/*++
|
|
|
|
Copyright (c) 1987-1996 Microsoft Corporation
|
|
|
|
Module Name:
|
|
|
|
iniparm.h
|
|
|
|
Abstract:
|
|
|
|
Initial values of startup parameters.
|
|
|
|
Author:
|
|
|
|
Ported from Lan Man 2.0
|
|
|
|
Revision History:
|
|
|
|
21-May-1991 (cliffv)
|
|
Ported to NT. Converted to NT style.
|
|
07-May-1992 JohnRo
|
|
Use net config helpers for NetLogon.
|
|
|
|
--*/
|
|
|
|
|
|
// Include guard.
// NOTE(review): _INIPARM_ (leading underscore followed by an uppercase letter)
// falls in the identifier space reserved for the implementation; a guard
// spelled without the leading underscore would avoid that collision risk.
#ifndef _INIPARM_
#define _INIPARM_
|
|
|
|
//
|
|
// Upon RegistryChangeNotify, all registry values take effect immediately except
|
|
// as noted below.
|
|
//
|
|
|
|
//
|
|
// Pulse period (in seconds):
|
|
//
|
|
// Defines the typical pulse frequency. All SAM/LSA changes made within this
|
|
// time are collected together. After this time, a pulse is sent to each BDC
|
|
// needing the changes. No pulse is sent to a BDC that is up to date.
|
|
//
|
|
// Pulse period, in seconds: default and MIN/MAX bounds (see the notes above).
#define DEFAULT_PULSE (5*60) // 5 mins
#define MAX_PULSE (48*60*60) // 2 days
#define MIN_PULSE 60 // 1 min
|
|
|
|
//
|
|
// Pulse concurrency (in number of concurrent mailslot messages).
|
|
//
|
|
// Netlogon sends pulses to individual BDCs. The BDCs respond asking for any
|
|
// database changes. To control the maximum load these responses place on the
|
|
// PDC, the PDC will only have this many pulses "pending" at once. The PDC
|
|
// should be sufficiently powerful to support this many concurrent replication
|
|
// RPC calls.
|
|
//
|
|
// Increasing this number increases the load on the PDC.
|
|
// Decreasing this number increases the time it takes for a domain with a
|
|
// large number of BDCs to get a SAM/LSA change.
|
|
|
|
// Pulse concurrency: number of pulses the PDC keeps pending at once.
// Raising it increases PDC load; lowering it slows propagation of SAM/LSA
// changes to a large set of BDCs (see the notes above).
#define DEFAULT_PULSECONCURRENCY 10
#define MAX_PULSECONCURRENCY 500
#define MIN_PULSECONCURRENCY 1
|
|
|
|
//
|
|
// Maximum pulse period (in seconds):
|
|
//
|
|
// Defines the maximum pulse frequency. Every BDC will be sent at least one
|
|
// pulse at this frequency regardless of whether its database is up to date.
|
|
//
|
|
|
|
// Maximum pulse period, in seconds: every BDC is pulsed at least this often,
// whether or not its database is up to date (see the notes above).
#define DEFAULT_PULSEMAXIMUM (2*60*60) // 2 hours
#define MAX_PULSEMAXIMUM (48*60*60) // 2 days
#define MIN_PULSEMAXIMUM 60 // 1 min
|
|
|
|
//
|
|
// Pulse timeout period (in seconds):
|
|
//
|
|
// When a BDC is sent a pulse, it must respond within this time period. If
|
|
// not, the BDC is considered to be non-responsive. A non-responsive BDC is
|
|
// not counted against the "Pulse Concurrency" limit allowing the PDC to
|
|
// send a pulse to another BDC in the domain.
|
|
//
|
|
// If this number is too large, a domain with a large number of non-responsive
|
|
// BDCs will take a long time to complete a partial replication.
|
|
//
|
|
// If this number is too small, a slow BDC may be falsely accused of being
|
|
// non-responsive. When the BDC finally does respond, it will partial
|
|
// replicate from the PDC, unduly increasing the load on the PDC.
|
|
//
|
|
// Pulse timeout, in seconds: how long a pulsed BDC has to respond before it
// is treated as non-responsive and stops counting against the concurrency
// limit (see the notes above).
#define DEFAULT_PULSETIMEOUT1 10 // 10 seconds
#define MAX_PULSETIMEOUT1 (2*60) // 2 min
#define MIN_PULSETIMEOUT1 1 // 1 second
|
|
|
|
//
|
|
// Maximum Partial replication timeout (in seconds):
|
|
//
|
|
// Even though a BDC initially responds to a pulse (as described for
|
|
// PULSETIMEOUT1), it must continue making replication progress or the
|
|
// BDC will be considered non-responsive. Each time the BDC calls the PDC,
|
|
// the BDC is given another PULSETIMEOUT2 seconds to be considered responsive.
|
|
//
|
|
// If this number is too large, a slow BDC (or one which has its replication
|
|
// rate artificially governed) will consume one of the PULSECONCURRENCY slots.
|
|
//
|
|
// If this number is too small, the load on the PDC will be unduly increased
|
|
// because of the large number of BDCs doing a partial sync.
|
|
//
|
|
// NOTE: This parameter only affects the cases where a BDC cannot retrieve all the
|
|
// changes to the SAM/LSA database in a single RPC call. This will only
|
|
// happen if a large number of changes are made to the database.
|
|
|
|
// Partial replication timeout, in seconds: a BDC that has answered a pulse
// must keep making replication progress within this interval to remain
// responsive (see the notes above).
#define DEFAULT_PULSETIMEOUT2 (5*60) // 5 minutes
#define MAX_PULSETIMEOUT2 (1*60*60) // 1 hour
#define MIN_PULSETIMEOUT2 (1*60) // 1 minute
|
|
|
|
//
|
|
// BDC random backoff (in seconds):
|
|
//
|
|
// When the BDC receives a pulse, it will back off between zero and RANDOMIZE
|
|
// seconds before calling the PDC. In Lanman and NT 3.1, the pulse was
|
|
// broadcast to all BDCs simultaneously and the BDCs used this mechanism to
|
|
// ensure they didn't overload the PDC. As of NT 3.5x, the pulse is sent
|
|
// to individual BDCs so this parameter should be minimized.
|
|
//
|
|
// This parameter should be smaller than PULSETIMEOUT1.
|
|
//
|
|
// Consider that the time to replicate a SAM/LSA change to all the BDCs in a
|
|
// domain will be greater than:
|
|
//
|
|
// ((RANDOMIZE/2) * NumberOfBdcsInDomain) / PULSECONCURRENCY
|
|
//
|
|
// BDC random backoff, in seconds. The notes above say this should be smaller
// than PULSETIMEOUT1; the defaults satisfy that (1 s vs. 10 s), but the bounds
// alone do not enforce it (MAX_RANDOMIZE equals MAX_PULSETIMEOUT1).
#define DEFAULT_RANDOMIZE 1 // 1 secs
#define MAX_RANDOMIZE 120 // 2 mins
#define MIN_RANDOMIZE 0 // 0 secs
|
|
|
|
|
|
//
|
|
// ChangeLogSize (in bytes) [NOTE: This parameter is NOT read from the GP section]
|
|
//
|
|
// This is the size of the Change Log file. Each change to the SAM/LSA database
|
|
// is represented by an entry in the change log. The changelog is maintained
|
|
// as a circular buffer with the oldest entry being overwritten by the newest
|
|
// entry. If a BDC does a partial sync and requests an entry that has been
|
|
// overwritten, the BDC is forced to do a full sync.
|
|
//
|
|
// The minimum (and typical) size of an entry is 32 bytes. Some entries are
|
|
// larger. (e.g., a 64K changelog holds about 2000 changes)
|
|
//
|
|
// This parameter need only be set larger if:
|
|
//
|
|
// a) full syncs are prohibitively expensive, AND
|
|
// b) one or more BDCs are expected to not request a partial sync within 2000
|
|
// changes.
|
|
//
|
|
// For instance, if a BDC dials in nightly to do a partial sync and on some
|
|
// days 4000 changes are made to the SAM/LSA database, this parameter should
|
|
// be set to 128K.
|
|
//
|
|
// This parameter need only be set on the PDC. If a different PDC is promoted,
|
|
// it should be set on that PDC also.
|
|
//
|
|
|
|
// Change log size, in bytes. DEFAULT equals MIN (64K, about 2000 entries per
// the notes above). Not read from the GP section.
#define DEFAULT_CHANGELOGSIZE (64*1024)
#define MAX_CHANGELOGSIZE (4*1024*1024)
#define MIN_CHANGELOGSIZE (64*1024)
|
|
|
|
