulk of client going to PDC


Hi Guys,

We are facing some strange issue, randomly clients from some sites are going
to PDCe for group policy refresh,along with screensaver and wallpaper stored
in netlogon. 

Clients are ignoring their nearest DC, and approaching PDCe. 

All DCs : Win2k3 SP1
All Clients: XP SP2

I verified, 
1) DNS entries for site DC are correct.
2) Netlogon and Sysvol folder of site DC are accessible. 
3) Verified the clients are authenticating with site DC by : nltest.exe
4) Verified DFS info for netlogon and sysvol on clients is correct :
dfsutil.exe  /pktinfo

I am clueless where else, should I look? 

You teach best what you most need to learn.


You teach best what you most need to learn.


You teach best what you most need to learn.

You teach best what you most need to learn.

Reply via email to