JSI Tip 8163. Windows 2000 Startup and Logon Traffic Analysis.

The TechNet Windows 2000 Startup and Logon Traffic Analysis page begins with:

Published: August 1, 2000

Microsoft Enterprise Services

For information on Enterprise Services, see http://www.microsoft.com/learning/default.asp


Greg Molnar - USMCS MidWest

Keith Olinger - USMCS MidWest

David Trulli - Program Manager, Microsoft Enterprise Customer Solutions

Markus Vilcinskas - Program Manager, Microsoft Enterprise Services
On This Page

Introduction
Windows 2000 Component Overview
Description of the Windows 2000 Startup and Logon Process
User Logon
Conclusion
Appendix A: Test Environment
Appendix B: TCP/IP Ports Used in the Authentication Process


The client startup and logon process is the process the Microsoft Windows operating system uses to validate a computer or user in the Windows networking environment. Developing an understanding of the client startup and user logon process is fundamental to understanding Windows 2000 networking. This white paper will provide the reader with detailed information on this process, including:

How clients connect to the network with Windows 2000 Dynamic Host Configuration Protocol (DHCP), Automatic Private Internet Protocol (IP) addressing, and static addressing.

How Windows 2000 clients use the Dynamic Domain Naming System (DDNS) support in Windows 2000 to locate domain controllers and other servers in the infrastructure needed during startup and logon. In addition, we will show how Windows 2000 clients register their names in DDNS.

How the Lightweight Directory Access Protocol (LDAP) is used during startup and logon to search the Microsoft Active Directory for required information.

How the Kerberos security protocol is used for authentication.

How MS Remote Procedure Calls (MSRPC) are used.

How Server Message Block (SMB) is used to transfer group policy information and other data during the startup and logon process.

In addition to discussing the Windows 2000 core components used by the startup and logon process, the paper shows what happens and how much network traffic is generated during each part of the process. The discussion begins with an overview of the Windows 2000 components involved in the startup and logon process. We will then examine the client startup process and discuss the user logon process.

Throughout the discussion, sample information from network monitor traces will be used to illustrate what is happening at that particular point. We have also made an effort to provide references whenever possible to external sources where additional information can be found. The most common reference materials cited include:

Internet Engineering Task Force (IETF) Requests for Comments (RFCs)

Microsoft Windows 2000 Resource Kits

Microsoft Support Knowledge Base articles

Microsoft Notes from the Field books

Various Web sites

Reading and understanding this white paper will allow systems architects and administrators to better engineer and support Windows 2000 networks. It should help network designers determine where to place key components to ensure reliable startup and logon in a Windows 2000 network. Support professionals will be able to use this paper to resolve problems by comparing the baseline information provided here to their environments.


The target groups for this discussion are systems administrators and network architects who are planning, implementing, or managing Windows 2000 networks. It is expected that this group will have an understanding of the following topics:

Microsoft Windows NT or 2000 networking concepts

Basic knowledge of the TCP/IP protocol

Some exposure to examining network traces

The Windows 2000 Resource Kit, Microsoft TechNet, and the Notes from the Field series offer more detailed discussions of the core Windows 2000 services we will discuss as part of the client startup and logon process. It would be worthwhile to have access to these resources as supplementary material while reading this paper.

NOTE: See the complete Windows 2000 Startup and Logon Traffic Analysis article.
