Offsite DNS question

Ace Fekay [MVP]

> Indeed, we run all our sites this way, and I can't think of any
> "administrative" overhead which has ever been experienced.
> I am more than capable of running split horizon DNS.
> ..
>
> Unfortunately, a one minute delay is an eternity to a customer sitting
> in front of a PC. Yes, it is that bad.
>
> Can you tell me more of this fast logon option?
>
> I really need a fix for this.



I never said you weren't capable of managing a split-zone. I just said it's
administrative overhead. You're here trying to make it work, right? How much
time have you spent on it so far?

I think it's just a time delay that many deal with on a constant basis.
Maybe the Fast Logon feature may help, but if I remember correctly, it's
enabled by default. Here's more info on it.

Description of Windows XP Professional Fast Logon Optimization
http://support.microsoft.com/support/kb/articles/q305/2/93.asp

Managing Windows XP in a Windows 2000 Server Environment
(search for fast logon in this article):
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/mngwinxp.mspx

Ace
jsmall

Thanks Ace,

I've checked this and yes, it's enabled on the PCs in question. Guess
I'll keep looking.

With regards to Malevolent's message, as a side issue, here is why we
made this design decision. Consider a server accessible both
internally, from an internal address, and externally, from a port
forward on a firewall. This server in this case is a Terminal server.

Users have one shortcut to click on. When in the building,
ts.domain.com.au will resolve to an internal address. Thanks to split
horizon, it will resolve to the live IP and the users will access what
they need to. Split horizon works perfectly for us here.
From what I see, Windows has these possible bootup scenarios:

1. Finds domain DNS and SRV records (when internal) and logs on
properly
2. You are outside the network, you have a local.net domain, your
workstation can't see it externally and immediately logs in with cached
credentials (as it should)
3. You are outside network, have a domain.com domain (doing split
horizon), you see an external DNS server with no SRV records, but for
some reason the PC keeps looking for them until timeout.

Shouldn't scenario 3 behave like scenario 2 and just logon with cached
credentials?

Ace Fekay [MVP]

> Thanks Ace,
>
> I've checked this and yes, it's enabled on the PCs in question. Guess
> I'll keep looking.
>
> With regards to Malevolent's message, as a side issue, here is why we
> made this design decision. Consider a server accessible both
> internally, from an internal address, and externally, from a port
> forward on a firewall. This server in this case is a Terminal server.
>
> Users have one shortcut to click on. When in the building,
> ts.domain.com.au will resolve to an internal address. Thanks to split
> horizon, it will resolve to the live IP and the users will access what
> they need to. Split horizon works perfectly for us here.

I have it set up at a couple of clients like this (I didn't originally set it
up), and yes, I agree it works. Just a little extra work if users want to
get to your website as http://domain.com.au instead of
http://www.domain.com.au.

> 1. Finds domain DNS and SRV records (when internal) and logs on
> properly
> 2. You are outside the network, you have a local.net domain, your
> workstation can't see it externally and immediately logs in with
> cached credentials (as it should)
> 3. You are outside network, have a domain.com domain (doing split
> horizon), you see an external DNS server with no SRV records, but for
> some reason the PC keeps looking for them until timeout.
>
> Shouldn't scenario 3 behave like scenario 2 and just logon with cached
> credentials?

The timeout setting for a DNS query I believe, if I remember correctly, is
6 seconds, then it goes to the next. Only once that is done, and the Winlogon
process and LSA are satisfied that a DC really isn't available, does it
give the user (provided they've already logged on at least once
successfully) the ability to log on locally with cached credentials.
Honestly, your machines taking multiple minutes is extraneous, and I'm not sure
why in your case. If I also remember, I believe the first time logging on
using cached credentials is the longest, subsequent times are shorter.

Other than putting a domain controller out on the internet (unlikely), I'm
not sure what else to tell you. Sorry I couldn't have offered better
assistance.

Ace
jsmall

Actually Ace, you may have offered more assistance than you realised.

Do I read you right as saying 6 seconds *per DNS server*?

If that is the case, we are looking at a 36 second logon for external
users.

That is about what we are experiencing; I will continue looking at this
angle.

Ace Fekay [MVP]

> Actually Ace, you may have offered more assistance than you
> realised.
>
> Do I read you right as saying 6 seconds *per DNS server*?
>
> If that is the case, we are looking at a 36 second logon for external
> users.
>
> That is about what we are experiencing; I will continue looking at
> this angle.

If I remembered correctly, yes. But I need to find the doc describing it,
unless someone else jumps in. I'll get back to you.

Ace
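As an added example (not from anyone in this thread), here is a small diagnostic in Python that does what the replies above describe: it asks each configured DNS server in turn for the DC locator SRV record (_ldap._tcp.dc._msdcs.<domain>) and times the wait, so you can see whether an external resolver returns a quick negative answer or simply never replies, with each silent server costing the full per-server timeout. The 6 second figure is the one quoted in the thread rather than a verified default, and the server addresses and domain you pass in are placeholders.

```python
import socket
import struct
import time

def build_srv_query(name, qid=0x1234):
    """Single-question DNS query for an SRV record, RD bit set (what a stub resolver sends)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 33, 1)  # QTYPE=SRV, QCLASS=IN

def classify_response(packet, qid):
    """Classify a reply from its header alone: 'answer' (records present), 'empty' (NOERROR,
    nothing returned), 'nxdomain', 'error' (other RCODE) or 'mismatch' (not our query ID)."""
    if len(packet) < 12:
        return "error"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if rid != qid:
        return "mismatch"
    rcode = flags & 0x0F
    if rcode == 3:
        return "nxdomain"
    if rcode != 0:
        return "error"
    return "answer" if ancount else "empty"

def probe(servers, domain, per_server_timeout=6.0):
    """Ask each configured server, in order, for the DC locator record and time the wait.
    A negative answer ('nxdomain'/'empty') comes back in milliseconds; 'timeout' means the
    server never replied and the full per-server timeout was burned, which is what adds up
    to a slow logon. 6.0 s is the figure quoted in the thread, not a verified default."""
    name = f"_ldap._tcp.dc._msdcs.{domain}"
    qid = 0x4A4A
    query = build_srv_query(name, qid)
    results = []
    for server in servers:
        start = time.monotonic()
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(per_server_timeout)
            try:
                s.sendto(query, (server, 53))
                data, _ = s.recvfrom(512)
                outcome = classify_response(data, qid)
            except socket.timeout:
                outcome = "timeout"
            except OSError:
                outcome = "unreachable"  # e.g. ICMP port unreachable from a firewall
        results.append((server, outcome, round(time.monotonic() - start, 2)))
    return results
```

Run `probe(["192.0.2.1", "192.0.2.2"], "domain.com.au")` from an outside workstation with its real resolver list substituted; the sum of the third column approximates the delay the resolver imposes before cached-credential logon proceeds.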

Ace Fekay [MVP]

> Actually Ace, you may have offered more assistance than you
> realised.
>
> Do I read you right as saying 6 seconds *per DNS server*?
>
> If that is the case, we are looking at a 36 second logon for external
> users.
>
> That is about what we are experiencing; I will continue looking at
> this angle.

It's longer, depending on how you look at it:

DNS Client Query - Microsoft Windows 2000 Server Documentation:
http://www.microsoft.com/windows200...00/en/server/help/sag_DNS_und_HowDnsWorks.htm

DNSQueryTimeouts and how to set on client side to reset DNS query list:
http://www.microsoft.com/resources/...s/2000/server/reskit/en-us/regentry/96406.asp

Name Resolution Process:
http://www.comptechdoc.org/os/windows/wintcp/wtcpname.html

Windows 2000 DNS White Paper (p.38 explains resolver service and reg entry
to disable cache to reset list):
http://www.microsoft.com/windows2000/techinfo/howitworks/communications/nameadrmgmt/w2kdns.asp

Ace