//
|
|
// MaximumMailslotMessages (in number of messages)
|
|
//
|
|
// This parameter determines the maximum number of mailslot messages that will
|
|
// be queued to the netlogon service. Even though the Netlogon service is
|
|
// designed to process incoming mailslot messages immediately, the netlogon
|
|
// service can get backed up processing requests.
|
|
//
|
|
// Each mailslot message consumes about 1500 bytes of non-paged pool until it
|
|
// is processed. By setting this parameter low, you can govern the maximum
|
|
// amount of non-paged pool that can be consumed.
|
|
//
|
|
// If you set this parameter too low, netlogon may miss important incoming
|
|
// mailslot messages.
|
|
//
|
|
// Upon RegistryChangeNotify, changes to this value are ignored.
|
|
|
|
// Maximum number of queued mailslot messages. MAX is the full 32-bit range;
// since each queued message holds about 1500 bytes of non-paged pool (notes
// above), this count is the only bound on that pool usage. Changes are
// ignored on RegistryChangeNotify.
#define DEFAULT_MAXIMUMMAILSLOTMESSAGES 500
#define MAX_MAXIMUMMAILSLOTMESSAGES 0xFFFFFFFF
#define MIN_MAXIMUMMAILSLOTMESSAGES 1
|
|
|
|
//
|
|
// MailslotMessageTimeout (in seconds)
|
|
//
|
|
// This parameter specifies the maximum acceptable age of an incoming
|
|
// mailslot message. If netlogon receives a mailslot message that arrived
|
|
// longer ago than this, it will ignore the message. This allows netlogon
|
|
// to process messages that are more recent. The theory is that the client
|
|
// that originally sent the older mailslot message is no longer waiting for
|
|
// the response so we shouldn't bother sending a response.
|
|
//
|
|
// If you set this parameter too low, netlogon will ignore important incoming
|
|
// mailslot messages.
|
|
//
|
|
// Ideally, netlogon processes each mailslot message in a fraction of a second.
|
|
// This parameter is only significant if the NTAS server is overloaded.
|
|
//
|
|
|
|
// Maximum acceptable age of an incoming mailslot message, in seconds; older
// messages are ignored (see the notes above). MAX is the full 32-bit range.
#define DEFAULT_MAILSLOTMESSAGETIMEOUT 10
#define MAX_MAILSLOTMESSAGETIMEOUT 0xFFFFFFFF
#define MIN_MAILSLOTMESSAGETIMEOUT 5
|
|
|
|
//
|
|
// MailslotDuplicateTimeout (in seconds)
|
|
//
|
|
// This parameter specifies the interval over which duplicate incoming
|
|
// mailslot messages will be ignored. Netlogon compares each mailslot
|
|
// message received with the previous mailslot message received. If the
|
|
// previous message was received within this many seconds and the messages
|
|
// are identical, this message will be ignored. The theory is that the
|
|
// duplicate messages are caused by clients sending on multiple transports and
|
|
// that netlogon needs to only reply on one of those transports saving network
|
|
// bandwidth.
|
|
//
|
|
// Set this parameter to zero to disable this feature. You should disable this
|
|
// feature if your network is configured such that this machine can see
|
|
// certain incoming mailslot messages but can't respond to them. For instance,
|
|
// a PDC may be separated from an NT workstation by a bridge/router.
|
|
// The bridge/router might filter outgoing NBF broadcasts, but allow incoming
|
|
// ones. As such, netlogon might respond to an NBF mailslot message (only to
|
|
// be filtered out by the bridge/router) and not respond to a subsequent NBT
|
|
// mailslot message. Disabling this feature (or preferably reconfiguring the
|
|
// bridge/router) solves this problem.
|
|
//
|
|
// If you set this parameter too high, netlogon will ignore retry attempts
|
|
// from a client.
|
|
//
|
|
|
|
// Window, in seconds, within which an incoming mailslot message identical to
// the previous one is treated as a duplicate and ignored; 0 (MIN) disables
// the feature (see the notes above).
#define DEFAULT_MAILSLOTDUPLICATETIMEOUT 2
#define MAX_MAILSLOTDUPLICATETIMEOUT 5
#define MIN_MAILSLOTDUPLICATETIMEOUT 0
|
|
|
|
//
|
|
// ExpectedDialupDelay (in seconds)
|
|
//
|
|
// This parameter specifies the time it takes for a dialup router to dial when
|
|
// sending a message from this client machine to a domain trusted by this client
|
|
// machine. Typically, netlogon assumes a domain controller is reachable in a
|
|
// short (e.g., 15 seconds) time period. Setting ExpectedDialupDelay informs
|
|
// Netlogon to expect an ADDITIONAL delay of the time specified.
|
|
//
|
|
// Currently, netlogon adjusts the following two times based on the
|
|
// ExpectedDialupDelay:
|
|
//
|
|
// 1) When discovering a DC in a trusted domain, Netlogon sends 3 mailslot
|
|
// messages to the trusted domain at ( 5 + ExpectedDialupDelay/3 ) second
|
|
// intervals. Synchronous discoveries will not be timed out for 3 times that
|
|
// interval.
|
|
// 2) An API call over a secure channel to a discovered DC will timeout only
|
|
// after (45 + ExpectedDialupDelay) seconds.
|
|
//
|
|
// This parameter should remain zero unless a dialup router exists between this
|
|
// machine and its trusted domain.
|
|
//
|
|
// If this parameter is set too high, legitimate cases where no DC is available in
|
|
// a trusted domain will take an extraordinary amount of time to detect.
|
|
//
|
|
|
|
|
|
// Expected dial-up delay, in seconds, added to DC discovery and secure channel
// API timeouts (see the notes above). Should stay 0 unless a dial-up router
// sits between this machine and its trusted domain.
#define DEFAULT_EXPECTEDDIALUPDELAY 0
#define MAX_EXPECTEDDIALUPDELAY (10*60) // 10 minutes
#define MIN_EXPECTEDDIALUPDELAY 0
|
|
|
|
//
|
|
// ScavengeInterval (in seconds)
|
|
//
|
|
// This parameter adjusts the interval at which netlogon performs the following
|
|
// scavenging operations:
|
|
//
|
|
// * Checks to see if a password on a secure channel needs to be changed.
|
|
//
|
|
// * Checks to see if a secure channel has been idle for a long time.
|
|
//
|
|
// * On DCs, sends a mailslot message to each trusted domain for which a DC hasn't been
|
|
// discovered.
|
|
//
|
|
// * On PDC, attempts to add the <DomainName>[1B] netbios name if it hasn't
|
|
// already been successfully added.
|
|
//
|
|
// * On PDC, refreshes forest trust info for all forest trusts if enough time
|
|
// has passed since the last refresh. (See FtInfoUpdateInterval)
|
|
//
|
|
// None of these operations are critical. 15 minutes is optimal in all but extreme
|
|
// cases. For instance, if a DC is separated from a trusted domain by an
|
|
// expensive (e.g., ISDN) line, this parameter might be adjusted upward to avoid
|
|
// frequent automatic discovery of DCs in a trusted domain.
|
|
//
|
|
|
|
// Scavenge interval, in seconds, for the periodic checks listed above (secure
// channel password changes, idle channels, trusted-domain DC discovery, ...).
#define DEFAULT_SCAVENGEINTERVAL (15*60) // 15 minutes
#define MAX_SCAVENGEINTERVAL (48*60*60) // 2 days
#define MIN_SCAVENGEINTERVAL 60 // 1 minute
|
|
|
|
//
|
|
// LdapSrvPriority
|
|
//
|
|
// This parameter specifies the "priority" of this DC. A client trying to
|
|
// discover a DC in this domain MUST attempt to contact the target DC with the
|
|
// lowest-numbered priority. DCs with the same priority SHOULD be tried in
|
|
// pseudorandom order.
|
|
//
|
|
// This value is published on all LDAP SRV records written by the Netlogon service.
|
|
//
|
|
|
|
// LDAP SRV record priority published by Netlogon; lower is tried first.
// The bounds cover the 16-bit SRV priority field.
#define DEFAULT_LDAPSRVPRIORITY 0
