Controlling BDC Database Update Frequency
The accounts database replication process that takes place between the primary domain controller (PDC) and all backup domain controllers (BDCs) in the domain soaks up both CPU time and network bandwidth.
Cross-Reference: See Chapter 1 for a discussion of PDCs and BDCs.
By default, NT attempts to select an update frequency (called a pulse) that's appropriate to the current load on the PDC. The default pulse is 300 seconds (five minutes). All changes to the database made during this interval are collected and sent to the BDCs that need to be updated.
You may want to force this pulse update to occur at specific intervals, so that you always know exactly how far out of date your BDCs are. If you want to have control over this frequency, there are several values that you can add and modify in the registry.
Under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon key, you can add a new value entry called Pulse. Set its data type to REG_DWORD and its value to the number of seconds that you want to elapse between pulses. I recommend selecting a value between 300 seconds (5 minutes) and 3600 seconds (60 minutes).
When the PDC sends out notification to the BDCs that it has database updates, it typically releases up to 20 notifications at one time. The BDCs respond with requests to send these updates. This barrage of requests from BDCs can bog down your PDC, depending on the available CPU cycles on this server and the number of BDCs in your domain.
You can set the maximum number of outstanding pulses under the same key where you added the Pulse value entry. This time, add a new value entry called PulseConcurrency, set its data type to REG_DWORD, and set its value between 1 and 500. Higher numbers will increase the load on the PDC but will complete replication to all BDCs more quickly. Lower numbers will decrease the load on the PDC but can drag out the time needed to get all of the BDCs in the domain updated. I recommend setting this value to the number of BDCs in the domain. You can then experiment with lower values if you see PDC performance suffer when the pulse occurs.
Rigging Browser Elections
In your work with Windows NT Server so far, you've probably run into quite a few Browse buttons that allow you to view available servers and resources both inside and outside your domain. You may have noticed that creating these resource lists is sometimes painfully slow. Perhaps you've also noticed that deleted servers and their resources seem to take forever to leave the browse lists. You may have even seen entries in NT event logs about lost and won browse master elections.
NT network browsing behaves according to the following rules:
One computer on the network plays the role of master browser (or browse master). It designates one or more computers as backup browsers. Backup browsers ask the master for updates every 15 minutes. Both master and backup browsers can satisfy requests for browse information.
Each transport protocol on your network needs its own set of browsers, if you want all resources to appear in the browse lists.
Servers offering network resources announce themselves after 1, 4, 8, and 12 minutes. From then on, they announce themselves on the network every 12 minutes.
If a server is removed, the master browser keeps it in the browse list for 36 minutes (three 12-minute announcement periods) and then removes it from the list. (It does this just in case the server returns.)
Since backup browsers ask for updates every 15 minutes, a backup browser may not see a server disappear until up to 51 minutes (36 + 15 minutes) after the server actually went away.
Elections on the network, as in politics, consume lots of time and resources. It's best to take proactive steps to minimize the number of elections and the number of candidates for master browser.
If you have Windows for Workgroups computers on your network, you don't want them acting as master or backup browsers. Not only can this generate performance bottlenecks, but it can also result in empty browse lists. On your Windows for Workgroups computers, add a line that says
MaintainServerList=No
to the [network] section of the SYSTEM.INI file.
If you don't want Windows 95 computers to act as browse masters or backups, you can prevent them from participating in elections as well. On the Windows 95 computer, click the Start > Settings > Control Panel option and double-click the Network icon. Click the Configuration tab and click File and Printer Sharing. Click Properties and set the value of Browse Master to Disabled.
If you're running only the TCP/IP protocol, you can essentially rig the election and appoint a permanent master browser. (I call this the dictator browser, who has the job for life.) By assigning this role to one server, you take the risk of being without a master browser when the server goes down. However, some administrators argue that their NT Server computer is typically running 24 hours a day, and the rare inconvenience caused by the server being down is minor compared to the network hubbub caused by incessant browser elections. Under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters key, change the value of IsDomainMaster from FALSE to TRUE. This approach works only for TCP/IP and won't work for other transport protocols.
Tip: If you're running TCP/IP and its resources don't appear on your browse lists, this problem could be caused by NetBEUI and IPX/SPX protocols soaking up all of the CPU's attention. If you don't need the other protocols loaded, remove them to improve TCP/IP browsing. (In fact, getting rid of unneeded protocols almost always results in better overall performance.) If you need the other protocols, change the network bindings so that TCP/IP is bound first, as described in Chapter 2.
If the Election Were Held Today
The role of master browser is an elected office. Elections are held whenever a server that's acting as a master browser is shut down. (In this case, an election is held immediately. However, if the master browser is simply turned off, no election is held until a computer requests browse information and doesn't get it.) Elections aren't entirely democratic: family name, experience, and how you rig your network all enter into the decision. (I guess it is like human politics, after all.)
In selecting a new master browser, NT Server computers are given preference over computers running NT Workstation. NT Workstation computers are given preference over any remaining computers, including Windows for Workgroups, LAN Manager servers, and so forth. In case of a tie between NT Server computers, PDCs are given preference. You can take steps to control which computers do and don't become master browsers, as you'll see later in this section.
PERFORMING ADMINISTRATOR TRICKS
In the following sections, I present some useful tips and tricks to help you get your job done more efficiently and impress your coworkers.
Creating Invisible Share Points
You can create invisible share points on your server by making the last character of the share name a dollar sign ($). When users browse for shared resources on your server, they won't see this share point. However, if they know its name, they can connect to it by explicitly typing it.
When you install Windows NT Server, Setup invisibly shares the root directory of each drive on your computer over the network. These share points are named C$, D$, and so forth. NT also shares the SystemRoot directory as ADMIN$. Access is restricted to members of the Administrators group. You can see these share points by using the Server application in Control Panel. Click Shares to see a list of all share points on your server, including the invisible ones.
Caution: Don't use invisible share points as a replacement for security; use them in addition to NT security. It's easy for hackers to guess share point names and add dollar signs to the ends of them. If you're sharing confidential information over the network, apply NT security to the share point or, better yet, to the individual folders and files on the server.
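One way to act on the caution above, as an added example that is not part of the original text: the Python code below parses a listing in the column layout of the net share command and separates the hidden shares the system creates itself from hidden shares an administrator created, which are the ones whose permissions need review. The listing is constructed, the share names Payroll$, HR Files$ and Public are hypothetical, IPC$ is a system share the text does not mention, and share names are assumed to fit in the first column.

```python
import re

def _fmt(name, resource="", remark=""):
    # Lay out one row in the column format assumed for `net share` output.
    return f"{name:<13}{resource:<32}{remark}".rstrip()

# Constructed sample listing (not captured from a real server).
SAMPLE_NET_SHARE = "\n".join([
    _fmt("Share name", "Resource", "Remark"), "", "-" * 79,
    _fmt("C$", "C:\\", "Default share"),
    _fmt("IPC$", "", "Remote IPC"),
    _fmt("ADMIN$", "C:\\WINNT", "Remote Admin"),
    _fmt("Payroll$", "D:\\Payroll"),
    _fmt("HR Files$", "D:\\HR Files", "Personnel records"),
    _fmt("Public", "D:\\Public", "Shared documents"),
    "The command completed successfully.",
])

# System-created: drive roots and ADMIN$ (named above), IPC$ (not on the page).
SYSTEM_HIDDEN = re.compile(r"^(?:[A-Z]|ADMIN|IPC)\$$", re.IGNORECASE)

def parse_net_share(text):
    """Return (name, resource) pairs, slicing rows at the header's columns."""
    lines = text.splitlines()
    head = next(i for i, l in enumerate(lines) if l.startswith("Share name"))
    res_col = lines[head].index("Resource")
    rem_col = lines[head].index("Remark")
    shares = []
    for line in lines[head + 1:]:
        if line.startswith("The command completed"):
            break
        if line.strip() and not line.startswith("---"):
            shares.append((line[:res_col].strip(), line[res_col:rem_col].strip()))
    return shares

def audit_hidden_shares(text):
    """Separate system-created hidden shares from administrator-created ones."""
    report = {"system_hidden": [], "custom_hidden": [], "visible": []}
    for name, resource in parse_net_share(text):
        if not name.endswith("$"):
            report["visible"].append(name)
        elif SYSTEM_HIDDEN.match(name):
            report["system_hidden"].append(name)
        else:
            # Hidden by name only: permissions are the real protection.
            report["custom_hidden"].append((name, resource))
    return report

if __name__ == "__main__":
    print(audit_hidden_shares(SAMPLE_NET_SHARE)["custom_hidden"])
```

Slicing at the header's column positions, rather than splitting on whitespace, keeps share names and paths that contain spaces intact.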
Scheduling Automated Batch Jobs
NT Server includes a Schedule service that enables you to set up tasks to run unattended after hours, over the weekend, and periodically. You establish an account for the Schedule service so that it can log itself on and perform the assigned tasks at any time of the day or night.
Note: You can also configure NT's Schedule service to work only when someone is logged on to the computer, but that sort of defeats the purpose of off-hours scheduling of tasks.
Here's how to set up the Schedule service:
1. Establish an account that the Schedule service will use to log itself on to perform the work that you assign.
If you're going to have it perform unattended backups, make sure to add the user account that you create to the Backup Operators group.
Cross-Reference: See Chapter 9 for details on creating accounts and managing groups.
2. Log on with the account that you created in step 1. Make sure that you can actually perform the tasks that you're planning to schedule.
If you find that you don't have rights to perform certain necessary operations, add the account to the appropriate groups to grant these rights.
Caution: If you can possibly avoid it, don't add the Schedule service's account to the Administrators group. There's nothing more disconcerting and dangerous than having an account with God-like privileges logging itself on to perform some unsupervised task. Also, don't forget to assign a password to this account.
3. Click Start > Settings > Control Panel. Double-click the Services icon. In the Services dialog box, double-click the Schedule service.
4. Under Startup Type, click Automatic. Under Log On As, click This Account. Type the user account name that you created in step 1, along with the password. Confirm the password and click OK, as shown in Figure 12-12.
5. If the Schedule service is running, click Stop.
This step is required to allow the service to pick up the changes that you made in step 4.
6. Click Start to start the Schedule service. Then click Close.
Now that the Schedule service is properly configured and running, you can schedule jobs using the AT command. At a Command Prompt, you can type AT /? to see its syntax. When you schedule a job, it's given a unique ID and is added to a list of all scheduled jobs.
For example, if you want to schedule a batch file called NITETASK to run at 2:00 a.m. every Monday, Wednesday, and Friday, the AT command is:
AT 02:00 /EVERY:MONDAY,WEDNESDAY,FRIDAY NITETASK
To run the same batch file at midnight on the 15th of every month, the AT command is:
AT 00:00 /NEXT:15 NITETASK
To see a list of all scheduled jobs (including their ID numbers), just type AT with no command line parameters. To delete a job from the schedule, use the /DELETE switch. For example, to delete the job with an ID of 5, the command is:
AT 5 /DELETE
Caution: For unattended tasks that run when there's no one logged on to the computer, don't use the /INTERACTIVE switch on your AT command line. If you do, the task will attempt to attach itself to a desktop that doesn't exist, and this may cause the whole task to fail.
Protecting Administrators from Themselves
For each person with administrator responsibilities, assign them two accounts: one with administrator privileges and one with normal user privileges. Encourage them to utilize their normal user account for normal business such as e-mail and other activities. Tell them to reserve their administrative account only for performing operations that require this privilege level. Although logging on and off will incur some overhead, this practice will help to protect your network from damage due to viruses or accidents.