LOGONSERVER environment variable


  • LOGONSERVER environment variable

    I want to know the effect of having an incorrect LOGONSERVER environment variable on a Windows XP or Windows 2003 machine. When I say incorrect, I mean it is pointing to another site's DC instead of the local domain controller. I also want to know all the places where this environment variable is used in Windows XP.

    Please let me know if I need to provide any more details for better understanding.

    Thanks,
    Sitaram

  • #2
    Re: LOGONSERVER environment variable

    I think you have it the wrong way around. The "Logonserver" environment variable is set when you log on to the name of the server which processed your logon.


    Tom
    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you



    • #3
      Re: LOGONSERVER environment variable

      I understood that, Stonelaughter. I have a requirement where I have to switch the whole Active Directory infrastructure to the Disaster Recovery site, which means that I will be shutting down all DCs of the current site and bringing the DR servers online. During this process, all desktops will be running and the LOGONSERVER environment variable will be set to the local DC which I had to shut down. After switching to the DR site, if the client still tries for the local DC, then it will be a problem.

      So, I just want to understand which processes make use of this variable. If it is not a problem, then I want to change LOGONSERVER to the DR site DC manually.

      Thanks,
      Sitaram



      • #4
        Re: LOGONSERVER environment variable

        Switching to DCs at a different site is something you'd do out of hours isn't it? When your users aren't logged on.
        Gareth Howells

        BSc (Hons), MBCS, MCP, MCDST, ICCE

        Any advice is given in good faith and without warranty.

        Please give reputation points if somebody has helped you.

        "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

        "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.



        • #5
          Re: LOGONSERVER environment variable

          In case of disaster, we need to do it immediately, irrespective of time.



          • #6
            Re: LOGONSERVER environment variable

            True. In that case, you would just get users to reboot their machines if they experience problems.
            Gareth Howells



            • #7
              Re: LOGONSERVER environment variable

              Changing "Logonserver" environment variable would achieve nothing. Like GF said, when you have to do this for a disaster, have the users reboot. They will log on to whichever DC is available, and logonserver will be set correctly.

              Changing "logonserver" manually would address I estimate about 1% of the problems you would experience when the servers went down. Rebooting would address all of them.


              Tom


              • #8
                Re: LOGONSERVER environment variable

                Having the DRP backup the primary site without getting client machines to reboot is a legitimate request.

                As far as I know, the Windows operating system does not use the LOGONSERVER environment variable. It is calculated upon logon and is primarily used by legacy applications, scripts, batch scripts and other applications that do not use API calls such as DsGetDcName to retrieve the DC.

                When you actually take the primary site offline (and switch to the DRP site), do you experience any problems that you think might be related to the LOGONSERVER environment variable?



                • #9
                  Re: LOGONSERVER environment variable

                  Originally posted by Smart-X:
                  > Having the DRP backup the primary site without getting client machines to reboot is a legitimate request.

                  Indeed it is; however to my knowledge such a capability was not implemented in Windows up to XP/2003.

                  In my experience, when the DC which the users authenticated to goes down, so does their ability to do anything. When the DNS server they were talking to goes down, so does their ability to do anything. When the file server they were using goes down (for roaming profiles, MyDocs and shared data) so does their ability to do anything.

                  Reconfiguring their environment at the back end to give them new DNS servers, a new DC and a DR File server and then asking them to reboot seems to me to be a perfectly reasonable DR plan and would have them up and running reasonably quickly.


                  Tom


                  • #10
                    Re: LOGONSERVER environment variable

                    It depends on the DR site scenario and file system distribution between the two sites.

                    To my knowledge, Windows 2000 will get over a non-reachable Domain Controller without having to reboot (even if this is the DC used for authentication at logon). Previous operating systems will require a reboot.

                    Regarding DNS, you should configure at least two DNS servers - one (or two) in the primary site and another one (or two) in the DR site.

                    Regarding file system (Shared data, roaming profiles, My Documents, etc.), it depends which method of file system distribution you are using. Basically, there are two major alternatives:
                    1. A cluster of two or more nodes which uses a storage system that replicates between the two sites.
                    2. Two separate file servers which replicate the information.

                    If you use the first method - then your clients probably access the file system using the cluster's logical name, so nothing should be changed when the primary site fails.

                    If you use the second method - you should configure your clients to use the file system through DFS links only. This way, even if one of the file servers fails, you will still be able to use the file system since client requests will be directed to the available server. (There will be a pause when clients are accessing the FS right after the server they were using failed.)

                    BTW, DFS is also smart enough to direct clients to their nearest file server according to their site.



                    • #11
                      Re: LOGONSERVER environment variable

                      Thanks for your comments people.

                      I am testing this condition in my test lab. My scenario is like this.

                      * Two DCs with DNS
                      * one client XP machine with DNS servers configuration pointing to both the DCs

                      Testing...

                      o I logged into the client machine with a normal domain account. Verified the LOGONSERVER env variable and disconnected from the network the DC to which LOGONSERVER is pointing.

                      o Tried launching dsa.msc from the client machine and it failed with an error saying unable to load the domain. I think it is using LOGONSERVER.

                      o I stopped the netlogon service. Deleted netlogon.etl (cached file where netlogon stores DC information) and started the netlogon service.

                      o Launched dsa.msc and observed that it is going to the other DC and connecting properly. But LOGONSERVER still has the old DC value and it is not updated.

                      I am able to make dsa.msc work 60% of the time using the above procedure, but I am just wondering whether there is any other place where the netlogon service (or DC location process) stores the domain controller name. My above test is failing 40% of the time.

                      Does anyone have a data point for me which can help me to troubleshoot this further?

                      Thanks,
                      Sitaram



                      • #12
                        Re: LOGONSERVER environment variable

                        And have you tried rebooting the machine in question?
                        Logonserver is set during a reboot, not during some modifications.
                        Marcel
                        Technical Consultant
                        Netherlands
                        http://www.phetios.com
                        http://blog.nessus.nl

                        MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                        "No matter how secure, there is always the human factor."

                        "Enjoy life today, tomorrow may never come."
                        "If you're going through hell, keep going. ~Winston Churchill"



                        • #13
                          Re: LOGONSERVER environment variable

                          Are these DR DCs always kept offline?



                          • #14
                            Re: LOGONSERVER environment variable

                            >And have you tried rebooting the machine in question?

                            Rebooting the machine will fix all the problems. But I am trying to figure out a way which doesn't require a reboot or re-login.

                            > Are these DR DCs always kept offline?

                            No..they are online..always...

                            Thanks,
                            Sitaram



                            • #15
                              Re: LOGONSERVER environment variable

                              charlsteve,
                              You don't have to reboot the client machines.

                              This behavior is by design and can be altered if needed. Allow me to explain...

                              Netlogon initiates a DC Locator process, which is implemented in netapid.dll. This is done when the netlogon process is starting.

                              This process, which is responsible for choosing the closest DC, only performs the discovery once, and then it caches the results.

                              All subsequent calls made by ANY application to the DC Locator are answered with the cached results UNLESS called with a specific flag - &H1 (or 0x00000001)

                              You can look which DC exists in the cache by running the following command:

                              Code:
                              nltest /DSGetDC:<your domain>


                              Note that when you take one of your DCs down, those machines that have already cached this DC will continue to try to access it until the cache is refreshed. According to MS, applications which need to query the DC should use the DC Locator, verify that the DC is responsive and, if not, call the DC Locator again with the &H1 flag.
                              Funnily enough, dsa.msc does not implement this!

                              Now, in order to refresh the DC Locator cache, run the following command:

                              Code:
                              nltest /DSGetDC:<your domain> /FORCE


                              You will see that once you do that, the machine will re-discover the available DC, cache it and from now on applications will use it.

                              However, the question is: how can you use these commands to resolve your situation?

                              You can invoke the command on your machine as a scheduled task, but it is not very elegant. Also, what would be the interval? You wouldn't want the clients to discover a DC too often, but you also wouldn't want them to wait a long time in case the DC fails.
                              It is also not very smart to force the discovery process when all DCs are up and running. This would generate extra load on the DCs. After all, there is a reason MS has implemented the cache algorithm.

                              I'll tell you what I think: since you're probably not the only one who is facing this challenge, I think it makes sense to create a command which can also run as a service and perform the following procedure on a given interval:

                              1. Checks which DC is in cache (only performs it once) for all domains.
                              2. Every interval - Checks if the DC in each domain is responsive by performing a simple LDAP bind
                              3. If the LDAP bind did not succeed, refresh the cache by calling the DC Locator with the 'Force' flag

                              So, please check if the
                              nltest /DSGetDC:<your domain> /FORCE
                              works for you.


                              I will create the command and post back the link to it and then all of us will be able to use it freely in order to make their DR site more available.

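The three-step watchdog outlined in post #15, sketched in PowerShell as an added example; it is not code from the thread or the tool its author promised. It assumes nltest.exe is on the PATH, watches a single domain rather than all domains, and the function names, interval and timeout are hypothetical.

```powershell
# Added example: watchdog for the Netlogon DC Locator cache on a domain member.
# Assumptions: nltest.exe is on PATH; names and timings below are illustrative.
param(
    [string]$Domain = $env:USERDNSDOMAIN,   # domain whose cached DC is watched
    [int]$IntervalSeconds = 300,            # hypothetical probe interval
    [int]$BindTimeoutSeconds = 5
)

Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-LocatorDC {
    param([string]$Domain, [switch]$Force)
    # Without /FORCE nltest returns the cached entry; with it, Netlogon rediscovers.
    $nlArgs = @("/DSGetDC:$Domain")
    if ($Force) { $nlArgs += '/FORCE' }
    $out = & nltest.exe $nlArgs 2>&1
    foreach ($line in $out) {
        # nltest prints the located DC as "DC: \\name"
        if ("$line" -match '^\s*DC:\s*\\\\(\S+)') { return $Matches[1] }
    }
    return $null   # no DC could be located
}

function Test-LdapBind {
    param([string]$Server, [int]$TimeoutSeconds)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 389)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.Timeout = [TimeSpan]::FromSeconds($TimeoutSeconds)
    try   { $conn.Bind(); return $true }     # Negotiate bind as the current account
    catch { return $false }
    finally { $conn.Dispose() }
}

$dc = Get-LocatorDC -Domain $Domain          # step 1: read the cache once
while ($true) {
    if (-not $dc -or -not (Test-LdapBind -Server $dc -TimeoutSeconds $BindTimeoutSeconds)) {
        # step 3: cached DC is unresponsive, so force rediscovery
        $new = Get-LocatorDC -Domain $Domain -Force
        Write-Output ("{0:s} cached DC '{1}' unresponsive; locator now returns '{2}'" -f (Get-Date), $dc, $new)
        $dc = $new
    }
    Start-Sleep -Seconds $IntervalSeconds    # step 2 repeats every interval
}
```

Forced rediscovery only happens after a failed bind, so healthy DCs see no extra locator traffic, and the logged line records every DC change for later review.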