slow login problems at branch office


Charles Hunt

Hi,

I have two sites linked by a VPN connection which works fine. I can ping
machines from both sides and DNS seems to be happily resolving FQDNs etc. as
well as machine names. I can also access the DCs by using
\\mydomain.com\sysvol (with a bit of trickery). All my DCs are 2000 SP4
machines and are based in the main site.

The branch office is new and I have moved across some existing workstations
to that office.

BUT all machines in the branch office are not logging in properly. The
XP/2000 machines take an age to log in (20 mins+) and things are not really
working correctly. I have a 2003 member server which I put in to perform
DHCP, which I managed to authorize remotely (after a bit of effort; it
took about 15 mins to finally authorize).

When I try to log in to the 2003 server remotely using RDP it won't let me;
the error message is "access denied" and the event log shows a 40960 error
which is "domain controller unavailable". What really perplexes me is that I
can ping and access the machines, and the DNS seems to be OK, but obviously
there is some kind of problem with the AD. I am wondering if there is a
TCP/UDP port which is being blocked or some other communication problem
which isn't apparent with ping and DNS lookups. (I have checked the reverse
zone on the DNS, which seems to be updating and working fine.)

I have the RESKIT2000 but not entirely sure which tool can help me in this
particular problem.

Any ideas or tools that could help me get a fix on this problem would be
VERY VERY welcome.

Kind regards

Charles
 
My first thought: is there a firewall between the two?

Download PortQryUI and from the client side check to see if the ports are
open:
http://www.microsoft.com/downloads/...37-1ea6-4569-aabb-f248f4bd91d0&DisplayLang=en

Ports I believe are needed:
135/TCP RPC *
389/TCP/UDP LDAP
636/TCP LDAP SSL
3268/TCP LDAP GC
3269/TCP LDAP GC SSL
53/TCP/UDP DNS
88/TCP/UDP Kerberos
445/TCP SMB

High Ports

See
http://support.microsoft.com/kb/179442/en-us


--
Paul Bergson MCT, MCSE, MCSA, Security+, CNE, CNA, CCA
http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Hello,

Thanks for your reply. I downloaded PortQryUI and ran it against the
domain controller and it appeared to report no problems, with return codes of
00000000x0.

I tried all the ports you mentioned below and they all seemed to pass.

I suppose that means the problem isn't a network connectivity problem - do
you have any ideas what else could be the problem?

Kind regards

Charles
 
Hi

Couple of things:

- Make sure that you have at least 1 GC per site.

- Make sure that you defined the appropriate subnets in AD Sites and
Services.

- Make sure that each DNS server only points to itself under NIC properties.

- Make sure that local clients only use their local DNS server.

- If you're between subnets, and you use NetBIOS resolution (for example to
browse Network Neighborhood), make sure that you have WINS in both sites
replicating with each other.

- Make sure that your DNS servers can resolve each other's domain, or each
other's FQDN.

--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator
 
Hi,

Thanks for your reply.

Just to go through your list:

I don't have a GC at the branch office; according to my MS resource kit
manual, it isn't necessary for just a few PCs across a VPN with reasonable
bandwidth (>500 Kbps).

Yes, I have set up the subnets in Sites and Services.

The DNS servers point to themselves and the backup AD DC.

I have set up a local DNS which appears to work properly.

I am not using NetBIOS / WINS.

I don't have a problem resolving FQDNs (both forward and reverse).

I am checking the trouble shooting guide in Q247811 to see if that can shed
any light on the problem.

Kind regards

Charles
 
If your network name resolution works fine, and your machines are taking
20 min or more to logon, my advice to you is MAKE A GC per site if you want
to speed up logons.

--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator
 
Hi

Thanks for your reply.

I realise that having a GC on site would speed up logins, but it shouldn't
prevent logins, which is what is happening at the moment.

PCs are logging in with cached credentials and not logging onto the domain
controller, and then cannot access resources from DCs, such as file
shares, although in some cases the "Exchange" client can access the email
server (Exchange Server 2000).

I have a 2003 member server on site and I cannot log onto that using RDP;
it responds with an error "access is denied" (it is headless). I am not
sure logging on to the console makes any difference but I will try that
tomorrow.

Kind regards

Charles
 
When things are slow... most of the time it is DNS.

Domain controllers are found by SRV RRs, which point to FQDNs, which point to
IPs.

So if you really want to test DC locator queries, query for the service
RRs...

Let's say your domain is called DOMAIN.LOCAL (replace this with whatever
your domain is called, as long as it is NOT a single-labeled domain like
just DOMAIN).

Use NSLOOKUP and query for:
_ldap._tcp.dc._msdcs.DOMAIN.LOCAL
_ldap._tcp.<site name>._sites.dc._msdcs.DOMAIN.LOCAL

Are your clients pointing to DNS servers?

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
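One script that combines the two checks suggested in this thread (Paul's port list and the DC locator SRV queries above): it resolves the SRV names, then probes the listed TCP ports on every DC they return, so a branch client can show in one run whether the locator finds a DC and whether a firewall sits in the way. This is an added example, not from any poster; DOMAIN.LOCAL and BranchOffice are placeholders, and Resolve-DnsName requires a Windows 8/2012 or later client.

```powershell
# Added example, not from the thread: resolve the DC locator SRV names, then
# probe the TCP ports from Paul's list on every DC they return. DOMAIN.LOCAL and
# BranchOffice are placeholders; Resolve-DnsName needs Windows 8/2012 or later;
# UDP 53/88/389 are not probed here (PortQry covers those).
param(
    [string]$Domain = 'DOMAIN.LOCAL',   # placeholder: your AD DNS domain
    [string]$Site   = 'BranchOffice'    # placeholder: site name from AD Sites and Services
)
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",                # any DC in the domain
    "_ldap._tcp.$Site._sites.dc._msdcs.$Domain"    # DCs covering this site
)
$ports = @{ 53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP';
            445 = 'SMB'; 636 = 'LDAP SSL'; 3268 = 'Global Catalog'; 3269 = 'GC SSL' }

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        # No SYN/ACK within the timeout usually means a firewall is dropping it.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Get-SrvRecords([string]$Name) {
    # Resolve-DnsName also returns glue A records; keep only the SRV entries.
    Resolve-DnsName -Name $Name -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' }
}

foreach ($name in $srvNames) {
    $records = Get-SrvRecords $name
    if (-not $records) { Write-Warning "No SRV records for $name; DC locator cannot use it"; continue }
    foreach ($r in $records) { "{0,-50} -> {1}:{2}" -f $name, $r.NameTarget, $r.Port }
}

$dcs = Get-SrvRecords $srvNames[0] | Select-Object -ExpandProperty NameTarget -Unique
foreach ($dc in $dcs) {
    foreach ($port in ($ports.Keys | Sort-Object)) {
        $state = if (Test-TcpPort -Target $dc -Port $port) { 'open' } else { 'FILTERED/closed' }
        "{0,-30} {1,5}/tcp {2,-20} {3}" -f $dc, $port, $ports[$port], $state
    }
}
```

A missing site-specific SRV record points at AD Sites and Services (subnet or site not defined), while a resolved DC with filtered ports points at the VPN or a firewall between the sites.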
 
