slow internal DNS / user security resolution
Posted on 2006-11-21
We are experiencing two issues which I think are related. First, when I open the properties of DNS, a folder, etc., and look at the Security tab, the system is extremely slow to resolve account names from the SIDs. It eventually does resolve all of the usernames, but it takes up to a minute or two.
Second, logged on to the DC/DNS server, I open a command prompt and "ping <internal name>". There is a pause of 5 seconds or so, then the name is resolved and the ping is successful. If I ping an IP address of an internal machine, the response is instant. If I use NSLOOKUP to resolve an internal machine name, it is instantaneous.
We are running Active Directory with two Win2k3SP1 servers that are DCs and DNS. Both DNS servers list 127.0.0.1 in TCP/IP settings, and the primary DNS forwards to an Internet DNS server. The secondary does not forward.
The testing I have been doing is from the DC/DNS servers. So, name resolution is slow while logged on directly to the DNS server.