DNS, Slow Login, and Internet Access

Fink

I run a small business and have Windows 2000 set up with
AD. The Windows 2000 server acts as the DNS server. I
have a few workstations on the network ranging from ME,
Windows 2000 Pro, and XP Pro. Here's the problem: the
2000 and XP workstations suffer from extremely slow login
(but work fine once logged into the network). The XP
machine gets the following errors when logging on:

Automatic certificate enrollment for local system failed
to contact the active directory (0x8007054b). The
specified domain either does not exist or could not be
contacted. Enrollment will not be performed.

Windows cannot obtain the domain controller name for your
computer network. (The specified domain either does not
exist or could not be contacted.). Group Policy
processing aborted.

This does not happen on the ME workstations!

I have all the workstations set up to auto-detect the DNS
server. If I "hard code" the IP of the preferred DNS
server, the login works much faster, but I cannot get
onto the internet!?

The network config is as follows:

1. All workstations are connected to a switch
2. A router hangs off of the switch
3. A DSL modem hangs off of the router to connect to the
internet.

I would hard code the DNS address to get faster login,
but I need the internet access!

I have not been able to find anything to help so far.

Thanks in advance!

Ron Lowe

Your DNS experimenting points the way ahead.

When you 'hard code' the DNS, and the logins work,
then presumably you are hard coding it to point to the server.

When you let it 'Auto Detect', what IP address of DNS server are you picking
up?
( ipconfig /all will show you )
Presumably, an ISP's DNS server, since Internet resolution now works.

Which points to the source of the problem.

Where is the DHCP server on the network?
I'd guess you are using the DHCP server on the router.
And it is passing on the ISP's DNS to all the machines.

You are halfway there with your hard-coding.
You MUST point your clients to the server for DNS.
BUT you then must enable the DNS server to 'forward' unresolved queries to
your ISP.
( or let it use 'root hints'. )
This will require you to remove any root (dot) zones on the DNS server.

I'd either:

Shut down DHCP on the router, and use DHCP server on the server machine,
And push out the server's IP address as DNS server;
-or-
Configure the router's DHCP to do this.

Then fix up the DNS server to resolve Internet names.

Here's my usual lecture on the topic...


XP differs from previous versions of Windows in that it uses
DNS as its primary name resolution method for finding domain
controllers:

How Domain Controllers Are Located in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;314861

If DNS is misconfigured, XP will spend a lot of time waiting for it to
time out before it tries using legacy NT4-style NetBIOS.
( Which may or may not work. )

1) Ensure that the XP clients are all configured to point to the local
DNS server which hosts the AD domain. That will probably be the
win2k server itself.
They should NOT be pointing at an ISP's DNS server.
An 'ipconfig /all' on the XP box should reveal ONLY the domain's
DNS server.

( you should use the DHCP server to push out the local DNS server
address. )

2) Ensure DNS server on win2k is configured to permit dynamic updates.

3) Ensure the win2k server points to itself as a DNS server.

4) For external ( internet ) name resolution, specify your ISP's DNS server
not on the clients, but in the 'forwarders' tab of the local win2k DNS
server.

On the DNS server, if you cannot access the 'Forwarders' and 'Root Hints'
tabs because they are greyed out, that is because there is a root zone (".")
present on the DNS server. You MUST delete this root zone to permit the
server to forward unresolved queries to your ISP or the root servers.
Accept any nags etc., and let it delete any corresponding reverse lookup
zones if it asks.


The following articles may assist you in setting up DNS correctly:

Setting Up the Domain Name System for Active Directory
http://support.microsoft.com/default.aspx?scid=kb;en-us;237675
HOW TO: Configure DNS for Internet Access in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;300202
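The checks Ron's steps 1) to 4) describe can be scripted. The following is an added example, not code from either poster or from Microsoft, and it assumes the DnsClient and DnsServer PowerShell modules (Windows 8 / Server 2012 and later), so it documents the checks rather than running on the XP and Windows 2000 boxes in the thread themselves. The domain name is read from the machine; `www.microsoft.com` is only an assumed external name for the forwarding test.

```powershell
# Added example (not from the thread). Audits the two misconfigurations the
# reply describes: clients pointed at an ISP DNS server (slow logon), and an
# AD DNS server that cannot resolve Internet names (no forwarders / root zone).
# Assumes the DnsClient module on the client and the DnsServer module on the DC.

function Test-AdDnsClient {
    param(
        # AD DNS domain; defaults to the machine's own domain membership
        [string]$Domain = (Get-CimInstance Win32_ComputerSystem).Domain,
        # Assumed external name used to confirm the AD DNS server forwards
        [string]$ExternalName = 'www.microsoft.com'
    )

    # The DC locator SRV record XP queries first (see KB 314861).
    $srvName = "_ldap._tcp.dc._msdcs.$Domain"

    # What 'ipconfig /all' would show: every IPv4 DNS server on every adapter.
    $adapters = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 }

    $results = foreach ($a in $adapters) {
        foreach ($ip in $a.ServerAddresses) {
            # Can this server answer the DC locator query?  An ISP server cannot.
            $dc = $false
            try {
                $rec = Resolve-DnsName -Name $srvName -Type SRV -Server $ip -DnsOnly -ErrorAction Stop
                $dc = @($rec | Where-Object Type -eq 'SRV').Count -gt 0
            } catch { $dc = $false }

            # Can this server also resolve an Internet name (forwarding works)?
            $ext = $false
            try {
                Resolve-DnsName -Name $ExternalName -Type A -Server $ip -DnsOnly -ErrorAction Stop | Out-Null
                $ext = $true
            } catch { $ext = $false }

            [pscustomobject]@{
                Interface       = $a.InterfaceAlias
                DnsServer       = $ip
                AnswersDcSrv    = $dc
                AnswersExternal = $ext
            }
        }
    }

    foreach ($r in $results) {
        if (-not $r.AnswersDcSrv) {
            Write-Warning "$($r.DnsServer) cannot resolve $srvName - not the AD DNS server (probably the ISP server handed out by the router's DHCP). Logon will wait for DNS to time out before falling back to NetBIOS."
        } elseif (-not $r.AnswersExternal) {
            Write-Warning "$($r.DnsServer) is the AD DNS server but does not resolve Internet names - configure forwarders or root hints on it."
        } else {
            Write-Host "$($r.DnsServer) answers both the DC SRV record and Internet names - OK."
        }
    }
    return $results
}

function Test-AdDnsServer {
    # Run on the AD DNS server itself (steps 3 and 4 of the reply).
    $self = (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses
    Write-Host "Server's own DNS client points at: $($self -join ', ')  (should include itself)"

    # A root '.' zone greys out the Forwarders and Root Hints tabs.
    $rootZone = Get-DnsServerZone | Where-Object ZoneName -eq '.'
    if ($rootZone) {
        Write-Warning "Root '.' zone present - forwarding and root hints are disabled until it is deleted."
    }

    $fwd = Get-DnsServerForwarder
    if (@($fwd.IPAddress).Count -eq 0 -and -not $fwd.UseRootHint) {
        Write-Warning "No forwarders configured and root hints disabled - Internet names cannot be resolved."
    } else {
        Write-Host "Forwarders: $($fwd.IPAddress -join ', '); UseRootHint = $($fwd.UseRootHint)"
    }
    return [pscustomobject]@{ RootZonePresent = [bool]$rootZone; Forwarders = $fwd.IPAddress; UseRootHint = $fwd.UseRootHint }
}

# Usage: run Test-AdDnsClient on a workstation, Test-AdDnsServer on the DC.
Test-AdDnsClient | Format-Table -AutoSize
```

The client function is the script form of Ron's diagnosis: a DNS server that answers the `_ldap._tcp.dc._msdcs` SRV query is the domain's server, one that does not is whatever the router's DHCP handed out. Once only the AD server appears and it also resolves the external name, both the logon delay and the lost Internet access are addressed.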