Q231305: WINS Randomize1cList Feature Aids Load-Balancing Between DCs

Article: Q231305
Product(s): Microsoft Windows NT
Version(s): winnt:4.0
Operating System(s): 
Keyword(s): 
Last Modified: 11-JUN-2002

-------------------------------------------------------------------------------
The information in this article applies to:

- Microsoft Windows NT Server, Enterprise Edition version 4.0 
-------------------------------------------------------------------------------


IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

  Q256986 Description of the Microsoft Windows Registry

SYMPTOMS
========

You are experiencing logon and network validation problems on a network in which
workstations and their associated domain controllers (DCs) reside on different
subnets. This network is also configured to use WINS as the main vehicle for
name resolution.

If domain controllers are monitored, one is found to be much more heavily loaded
than the others. Monitoring the overloaded DC, and network traffic to and from
it, reveals the following:

  In Server Manager, you may see the following:

- A large number (hundreds) of connections to Pipe\Lsarpc.

  In Network Monitor captures of network traffic, you may see the following:

- Connections are frequently not made or transaction performed on Pipe\Lsarpc.

- Typical Server Message Block error message codes include STATUS_IO_TIMEOUT
  and STATUS_PIPE_NOT_AVAILABLE.

  In Performance Monitor, you may see the following:

- A large Handle Count in the LSASS process.

- A large Thread Count in the LSASS process (300 - 700+).

- A combined high CPU usage (approaching 100 percent) by the LSASS and System
  processes.

  NOTE: As the LSASS Thread Count increases, the proportion of CPU time used by
  the System process versus that used by LSASS increases because of increased
  context switching between the LSASS threads.

Detailed analysis of Network Monitor captures of network traffic generated when a
workstation is restarted and logs on to the network reveals that the most
overloaded DC is the DC whose IP address is the first in the list of IP
addresses returned in WINS domainname<1C> name query responses.

A new WINS server feature, Randomize1cList, is now available and can promote more
even load balancing between DCs in these specific circumstances. For example,
where the overloaded DC is the DC whose IP address is the first in the
domainname<1C> list).

CAUSE
=====

In a network that uses WINS for name resolution, a workstation's logon server is
selected as follows:

1. The workstation broadcasts a SAM logon request on its local subnet.

2. The workstation sends a WINS name query for domainname<1C> to its WINS
  server, which returns a list of up to 25 Domain Controller IP addresses, and
  the workstation sends a directed SAM logon request to each listed DC IP
  address in turn.

  The order in which these directed SAM logon requests are issued is determined
  by the order of the IP addresses in the WINS domainname<1C> name query
  response; the first SAM logon request is sent to the first address in the
  list, and so on. The first DC to respond to a SAM logon request (broadcast or
  directed) is selected as the workstation's Logon Server.

If there are DCs on the workstation's subnet, one of these local DCs is usually
selected as the workstation's logon server, as it receives the first broadcast
SAM logon request earlier than remote DCs, and is therefore more likely to
respond sooner than the remote DCs.

If there is no DC on the workstation's subnet, one of the DCs whose IP address
appears in the domainname<1C> name query response is selected as the
workstation's logon server. Normally, all the directed SAM logon requests are
issued rapidly one after the other, and the first response is likely to be from
the least busy DC. Over time, the usual result is each DC will become the logon
server for a roughly equal numbers of workstations.

However, in some situations, it is possible for one of the remote DCs to be
regularly selected as a workstation's logon server, causing it to become
overloaded by subsequent volumes of validation traffic.

RESOLUTION
==========

Windows NT 4.0 and Windows NT Server 4.0, Terminal Server Edition
-----------------------------------------------------------------

To resolve this problem, obtain the latest service pack for Windows NT 4.0 or
Windows NT Server 4.0, Terminal Server Edition. For additional information,
please see the following article in the Microsoft Knowledge Base:

  Q152734 How to Obtain the Latest Windows NT 4.0 Service Pack

Windows NT 3.51
---------------

A supported fix is now available from Microsoft, but it is only intended to
correct the problem described in this article and should be applied only to
systems experiencing this specific problem.

