Solved

Slow logon after initial promotion in a site without a local authenticating DC

Posted on 2004-08-03
823 Views
Last Modified: 2010-04-19
This is our problem: http://support.microsoft.com/?id=319440

We are migrating our servers over to windows 2003 from windows 2000.
Pilot migration occurred this weekend without incident, but they are expecting this weekend's migration to have trouble with the information referenced above.  Apparently, Microsoft's #1 recommendation is to install a local authenticating DC - well, we don't want to do that to eliminate this problem in offices that we've deemed to be too small for two servers (the local server is a DC, but not authenticating, and is used only for File & Print).

So, I understand there's a hotfix available for 2003 servers that resolves an issue with SMB copies, but no one knows if it will definitely fix our problem.

So, I'm hoping some of you other 2003 admins have seen this and found resolution for it?

Thanx, in advance!
0
Question by:sirbounty
13 Comments
 
LVL 51

Expert Comment

by:Netman66
Just make the existing server a Global Catalog Server.

If it is already a DC and if you have configured Sites and Subnets, then it already authenticates local site users.

0
 
LVL 51

Expert Comment

by:Netman66
Oh, hey sir...

Just realized it was you asking.

If each site (physical) contains an AD server (DC) and you have configured (correctly) Sites and associated subnets, then the Site boundary will control authentication - closest server, starting within the same site.  Sites will also help control replication - SYSVOL will replicate along with your Policies - so, this issue should not affect you since these policies will be local to each client.

If you make each remote server a GC, then it will also help speed things up.



0
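The checks Netman66 describes above (site and subnet mapping, the locator picking the closest DC, the local server advertising as a GC) can be scripted. The following is an added example written for this page, not code from the thread or from Microsoft; it assumes an account domain acct.example.com, a resource domain res.example.com and a branch site named Branch-01, all placeholders, and it uses the RSAT ActiveDirectory module plus nltest, so it is later tooling than the 2003-era environment discussed.

```powershell
# Added example, not from the thread. Verifies that a branch server's site and subnet
# configuration is in place and shows which DC the locator returns for each domain.
# Placeholders: acct.example.com (account domain), res.example.com (resource domain),
# Branch-01 (site name). Requires the RSAT ActiveDirectory module; the thread-era
# equivalents are nltest and dcdiag.
Import-Module ActiveDirectory

$AccountDomain  = 'acct.example.com'
$ResourceDomain = 'res.example.com'
$ExpectedSite   = 'Branch-01'

# 1. Which site does this machine map to? nltest derives it from the machine's IP address
#    and the subnet-to-site objects in the configuration partition. The first output line
#    is the site name; the last is the status message.
$siteOut    = & nltest.exe /dsgetsite 2>&1
$actualSite = ($siteOut | Select-Object -First 1).Trim()
if ($actualSite -ne $ExpectedSite) {
    Write-Warning "Machine maps to site '$actualSite', expected '$ExpectedSite'. Subnet objects:"
    Get-ADReplicationSubnet -Filter * -Properties Site |
        Select-Object Name, @{ n = 'Site'; e = { ($_.Site -split ',')[0] -replace '^CN=' } }
}

# 2. Which DC does the locator hand back for each domain when asked from this site?
#    A GC is requested because logon needs universal-group membership; -ForceDiscover
#    bypasses the cached answer, -NextClosestSite shows where it goes when the site has none.
#    For the account domain this is exactly the case the thread worries about: with no
#    account-domain DC in the branch, the answer is a DC in another site, across the WAN.
foreach ($dom in $AccountDomain, $ResourceDomain) {
    $dc = Get-ADDomainController -Discover -DomainName $dom -SiteName $ExpectedSite `
                                 -Service GlobalCatalog -ForceDiscover -NextClosestSite
    $where = if ($dc.Site -eq $ExpectedSite) { 'LOCAL' } else { "REMOTE (site $($dc.Site))" }
    '{0,-20} -> {1,-32} {2}' -f $dom, "$($dc.HostName)", $where
}

# 3. Is the local server actually a GC? Enable it if not. The partial attribute set of the
#    other domain must replicate in before it is useful, so do this well ahead of cutover.
$local = Get-ADDomainController -Identity $env:COMPUTERNAME
if (-not $local.IsGlobalCatalog) {
    $ntds = Get-ADObject -Identity $local.NTDSSettingsObjectDN -Properties options
    Set-ADObject -Identity $local.NTDSSettingsObjectDN `
                 -Replace @{ options = ([int]$ntds.options -bor 1) }
}

# 4. The site-specific SRV record the locator queries first. If it is missing, the client
#    falls back to the domain-wide record and may get any DC in the domain.
Resolve-DnsName -Type SRV -Name "_ldap._tcp.$ExpectedSite._sites.dc._msdcs.$AccountDomain" |
    Select-Object Name, NameTarget, Port, Priority, Weight
```

Run it on the branch server. A REMOTE result for the account domain in step 2 with a LOCAL result for the resource domain reproduces the situation sirbounty describes: the resource-domain DC is local, but nothing in the branch can authenticate an account-domain user, so that part of a console logon always leaves the site.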
 
LVL 51

Expert Comment

by:Netman66
This could also be a function of no local DNS.  You should have DNS on each remote server as well.  Once all these services are initially setup then they should help ease WAN traffic and speed up everything local.

0
 
LVL 67

Author Comment

by:sirbounty
I believe the local server is a GC (currently, and I believe after the migration).  We also have the sites configured appropriately, but apparently this is an issue with 2003 that wasn't necessarily with 2000.
My (limited) understanding of the problem is that not only will the first console login (not connected clients) create a 45-90 minute login delay, but subsequent/intermittent console logins could see the same problem.  I'm sorry I don't fully understand what the issue is myself, but they are referencing the above KB as the problem ("resolvable" by installing a local auth server).  I don't buy it though, as there's got to be others in this same scenario.  The local DNS 'may' be part of the issue... we don't install local DNS servers (and I doubt they would in sites such as this one - only a handful of employees).  But again, the issue is/would be local login at the server - not the local client's authentication.

As of 30 mins ago, they have effectively halted two of our sites scheduled for this weekend (including the one I was scheduled to do).

I'd like to leave this open for about a week and if no other responses from anyone - the points are yours for stopping by...  Thanx Netman66! : )
0
 
LVL 51

Expert Comment

by:Netman66
Well, I can't say I understand what they are worried about.  I now understand the logon comment as being the server console - which I didn't before.

A DC in 2000/2003 by virtue of being a DC is an auth server - if Sites and subnets are configured properly, the console logon will authenticate itself.

Local DNS is not a big issue.  Make all your DNS AD Integrated, each site should point to itself and forward to the Internet.  Clients point to their local DNS server.  If you have the server in place, this is the best scenario as all lookups (including AD/GC) are done in the local site not across the WAN.

You'll have to convince them to try a site and see.

0
 
LVL 67

Author Comment

by:sirbounty
Reading your reply, I need to restate it a bit...
Our file and print servers are in one domain and the user accounts are in another... perhaps that's the problem.
Yes, they are both DC/Auth servers, but the F&P DC will not authenticate the user logging in at the console, so that will happen off-site.

To be honest, I'm not sure that I understand it completely either - and no one seems to be able to explain it to me... : {
But upper management (got in the way again...) wants to hold off on the migration schedule for our smaller offices...
Oh well.
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 500 total points
Ok...that does make a difference.  What they are doing - and I can't say I agree - is mirroring the old NT4 Account and Resource Domain model.

It makes no sense to do this - in fact, they're stifling the technology that they paid good money for.

To make this work correctly, they will need to install DNS locally and a stub zone (or conditional forwarding) at each site - the DNS server will clear up WAN resolution and the Stub Zone will tell any account logon where the other Domain's DNS SOA is located.

0
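The DNS layout from the accepted answer and from Netman66's earlier comment (AD-integrated local zone, each site's server resolving for itself and forwarding to the Internet, a stub zone or conditional forwarder for the other domain, clients pointed at the local server) as one script. This is an added example for this page, not code from the thread; every name and address in it is a placeholder: res.example.com is the resource domain hosted on the branch server, acct.example.com the account domain whose DNS servers are 10.10.0.10 and 10.10.0.11, 10.20.0.5 the branch server itself, 203.0.113.53 the upstream resolver. It uses the DnsServer and DnsClient modules (Server 2012 and later); on the 2003-era servers in the thread the same steps are done with dnscmd and the DNS console.

```powershell
# Added example, not from the thread. Sets up branch-site DNS so that name resolution,
# including the DC locator SRV lookups for both domains, is answered locally or referred
# directly to the right authoritative servers instead of bouncing off a hub server.
# All names and addresses are placeholders.
Import-Module DnsServer, DnsClient

$LocalZone   = 'res.example.com'            # resource domain, zone hosted on this DC
$AccountZone = 'acct.example.com'           # account domain, hosted elsewhere
$AccountDns  = '10.10.0.10', '10.10.0.11'   # account-domain DNS servers
$SelfIp      = '10.20.0.5'                  # this server
$Upstream    = '203.0.113.53'               # Internet resolver

# 1. The local zone must be AD-integrated: it then replicates with the directory and
#    never depends on a zone transfer across the WAN. ReplicationScope Domain keeps it
#    on this domain's DCs only.
$zone = Get-DnsServerZone -Name $LocalZone
if (-not $zone.IsDsIntegrated) {
    ConvertTo-DnsServerPrimaryZone -Name $LocalZone -ReplicationScope Domain -Force
}

# 2. Stub zone for the account domain: this server holds only the account domain's
#    SOA, NS and glue records and resolves _msdcs SRV queries for that domain directly
#    against its authoritative servers. Forest scope stores it in AD so every
#    DNS-hosting DC in the forest receives it.
if (-not (Get-DnsServerZone -Name $AccountZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerStubZone -Name $AccountZone -MasterServers $AccountDns -ReplicationScope Forest
}
# Equivalent using a conditional forwarder, which sends the whole query to the listed
# servers instead of following referrals. Use one or the other, not both:
# Add-DnsServerConditionalForwarderZone -Name $AccountZone -MasterServers $AccountDns -ReplicationScope Forest

# 3. Everything else is forwarded to the upstream resolver, not to a hub DC.
Set-DnsServerForwarder -IPAddress $Upstream -UseRootHint $false

# 4. The server resolves against itself first; an account-domain DNS server is second
#    as a fallback only. Site clients get the same order through DHCP option 6.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses ($SelfIp, $AccountDns[0])

# 5. Verify from the local server that the DC locator records of both domains resolve.
foreach ($z in $LocalZone, $AccountZone) {
    Resolve-DnsName -Server $SelfIp -Type SRV -Name "_ldap._tcp.dc._msdcs.$z" |
        Select-Object Name, NameTarget, Port
}
```

Step 5 is the check worth keeping in a runbook: if the SRV lookup for the account domain fails or times out when asked of the local server, the branch is still depending on a WAN path for every account-domain logon, whatever the site and subnet objects say.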
 
LVL 67

Author Comment

by:sirbounty
I knew there was an arbitrary limit of accounts per domain in NT 4, but thought that was done away with in 2k.
I don't know that they are necessarily mirroring the same model, but would presume there's some other reason for doing so.  We're nowhere near a small organization, and I must say our server engineers are top-notch, but this is supposedly a 'feature' in MS 2k3 that is "only resolvable" by the items listed in the KB, topmost being add a local login DC....

Found some more information that it has to do with copying down the profile, although that still doesn't quite make sense to me...
I'll see if I can get even more teeth pulled here (sheesh)...
0
 
LVL 67

Author Comment

by:sirbounty
Oh well - guess I won't get a valid response from our engineering team on this, but I thank you for your time and suggestions... :)
0
 
LVL 51

Expert Comment

by:Netman66
Too bad - post a blurb if you find out what is the motive behind this.

Thanks for the Q.
0
 
LVL 67

Author Comment

by:sirbounty
Just in case you're still curious - apparently this is the resolution found.  The kb states for xp/2k - but it works for 2003 as well.  Thanx again! : )

http://support.microsoft.com/?id=812599
0
 
LVL 67

Author Comment

by:sirbounty
Guess I should've mentioned sysprep - doh!   Sorry about that... ; )
0
 
LVL 51

Expert Comment

by:Netman66
Interesting - yes, Sysprep causes lots of these types of things.

Glad it has been resolved.
0