#define MAX_LDAPSRVPRIORITY 65535
#define MIN_LDAPSRVPRIORITY 0
|
|
|
|
//
|
|
// LdapSrvWeight
|
|
//
|
|
// This parameter specifies the "Weight" of this DC. When selecting a DC among
|
|
// those that have the same priority, the chance of trying this one first SHOULD
|
|
// be proportional to its weight. By convention, a weight of 100 should be used
|
|
// if all DCs have the same weight.
|
|
//
|
|
// This value is published on all LDAP SRV records written by the Netlogon service.
|
|
//
|
|
|
|
// LDAP SRV record weight published by Netlogon; 100 by convention when all
// DCs are equal. The bounds cover the 16-bit SRV weight field.
#define DEFAULT_LDAPSRVWEIGHT 100
#define MAX_LDAPSRVWEIGHT 65535
#define MIN_LDAPSRVWEIGHT 0
|
|
|
|
|
|
|
|
//
|
|
// LdapSrvPort
|
|
//
|
|
// This parameter specifies the TCP and UDP port number the LDAP server listens on.
|
|
//
|
|
// This value is published on all LDAP SRV records written by the Netlogon service.
|
|
//
|
|
|
|
// LDAP port published in SRV records. MIN of 0 admits a port that cannot be
// connected to — presumably rejected by the reader; confirm.
#define DEFAULT_LDAPSRVPORT 389
#define MAX_LDAPSRVPORT 65535
#define MIN_LDAPSRVPORT 0
|
|
|
|
|
|
|
|
//
|
|
// LdapGcSrvPort
|
|
//
|
|
// This parameter specifies the TCP and UDP port number the LDAP server listens
|
|
// on for Global Catalog queries.
|
|
//
|
|
// This value is published on all LDAP SRV records written by the Netlogon service.
|
|
//
|
|
|
|
// Global Catalog LDAP port published in SRV records. MIN of 0 admits a port
// that cannot be connected to — presumably rejected by the reader; confirm.
#define DEFAULT_LDAPGCSRVPORT 3268
#define MAX_LDAPGCSRVPORT 65535
#define MIN_LDAPGCSRVPORT 0
|
|
|
|
|
|
|
|
//
|
|
// KdcSrvPort
|
|
//
|
|
// This parameter specifies the TCP port number the KDC server listens on.
|
|
//
|
|
// This value is published on all KDC SRV records written by the Netlogon service.
|
|
//
|
|
|
|
// KDC TCP port published in KDC SRV records. MIN of 0 admits a port that
// cannot be connected to — presumably rejected by the reader; confirm.
#define DEFAULT_KDCSRVPORT 88
#define MAX_KDCSRVPORT 65535
#define MIN_KDCSRVPORT 0
|
|
|
|
//
|
|
// KerbIsDoneWithJoinDomainEntry (dword) [NOTE: This parameter is NOT read from the GP section]
|
|
//
|
|
// This is a private registry between joindomain, kerberos and netlogon.
|
|
// IF set to 1, it specifies that Kerberos is done reading the join domain
|
|
// entry dumped by join domain and netlogon should delete it.
|
|
//
|
|
// Defaults to 0
|
|
|
|
// KerbIsDoneWithJoinDomainEntry: private 0/1 flag shared between joindomain,
// Kerberos and Netlogon; 1 means Netlogon should delete the join-domain entry
// (see the notes above). Not read from the GP section.
// The macro names carry an extra "D" (ISDDONE); users must match that spelling.
#define DEFAULT_KERBISDDONEWITHJOIN 0
#define MAX_KERBISDDONEWITHJOIN 1
#define MIN_KERBISDDONEWITHJOIN 0
|
|
|
|
//
|
|
// DnsTtl (in seconds)
|
|
//
|
|
// This parameter specifies the "Time To Live" for all DNS records registered
|
|
// by Netlogon. The "Time To Live" specifies the amount of time a client
|
|
// can safely cache the DNS record.
|
|
//
|
|
// A value of zero indicates that the record will not be cached on the client.
|
|
//
|
|
// One should not pick a value that is too large. Consider a client that gets
|
|
// the DNS records for the DCs in a domain. If a particular DC is down at the
|
|
// time of the query, the client will not become aware of that DC even if all
|
|
// the other DCs become unavailable.
|
|
//
|
|
|
|
// DNS TTL, in seconds, for every record Netlogon registers; 0 means the
// record is not cached by clients (see the notes above). MAX is the largest
// positive 32-bit signed value, consistent with the 31-bit TTL limit in DNS.
#define DEFAULT_DNSTTL (10 * 60) // 10 minutes
#define MAX_DNSTTL 0x7FFFFFFF
#define MIN_DNSTTL 0
|
|
|
|
|
|
|
|
//
|
|
// DnsRefreshInterval (in seconds)
|
|
//
|
|
// This parameter specifies how frequently Netlogon will re-register DNS
|
|
// names that have already been registered.
|
|
//
|
|
// DNS is a distributed service. There are certain failure conditions where a
|
|
// dynamically registered name gets lost.
|
|
//
|
|
// The actual refresh interval starts at 5 minutes then doubles until it
|
|
// reaches DnsRefreshInterval.
|
|
//
|
|
|
|
// DNS re-registration interval, in seconds. The actual interval starts at
// 5 minutes (MIN) and doubles until it reaches this value (see the notes
// above). MAX of 0xFFFFFFFF/1000 s (~49 days) is the largest period that
// fits a 32-bit millisecond count — presumably how it is consumed; confirm.
#define DEFAULT_DNSREFRESHINTERVAL (24 * 60 * 60) // 24 hours
#define MAX_DNSREFRESHINTERVAL (0xFFFFFFFF / 1000) // 49 days
#define MIN_DNSREFRESHINTERVAL (5 * 60) // 5 minutes
|
|
|
|
|
|
//
|
|
// DnsFailedDeregisterTimeout (in seconds)
|
|
//
|
|
// Netlogon tries to deregister DNS records which were registered in the past
|
|
// but are no longer needed. If a failure occurs to deregister, Netlogon will
|
|
// retry to deregister at the scavenging time. This parameter specifies the
|
|
// timeout when Netlogon should give up deregistering a particular DNS record
|
|
// after a consecutive series of failed deregistrations on a given service start.
|
|
//
|
|
|
|
// Timeout, in seconds, after which Netlogon stops retrying a DNS record
// deregistration that keeps failing since service start (see the notes above).
#define DEFAULT_DNSFAILEDDEREGTIMEOUT (48 * 60 * 60) // 48 hours.
#define MAX_DNSFAILEDDEREGTIMEOUT 0xFFFFFFFF // Infinite (never give up).
// Any period larger than
// 0xFFFFFFFF/1000 sec = 49 days
// will be treated as infinity.
#define MIN_DNSFAILEDDEREGTIMEOUT 0 // Give up after the first failure
|
|
|
|
|
|
//
|
|
// MaximumPasswordAge (in days)
|
|
//
|
|
// This parameter gives the maximum amount of time that can pass
|
|
// before a machine account's password must be changed on the PDC.
|
|
//
|
|
|
|
// Maximum machine account password age, in days. Raising it lengthens the
// period a single machine account password remains valid; MAX is effectively
// unbounded (about 2700 years).
#define DEFAULT_MAXIMUMPASSWORDAGE (30) // 30 days
#define MIN_MAXIMUMPASSWORDAGE (1) // 1 day
#define MAX_MAXIMUMPASSWORDAGE (1000000) // 1,000,000 days
|
|
|
|
//
|
|
// SiteName
|
|
//
|
|
// This parameter specifies the name of the site this machine is in. This
|
|
// value overrides any dynamically determined value.
|
|
//
|
|
// This parameter is only used on Member Workstations and Member Servers.
|
|
//
|
|
|
|
//
|
|
// DynamicSiteName [NOTE: This parameter is NOT read from the GP section]
|
|
//
|
|
// This parameter specifies the name of the site this machine is in. This
|
|
// value is dynamically determined and should not be changed.
|
|
//
|
|
// This parameter is only used on Member Workstations and Member Servers.
|
|
//
|
|
|
|
//
|
|
// SiteCoverage
|
|
//
|
|
// A multivalued property listing the sites that this DC registers itself for.
|
|
// This DC considers itself 'close' to the sites listed.
|
|
//
|
|
// This list is in addition to:
|
|
// the site this DC is actually in.
|
|
// the list of sites determined as described by the AutoSiteCoverage parameter.
|
|
//
|
|
|
|
//
|
|
// GcSiteCoverage
|
|
//
|
|
// A multivalued property listing the sites that this DC registers itself for in
|
|
// its role as a GC
|
|
// This DC considers itself 'close' to the sites listed.
|
|
//
|
|
// This list is in addition to:
|
