JSI Tip 4771. How do I force Kerberos to use TCP instead of UDP in Windows 2000?

RFC 1510 dictates that a client should contact the Key Distribution Center (KDC) with a UDP datagram to port 88 at the KDC's Ip address. This may result in:

Event Log Error 5719 Source NETLOGON No Windows NT or Windows 2000 Domain Controller is available for domain Domain. The following error occurred: There are currently no logon servers available to service the logon request.

If you run Netdiag, you receive:

DC list test . . . . . . . . . . . : Failed [WARNING] Cannot call DsBind to COMPUTERNAMEDC.domain.com (159.140.176.32).                                     [ERROR_DOMAIN_CONTROLLER_NOT_FOUND] Kerberos test. . . . . . . . . . . : Failed [FATAL] Kerberos does not have a ticket for MEMBERSERVER$.]

If the data can be fit in packets that are less than 2,000 bytes, Windows 2000 uses UDP, otherwise it uses TCP. You can alter the behavior:

1. Use Regedt32 to navigate to:

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsaKerberosParameters.

NOTE:: You may have to Add the Parameters sub-key.

2. At the Parameters sub-key, Add Value name MaxPacketSize, as a REG_DWORD data type, and set the data value to any Decimal number between 1 and 2000. To prevent UDP from being used, set it to 1.