PC Review



when connected to a domain. takes forever to login

 
 
josh
Guest
Posts: n/a
 
      5th Sep 2004
We are in an education environment. We are testing Windows
XP on minimum-requirement computers without SP2. We have
an Active Directory set up and are connecting the WinXP
machine to the domain. Now we go to test it by first
logging in, but the login process takes a good 5 mins,
where it really shouldn't take that long. It's only
pulling down at least half a meg of info, so it really
shouldn't take that long to do. We currently use Win2000
for workstations; these don't have a problem when logging
in. Some feedback would be appreciated.
 
 
 
 
 
Richard G. Harper
Guest
Posts: n/a
 
      6th Sep 2004
Sounds like you need to look at the DNS server settings on your XP
computers. They should be set to look at the DNS server for Active
Directory and no others.

--
Richard G. Harper [MVP Win9x] (E-Mail Removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm


 
Guest
Posts: n/a
 
      6th Sep 2004
OK, we found the problem but not the solution. Because we
have a roaming profile, we also have an Active Desktop,
so we have a school-wide desktop. What WinXP is doing is
re-writing the desktop as a BMP which is 2.5 meg in size.
Does anyone know why it is doing this instead of just
keeping the 128kb JPEG file we already have?
 
 
josh
Guest
Posts: n/a
 
      6th Sep 2004
It has nothing to do with DNS. If the DNS was wrong, we
wouldn't even be able to log in, which we are doing. It's
just taking long.


 
Richard G. Harper
Guest
Posts: n/a
 
      6th Sep 2004
Oh, so untrue. You can indeed log into an AD domain with incorrect DNS
settings, but you will note an extended login time. Trust me ... I know.
:-)

What will it hurt to check the settings? Take a minute or so?

--
Richard G. Harper [MVP Win9x] (E-Mail Removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm


 
lost soul
Guest
Posts: n/a
 
      6th Sep 2004
Pardon the intrusion, I have a similar dilemma.
We used to have a W2K server with Active Directory while clients logged in with
Win98, no problem. When we began migrating to new PCs with WinXP, slow login.
The thing is, all the clients have to set DNS to the ISP DNS IP; that is how
the DSL router works. If I set the DNS to the server's DNS, I lose internet
connection?
Thanks in advance,

 
Ron Lowe
Guest
Posts: n/a
 
      6th Sep 2004
"lost soul" <(E-Mail Removed)> wrote in message
news:3132CA11-03D7-4534-8DCB-(E-Mail Removed)...
> Pardon the intrusion, I have a similar dilemma.
> We used to have a W2K server with Active Directory while clients logged in
> with Win98, no problem. When we began migrating to new PCs with WinXP, slow
> login.
> The thing is, all the clients have to set DNS to the ISP DNS IP; that is how
> the DSL router works. If I set the DNS to the server's DNS, I lose internet
> connection?
> Thanks in advance,


Richard is 100% correct.

You *must* point the clients to the internal DNS that hosts the AD domain.
Yes, that will break external ( Internet ) name resolution until you go
configure the internal DNS server to handle that too.

On the Internal DNS server, configure it like this:
1) Delete any root (.) zone if it exists.

Now, it will be able to resolve external names using the Root Nameservers
listed in Root Hints.
Now, your DNS server will do the full nine yards lookup from the root on
down.
You can leave it like this if you want, but you can also:

2) Go to the forwarders tab, and add the IP address of your ISP's DNS
servers.

This will cause it to onpass unresolved ( external ) queries to your ISP's
DNS server, which in turn will do the full nine yards for you. The
advantage of using your ISP as a forwarder is you get the benefit of their
well-populated cache, and so it may be quicker. Also you reduce the load on
the root and TLD nameservers.

Here's my usual lecture on the whole topic:

XP differs from previous versions of windows in that it uses
DNS as its primary name resolution method for finding domain
controllers:

How Domain Controllers Are Located in Windows XP
http://support.microsoft.com/default...b;en-us;314861

If DNS is misconfigured, XP will spend a lot of time waiting for it to
time out before it tries using legacy NT4 style NetBIOS.
( Which may or may not work. )

1) Ensure that the XP clients are all configured to point to the local
DNS server which hosts the AD domain. That will probably be the
win2k server itself.
They should NOT be pointing at an ISP's DNS server.
An 'ipconfig /all' on the XP box should reveal ONLY the domain's
DNS server.

( you should use the DHCP server to push out the local DNS server
address. )

2) Ensure DNS server on win2k is configured to permit dynamic updates.

3) Ensure the win2k server points to itself as a DNS server.

4) For external ( internet ) name resolution, specify your ISP's DNS server
not on the clients, but in the 'forwarders' tab of the local win2k DNS
server.

On the DNS server, if you cannot access the 'Forwarders' and 'Root Hints'
tabs because they are greyed out, that is because there is a root zone (".")
present on the DNS server. You MUST delete this root zone to permit the
server to forward unresolved queries to your ISP or the root servers:

HOWTO: Remove the Root Zone (Dot Zone)
http://support.microsoft.com/default.aspx?kbid=298148

The following articles may assist you in setting up DNS correctly:

Setting Up the Domain Name System for Active Directory
http://support.microsoft.com/default...b;en-us;237675
HOW TO: Configure DNS for Internet Access in Windows 2000
http://support.microsoft.com/default...b;en-us;300202


--
Best Regards,
Ron Lowe
MS-MVP Windows Networking
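
The check from step 1 above ('ipconfig /all' on the XP box should reveal ONLY the domain's DNS server), as an added Python example that is not part of the original thread. The sample output, the addresses and the function names are constructed for illustration; 192.168.1.10 is assumed to be the AD DNS server.

```python
import ipaddress
import re

# Constructed 'ipconfig /all' output (sample data, not from the thread).
# 192.168.1.10 stands in for the AD DNS server, 203.0.113.53 for an ISP's.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : LAB-XP-01
        Primary Dns Suffix  . . . . . . . : school.example

Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.50
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.10
                                            203.0.113.53
        Lease Obtained. . . . . . . . . . : Monday, September 06, 2004 8:00:00 AM
"""

# "   Label . . . . : value" lines; the label itself never contains a colon.
LABEL = re.compile(r"^\s+(?P<key>[^:]+?)[ .]*:\s*(?P<val>.*)$")

def _is_ip(text):
    try:
        ipaddress.ip_address(text.split("%")[0])  # drop any IPv6 scope id
        return True
    except ValueError:
        return False

def dns_servers_by_adapter(text):
    """Return {section name: [DNS server, ...]} from 'ipconfig /all' text."""
    result, section, in_dns = {}, None, False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if not line[0].isspace():          # unindented line opens a new section
            section, in_dns = stripped.rstrip(":"), False
        elif in_dns and _is_ip(stripped):  # continuation line: another DNS server
            result.setdefault(section, []).append(stripped)
        else:
            m = LABEL.match(line)
            in_dns = bool(m) and m.group("key") == "DNS Servers"
            if in_dns and _is_ip(m.group("val").strip()):
                result.setdefault(section, []).append(m.group("val").strip())
    return result

def unexpected_dns(text, allowed):
    """(section, server) pairs for DNS servers outside the allowed AD DNS set."""
    ok = {ipaddress.ip_address(a) for a in allowed}
    return [(sec, s) for sec, servers in dns_servers_by_adapter(text).items()
            for s in servers if ipaddress.ip_address(s.split("%")[0]) not in ok]
```

An empty list from `unexpected_dns` means the client lists only the allowed DNS servers; on the sample it reports the second, ISP-style entry.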

 
 
lost soul
Guest
Posts: n/a
 
      9th Sep 2004
Thanks,
My concern is, would this make the W2K server become public on the internet?
It was used for accounting purposes and was intended as an internal server
only. Somehow the contractor set it as domain controller and I inherited all
the mess. Will using it as DNS server make it vulnerable to hackers since it
doesn't have a firewall? Maybe I'll just buy another server as the
proxy... How to join a Win2003 server to a W2K server?
(I should have listened to mom and studied medicine)

 
Ron Lowe
Guest
Posts: n/a
 
      9th Sep 2004
>> You *must* point the clients to the internal DNS that hosts the AD
>> domain.
>> Yes, that will break external ( Internet ) name resolution until you go
>> configure the internal DNS server to handle that too.
>>


> Thanks,
> My concern is, would this make the W2K server become public on the
> internet?
> It was used for accounting purposes and was intended as an internal server
> only. Somehow the contractor set it as domain controller and I inherited
> all the mess. Will using it as DNS server make it vulnerable to hackers
> since it doesn't have a firewall? Maybe I'll just buy another server as the
> proxy... How to join a Win2003 server to a W2K server?
> (I should have listened to mom and studied medicine)
>


Can I address this in sections:

> My concern is, would this make the w2k server become public on the
> internet?


No, it would not be an Internet-facing DNS server.
It is providing DNS service for internal machines only.

Sure, it needs to make _outbound_ connections to other DNS
servers to query them, but you will not be permitting inbound
connections to you. Your router or firewall will be dropping
any inbound connection attempts to all your LAN except those
which you explicitly permit.

Which brings me to:

> doesn't have a firewall?


Hmm, alarm bells are ringing.

How is it connected to the Internet?
If it's via a broadband router, which provides NAT, then that's not so bad.
That automatically provides stateful inbound firewalling.
This is a common configuration, and is what I expect you would have.

Does the machine have a non-routable IP address ( eg 192.168.x.x )?
That's what the above configuration would give.

If you have a routed subnet of public IP addresses, then you need some form
of firewalling, I'd use a standalone firewall box between the router and
the LAN.

If it's directly connected, via a modem directly connected to the server,
then again you need some form of firewalling as described above.

In addition to a border firewall, you might want to consider host firewalls
on individual machines.
The XP-SP2 Windows Firewall is perfectly good for this, as are others like
Zone Alarm.

If your configuration is either a routed subnet of public IP addresses, or a
direct connection, and there is no firewalling, then you are seriously
exposed and you need to get a firewall installed.

An exposed DNS service would be the least of your worries in this case.


--
Best Regards,
Ron Lowe
MS-MVP Windows Networking


 
 
Ron Lowe
Guest
Posts: n/a
 
      14th Sep 2004
"lost soul" <(E-Mail Removed)> wrote in message
news:F8F372FA-CE4F-4B1D-B378-(E-Mail Removed)...
> Guess I'll have to follow your advice.
> The firewall will have to wait until funds are available. The network is
> connected to the internet via a DSL router; on the WAN side it uses IP
> assigned by the ISP, on the LAN side it uses 192.168.x.x


In that case, you are safe from unsolicited connections coming in from the
Internet.
An additional border firewall would not add greatly to your protection from
external attacks.

You may wish to consider deploying XP-SP2 on your client machines, and using
the Windows Firewall it provides. Enable the File+Print sharing exception
if you share folders on the client machines.


> Do you know where can I find more reference on routable/non-routeable IP
> issues?
>


Google...

http://www.faqs.org/rfcs/rfc1597.html
http://www.safety.net/sum1597.html


--
Best Regards,
Ron Lowe
MS-MVP Windows Networking


 