SimonUK asked:
Active Directory & DNS new user

Hi all

I've just installed my first Windows 2003 Server.  This is my first experience of 2003, Active Directory and DNS (where connected to AD).  I've got a couple of questions which I'll post as separate threads in the interests of awarding fair points.

All seems to have gone well.  I can work with Active Directory Users and Computers OK, I'm creating users and testing logins, security policies etc and I'm feeling my way around (I've got a mountain of books on the topic).

I expect I'll get to the cause of this problem at some point but if a genius out there could solve it for me faster I'd be really grateful.

Actually opening the Active Directory Users and Computers snap-in takes ages - say 10 seconds.  When using it, it also stops responding for the same length of time depending on what I'm doing.  For example, I can look at a list of users but I know as soon as I right-click on one, or click Action, it'll stop for 5 or 10 seconds before the context menu appears.  It'll then be OK for what seems a few operations (or it might be a certain amount of time, or a certain amount of time between operations) then the same thing will happen.  This happens in all areas of that snap-in, and also in other snap-ins that I think are referencing AD.

Any other open apps are fine and don't freeze, task manager shows CPU usage etc to be mostly nothing although it reports the snap-in as not responding for the duration of the delay.

What I suspect is related is the time it takes for clients to log in.  If I log them into the server itself (I added Domain Users group to the Print Operators group to temporarily allow this), everything works fine, and very quickly.  If I log in from, say a laptop, the interaction with the server seems OK (if I force a password reset the client instantly requests it when I try and log in, and instantly accepts the change), but the client stops at APPLYING personal settings for ages - over 1 or 2 minutes - every time I log in from a client machine.

I'm almost certain this is all to do with DNS, and I'm not surprised it causes confusion for new users like me; working with DNS as a local name resolution service is the opposite of what we're used to - I'm still getting my head around the implications of using my "public" domain names as internal ones, but every book offers differing advice - some say use a non-internet top level domain like .local - others say stick to the rules.

Anyway, back to topic - any ideas?

Many thanks


Simon
ASKER CERTIFIED SOLUTION
oBdA
SimonUK (ASKER):

Wow!

Thank you VERY much - in one page you fixed the problems.

- Changing the DC/DNS so the only DNS listed in the TCP/IP properties is itself fixed the AD snap-in problem immediately.

- To sort out the settings in the clients I disabled my router DHCP and switched it on in the server, and gave it the right scope settings so that the clients got the correct DNS server.  Now the clients log on instantly as if they were using a local account... (once I'd realised that the DHCP server has to be authorised to actually do anything!)

- DNS external resolution was already working, there was no single dot in the forward lookup zone - but there were no forwarders set up so I've done that now.

- The forwarders were already set to Active Directory integrated, just as you said they should.

- Dynamic updates were already enabled (secure only).

Thanks also for your comments on the domain name.  I'm using .local but this is only a test rig, I'm going to wipe it all and start again properly once I've tested it and understand it properly.  One or two books say it's worth using your external domain "so that users can use their e-mail address to log in", which seems a pretty strange reason to me!

I'll go through all the links you kindly provided now, but I wanted to take the time to give feedback first.

Once again, EE experts have the answers!!!


Simon


ONE slight remaining question - if I right-click the forward and reverse lookup zones I don't get a Properties option.


 answered the most difficult to master questions, that I couldn't find details of, in FOUR Server 2003 / AD books.  Next time I'll just post the question here, "How to set up Server 2003" and save myself £50.

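The five settings Simon lists above (DC pointing only at itself for DNS, no "." root zone plus forwarders, AD-integrated zone, secure-only dynamic updates, and an authorised DHCP server handing out the DC as option 006) are the usual checklist for this symptom. The script below is an added, read-only check of those same settings; it is not from the thread or from oBdA, and it assumes a current Windows Server DC with the DnsServer, DhcpServer and ActiveDirectory modules (these cmdlets do not exist on Server 2003, but the configuration points are identical).

```powershell
# Added example: read-only health checks for the DC/DNS/DHCP settings discussed in this thread.
# Assumption: run elevated on a current Windows Server DC that also hosts DNS and DHCP.
Import-Module DnsServer, DhcpServer, ActiveDirectory -ErrorAction Stop

$domain  = (Get-ADDomain).DNSRoot
$results = @()
function Add-Result($check, $pass, $detail) {
    $script:results += [pscustomobject]@{ Check = $check; Pass = [bool]$pass; Detail = ($detail -join ', ') }
}

# 1. The DC's own TCP/IP DNS client list must contain only itself (127.0.0.1 is included by Get-NetIPAddress),
#    never the router or an ISP resolver - the fix that cured the slow AD snap-in.
$localIPs  = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
$clientDns = (Get-DnsClientServerAddress -AddressFamily IPv4 |
              Where-Object { $_.ServerAddresses }).ServerAddresses | Select-Object -Unique
$foreign   = @($clientDns | Where-Object { $localIPs -notcontains $_ })
Add-Result 'DC DNS client points only to itself' ($foreign.Count -eq 0) $clientDns

# 2. External resolution: no "." root zone (which would stop recursion), and at least one forwarder set.
$rootZone   = Get-DnsServerZone | Where-Object { $_.ZoneName -eq '.' }
$forwarders = @((Get-DnsServerForwarder).IPAddress)
Add-Result 'No "." root zone present' (-not $rootZone) ''
Add-Result 'Forwarders configured'     ($forwarders.Count -gt 0) $forwarders

# 3. The domain's forward lookup zone should be AD integrated with secure-only dynamic updates.
$zone = Get-DnsServerZone -Name $domain
Add-Result 'Domain zone is AD integrated'  $zone.IsDsIntegrated               $zone.ZoneType
Add-Result 'Dynamic updates: secure only'  ($zone.DynamicUpdate -eq 'Secure') $zone.DynamicUpdate

# 4. DHCP: the server must be authorised in AD (otherwise it hands out nothing), and each scope's
#    option 006 (DNS servers) must point clients at the DC rather than the router.
$authorised = @((Get-DhcpServerInDC).IPAddress | ForEach-Object { $_.ToString() })
Add-Result 'DHCP server authorised in AD' (@($authorised | Where-Object { $localIPs -contains $_ }).Count -gt 0) $authorised
foreach ($scope in Get-DhcpServerv4Scope) {
    $opt = Get-DhcpServerv4OptionValue -ScopeId $scope.ScopeId -OptionId 6 -ErrorAction SilentlyContinue
    if (-not $opt) { $opt = Get-DhcpServerv4OptionValue -OptionId 6 -ErrorAction SilentlyContinue }  # server-level fallback
    $dns = @($opt.Value)
    $bad = @($dns | Where-Object { $localIPs -notcontains $_ })
    Add-Result "Scope $($scope.ScopeId) option 006 = this DC" ($dns.Count -gt 0 -and $bad.Count -eq 0) $dns
}

$results | Format-Table -AutoSize
```

Any row with Pass = False maps directly onto one of the bullets in the post above; the script changes nothing, so it is safe to run repeatedly while you work through the fixes.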
SimonUK (ASKER):

Oops, ignore the bits under my name, forgot to clean up my post!!!

I didn't mean the "Forward lookup zones" tree itself, but your domain's forward lookup zone(s). But you've found the properties I meant already, as you were able to determine that your zones are AD integrated.
Oh, and never mind the UPN logon. You can use an AD domain name of company.local, and still add company.com as allowed UPN suffix:
HOW TO: Add UPN Suffixes to a Forest
http://support.microsoft.com/?kbid=243629
SimonUK (ASKER):

Brilliant!!!!!!