To resolve this problem, contact Microsoft Product Support Services to obtain the
fix. For a complete list of Microsoft Product Support Services phone numbers and
information on support costs, please go to the following address on the World
Wide Web:

  http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS

NOTE: In special cases, charges that are normally incurred for support calls may
be canceled, if a Microsoft Support Professional determines that a specific
update will resolve your problem. Normal support costs will apply to additional
support questions and issues that do not qualify for the specific update in
question.

The English version of this fix should have the following file attributes or
later:

  Date      Time     Size      File name   Platform
  --------------------------------------------------
  06/08/98  06:23p   170,400   Wins.exe    x86
  06/08/98  06:24p   310,544   Wins.exe    Alpha



How to Activate Randomize1cList
-------------------------------

WARNING: If you use Registry Editor incorrectly, you may cause serious problems
that may require you to reinstall your operating system. Microsoft cannot
guarantee that you can solve problems that result from using Registry Editor
incorrectly. Use Registry Editor at your own risk.
After you apply the hotfix, you can activate Randomize1cList by modifying the
registry as described below.

WARNING: In most networks, there should be no need to activate this feature. In
some situations, it could actually have an adverse effect, depending on where
the DCs in the domainname<1C> list are located. For example, changing the
order of the list might cause workstations in London to select logon servers in
Hong Kong. It is recommended that you activate Randomize1cList ONLY after
performing a thorough network analysis, and confirming that doing so is
appropriate to the observed symptoms along with your WINS and network
configurations.

To activate the Randomize1cList feature after installing the fix:

1. Start Registry Editor (Regedt32.exe).

2. From the HKEY_LOCAL_MACHINE subtree, go to the following key:

  \SYSTEM\CurrentControlSet\Services\Wins\Parameters

3. From the Edit menu, click Add Value.

4. Add the following:

  Value Name: Randomize1cList
  Data Type:  REG_DWORD
  Data:       00000001
  Radix:      Hex

  This key determines whether the WINS server changes the order of IP addresses
  in successive domainname<1C> name query responses. In certain
  situations, this change can improve load-balancing between domain controllers
  acting as logon servers within a domain.

  Value: 0
  Meaning: 1C List Randomization is not enabled. The WINS server returns the
  list of IP addresses in WINS domainname<1C> name query responses in
  the same order each time such a name query is made.

  Value: 1   
  Meaning: Enables 1C List Randomization. The WINS server rotates the list of
  IP addresses in WINS domainname<1C> name query responses a random
  amount each time such a query is made. 

STATUS
======

Microsoft has confirmed this to be a problem in Windows NT 4.0 and Windows NT
Server 4.0, Terminal Server Edition. This problem was first corrected in Windows
NT 4.0 and Windows NT Server 4.0, Terminal Server Edition Service Pack 4.

MORE INFORMATION
================

If there are no local DCs, one scenario that might lead to uneven laod balancing
between DCs is network or router congestion. This can cause transmission delays
between successive directed security account manager (SAM) logon requests. If
such a transmission delay approaches the time required to receive a SAM logon
request response from the first server in the DC IP address list, then it is
likely that this DC will become the logon server for the bulk of the
workstations in the domain.

An enhancement has been made to Wins.exe to provide a Randomize1CList feature to
overcome this potential problem. With the Randomize1CList feature activated, the
list of IP addresses in successive domainname<1C> name query responses is
rotated a random amount before transmission to the workstation. This ensures a
more even loading of DCs in problem scenarios, as described above.

Additional query words: wts tse RoundRobin Round Robin

======================================================================
Keywords          :  
Technology        : kbWinNTsearch kbWinNT400search kbWinNTSsearch kbWinNTSEntSearch kbWinNTSEnt400 kbWinNTS400search
Version           : winnt:4.0
Hardware          : ALPHA x86
Issue type        : kbbug
Solution Type     : kbfix

=============================================================================