Net Logon Test

The Netlogon service is responsible for communication between systems in response to a logon request, a domain synchronization request, and a request to promote a Backup Domain Controller (BDC) to a Primary Domain Controller (PDC). The Netlogon service performs several tasks when servicing network logon requests. They are as follows:

  • Selects the target domain for logon authentication
  • Identifies a domain controller in the target domain to perform authentication
  • Creates a secure channel for communication between Netlogon services on the originating and target systems
  • Passes an authentication request to the appropriate domain controller
  • Returns authentication results to Netlogon on the originating system

Delays in the Netlogon authentication process can often scar a user’s overall experience, not just with the domain controller but also with the application that requests the authentication. To avoid undue authentication delays, use the Net Logon test. This test monitors the Netlogon authentication feature, proactively detects potential authentication bottlenecks, and promptly alerts administrators to what is causing the bottleneck, so that remedial action can be taken in good time.

Target of the test : An Active Directory server

Agent deploying the test : An internal agent

Outputs of the test : One set of results for every Active Directory server being monitored

Configurable parameters for the test

Test period : How often the test should be executed.

Host : The host for which this test is to be configured.

Port : The port used by the Windows server.

Measurements made by the test

Semaphore waiters

  Description : Indicates the number of threads currently waiting to acquire the semaphore.

  Measurement unit : Number

  Interpretation : A consistent increase in the value of this measure is a cause for concern, as it indicates that the count of ‘busy’ semaphores is steadily increasing. This in turn could cause many threads/logon requests to be enqueued for lack of adequate semaphores. Consequently, authentication will be delayed.

Semaphore acquires

  Description : Indicates the number of times the semaphore has been acquired over this secure channel during the last measure period.

  Measurement unit : Number

Semaphore holders

  Description : Indicates the number of threads currently holding the semaphore.

  Measurement unit : Number

  Interpretation : This is a good indicator of the current authentication workload over the secure channel.

  If the value of this measure is equal to the MaxConcurrentApi registry setting or is fast approaching that value, it indicates that the server is getting overloaded. Authentication delays and timeouts may occur as a result. The typical way to resolve the problem is to raise the maximum number of worker threads allowed to service authentication. You can do this by altering the MaxConcurrentApi registry value and then restarting the Net Logon service on the servers.

Semaphore timeouts

  Description : Indicates the number of times a thread has timed out waiting for the semaphore over the secure communication channel during the last measure period.

  Measurement unit : Number

  Interpretation : Ideally, this measure has to be 0.

  A non-zero value for the measure indicates that one or more authentication threads have reached the wait time-out and the logon was denied. This is a sign of a very bad user experience, and typically occurs when the secure channel is overloaded, hung or broken.

  The typical way to resolve the overload problem is to raise the maximum number of worker threads allowed to service authentication. You can do this by altering the MaxConcurrentApi registry value and then restarting the Net Logon service on the servers.
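
The interpretation rules above can be checked by hand against the Windows Netlogon performance counters. The following PowerShell is an added example, not part of the original page or of the monitoring product. The function name, sampling window, 80% "fast approaching" threshold and English counter names are assumptions.

```powershell
# Added example. Run on the monitored server with rights to read performance counters.
function Test-NetlogonSemaphore {
    param(
        [int]$Samples = 6,                  # assumed window: 6 samples
        [int]$IntervalSeconds = 10,         # assumed spacing between samples
        [double]$NearLimit = 0.8,           # assumed meaning of "fast approaching"
        [int]$FallbackMaxConcurrentApi = 0  # used only when the registry value is not set
    )
    # MaxConcurrentApi is a value under the Netlogon service parameters key.
    # When it is absent Windows applies a built-in default, which is not guessed here.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $max = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).MaxConcurrentApi
    if (-not $max) { $max = $FallbackMaxConcurrentApi }

    $paths = 'Waiters', 'Holders', 'Timeouts' |
        ForEach-Object { "\Netlogon(*)\Semaphore $_" }
    $data = (Get-Counter -Counter $paths -SampleInterval $IntervalSeconds `
                         -MaxSamples $Samples).CounterSamples

    # One counter instance per secure channel, plus _Total.
    foreach ($channel in $data | Group-Object InstanceName) {
        $series = @{}
        foreach ($g in $channel.Group | Group-Object { ($_.Path -split '\\')[-1] }) {
            $series[$g.Name] = @($g.Group | Sort-Object Timestamp |
                                 ForEach-Object CookedValue)
        }
        $w = $series['semaphore waiters']
        $h = $series['semaphore holders']
        $t = $series['semaphore timeouts']

        # "Consistent increase": never drops between samples and ends higher than it began.
        $rising = $w[-1] -gt $w[0]
        for ($i = 1; $i -lt $w.Count; $i++) {
            if ($w[$i] -lt $w[$i - 1]) { $rising = $false }
        }
        $peak = ($h | Measure-Object -Maximum).Maximum

        [pscustomobject]@{
            Channel          = $channel.Name
            WaitersRising    = $rising
            PeakHolders      = $peak
            MaxConcurrentApi = $max
            HoldersNearLimit = ($max -gt 0 -and $peak -ge $NearLimit * $max)
            # The raw counter is cumulative; the difference is the count for this window.
            TimeoutsInWindow = $t[-1] - $t[0]
        }
    }
}
Test-NetlogonSemaphore | Format-Table -AutoSize
```

A row with HoldersNearLimit set to True or TimeoutsInWindow above 0 corresponds to the overload conditions described for Semaphore holders and Semaphore timeouts.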