NetLogon Service Entries

The Registry path for the parameters for the NetLogon service is the following:


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Note: The NetLogon share name should also be in the path for logon scripts.

ChangeLogSize REG_DWORD 64K to 4 MB

Defines the size (in bytes) of the change log. The change log exists both in memory and on disk, %SystemRoot%\netlogon.chg. Since this parameter setting does not degrade system performance, it is advisable to leave it at the 0x4000000 (4 MB) setting, rather than returning it to the 64K default setting. The 4 MB setting ensures that the domain's database will not be completely replicated when large changes are made in the future.

ChangeLogSize should be the same on all BDCs to ensure that when a BDC is promoted to a PDC, it will have that same ChangeLogSize value.

Default: 64K

The minimum (and typical) size of an entry is 32 bytes. Therefore, a 64K change log holds about 2000 changes.

MaximumMailslotMessages REG_DWORD 1 to 0xffffffff messages

Specifies the maximum number of mailslot messages that will be queued to the Netlogon service. Even though the Netlogon service is designed to process incoming mailslot messages immediately, it can get backed up processing requests on a heavily loaded system. Each mailslot message consumes about 1500 bytes of non-paged pool until it is processed. By setting this parameter low, you can govern the maximum amount of non-paged pool that can be consumed. If this parameter is set too low, Netlogon may miss important incoming mailslot messages.

Default: 500

MaximumMailslotTimeout REG_DWORD 5 to 0xffffffff seconds

Specifies the maximum acceptable age (in seconds) of an incoming mailslot message. If Netlogon receives a mailslot message that arrived longer ago than this, it ignores the message. This allows Netlogon to process messages that are more recent. If this parameter is set too low, Netlogon will ignore important incoming mailslot messages. Ideally, Netlogon processes each mailslot message in a fraction of a second. This parameter is only significant if the Windows NT server is overloaded.

Default: 10

MailslotDuplicateTimeout REG_DWORD 0 to 5 seconds

Specifies the interval (in seconds) over which duplicate incoming mailslot messages will be ignored. Netlogon compares each mailslot message received with the previous mailslot message received. If the previous message was received within this many seconds and the messages are identical, this message will be ignored. Set this parameter to 0 to disable this feature. You should disable this feature if your network is configured such that this machine can see certain incoming mailslot messages but cannot respond to them. For instance, a DC may be separated from a Windows NT workstation by a bridge/router. The bridge/router might filter outgoing NBF broadcasts, but allow an incoming one. As such, Netlogon might respond to an NBF mailslot message (only to be filtered out by the bridge/router) and not respond to a subsequent NBT mailslot message. Disabling this feature (or preferably reconfiguring the bridge/router) solves this problem. If you set this parameter too high, Netlogon will ignore retry attempts from a client.

Default: 2

Pulse REG_DWORD 60 to 3600 seconds

Defines the typical pulse frequency (in seconds). All SAM/LSA changes made within this time are collected together. After this time, a pulse is sent to each BDC needing the changes. No pulse is sent to a BDC that is up to date.

When this value is not specified in the Registry, NetLogon determines optimal values depending on the domain controller's load.

Default: 300 (5 minutes)

PulseConcurrency REG_DWORD 1 to 500 pulses

Defines the maximum number of simultaneous pulses the Primary Domain Controller (PDC) will send to Backup Domain Controllers (BDCs). Netlogon sends pulses to individual BDCs. The BDCs respond asking for any database changes. To control the maximum load these responses place on the PDC, the PDC will only have PulseConcurrency pulses "pending" at once. The PDC should be sufficiently powerful to support this many concurrent replication RPC calls. Increasing PulseConcurrency increases the load on the PDC. Decreasing PulseConcurrency increases the time it takes for a domain with a large number of BDCs to get a SAM/LSA change to all of the BDCs.

Default: 20

PulseMaximum REG_DWORD 60 to 86,400 seconds

Defines the maximum pulse frequency (in seconds). Every BDC will be sent at least one pulse at this frequency regardless of whether its database is up to date.

Default: 7200 (2 hours)

PulseTimeout1 REG_DWORD 1 to 120 seconds

Defines how long (in seconds) the PDC waits for a non-responsive BDC. When a BDC is sent a pulse, it must respond within this time period. If not, the BDC is considered to be non-responsive. A non-responsive BDC is not counted against the PulseConcurrency limit, allowing the PDC to send a pulse to another BDC in the domain. If this number is too large, a domain with a large number of non-responsive BDCs will take a long time to complete a partial replication. If this number is too small, a slow BDC may be falsely accused of being non-responsive. When the BDC finally does respond, it will partially replicate from the PDC, unduly increasing the load on the PDC.

Default: 5

PulseTimeout2 REG_DWORD 60 to 3600 seconds

Defines how long (in seconds) a PDC waits for a BDC to complete partial replication. Even though a BDC initially responds to a pulse (as described for PulseTimeout1), it must continue making replication progress or the BDC will be considered non-responsive. Each time the BDC calls the PDC, the BDC is given another PulseTimeout2 seconds to be considered responsive. If this number is too large, a slow BDC (or one that has its replication rate artificially governed) will consume one of the PulseConcurrency slots. If this number is too small, the load on the PDC will be unduly increased because of the large number of BDCs doing a partial sync.

Note: This parameter only affects the cases where a BDC cannot retrieve all the changes to the SAM/LSA database in a single RPC call. This will only happen if a large number of changes are made to the database.

Default: 300 (5 minutes)

Randomize REG_DWORD 0 to 120 seconds

Specifies the BDC back off period (in seconds). When the BDC receives a pulse, it will back off between zero and Randomize seconds before calling the PDC. The pulse is sent to individual BDCs, so this parameter should be small. Randomize should be smaller than PulseTimeout1. Consider that the time to replicate a SAM/LSA change to all the BDCs in a domain will be greater than:


[(Randomize/2) * NumberOfBdcsInDomain] / PulseConcurrency

When this value is not specified in the Registry, NetLogon determines optimal values depending on the domain controller's load.

Default: 1

ReplicationGovernor REG_DWORD 0 to 100 percent

Defines both the size of the data transferred on each call to the PDC and the frequency of those calls. For instance, setting ReplicationGovernor to 50% will use a 64K buffer rather than a 128K buffer and will only have a replication call outstanding on the net a maximum of 50% of the time. Do not set the ReplicationGovernor too low, or replication may never complete. A value of 0 will cause Netlogon to never replicate. The SAM/LSA database will be allowed to get completely out of sync.

BDCs can be configured for the variances of WAN types. ReplicationGovernor allows the administrator to control the partial synchronization parameters. This parameter must be set individually on each BDC.

Note: It is also possible to configure different replication rates at different times of the day using a script file with the AT command (for example, net stop netlogon, regini scriptfile, net start netlogon). The script file contains the path to the ReplicationGovernor parameter and the new Registry entries. REGINI.EXE is part of the Windows NT Resource Kit.

Default: 100

Scripts REG_SZ Pathname

Specifies the fully qualified path name to where logon scripts reside. This value can be set using the Services icon in Control Panel or the Server Manager.

Default: NULL

Update REG_SZ Yes or No

When this value is set to Yes, NetLogon fully synchronizes the database each time it starts.

Default: No
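
The following is an added example, not part of the original documentation: an offline audit of values exported from the Netlogon\Parameters key against the ranges and cross-parameter rules listed above. The function names and the SAMPLE values are constructed for illustration, and values missing from the export are assumed to take the documented default.

```python
# Documented ranges and defaults from the entries above: name -> (min, max, default).
RANGES = {
    "ChangeLogSize": (64 * 1024, 4 * 1024 * 1024, 64 * 1024),
    "MaximumMailslotMessages": (1, 0xFFFFFFFF, 500),
    "MaximumMailslotTimeout": (5, 0xFFFFFFFF, 10),
    "MailslotDuplicateTimeout": (0, 5, 2),
    "Pulse": (60, 3600, 300),
    "PulseConcurrency": (1, 500, 20),
    "PulseMaximum": (60, 86400, 7200),
    "PulseTimeout1": (1, 120, 5),
    "PulseTimeout2": (60, 3600, 300),
    "Randomize": (0, 120, 1),
    "ReplicationGovernor": (0, 100, 100),
}

def effective(params):
    """Overlay exported values on documented defaults (assumption: unset means default)."""
    return {**{name: spec[2] for name, spec in RANGES.items()}, **params}

def audit(params):
    """Return findings for values that break a documented range or rule."""
    findings = []
    for name, value in params.items():
        if name in RANGES:
            lo, hi, _ = RANGES[name]
            if not lo <= value <= hi:
                findings.append(f"{name}={value} outside documented range {lo}..{hi}")
    eff = effective(params)
    if eff["Randomize"] >= eff["PulseTimeout1"]:
        findings.append("Randomize should be smaller than PulseTimeout1")
    if eff["ReplicationGovernor"] == 0:
        findings.append("ReplicationGovernor=0: Netlogon never replicates")
    return findings

def replication_floor_seconds(params, bdc_count):
    """Lower bound: [(Randomize/2) * NumberOfBdcsInDomain] / PulseConcurrency."""
    eff = effective(params)
    return (eff["Randomize"] / 2) * bdc_count / eff["PulseConcurrency"]

def mailslot_pool_ceiling_bytes(params):
    """Worst-case non-paged pool held by queued mailslot messages (about 1500 bytes each)."""
    return effective(params)["MaximumMailslotMessages"] * 1500

# Constructed sample: values exported from one BDC's Netlogon\Parameters key.
SAMPLE = {"Randomize": 10, "PulseTimeout1": 5, "ReplicationGovernor": 0, "Pulse": 30}

if __name__ == "__main__":
    print(audit(SAMPLE), replication_floor_seconds(SAMPLE, bdc_count=40))
```

Running the audit against an export from every BDC also makes it easy to compare ChangeLogSize across controllers, which the page says should match.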