|
// the site this DC is actually in.
|
|
//
|
|
|
|
//
|
|
// NdncSiteCoverage
|
|
//
|
|
// A multivalued property listing the sites that this LDAP server registers itself for in
|
|
// its role as a non-domain NC (NDNC)
|
|
// This LDAP server considers itself 'close' to the sites listed.
|
|
//
|
|
// This list is in addition to:
|
|
// the site this LDAP server is actually in.
|
|
//
|
|
// To specify for which NDNC a given site is covered, the site name should contain
|
|
// backslash so that the name preceding the backslash is the NDNC name and the name
|
|
// following the backslash is the name of the site that is covered for the given NDNC.
|
|
// For example:
|
|
//
|
|
// Ndnc1\Site1A
|
|
// Ndnc1\Site1B
|
|
// Ndnc2\Site2A
|
|
// Ndnc2\Site2B
|
|
//
|
|
// In this example this LDAP server will cover Site1A and Site1B for clients from NDNC
|
|
// Ndnc1. Similarly, it will cover Site2A and Site2B for clients from NDNC Ndnc2.
|
|
// If the backslash is absent, it will be assumed that the given site is covered
|
|
// for all NDNCs this LDAP server services.
|
|
//
|
|
|
|
//
|
|
// AutoSiteCoverage (Boolean)
|
|
//
|
|
// Specifies whether the site coverage for this DC should be automatically
|
|
// determined
|
|
//
|
|
// If TRUE, the sites this DC covers are determined by the following algorithm.
|
|
// For each site that has no DCs for this domain (the target site), the site
|
|
// this DC is in might be chosen to "cover" the site. The following
|
|
// criteria are used:
|
|
//
|
|
// * Smaller site link cost.
|
|
// * For sites where the above is equal, the site having the most DCs is chosen.
|
|
// * For sites where the above is equal, the site having the alphabetically least
|
|
// name is chosen.
|
|
//
|
|
// If the site this DC is in is chosen to "cover" the target site, then this DC
|
|
// will cover the target site. The above algorithm is repeated for each target site.
|
|
//
|
|
// The computed list augments the list of covered sites specified by the
|
|
// SiteCoverage parameter.
|
|
//
|
|
// Defaults to TRUE.
|
|
//
|
|
|
|
//
|
|
// SiteCoverageRefreshInterval (in seconds)
|
|
//
|
|
// Specifies how often a DC will refresh its site coverage by reading the info from
|
|
// the DS. This value is ignored if automatic site coverage is turned off (i.e. when
|
|
// AutoSiteCoverage is set to FALSE). If site coverage changes, the DC will update
|
|
// its DNS records accordingly.
|
|
//
|
|
// Upon registry change, the first site coverage refresh will happen within the
|
|
// interval specified.
|
|
//
|
|
|
|
// Site coverage refresh interval, in seconds; ignored when AutoSiteCoverage
// is FALSE (see the notes above). MAX of 0xFFFFFFFF/1000 s (~49 days) is the
// largest period that fits a 32-bit millisecond count — presumably; confirm.
#define DEFAULT_SITECOVERAGEREFRESHINTERVAL (60 * 60) // 1 hour
#define MAX_SITECOVERAGEREFRESHINTERVAL (0xFFFFFFFF / 1000) // 49 days
#define MIN_SITECOVERAGEREFRESHINTERVAL (5 * 60) // 5 minutes
|
|
|
|
//
|
|
// AllowReplInNonMixed
|
|
//
|
|
// This boolean allows an NT 4.0 (or 3.x) BDC to replicate from this NT 5.0 PDC
|
|
// even though this DC is in NonMixed mode.
|
|
//
|
|
// Upon RegistryChangeNotify, changes to this value are ignored.
|
|
|
|
// AllowReplInNonMixed: boolean, off by default; only a default is defined
// (no MIN/MAX). Changes are ignored on RegistryChangeNotify (see notes above).
#define DEFAULT_ALLOWREPLINNONMIXED 0
|
|
|
|
//
|
|
// SignSecureChannel (Boolean)
|
|
//
|
|
// Specifies that all outgoing secure channel traffic should be signed.
|
|
//
|
|
// Defaults to TRUE. If SealSecureChannel is also TRUE, Seal overrides.
|
|
//
|
|
// Upon RegistryChangeNotify, changes to this value only affect secure channels that
|
|
// are setup after the notification is received.
|
|
|
|
//
|
|
// SealSecureChannel (Boolean)
|
|
//
|
|
// Specifies that all outgoing secure channel traffic should be sealed (encrypted)
|
|
//
|
|
// Defaults to TRUE.
|
|
//
|
|
// Upon RegistryChangeNotify, changes to this value only affect secure channels that
|
|
// are setup after the notification is received.
|
|
|
|
//
|
|
// RequireSignOrSeal (Boolean)
|
|
//
|
|
// Requires that all outgoing secure channel traffic should be signed or sealed.
|
|
// Without this flag, whether signing or sealing is used is negotiated with the DC, so an unprotected channel is possible.
|
|
//
|
|
// This flag should only be set if ALL of the DCs in ALL trusted domains support
|
|
// signing and sealing.
|
|
//
|
|
// The SignSecureChannel and SealSecureChannel parameters are used to determine
|
|
// whether signing or sealing are actually done. If this parameter is true,
|
|
// SignSecureChannel is implied to be TRUE.
|
|
//
|
|
// Defaults to FALSE.
|
|
//
|
|
// Upon RegistryChangeNotify, changes to this value only affect secure channels that
|
|
// are setup after the notification is received.
|
|
|
|
//
|
|
// RequireStrongKey (Boolean)
|
|
//
|
|
// Requires that all outgoing secure channel traffic should require a strong key.
|
|
// Without this flag, the key strength is negotiated with the DC.
|
|
//
|
|
// This flag should only be set if ALL of the DCs in ALL trusted domains support
|
|
// strong keys.
|
|
//
|
|
// Defaults to FALSE.
|
|
//
|
|
// Upon RegistryChangeNotify, changes to this value only affect secure channels that
|
|
// are setup after the notification is received.
|
|
|
|
//
|
|
// CloseSiteTimeout (in seconds):
|
|
//
|
|
// If a client cannot find a DC in a site that is close to it, Netlogon will
|
|
// periodically try to find a close DC. It will try to find a close DC when:
|
|
//
|
|
// * An interactive logon uses pass through authentication on the secure channel.
|
|
// * CloseSiteTimeout has elapsed since the last attempt, and any other attempt
|
|
// is made to use the secure channel (e.g., pass through authentication of
|
|
// network logons)
|
|
//
|
|
// That means that Netlogon only attempts to find a close DC "on demand".
|
|
//
|
|
// If this number is too large, a client will never try to find a close DC if
|
|
// one is not available on boot.
|
|
//
|
|
// If this number is too small, secure channel traffic will be unnecessarily
// slowed down by discovery attempts.
|
|
//
|
|
|
|
// Close-site timeout, in seconds: minimum spacing between on-demand attempts to
// find a DC in a close site (see the notes above). MAX of 0xFFFFFFFF/1000 s
// (~49 days) is the largest period that fits a 32-bit millisecond count —
// presumably; confirm.
#define DEFAULT_CLOSESITETIMEOUT (15*60) // 15 minutes
#define MAX_CLOSESITETIMEOUT (0xFFFFFFFF/1000) // 49 days
#define MIN_CLOSESITETIMEOUT (1*60) // 1 minute
|
|
|
|
//
|
|
// SiteNameTimeout (in seconds):
|
|
//
|
|
// If the age of the site name is more than SiteNameTimeout on the client,
|
|
// the client will attempt to synchronize the site name with the server.
|
|
// This will be done only when the site name needs to be returned, i.e. on
|
|
// demand.
|
|
//
|
|
|
|
// Site name timeout, in seconds: a client re-synchronizes its site name with
// the server, on demand, once the cached name is older than this (see notes
// above). MIN of 0 makes every on-demand lookup re-synchronize.
#define DEFAULT_SITENAMETIMEOUT (5*60) // 5 minutes
#define MAX_SITENAMETIMEOUT (0xFFFFFFFF/1000) // 49 days
#define MIN_SITENAMETIMEOUT (0) // 0 minutes
|
|
|
|
//
|
|
// Sundry flags
|
|
//
|
|
|
|
// Sundry flag defaults: neither password-change flag is set.
#define DEFAULT_DISABLE_PASSWORD_CHANGE 0
#define DEFAULT_REFUSE_PASSWORD_CHANGE 0

