Slow logon after initial promotion in a site without a local authenticating DC

Posted on 2004-08-03
Last Modified: 2010-04-19
This is our problem: http://support.microsoft.com/?id=319440

We are migrating our servers over to windows 2003 from windows 2000.
Pilot migration occurred this weekend without incident, but they are expecting this weekend's migration to have trouble with the information referenced above.  Apparently, Microsoft's #1 recommendation is to install a local authenticating DC - well, we don't want to do that to eliminate this problem in offices that we've deemed to be too small for two servers (the local server is a DC, but not authenticating, and is used only for File & Print).

So, I understand there's a hotfix available for 2003 servers that resolves an issue with SMB copies, but no one knows if it will definitely fix our problem.

So, I'm hoping some of you other 2003 admins have seen this and found resolution for it?

Thanx, in advance!
Question by sirbounty (LVL 67)

Expert Comment by Netman66 (LVL 51), ID: 11707799
Just make the existing server a Global Catalog Server.

If it is already a DC and if you have configured Sites and Subnets, then it already authenticates local site users.

Expert Comment by Netman66 (LVL 51), ID: 11707946
Oh, hey sir...

Just realized it was you asking.

If each site (physical) contains an AD server (DC) and you have configured (correctly) Sites and associated subnets, then the Site boundary will control authentication - closest server, starting within the same site.  Sites will also help control replication - SYSVOL will replicate along with your Policies - so, this issue should not affect you since these policies will be local to each client.

If you make each remote server a GC, then it will also help speed things up.



Expert Comment by Netman66 (LVL 51), ID: 11708010
This could also be a function of no local DNS.  You should have DNS on each remote server as well.  Once all these services are initially setup then they should help ease WAN traffic and speed up everything local.

Author Comment by sirbounty (LVL 67), ID: 11708350
I believe the local server is a GC (currently, and I believe after the migration).  We also have the sites configured appropriately, but apparently this is an issue with 2003 that wasn't necessarily with 2000.
My (limited) understanding of the problem is that not only will the first console login (not connected clients) create a 45-90 minute login delay, but subsequent/intermittent console logins could see the same problem.  I'm sorry I don't fully understand what the issue is myself, but they are referencing the above KB as the problem ("resolvable" by installing a local auth server).  I don't buy it though, as there's got to be others in this same scenario.  The local DNS 'may' be part of the issue... we don't install local DNS servers (and I doubt they would in sites such as this one - only a handful of employees).  But again, the issue is/would be local login at the server - not the local client's authentication.

As of 30 mins ago, they have effectively halted two of our sites scheduled for this weekend (including the one I was scheduled to do).

I'd like to leave this open for about a week and if no other responses from anyone - the points are yours for stopping by...  Thanx Netman66! : )
Expert Comment by Netman66 (LVL 51), ID: 11710825
Well, I can't say I understand what they are worried about.  I now understand the logon comment as being the server console - which I didn't before.

A DC in 2000/2003 by virtue of being a DC is an auth server - if Sites and subnets are configured properly, the console logon will authenticate itself.

Local DNS is not a big issue.  Make all your DNS AD Integrated, each site should point to itself and forward to the Internet.  Clients point to their local DNS server.  If you have the server in place, this is the best scenario as all lookups (including AD/GC) are done in the local site not across the WAN.

You'll have to convince them to try a site and see.

Author Comment by sirbounty (LVL 67), ID: 11710845
Reading your reply, I need to restate it a bit...
Our file and print servers are in one domain and the user accounts are in another...perhaps that's the problem.
Yes, they are both DC/Auth servers, but the F&P dc will not authenticate the user logging in at the console, so that will happen off-site.

To be honest, I'm not sure that I understand it completely either - and no one seems to be able to explain it to me... : {
But upper management (got in the way again...) wants to hold off on the migration schedule for our smaller offices...
Oh well.
Accepted Solution by Netman66 (LVL 51, earned 500 total points), ID: 11710891
Ok...that does make a difference.  What they are doing - and I can't say I agree - is mirroring the old NT4 Account and Resource Domain model.

It makes no sense to do this - in fact, they're stifling the technology that they paid good money for.

To make this work correctly, they will need to install DNS locally and a stub zone (or conditional forwarding) at each site - the DNS server will clear up WAN resolution and the Stub Zone will tell any account logon where the other Domain's DNS SOA is located.

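The two points Netman66 makes above (ID 11710825: a DC authenticates its own console logon only if sites and subnets are configured, and DNS should be local to the site; and the accepted solution: with accounts in a second domain, the local DNS server needs a stub zone or conditional forwarder for that domain) can be checked from the F&P server itself. The script below is an added example, not something posted in this thread, and assumes Windows PowerShell 5.1 or later on a domain-joined host with nltest.exe and the DnsClient module (Resolve-DnsName, Get-DnsClientServerAddress). The two domain names are constructed placeholders for the resource (F&P) domain and the account domain.

```powershell
# Added example, not part of the original thread. Assumptions: Windows PowerShell 5.1+
# on a domain-joined host, nltest.exe (ships with the OS) and the DnsClient module.
# The two domain names are constructed placeholders.
$ResourceDomain = 'res.example.local'    # domain of the local File & Print DC
$AccountDomain  = 'acct.example.local'   # domain holding the user accounts

function Get-DcLocatorResult {
    # Runs the same DC Locator a logon uses. /force bypasses the locator cache so the
    # answer reflects the current site/subnet configuration rather than a stale entry.
    param([Parameter(Mandatory)][string]$Domain)
    $out = & nltest.exe "/dsgetdc:$Domain" /force 2>&1
    $fields = @{}
    foreach ($line in $out) {
        if ("$line" -match '^\s*(DC|Address|Dc Site Name|Our Site Name):\s*(.+?)\s*$') {
            $fields[$matches[1]] = $matches[2]
        }
    }
    if ($LASTEXITCODE -ne 0 -or -not $fields['DC']) {
        # Typical cause: the local DNS server cannot resolve the other domain at all,
        # i.e. no stub zone / conditional forwarder for it.
        return [pscustomobject]@{ Domain = $Domain; DC = $null; DcSite = $null
                                  OurSite = $null; InLocalSite = $false; Error = ($out -join ' ') }
    }
    [pscustomobject]@{
        Domain      = $Domain
        DC          = $fields['DC']
        Address     = $fields['Address']
        DcSite      = $fields['Dc Site Name']
        OurSite     = $fields['Our Site Name']
        # True only when the DC the locator picked sits in the same site as this host.
        InLocalSite = [bool]($fields['Dc Site Name'] -and $fields['Dc Site Name'] -eq $fields['Our Site Name'])
        Error       = $null
    }
}

function Test-SiteSrvRecord {
    # Clients find an in-site DC through this site-specific SRV record; when it is absent
    # for a domain, the locator falls back to any DC of that domain, usually across the WAN.
    param([Parameter(Mandatory)][string]$Domain, [Parameter(Mandatory)][string]$Site)
    $name = "_ldap._tcp.$Site._sites.dc._msdcs.$Domain"
    try {
        $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop | Where-Object Type -eq 'SRV'
        [pscustomobject]@{ Record = $name; Found = [bool]$srv; Targets = (@($srv.NameTarget) -join ', ') }
    } catch {
        [pscustomobject]@{ Record = $name; Found = $false; Targets = '' }
    }
}

# 1. Which DNS servers does this host use? They should be local to the site.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# 2. Which site does the host believe it is in? (Derived from the subnet-to-site mapping.)
$ourSite = ("$(& nltest.exe /dsgetsite 2>&1 | Select-Object -First 1)").Trim()
"Site from subnet mapping: $ourSite"

# 3. For each domain: does the locator return an in-site DC, and does the site SRV record exist?
foreach ($domain in $ResourceDomain, $AccountDomain) {
    Get-DcLocatorResult -Domain $domain | Format-List Domain, DC, Address, DcSite, OurSite, InLocalSite, Error
    Test-SiteSrvRecord -Domain $domain -Site $ourSite | Format-List Record, Found, Targets
}
```

Run it on the F&P server. For its own domain the locator should come back with the server itself and InLocalSite = True. For the account domain, which has no DC in that site, the locator returns a DC in another site: that is the WAN dependency a console logon with an account-domain user has regardless of the local server being a DC, and making the local server a Global Catalog does not change it, because a GC of the resource domain holds only a partial, read-only replica of the account domain and does not authenticate its users. If the account-domain lookup fails outright (Error populated, no DC), the local DNS server cannot resolve that domain, which is the stub-zone/conditional-forwarder gap the accepted solution describes.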
Author Comment by sirbounty (LVL 67), ID: 11711002
I knew there was an arbitrary limit of accounts per domain in NT 4, but thought that was done away with in 2k.
I don't know that they are necessarily mirroring the same model, but would presume there's some other reason for doing so.  We're nowhere near a small organization, and I must say our server engineers are top-notch, but this is supposedly a 'feature' in MS 2k3 that is "only resolvable" by the items listed in the KB, topmost being add a local login dc....

Found some more information that it has to do with copying down the profile, although that still doesn't quite make sense to me...
I'll see if I can get even more teeth pulled here (sheesh)...
Author Comment by sirbounty (LVL 67), ID: 11776105
Oh well - guess I won't get a valid response from our engineering team on this, but I thank you for your time and suggestions... :)
Expert Comment by Netman66 (LVL 51), ID: 11780001
Too bad - post a blurb if you find out what is the motive behind this.

Thanks for the Q.
Author Comment by sirbounty (LVL 67), ID: 11953272
Just in case you're still curious - apparently this is the resolution found.  The KB states for XP/2K - but it works for 2003 as well.  Thanx again! : )

http://support.microsoft.com/?id=812599
Author Comment by sirbounty (LVL 67), ID: 11953285
Guess I should've mentioned sysprep - doh!   Sorry about that... ; )
Expert Comment by Netman66 (LVL 51), ID: 11960522
Interesting - yes, Sysprep causes lots of these types of things.

Glad it has been resolved.