• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 878

Slow logon after initial promotion in a site without a local authenticating DC

This is our problem: http://support.microsoft.com/?id=319440

We are migrating our servers over to windows 2003 from windows 2000.
Pilot migration occurred this weekend without incident, but they are expecting this weekend's migration to have trouble with the information referenced above.  Apparently, Microsoft's #1 recommendation is to install a local authenticating DC - well, we don't want to do that to eliminate this problem in offices that we've deemed to be too small for two servers (the local server is a DC, but not authenticating, and is used only for File & Print).

So, I understand there's a hotfix available for 2003 servers that resolves an issue with SMB copies, but no one knows if it will definitely fix our problem.

So, I'm hoping some of you other 2003 admins have seen this and found resolution for it?

Thanx, in advance!
Asked by: sirbounty

1 Solution

Netman66 commented:
Just make the existing server a Global Catalog Server.

If it is already a DC and if you have configured Sites and Subnets, then it already authenticates local site users.

Netman66 commented:
Oh, hey sir...

Just realized it was you asking.

If each site (physical) contains an AD server (DC) and you have configured (correctly) Sites and associated subnets, then the Site boundary will control authentication - closest server, starting within the same site.  Sites will also help control replication - SYSVOL will replicate along with your Policies - so, this issue should not affect you since these policies will be local to each client.

If you make each remote server a GC, then it will also help speed things up.



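A check for the site configuration Netman66 describes, added here as an example and not part of the original thread: it reports which site this host falls into, which subnets map to that site, which DCs and GCs each domain has in it, and whether the DC that handled the current logon is one of them. It uses the .NET System.DirectoryServices.ActiveDirectory classes, which are available on any domain-joined Windows host with PowerShell; the name accounts.example.local is a placeholder for the domain that holds the user accounts.

```powershell
# Added example, not from the thread. The account domain name is a placeholder.
Add-Type -AssemblyName System.DirectoryServices

function Get-SiteCoverageReport {
    param([string]$AccountDomain = 'accounts.example.local')

    # The site is derived from this host's IP address and the subnet objects
    # defined under Sites and Services, so a missing or wrong subnet shows up here.
    $site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite()

    # LOGONSERVER holds the NetBIOS name of the DC that serviced this logon, as \\NAME
    $logonServer = $env:LOGONSERVER -replace '^\\\\', ''

    # Every DC that advertises itself in this site, with its domain and GC status
    $servers = foreach ($dc in $site.Servers) {
        if ($dc -isnot [System.DirectoryServices.ActiveDirectory.DomainController]) { continue }
        New-Object PSObject -Property @{
            Name   = $dc.Name            # FQDN of the DC
            Domain = $dc.Domain.Name     # domain the DC belongs to
            IsGC   = $dc.IsGlobalCatalog()
        }
    }

    $accountDcs = @($servers | Where-Object { $_.Domain -ieq $AccountDomain })
    $localLogon = @($servers | Where-Object { ($_.Name -split '\.')[0] -ieq $logonServer })

    New-Object PSObject -Property @{
        Site                  = $site.Name
        Subnets               = @($site.Subnets | ForEach-Object { $_.Name })
        ServersInSite         = $servers
        AccountDomainDcInSite = ($accountDcs.Count -gt 0)
        AccountDomainGcInSite = (@($accountDcs | Where-Object { $_.IsGC }).Count -gt 0)
        LogonServer           = $logonServer
        LogonServerIsLocal    = ($localLogon.Count -gt 0)
    }
}

# Usage: run on the file & print server at the remote site.
Get-SiteCoverageReport -AccountDomain 'accounts.example.local' | Format-List
```

The case the thread is about is a site where AccountDomainDcInSite comes back False: the host sits in the right site and subnet, but the only DC there belongs to the resource domain, so a console logon with an account from the other domain is serviced by a DC across the WAN. The same facts can be read from the command line with nltest /dsgetsite (the host's site) and nltest /dsgetdc:<domain> (the DC the locator picks and the site it is in).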
Netman66 commented:
This could also be a function of no local DNS.  You should have DNS on each remote server as well.  Once all these services are initially set up, they should help ease WAN traffic and speed up everything local.

sirbounty (Author) commented:
I believe the local server is a GC (currently, and I believe after the migration).  We also have the sites configured appropriately, but apparently this is an issue with 2003 that wasn't necessarily with 2000.
My (limited) understanding of the problem is that not only will the first console login (not connected clients) create a 45-90 minute login delay, but subsequent/intermittent console logins could see the same problem.  I'm sorry I don't fully understand what the issue is myself, but they are referencing the above KB as the problem ("resolvable" by installing a local auth server).  I don't buy it though, as there's got to be others in this same scenario.  The local DNS 'may' be part of the issue... we don't install local DNS servers (and I doubt they would in sites such as this one - only a handful of employees).  But again, the issue is/would be local login at the server - not the local client's authentication.

As of 30 mins ago, they have effectively halted two of our sites scheduled for this weekend (including the one I was scheduled to do).

I'd like to leave this open for about a week and if no other responses from anyone - the points are yours for stopping by...  Thanx Netman66! : )
Netman66 commented:
Well, I can't say I understand what they are worried about.  I now understand the logon comment as being the server console - which I didn't before.

A DC in 2000/2003 by virtue of being a DC is an auth server - if Sites and subnets are configured properly, the console logon will authenticate itself.

Local DNS is not a big issue.  Make all your DNS AD Integrated, each site should point to itself and forward to the Internet.  Clients point to their local DNS server.  If you have the server in place, this is the best scenario as all lookups (including AD/GC) are done in the local site not across the WAN.

You'll have to convince them to try a site and see.

sirbounty (Author) commented:
Reading your reply, I need to restate it a bit...
Our file and print servers are in one domain and the user accounts are in another...perhaps that's the problem.
Yes, they are both DC/Auth servers, but the F&P dc will not authenticate the user logging in at the console, so that will happen off-site.

To be honest, I'm not sure that I understand it completely either - and no one seems to be able to explain it to me... : {
But upper management (got in the way again...) wants to hold off on the migration schedule for our smaller offices...
Oh well.
Netman66 commented:
Ok...that does make a difference.  What they are doing - and I can't say I agree - is mirroring the old NT4 Account and Resource Domain model.

It makes no sense to do this - in fact, they're stifling the technology that they paid good money for.

To make this work correctly, they will need to install DNS locally and a stub zone (or conditional forwarding) at each site - the DNS server will clear up WAN resolution and the Stub Zone will tell any account logon where the other Domain's DNS SOA is located.

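The per-site DNS layout from the comment above, as an added example that is not from the thread or from Microsoft: dnscmd.exe (installed with the DNS Server role on Windows Server 2003 and later) creates the AD-integrated zone for the local domain if it is missing, a stub zone or a conditional forwarder for the account domain, and Internet forwarders; nslookup then confirms that the local server can find the account domain's SOA and DC SRV records on its own. All domain names and IP addresses below are placeholders.

```powershell
# Added example, not from the thread. Replace the placeholders with the real
# domain names and the addresses of the account domain's DNS servers.
$ResourceDomain = 'resource.example.local'     # domain the local file & print DC belongs to
$AccountDomain  = 'accounts.example.local'     # domain that holds the user accounts
$AccountDcIPs   = @('10.0.0.10', '10.0.0.11')  # DNS servers authoritative for $AccountDomain
$IspForwarders  = @('203.0.113.1')             # upstream resolver for non-AD names
$UseStubZone    = $true                        # $false -> conditional forwarder instead

function Invoke-DnsCmd {
    param([string[]]$Arguments)
    # Run dnscmd.exe and fail loudly so a skipped step is not mistaken for success
    & dnscmd.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

function Test-ZoneExists {
    param([string]$Zone)
    # dnscmd /EnumZones prints one zone per line, zone name first
    $lines = & dnscmd.exe /EnumZones 2>&1
    return [bool]($lines | Where-Object { $_ -match "^\s*$([regex]::Escape($Zone))\s" })
}

# 1. Local domain zone stored in AD: it replicates with the DC instead of by zone transfer
if (-not (Test-ZoneExists $ResourceDomain)) {
    Invoke-DnsCmd @('/ZoneAdd', $ResourceDomain, '/DsPrimary')
}

# 2. Account domain: a stub zone copies that domain's SOA/NS records so this server
#    knows where the other domain's DNS authority lives; a conditional forwarder just
#    relays queries for that name to the listed servers. Both are stored in AD (/Ds*).
if (-not (Test-ZoneExists $AccountDomain)) {
    $zoneType = if ($UseStubZone) { '/DsStub' } else { '/DsForwarder' }
    Invoke-DnsCmd (@('/ZoneAdd', $AccountDomain, $zoneType) + $AccountDcIPs)
}

# 3. Everything else (Internet names) goes to the upstream resolver
Invoke-DnsCmd (@('/ResetForwarders') + $IspForwarders)

function Get-DnsAnswerField {
    param([string]$Name, [string]$Type, [string]$Field)
    # Query this server (127.0.0.1) and pull one field out of nslookup's text output
    $out = & nslookup.exe "-type=$Type" $Name 127.0.0.1 2>&1
    foreach ($line in $out) {
        if ($line -match "$Field\s*=\s*(\S+)") { return $Matches[1] }
    }
    return $null
}

# 4. Verify: the local server must now answer for the account domain itself
$soa = Get-DnsAnswerField -Name $AccountDomain -Type 'SOA' -Field 'primary name server'
$srv = Get-DnsAnswerField -Name "_ldap._tcp.dc._msdcs.$AccountDomain" -Type 'SRV' -Field 'svr hostname'
if (-not $soa -or -not $srv) {
    throw "Local DNS cannot resolve $AccountDomain (SOA=$soa, DC SRV=$srv); check the master IPs, forwarders and firewall"
}
"Account domain SOA primary: $soa"
"Account domain DC via SRV:  $srv"
```

The clients at the site only benefit if they point at this server (DHCP option 006 or a static entry), which is the last piece Netman66 lists. On Windows Server 2012 and later the same zones can be created with Add-DnsServerStubZone or Add-DnsServerConditionalForwarderZone from the DnsServer module; dnscmd is used here because the thread is about Windows Server 2003.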
sirbounty (Author) commented:
I knew there was an arbitrary limit of accounts per domain in NT 4, but thought that was done away with in 2k.
I don't know that they are necessarily mirroring the same model, but would presume there's some other reason for doing so.  We're nowhere near a small organization, and I must say our server engineers are top-notch, but this is supposedly a 'feature' in MS 2k3 that is "only resolvable" by the items listed in the KB, topmost being add a local login dc....

Found some more information that it has to do with copying down the profile, although that still doesn't quite make sense to me...
I'll see if I can get even more teeth pulled here (sheesh)...
sirbounty (Author) commented:
Oh well - guess I won't get a valid response from our engineering team on this, but I thank you for your time and suggestions... :)
Netman66 commented:
Too bad - post a blurb if you find out what is the motive behind this.

Thanks for the Q.
sirbounty (Author) commented:
Just in case you're still curious - apparently this is the resolution found.  The kb states for xp/2k - but it works for 2003 as well.  Thanx again! : )

http://support.microsoft.com/?id=812599
sirbounty (Author) commented:
Guess I should've mentioned sysprep - doh!   Sorry about that... ; )
Netman66 commented:
Interesting - yes, Sysprep causes lots of these types of things.

Glad it has been resolved.