// Wide-string share path fragments: "SYSVOL\SYSVOL" and "\SCRIPTS"
// (backslashes are escaped in the literals).
#define DEFAULT_SYSVOL L"SYSVOL\\SYSVOL"
#define DEFAULT_SCRIPTS L"\\SCRIPTS"
|
|
|
|
//
|
|
// DuplicateEventlogTimeout (in seconds):
|
|
//
|
|
// The Netlogon service keeps track of eventlog messages it has logged in the
|
|
// past. Any duplicate eventlog message logged within DuplicateEventlogMessage
|
|
// seconds will not be logged.
|
|
//
|
|
// Set this value to zero to have all messages be logged.
|
|
//
|
|
|
|
// Duplicate event log suppression window, in seconds. With the DEFAULT a
// repeated message is dropped for 4 hours after it was last logged; MIN of 0
// logs every message (see the notes above).
#define DEFAULT_DUPLICATEEVENTLOGTIMEOUT (4*60*60) // 4 hours
#define MAX_DUPLICATEEVENTLOGTIMEOUT (0xFFFFFFFF/1000) // 49 days
#define MIN_DUPLICATEEVENTLOGTIMEOUT (0) // 0 seconds
|
|
|
|
//
|
|
// SysVolReady (Boolean)
|
|
//
|
|
// This is a private registry entry that indicates whether the SYSVOL share is
|
|
// ready to be shared. It is set by DcPromo, Backup, and FRS at appropriate times
|
|
// to indicate the replication state of the SYSVOL share.
|
|
//
|
|
// This boolean is only used on a DC.
|
|
//
|
|
// If 0, the SYSVOL share will not be shared and this DC will not indicate it is
|
|
// a DC to DsGetDcName calls.
|
|
//
|
|
// If non-zero, the SYSVOL share will be shared.
|
|
//
|
|
|
|
//
|
|
// UseDynamicDns (Boolean)
|
|
//
|
|
// Specifies that a DC is to dynamically register DNS names in DNS using
|
|
// dynamic DNS. If FALSE, Dynamic DNS is avoided and the records specified
|
|
// in %windir%\system32\config\netlogon.dns should be manually registered in DNS.
|
|
//
|
|
// Defaults to TRUE
|
|
|
|
//
|
|
// RegisterDnsARecords (Boolean)
|
|
//
|
|
// Specifies that the DC is to register DNS A records for the domain.
|
|
// If the DC is a GC, specifies that the DC is to register DNS A records for
|
|
// the GC.
|
|
//
|
|
// If FALSE, the records will not be registered and older LDAP implementations
|
|
// (ones that do not support SRV records) will not be able to locate the LDAP
|
|
// server on this DC.
|
|
//
|
|
// Defaults to TRUE
|
|
|
|
//
|
|
// AvoidPdcOnWan (Boolean)
|
|
//
|
|
// This parameter specifies if BDC should send any validation/synchronization
|
|
// requests to PDC. The validation against PDC is normally performed if the
|
|
// user does not validate on BDC. This validation will be avoided if AvoidPdcOnWan
|
|
// is set to TRUE and PDC and BDC are on different sites. Likewise, if this key is
|
|
// set to TRUE and a BDC and the PDC are in different sites, then the new password
|
|
// info being updated on a BDC will not be immediately propagated to the PDC. (The
|
|
// new password will be replicated on the PDC by DS replication, not by Netlogon.)
|
|
//
|
|
// Defaults to FALSE.
|
|
|
|
//
|
|
// MaxConcurrentApi (Number of calls)
|
|
//
|
|
// This parameter specifies the maximum number of concurrent API calls that can
|
|
// be active over the secure channel at any one time.
|
|
//
|
|
// Increasing this parameter may improve throughput on the secure channel.
|
|
//
|
|
// This parameter currently only affects Logon APIs. It may affect other secure
|
|
// channel operations in the future.
|
|
//
|
|
// Concurrent API calls are only possible if the secure channel is signed or sealed.
|
|
//
|
|
// If this parameter is set too large, this machine will place an excessive load
|
|
// on the DC the secure channel is to.
|
|
//
|
|
// The default value is 0. Zero will use 1 concurrent API call on member workstations
|
|
// and DCs. Zero implies 2 concurrent API calls on member servers
|
|
//
|
|
//
|
|
// Maximum concurrent secure channel API calls. 0 (DEFAULT) means the
// role-based default described above: 1 call on member workstations and DCs,
// 2 on member servers. Concurrency requires a signed or sealed channel.
#define DEFAULT_MAXCONCURRENTAPI 0
#define MAX_MAXCONCURRENTAPI 10
#define MIN_MAXCONCURRENTAPI 0
|
|
|
|
//
|
|
// AvoidDnsDeregOnShutdown (Boolean)
|
|
//
|
|
// This parameter specifies if DNS record deregistration should be avoided on shutting
|
|
// down netlogon. If set to FALSE, it can be used to force such deregistrations for
|
|
// debugging or some other purposes. However, setting this value to FALSE may break the
|
|
// DS replication, as the following example shows. Suppose we have two DS integrated
|
|
// DNS servers, A and B which are authoritative for a particular zone and use each other
|
|
// as secondary DNS servers for that zone. Suppose Netlogon shuts down on B and deregisters
|
|
// its records. That gets propagated to A. Then netlogon is started on B and the records
|
|
// are re-registered on B. Now A needs to do its pull sync from B. To do that, the DS uses
|
|
// B's DsaGuid record (of the form <DsaGuid>._msdcs.<DnsForestName>). But the record is
|
|
// missing on A and A is authoritative for that zone, so A is not going to find B and cannot
|
|
// pull from B.
|
|
//
|
|
// Defaults to TRUE.
|
|
|
|
//
|
|
// DnsUpdateOnAllAdapters (Boolean)
|
|
//
|
|
// This parameter specifies whether DNS updates should be sent over all available
|
|
// adapters including those where dynamic DNS updates are normally disabled.
|
|
// DHCP initiated A record updates are not sent through such adapters.
|
|
// An adapter that is connected to external network (e.g. Internet) is normally
|
|
// marked as such through the UI.
|
|
// However, there may be a need to update Netlogon SRV records through such adapters,
|
|
// hence the need for this parameter. Note that not only SRV records, but Netlogon's
|
|
// A records as well will be updated through all adapters if this parameter is TRUE,
|
|
// but it should not cause any significantly undesired behavior since Netlogon's A
|
|
// records are rarely used.
|
|
//
|
|
// Defaults to FALSE.
|
|
|
|
//
|
|
// DnsAvoidRegisterRecords
|
|
//
|
|
// A multivalued property listing the mnemonics for names of DNS records which
|
|
// this DC should not register. The mnemonics use the convention for descriptive
|
|
// names of records used in the table of all records for this server (see
|
|
// NlDcDnsNameTypeDesc[] in nlcommon.h). The descriptive name of each record is
|
|
// prefixed by "NlDns". For example, "NlDnsLdapIpAddress", "NlDnsLdapAtSite", etc.
|
|
// To avoid registering one of the records, one should use the suffix following
|
|
// "NlDns" in the descriptive name of that record. For instance, to skip registering
|
|
// the NlDnsLdapIpAddress record, one should enter "LdapIpAddress" as one of the
|
|
// values for this multivalued property.
|
|
//
|
|
// This is the most flexible way of avoiding DNS registrations for particular
|
|
// records. It supersedes all other ways which enable DNS registrations through
|
|
// the registry. For instance, if RegisterDnsARecords is explicitly set to 1
|
|
// while the A record mnemonic is listed for DnsAvoidRegisterRecords, no A record
|
|
// will be registered.
|
|
//
|
|
|
|
//
|
|
// NegativeCachePeriod (in seconds):
|
|
//
|
|
// Specifies the amount of time that DsGetDcName will remember that a DC couldn't
|
|
// be found in a domain. If a subsequent attempt is made within this time,
|
|
// the DsGetDcName call will immediately fail without attempting to find a DC again.
|
|
//
|
|
// If this number is too large, a client will never try to find a DC again if the
|
|
// DC is initially unavailable
|
|
//
|
|
// If this number is too small, every call to DsGetDcName will have to attempt
|
|
// to find a DC even when none is available.
|
|
//
|
|
|
|
// Bounds for NegativeCachePeriod (seconds). A value of 0 presumably disables
// negative caching altogether, so every DsGetDcName call retries discovery --
// confirm against the locator cache code that consumes this value.
#define DEFAULT_NEGATIVECACHEPERIOD 45 // 45 seconds
