Solved

Slow logon after initial promotion in a site without a local authenticating DC

Posted on 2004-08-03
Last Modified: 2010-04-19
This is our problem: http://support.microsoft.com/?id=319440

We are migrating our servers over to windows 2003 from windows 2000.
Pilot migration occurred this weekend without incident, but they are expecting this weekend's migration to have trouble with the information referenced above.  Apparently, Microsoft's #1 recommendation is to install a local authenticating DC - well, we don't want to do that to eliminate this problem in offices that we've deemed to be too small for two servers (the local server is a DC, but not authenticating, and is used only for File & Print).

So, I understand there's a hotfix available for 2003 servers that resolves an issue with SMB copies, but no one knows if it will definitely fix our problem.

So, I'm hoping some of you other 2003 admins have seen this and found resolution for it?

Thanx, in advance!
Question by:sirbounty

13 Comments
LVL 51

Expert Comment

by:Netman66
ID: 11707799
Just make the existing server a Global Catalog Server.

If it is already a DC and if you have configured Sites and Subnets, then it already authenticates local site users.

 
LVL 51

Expert Comment

by:Netman66
ID: 11707946
Oh, hey sir...

Just realized it was you asking.

If each site (physical) contains an AD server (DC) and you have configured (correctly) Sites and associated subnets, then the Site boundary will control authentication - closest server, starting within the same site.  Sites will also help control replication - SYSVOL will replicate along with your Policies - so, this issue should not affect you since these policies will be local to each client.

If you make each remote server a GC, then it will also help speed things up.



 
LVL 51

Expert Comment

by:Netman66
ID: 11708010
This could also be a function of no local DNS.  You should have DNS on each remote server as well.  Once all these services are initially setup then they should help ease WAN traffic and speed up everything local.

 
LVL 67

Author Comment

by:sirbounty
ID: 11708350
I believe the local server is a GC (currently, and I believe after the migration).  We also have the sites configured appropriately, but apparently this is an issue with 2003 that wasn't necessarily with 2000.
My (limited) understanding of the problem is that not only will the first console login (not connected clients) create a 45-90 minute login delay, but subsequent/intermittent console logins could see the same problem.  I'm sorry I don't fully understand what the issue is myself, but they are referencing the above KB as the problem ("resolvable" by installing a local auth server).  I don't buy it though, as there's got to be others in this same scenario.  The local DNS 'may' be part of the issue... we don't install local DNS servers (and I doubt they would in sites such as this one - only a handful of employees).  But again, the issue is/would be local login at the server - not the local client's authentication.

As of 30 mins ago, they have effectively halted two of our sites scheduled for this weekend (including the one I was scheduled to do).

I'd like to leave this open for about a week and if no other responses from anyone - the points are yours for stopping by...  Thanx Netman66! : )
 
LVL 51

Expert Comment

by:Netman66
ID: 11710825
Well, I can't say I understand what they are worried about.  I now understand the logon comment as being the server console - which I didn't before.

A DC in 2000/2003 by virtue of being a DC is an auth server - if Sites and subnets are configured properly, the console logon will authenticate itself.

Local DNS is not a big issue.  Make all your DNS AD Integrated, each site should point to itself and forward to the Internet.  Clients point to their local DNS server.  If you have the server in place, this is the best scenario as all lookups (including AD/GC) are done in the local site not across the WAN.

You'll have to convince them to try a site and see.

 
LVL 67

Author Comment

by:sirbounty
ID: 11710845
Reading your reply, I need to restate it a bit...
Our file and print servers are in one domain and the user accounts are in another...perhaps that's the problem.
Yes, they are both DC/Auth servers, but the F&P dc will not authenticate the user logging in at the console, so that will happen off-site.

To be honest, I'm not sure that I understand it completely either - and no one seems to be able to explain it to me... : {
But upper management (got in the way again...) wants to hold off on the migration schedule for our smaller offices...
Oh well.
 
LVL 51

Accepted Solution

by:
Netman66 earned 2000 total points
ID: 11710891
Ok...that does make a difference.  What they are doing - and I can't say I agree - is mirroring the old NT4 Account and Resource Domain model.

It makes no sense to do this - in fact, they're stifling the technology that they paid good money for.

To make this work correctly, they will need to install DNS locally and a stub zone (or conditional forwarding) at each site - the DNS server will clear up WAN resolution and the Stub Zone will tell any account logon where the other Domain's DNS SOA is located.

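The per-site DNS layout Netman66 outlines in his earlier reply (local AD-integrated DNS, each site resolving against itself and forwarding to the Internet, clients pointing at the local server) together with the stub zone / conditional forwarder for the other domain that he adds here, written out as a PowerShell example. This is added here and is not code from the thread or from Microsoft; it assumes the DnsServer, NetTCPIP and ActiveDirectory modules of Windows Server 2012 or later (on the 2003 servers discussed in this thread the same settings would be made in the DNS console or with dnscmd.exe), and every domain name, address and interface name in it is a constructed placeholder.

```powershell
# Added example (not from the thread): branch-office DNS for a two-domain setup,
# run on the local File & Print DC. Assumes the DnsServer, NetTCPIP and
# ActiveDirectory modules (Windows Server 2012+). All values are placeholders.

$ResourceDomain = 'res.example.local'            # domain the local File & Print DC belongs to
$AccountDomain  = 'acct.example.local'           # domain that holds the user accounts
$AccountDcIps   = @('10.0.0.10', '10.0.0.11')    # DNS servers authoritative for $AccountDomain
$UpstreamDns    = @('192.0.2.53')                # central/ISP resolver for Internet names
$LocalDcIp      = '10.20.0.5'                    # this branch DC
$Nic            = 'Ethernet'                     # interface alias of the DC's LAN NIC

# 1. Host the resource domain's zone locally, AD-integrated, secure dynamic updates only
#    (so only authenticated machines can register or overwrite records).
if (-not (Get-DnsServerZone -Name $ResourceDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $ResourceDomain -ReplicationScope 'Domain' -DynamicUpdate 'Secure'
}

# 2. Point lookups for the account domain at that domain's own name servers.
#    Conditional forwarder (simpler) or stub zone (keeps the NS list in sync) - use one.
Add-DnsServerConditionalForwarderZone -Name $AccountDomain -MasterServers $AccountDcIps -ReplicationScope 'Forest'
# Add-DnsServerStubZone -Name $AccountDomain -MasterServers $AccountDcIps -ReplicationScope 'Forest'

# 3. Everything else (Internet names) is forwarded upstream.
Set-DnsServerForwarder -IPAddress $UpstreamDns

# 4. The DC resolves against itself first and falls back to a hub server;
#    clients in the site get $LocalDcIp from DHCP the same way.
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses @($LocalDcIp, $AccountDcIps[0])

# 5. Checks to run before the migration weekend.
# The SRV record the logon code follows must resolve through the local server...
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$AccountDomain" -Type SRV -Server $LocalDcIp
# ...and the DC locator must pick the expected site and a DC of the account domain:
nltest /dsgetsite
nltest "/dsgetdc:$AccountDomain" /force
# Site/subnet coverage: a subnet missing here sends its clients to an arbitrary DC.
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
```

If the `nltest /dsgetdc` output names a DC in a different site, fix the subnet-to-site mapping before looking further; a console logon on the local DC will keep crossing the WAN for as long as the locator prefers a remote DC.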
 
LVL 67

Author Comment

by:sirbounty
ID: 11711002
I knew there was an arbitrary limit of accounts per domain in NT 4, but thought that was done away with in 2k.
I don't know that they are necessarily mirroring the same model, but would presume there's some other reason for doing so.  We're nowhere near a small organization, and I must say our server engineers are top-notch, but this is supposedly a 'feature' in MS 2k3 that is "only resolvable" by the items listed in the KB, topmost being add a local login dc....

Found some more information that it has to do with copying down the profile, although that still doesn't quite make sense to me...
I'll see if I can get even more teeth pulled here (sheesh)...
 
LVL 67

Author Comment

by:sirbounty
ID: 11776105
Oh well - guess I won't get a valid response from our engineering team on this, but I thank you for your time and suggestions... :)
 
LVL 51

Expert Comment

by:Netman66
ID: 11780001
Too bad - post a blurb if you find out what is the motive behind this.

Thanks for the Q.
 
LVL 67

Author Comment

by:sirbounty
ID: 11953272
Just in case you're still curious - apparently this is the resolution found.  The KB states for XP/2k - but it works for 2003 as well.  Thanx again! : )

http://support.microsoft.com/?id=812599
 
LVL 67

Author Comment

by:sirbounty
ID: 11953285
Guess I should've mentioned sysprep - doh!   Sorry about that... ; )
 
LVL 51

Expert Comment

by:Netman66
ID: 11960522
Interesting - yes, Sysprep causes lots of these types of things.

Glad it has been resolved.