slow logon on windows 2000 domain

Devendra Panchal

Hello,

Recently we created a new Win2000 server and made it the only domain
controller. The existing clients were on an NT4 domain server which had
crashed. So overnight this W2K server was prepared and the clients were
shifted onto the new domain. Since then, the clients take about 4-5 mins to
reach the desktop after logon.
This delay is noticed only on clients with XP Prof, not on W2K Prof.
The clients which had Adobe PageMaker 6.5 installed on them started giving
registry errors after being shifted to the new 2000 domain.
The server also has a cable Internet connection with ISA Server installed
and running fine.
The groups created (in Active Directory Users and Computers) have a
global scope and 'security' as their type.
A group with 'Domain Local' scope was created and a new user was made its
member. No change. The client still took 4 mins to logon with that new user.

What can be done to speed up the logons?

Will be highly obliged for any help

Devendra

ptwilliams

Hi Dev,

Sounds suspiciously like a DNS issue.

Ensure that all clients are pointing to internal DNS servers only. The only
boxes that should be pointing to public DNS servers are the ISA and/or the
DNS servers (forwarders tab).


--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

Andrew Mitchell

ptwilliams said:
> Hi Dev,
>
> Sounds suspiciously like a DNS issue.
>
> Ensure that all clients are pointing to internal DNS servers only. The
> only boxes that should be pointing to public DNS servers are the ISA
> and/or the DNS servers (forwarders tab).

Is that correct for the ISA server?
I've always just pointed them at the AD DNS servers and let the DNS
forwarding or root hints take over for external domain resolution.

I was working under the assumption that ISA required access to the internal
DNS servers to be able to authenticate users against DCs.

ptwilliams

The setups can vary. Personally, I've always configured it just like
you've said - only configure internal DNS on the internal adapter; however,
I've seen recommendations about making ISA a caching only DNS server (which
means it points to itself and then either internally or externally depending
on whether it's a domain member or stand-alone box).

Some of our ISA boxes are not domain members, they're simply stand-alone
proxy servers; you can then chain these with internal fringe boxes, etc.

There's also many people out there who simply configure it wrong... <g>


--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

Andrew Mitchell

ptwilliams said:
> The setups can vary. Personally, I've always configured it just like
> you've said - only configure internal DNS on the internal adapter;

I've mainly done it that way for simplicity of the firewall rules and to
allow domain based user authentication on the proxy. The only box allowed out
on ports 80 or 443 is the proxy and the only machines allowed out on port 53
are the DNS servers. Everything else either goes through the proxy for web, or
uses the internal DNS servers which forward requests on their behalf.

> however, I've seen recommendations about making ISA a caching only DNS
> server (which means it points to itself and then either internally or
> externally depending on whether it's a domain member or stand-alone
> box).
>
> Some of our ISA boxes are not domain members, they're simply stand-alone
> proxy servers;

I hadn't thought that through properly. It makes absolute sense for reverse
proxies - e.g. an RPC over HTTP proxy server sitting in the DMZ. You want to keep
as many ports between the DMZ and internal segments closed as possible, so why
would you want it pointed at an internal DNS.

> you can then chain these with internal fringe boxes, etc.
>
> There's also many people out there who simply configure it wrong... <g>

There's always that.........

Herb Martin

Right. As pt says you can do it many ways, but
the most secure and least trouble with the firewall
(and perhaps the best performance and least WAN
traffic if you have multiple internal DNS servers)
is to have the internal DNS servers forward strictly
at the firewall/gateway/DMZ caching only DNS,
and allow that firewall DNS to forward strictly
to the ISP.

[This is not cool if the ISP is small and flaky,
but with big ISPs 95% of all lookups will be in
the caches due to other customers.]

This keeps DNS servers (which are frequently DCs)
off the Internet -- and we don't even have to open
the firewall between them and the firewall.

Our caching only DNS server only needs to
activate DNS on the internal NIC (if it is a
multi-homed machine itself) unless it is trying
to provide external (Internet/public) resolution
for our external resources (www, SMTP, etc.)

And generally, companies without a massive
Internet presence should put external/public
DNS (back) at the Registrar.

[The registrars have multiple/fault tolerant/24-7/
crews for caring for DNS and give a web interface
where one can manage one's own actual records
which are small in number and seldom change for
those on the Internet.]

The thing that many people mess up (to the point
of it being the answer to many FAQs) is that they
really must point all internal DNS clients STRICTLY
to internal DNS servers.

And reminding everyone that DCs, and even DNS
and other servers are ALSO DNS CLIENTS.

In that case the ISA might or might not point to
itself as a DNS client.

If the ISA is a domain member, then it is also an
INTERNAL name client and needs to point not
to itself (even though it is a caching only DNS
server) but rather to the INTERNAL DNS servers.
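Paul's rule (every client points at internal DNS only) and Herb's reminder that DCs and other servers are DNS clients too come down to one check that is easy to run across a fleet. The script below is an added example written for this thread, not code from any of the posters: it parses the text of `ipconfig /all` collected from several hosts and flags any adapter whose DNS client list contains something other than the internal DNS servers. Host names, addresses, the allow-list of internal DNS servers and the single exemption for the gateway's external adapter are all constructed for the example; which box may reference a public resolver is exactly the point debated above, so adjust `EXEMPT_ADAPTERS` to your own policy.

```python
"""Audit DNS client settings captured from `ipconfig /all`.

Added example for this thread (not any poster's code). Clients, and DCs,
whose DNS client points at a public resolver cannot find the domain's
SRV records and stall at logon, which is the symptom in the first post.
"""
import ipaddress
import re
from typing import Dict, FrozenSet, List, Optional, Tuple

# Assumed internal DNS servers (the DC and a second DNS box); constructed.
INTERNAL_DNS = frozenset({"192.168.1.10", "192.168.1.11"})

# (host, adapter) pairs allowed to reference a public resolver. Assumption
# for the example: only the gateway's external side. A domain-member ISA's
# internal adapter is still expected to point at INTERNAL_DNS.
EXEMPT_ADAPTERS = frozenset({("ISA01", "Ethernet adapter External")})

# RFC 1918 ranges, used to tell "wrong internal box" from "public resolver".
RFC1918 = tuple(ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

# Constructed `ipconfig /all` excerpts, one per host.
SAMPLE_OUTPUTS: Dict[str, str] = {
    "XPCLIENT01": """
Windows IP Configuration
   Host Name . . . . . . . . . . . . : XPCLIENT01
Ethernet adapter Local Area Connection:
   IP Address. . . . . . . . . . . . : 192.168.1.50
   DNS Servers . . . . . . . . . . . : 192.168.1.10
                                       203.0.113.53
   Primary WINS Server . . . . . . . : 192.168.1.10
""",
    "XPCLIENT02": """
Ethernet adapter Local Area Connection:
   IP Address. . . . . . . . . . . . : 192.168.1.51
   DNS Servers . . . . . . . . . . . : 192.168.1.1
""",
    "DC01": """
Ethernet adapter Local Area Connection:
   IP Address. . . . . . . . . . . . : 192.168.1.10
   DNS Servers . . . . . . . . . . . : 192.168.1.10
""",
    "ISA01": """
Ethernet adapter Internal:
   IP Address. . . . . . . . . . . . : 192.168.1.254
   DNS Servers . . . . . . . . . . . : 192.168.1.10
Ethernet adapter External:
   IP Address. . . . . . . . . . . . : 198.51.100.7
   DNS Servers . . . . . . . . . . . : 203.0.113.53
""",
}

Finding = Tuple[str, str, Optional[str], str]  # host, adapter, server, reason

DNS_LINE = re.compile(r"\s+DNS Servers[ .]*:\s*(\S+)?")
BARE_ADDRESS = re.compile(r"[0-9A-Fa-f:.]+")


def parse_dns_servers(ipconfig_text: str) -> Dict[str, List[str]]:
    """Map each adapter name to the DNS servers listed under it.

    Adapter headers start in column 0 and end with ':'; properties are
    indented, and additional DNS servers appear on indented continuation
    lines that hold nothing but an address.
    """
    adapters: Dict[str, List[str]] = {}
    current: Optional[str] = None
    in_dns_list = False
    for raw in ipconfig_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line[0].isspace() and line.endswith(":"):
            current = line[:-1].strip()
            adapters[current] = []
            in_dns_list = False
            continue
        match = DNS_LINE.match(line)
        if match and current is not None:
            in_dns_list = True
            if match.group(1):
                adapters[current].append(match.group(1))
            continue
        if in_dns_list and current is not None and BARE_ADDRESS.fullmatch(line.strip()):
            adapters[current].append(line.strip())
            continue
        in_dns_list = False  # any other property line ends the DNS list
    return adapters


def audit(outputs: Dict[str, str], internal_dns: FrozenSet[str],
          exempt: FrozenSet[Tuple[str, str]] = frozenset()) -> List[Finding]:
    """Return one finding per adapter or server that breaks 'internal DNS only'."""
    allowed = {ipaddress.ip_address(a) for a in internal_dns}
    findings: List[Finding] = []
    for host, text in outputs.items():
        for adapter, servers in parse_dns_servers(text).items():
            if (host, adapter) in exempt:
                continue
            if not servers:
                findings.append((host, adapter, None, "no DNS server configured"))
                continue
            for server in servers:
                try:
                    ip = ipaddress.ip_address(server)
                except ValueError:
                    findings.append((host, adapter, server, "unparseable DNS server address"))
                    continue
                if ip in allowed:
                    continue
                if any(ip in net for net in RFC1918):
                    reason = "private address but not an internal DNS server"
                else:
                    reason = "public resolver on an internal host"
                findings.append((host, adapter, server, reason))
    return findings


if __name__ == "__main__":
    for host, adapter, server, reason in audit(SAMPLE_OUTPUTS, INTERNAL_DNS, EXEMPT_ADAPTERS):
        print(f"{host:<11} {adapter:<38} {server or '-':<15} {reason}")
```

On the sample data the script reports XPCLIENT01 (a public resolver listed as its second DNS server, enough to make the XP locator stall while the first answer is awaited or negative) and XPCLIENT02 (pointed at the router rather than the DC); DC01 and ISA01 pass. Feeding it real output means saving `ipconfig /all` per host to a file and loading those into the dictionary; the parser only depends on the header and property layout shown.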
 
Devendra Panchal

Dear Mr. Williams

Let me profoundly thank you for your help.


Regards
Devendra Panchal