#define MIN_NEGATIVECACHEPERIOD 0 // No minimum
#define MAX_NEGATIVECACHEPERIOD (7*24*60*60) // 7 days
|
|
|
|
|
|
//
|
|
// BackgroundRetryInitialPeriod (in seconds):
|
|
//
|
|
// Some applications periodically try to find a DC. If the DC isn't available, these
|
|
// periodic retries can be costly in dial-on-demand scenarios. This registry value
|
|
// defines the minimum amount of elapsed time before the first retry will occur.
|
|
//
|
|
// The value only affects callers of DsGetDcName that have specified the
|
|
// DS_BACKGROUND_ONLY flag.
|
|
//
|
|
// If a value smaller than NegativeCachePeriod is specified, NegativeCachePeriod will
|
|
// be used.
|
|
//
|
|
// If this number is too large, a client will never try to find a DC again if the
|
|
// DC is initially unavailable
|
|
//
|
|
// If this number is too small, periodic DC discovery traffic may be excessive in
|
|
// cases where the DC will never become available.
|
|
//
|
|
|
|
// Bounds for BackgroundRetryInitialPeriod (seconds). A value below
// NegativeCachePeriod is raised to NegativeCachePeriod (see above), which is
// what the MIN comment refers to. MAX is the largest number of seconds whose
// millisecond equivalent still fits in 32 bits.
#define DEFAULT_BACKGROUNDRETRYINITIALPERIOD (10*60) // 10 minutes
#define MIN_BACKGROUNDRETRYINITIALPERIOD 0 // NegativeCachePeriod
#define MAX_BACKGROUNDRETRYINITIALPERIOD (0xFFFFFFFF/1000) // 49 days
|
|
|
|
|
|
//
|
|
// BackgroundRetryMaximumPeriod (in seconds):
|
|
//
|
|
// Some applications periodically try to find a DC. If the DC isn't available, these
|
|
// periodic retries can be costly in dial-on-demand scenarios. This registry value
|
|
// defines the maximum interval the retries will be backed off to. That is, if
|
|
// the first retry is after 10 minutes, the second will be after 20 minutes, then after 40.
|
|
// This continues until the retry interval is BackgroundRetryMaximumPeriod. That interval
|
|
// will continue until BackgroundRetryQuitTime is reached.
|
|
//
|
|
// The value only affects callers of DsGetDcName that have specified the
|
|
// DS_BACKGROUND_ONLY flag.
|
|
//
|
|
// If a value smaller than BackgroundRetryInitialPeriod is specified,
|
|
// BackgroundRetryInitialPeriod will be used.
|
|
//
|
|
// If this number is too large, a client will try very infrequently after
|
|
// sufficient consecutive failures resulting in a backoff to BackgroundRetryMaximumPeriod.
|
|
//
|
|
// If this number is too small, periodic DC discovery traffic may be excessive in
|
|
// cases where the DC will never become available.
|
|
//
|
|
|
|
// Bounds for BackgroundRetryMaximumPeriod (seconds), the cap on the doubling
// retry back-off. A value below BackgroundRetryInitialPeriod is raised to it
// (see above). MAX is the largest number of seconds whose millisecond
// equivalent still fits in 32 bits.
#define DEFAULT_BACKGROUNDRETRYMAXIMUMPERIOD (60*60) // 60 minutes
#define MIN_BACKGROUNDRETRYMAXIMUMPERIOD 0 // BackgroundRetryInitialPeriod
#define MAX_BACKGROUNDRETRYMAXIMUMPERIOD (0xFFFFFFFF/1000) // 49 days
|
|
|
|
//
|
|
// BackgroundRetryQuitTime (in seconds):
|
|
//
|
|
// Some applications periodically try to find a DC. If the DC isn't available, these
|
|
// periodic retries can be costly in dial-on-demand scenarios. This registry value
|
|
// defines the maximum interval the retries will be backed off to. That is, if
|
|
// the first retry is after 10 minutes, the second will be after 20 minutes, then after 40.
|
|
// This continues until the retry interval is BackgroundRetryMaximumPeriod. That interval
|
|
// will continue until BackgroundRetryQuitTime is reached.
|
|
//
|
|
// The value only affects callers of DsGetDcName that have specified the
|
|
// DS_BACKGROUND_ONLY flag.
|
|
//
|
|
// If a value smaller than BackgroundRetryMaximumPeriod is specified,
|
|
// BackgroundRetryMaximumPeriod will be used.
|
|
//
|
|
// 0 means to never quit retrying.
|
|
//
|
|
// If this number is too small, a client will eventually stop trying to find a DC
|
|
//
|
|
|
|
// Bounds for BackgroundRetryQuitTime (seconds). NOTE(review): the description
// above says 0 means "never quit" (and that is the default), while the MIN
// comment says a value below BackgroundRetryMaximumPeriod is raised to it;
// which rule applies to an explicit 0 is decided by the reader code, not here.
#define DEFAULT_BACKGROUNDRETRYQUITTIME 0 // Infinite
#define MIN_BACKGROUNDRETRYQUITTIME 0 // BackgroundRetryMaximumPeriod
#define MAX_BACKGROUNDRETRYQUITTIME (0xFFFFFFFF/1000) // 49 days
|
|
|
|
//
|
|
// BackgroundSuccessfulRefreshPeriod (in seconds):
|
|
//
|
|
// When a positive cache entry is old (older than the successful refresh interval),
|
|
// the DC discovery routine will ping the cached DC to refresh its info before
|
|
// returning that DC to the caller. Here we distinguish between background
|
|
// callers which periodically perform DC discovery and the rest of the callers
|
|
// because they have different characteristics. Namely, for background callers
|
|
// which call the DC locator frequently, the cache refresh shouldn't happen
|
|
// frequently to avoid extensive network overhead and load on DCs. In fact,
|
|
// the default for background callers is to never refresh the info. If the cached
|
|
// DC no longer plays the same role, a background caller will detect this change
|
|
// when it performs its operation on that DC in which case it will call us back
|
|
// with forced rediscovery bit set.
|
|
//
|
|
|
|
// Bounds for BackgroundSuccessfulRefreshPeriod (seconds). Note that the macro
// names drop "SUCCESSFUL" relative to the parameter they bound. With the
// default of 0xFFFFFFFF a background caller keeps using its cached DC until it
// itself asks for a forced rediscovery (see the description above).
#define DEFAULT_BACKGROUNDREFRESHPERIOD 0xFFFFFFFF // Infinite - never refresh
#define MIN_BACKGROUNDREFRESHPERIOD 0 // Always refresh
#define MAX_BACKGROUNDREFRESHPERIOD 0xFFFFFFFF // Infinite. Any period larger than
                                               // 0xFFFFFFFF/1000 sec = 49 days
                                               // will be treated as infinity
|
|
//
|
|
// NonBackgroundSuccessfulRefreshPeriod (in seconds):
|
|
//
|
|
// See the description of BackgroundSuccessfulRefreshPeriod
|
|
//
|
|
|
|
// Bounds for NonBackgroundSuccessfulRefreshPeriod (seconds); the macro names
// drop "SUCCESSFUL" relative to the parameter they bound. Unlike the background
// variant, non-background callers do refresh by default (every 30 minutes).
#define DEFAULT_NONBACKGROUNDREFRESHPERIOD 1800 // 30 minutes
#define MIN_NONBACKGROUNDREFRESHPERIOD 0 // Always refresh
#define MAX_NONBACKGROUNDREFRESHPERIOD 0xFFFFFFFF // Infinite. Any period larger than
                                                  // 0xFFFFFFFF/1000 sec = 49 days
                                                  // will be treated as infinity
|
|
//
|
|
// MaxLdapServersPinged (DWORD)
|
|
//
|
|
// This parameter specifies the maximum number of DCs that should be
|
|
// pinged using LDAP during a DC discovery attempt. If this value is
|
|
// too large, more network traffic may be generated and the DC discovery
|
|
// may take longer to return. If this number is too small, it may decrease
|
|
// chances for successful DC discovery if none of the pinged DCs responds
|
|
// in a timely manner.
|
|
//
|
|
// The default value of 55 has been chosen so that the discovery attempt
|
|
// takes roughly 15 seconds max. We make up to 2 loops through DC addresses
|
|
// pinging each address on the list with the following distribution for
|
|
// response wait time:
|
|
//
|
|
// For the first 5 DCs the wait time is 0.4 seconds per ping
|
|
// For the next 5 DCs the wait time is 0.2 seconds per ping
|
|
// For the rest of 45 DCs the wait time is 0.1 seconds per ping
|
|
//
|
|
// This will take (5*0.4 + 5*0.2 + 45*0.1) = 7.5 seconds per loop assuming
|
|
// that each DC has just one IP address. It will take longer if some DCs have
|
|
// more than one IP address.
|
|
//
|
|
// The rationale behind this distribution is that we want to reduce the network
|
|
// traffic and reduce chances for network flooding (that is harmful for DCs)
|
|
// in case all DCs are slow to respond due to high load. Thus, the first 10 DCs
|
|
// have higher chances to be discovered before we impose greater network traffic
|
|
// by pinging the rest of DCs. If the first 10 DCs happen to be slow we have to
|
|
// reduce the wait timeout to a minimum as we want to cover a reasonable number
|
|
// of DCs in the time left.
|
|
//
|
|
|
|
// Bounds for MaxLdapServersPinged. MAX is the full DWORD range, so the registry
// value itself places no practical cap on the ping traffic one discovery attempt
// can generate; the default of 55 is sized for roughly 15 seconds per attempt
// (see the timing breakdown above).
#define DEFAULT_MAXLDAPSERVERSPINGED 55
#define MIN_MAXLDAPSERVERSPINGED 1
#define MAX_MAXLDAPSERVERSPINGED 0xFFFFFFFF
|
|
|
|
//
|
|
// AllowSingleLabelDnsDomain (Boolean)
|
|
//
|
|
// By default, the DC locator will not attempt DNS specific discovery for single
|
|
// labeled domain names. This is done to avoid spurious DNS queries since DNS
|
|
// domain names are usually multi labeled. However, this parameter may be used to
|
|
// allow DNS specific discoveries for single labeled domain names which may exist
|
|
// in a specific customer deployment.
|
|
//
|
|
// Defaults to FALSE.
|
|
//
|
|
|
|
//
|
|
// Nt4Emulator (Boolean)
|
|
//
|
|
// This parameter specifies whether this DC should emulate the behavior of an NT4.0 DC.
|
|
// Emulation of the NT4.0 behavior is desirable when the first Windows 2000 or newer
|
|
// DC is promoted to the PDC in an NT4.0 domain with a huge number of already existing
|
|
// Windows 2000 clients. Unless we emulate the NT4.0 behavior, all the Windows 2000
|
|
// clients will stick with the Windows 2000 or newer DC upon learning about the domain
|
|
// upgrade thereby potentially overloading the DC.
|
|
//
|
|
// This parameter is ignored on non-DC. If this parameter is set to TRUE, the following
|
|
// takes place on a DC:
|
|
//
|
|
// * Incoming LDAP locator pings are ignored unless the ping comes
|
|
// from an admin machine (see NeutralizeNt4Emulator description below).
|
|
//
|
|
// * The flags negotiated during the incoming secure channel setup
|
|
// will be set to at most what an NT4.0 DC would support unless
|
|
// the channel setup comes from an admin machine (see NeutralizeNt4Emulator
|
|
// description below).
|
|
//
|
|
// Defaults to FALSE.
|
|
//
|
|
|
|
//
|
|
// NeutralizeNt4Emulator (Boolean)
|
|
//
|
|
// This parameter specifies whether this machine should indicate in the relevant
|
|
// communication with a DC that the DC should avoid the NT4.0 emulation mode (see
|
|
// Nt4Emulator description above). If this parameter is TRUE, the machine is said
|
|
// to be an admin machine.
|
|
//
|
|
// Defaults to FALSE on a non-DC. Defaults to TRUE on a DC.
|
|
//
|
|
|
|
//
|
|
// DcTcpipPort (DWORD)
|
|
//
|
|
// This parameter specifies the port number that the netlogon server on the DC
|
|
// should register with the RPC endpoint mapper for the TCPIP protocol sequence.
|
|
// If this value doesn't exist, netlogon will not specify the port number in
|
|
// which case the port will be chosen dynamically by the end point mapper at the
|
|
// time a client makes an RPC call to netlogon on the DC.
|
|
//
|
|
// Note that netlogon registers the port number only on service start up, so registry
|
|
// change notifications are ignored for this parameter. Also note that this parameter
|
|
// is not stored in the NlGlobalParameters structure. Rather, it is read from the
|
|
// registry once at the netlogon service start.
|
|
//
|
|
// By default, this parameter does not exist. It is ignored on non-DCs.
|
|
//
|
|
|
|
//
|
|
// AllowExclusiveSysvolShareAccess
|
|
//
|
|
// This parameter specifies whether the exclusive access to the Sysvol share
|
|
// is allowed. If the exclusive access is allowed, an app with only read
|
|
// permission to files on the sysvol share can lock the files by requesting
|
|
// exclusive read access, which might prevent Group Policy settings from being
|
|
// updated on other clients in the domain. When the exclusive access needs to
|
|
// be allowed because some critical app relies on it, domain administrators
|
|
// should ensure that the only applications using the exclusive read capability
|
|
// in the domain are those approved by the administrator.
|
|
//
|
|
// Defaults to FALSE.
|
|
//
|
|
|
|
//
|
|
// AllowExclusiveScriptsShareAccess
|
|
//
|
|
// This parameter specifies whether the exclusive access to the Scripts share
|
|
// is allowed. If the exclusive access is allowed, an app with only read
|
|
// permission to files on the NETLOGON share can lock the files by requesting
|
|
// exclusive read access, which might prevent client machines or users in the
|
|
// domain from conforming to administrator specified settings and actions such
|
|
// as logon scripts. When the exclusive access needs to be allowed because some
|
|
// critical app relies on it, domain administrators should ensure that the only
|
|
// applications using the exclusive read capability in the domain are those
|
|
// approved by the administrator.
|
|
//
|
|
// Defaults to FALSE.
|
|
//
|
|
|
|
//
|
|
// FtInfoUpdateInterval (in seconds)
|
|
//
|
|
// This parameter defines how often forest trust info is to be refreshed on PDC.
|
|
// If forest trust info on PDC is older than this time interval, the forest trust
|
|
// info will be refreshed at the next scavenging. See ScavengeInterval that defines
|
|
// how often scavenging is performed.
|
|
//
|
|
// Bounds for FtInfoUpdateInterval (seconds). The refresh only happens at
// scavenging time, so the effective granularity is ScavengeInterval.
#define DEFAULT_FTINFO_UPDATE_INTERVAL (24*3600) // 1 day
#define MIN_FTINFO_UPDATE_INTERVAL (3600) // 1 hour
#define MAX_FTINFO_UPDATE_INTERVAL 0xFFFFFFFF // Infinite. Any period larger than
                                              // 0xFFFFFFFF/1000 sec = 49 days
                                              // will be treated as infinity
|
|
//
|
|
// AvoidLocatorAccountLookup (Boolean)
|
|
//
|
|
// This parameter specifies whether this DC should perform account lookups
|
|
// during DC discovery response processing for queries with account. Excessive
|
|
// account lookups may be expensive and can affect the DC performance. Also,
|
|
// a malicious user can take advantage of this and cause a DoS attack by bombarding
|
|
// the DC with discoveries with account. In any case, if the performance is
|
|
// determined to be affected, account lookups can be avoided by temporarily
|
|
// setting this parameter to 1 on the DC in which case the DC will respond to
|
|
// the discovery even if the specified account does not exist on the DC. While
|
|
// this setting is chosen, clients which legitimately require DC with a particular
|
|
// account may get denied service on this DC. After the problem is rectified, the
|
|
// setting should be reverted to the default.
|
|
//
|
|
// Defaults to FALSE
|
|
//
|
|
|
|
//
|
|
// Structure to hold all of the parameters.
|
|
//
|
|
//
// Each field mirrors a registry parameter of the same name; the parameter
// descriptions (semantics, defaults and bounds) precede this structure in this
// header. DcTcpipPort is deliberately absent: it is read from the registry once
// at service start and is not stored here.
//
typedef struct _NETLOGON_PARAMETERS {
    ULONG DbFlag;
    ULONG LogFileMaxSize;
    // Replication pulse tuning; see the Pulse* descriptions earlier in the header.
    ULONG Pulse;
    ULONG PulseMaximum;

    ULONG PulseConcurrency;
    ULONG PulseTimeout1;
    ULONG PulseTimeout2;
    BOOL DisablePasswordChange;

    BOOL RefusePasswordChange;
    ULONG Randomize;
    ULONG MaximumMailslotMessages;
    ULONG MailslotMessageTimeout;

    ULONG MailslotDuplicateTimeout;
    ULONG ExpectedDialupDelay;
    ULONG ScavengeInterval;
    ULONG LdapSrvPriority;

    ULONG LdapSrvWeight;
    ULONG LdapSrvPort;
    ULONG LdapGcSrvPort;
    ULONG KdcSrvPort;

    ULONG DnsTtl;
    ULONG DnsRefreshInterval;
    ULONG CloseSiteTimeout;
    ULONG SiteNameTimeout;
    ULONG DnsFailedDeregisterTimeout;
    ULONG SiteCoverageRefreshInterval;

    ULONG DuplicateEventlogTimeout;
    ULONG KerbIsDoneWithJoinDomainEntry;
    ULONG MaxConcurrentApi;
    ULONG MaximumPasswordAge;

    // DC locator cache tuning (seconds). NegativeCachePeriod is how long a
    // failed DC lookup is remembered; the BackgroundRetry* values shape the
    // doubling retry back-off for DS_BACKGROUND_ONLY callers, and a
    // BackgroundRetryQuitTime of 0 means never stop retrying.
    ULONG NegativeCachePeriod;
    ULONG BackgroundRetryInitialPeriod;
    ULONG BackgroundRetryMaximumPeriod;
    ULONG BackgroundRetryQuitTime;

    // Age (seconds) after which a positively cached DC is re-pinged before being
    // handed back to a caller; background callers default to never refreshing.
    ULONG BackgroundSuccessfulRefreshPeriod;
    ULONG NonBackgroundSuccessfulRefreshPeriod;

    // Upper bound on the number of DCs pinged over LDAP in one discovery attempt.
    ULONG MaxLdapServersPinged;

    // How often (seconds) forest trust info is refreshed on the PDC.
    ULONG FtInfoUpdateInterval;

    LPWSTR UnicodeSysvolPath;
    LPWSTR UnicodeScriptPath;
    LPWSTR SiteName;

    BOOL SiteNameConfigured;
    LPWSTR SiteCoverage;
    LPWSTR GcSiteCoverage;
    LPWSTR NdncSiteCoverage;
    BOOL AutoSiteCoverage;
    // Multivalued list of "NlDns" record-name suffixes this DC must not register.
    // It overrides every other registration switch, including an explicit
    // RegisterDnsARecords of 1. Presumably held as a REG_MULTI_SZ-style
    // double-NUL-terminated buffer -- confirm against the registry reader.
    LPWSTR DnsAvoidRegisterRecords;

    BOOL AvoidSamRepl;
    BOOL AvoidLsaRepl;
    BOOL AllowReplInNonMixed;
    // Presumably the secure channel signing/sealing policy; the descriptions of
    // these four switches are outside this part of the header.
    BOOL SignSecureChannel;
    BOOL SealSecureChannel;
    BOOL RequireSignOrSeal;
    BOOL RequireStrongKey;
    BOOL SysVolReady;
    BOOL UseDynamicDns;
    BOOL RegisterBeta2Dns;
    BOOL RegisterDnsARecords;
    BOOL AvoidPdcOnWan;
    BOOL AvoidDnsDeregOnShutdown;
    // When TRUE, Netlogon's SRV and A record updates are sent over every adapter,
    // including ones where dynamic DNS update is normally disabled (e.g. the one
    // facing the Internet). Defaults to FALSE.
    BOOL DnsUpdateOnAllAdapters;
    // Nt4Emulator: a DC ignores incoming LDAP locator pings and caps the flags
    // negotiated on incoming secure channel setup at NT4.0 level, unless the peer
    // is an "admin machine", i.e. one with NeutralizeNt4Emulator set
    // (TRUE by default on a DC, FALSE on a non-DC). Ignored on a non-DC.
    BOOL Nt4Emulator;
    BOOL NeutralizeNt4Emulator;
    // Permit DNS-specific discovery for single-label domain names (FALSE by default).
    BOOL AllowSingleLabelDnsDomain;
    // When TRUE, a client with only read permission may take exclusive read locks
    // on Sysvol / NETLOGON share files, which can block Group Policy and logon
    // script delivery to other clients in the domain. Both default to FALSE.
    BOOL AllowExclusiveSysvolShareAccess;
    BOOL AllowExclusiveScriptsShareAccess;
    // Temporary DoS mitigation: when TRUE the DC answers discoveries that name an
    // account without looking the account up, so clients that legitimately need a
    // DC holding that account may be denied service on this DC. Defaults to FALSE.
    BOOL AvoidLocatorAccountLookup;

    //
    // Parameters converted to 100ns units
    //
    // Presumably derived from the like-named seconds fields above.
    //
    LARGE_INTEGER PulseMaximum_100ns;
    LARGE_INTEGER PulseTimeout1_100ns;
    LARGE_INTEGER PulseTimeout2_100ns;
    LARGE_INTEGER MailslotMessageTimeout_100ns;
    LARGE_INTEGER MailslotDuplicateTimeout_100ns;
    LARGE_INTEGER MaximumPasswordAge_100ns;
    LARGE_INTEGER BackgroundRetryQuitTime_100ns;

    //
    // Other computed parameters
    //
    ULONG ShortApiCallPeriod;
    ULONG DnsRefreshIntervalPeriod;
} NETLOGON_PARAMETERS, *PNETLOGON_PARAMETERS;
|
|
|
|
#endif // _INIPARM_
|