Solved

Windows 2003 Domain with XP Clients in Workgroup

Posted on 2006-11-27
396 Views
Last Modified: 2011-04-06
I have a single Windows 2003 Server with an AD domain setup, and Windows XP clients that are not using a domain login. They are in a workgroup of the same name as the domain and have matching usernames & passwords on the server, where they are configured as domain users.

We figured out that the workstation login and file access was much faster using this method. I am assuming that we are not subject to a 10-user limitation due to the fact that AD is installed and in use on the server.

The users in this environment will not change their passwords so we don't have to worry about a mismatch. We don't need to do a lot of tweaking or management, so the faster login and file access was what we opted for.

Are there any major problems headed our way?

Why does a domain login slow everything down so much?
Question by:CaptWill
10 Comments
Accepted Solution

by: Rob Williams (earned 500 total points)
A domain login does not usually "slow everything down". Perhaps you had a configuration problem. Most often slow logons and slow access to files is due to incorrectly configured DNS. A domain offers so much more functionality, security, and central management, I would recommend reconsidering your decision. There is little advantage in having a domain if your computers are not members of the domain.

Some guidelines with configuring DNS if you should like to look into the problems you were having:
Assuming you have completed the server installation, installed Active Directory, and joined the workstations to the Domain, make sure DNS is configured as follows, assuming a single network adapter:
-The server's NIC should be configured with a static IP, the Internet router as the gateway, and only the server itself as the DNS server. Do not use an ISP DNS server here.
-Each workstation should be configured using DHCP (obtain an IP address and DNS automatically) or, if configured with static addresses: a static IP in the same subnet as the server, same subnet mask as the server, the gateway pointing to your Internet router, and the DNS server pointing ONLY to the server/domain controller. Again, do not put an ISP's DNS server here.
-In the DNS management console under Administrative Tools, right click on the server name and choose Properties. On the Forwarders tab add your ISP's DNS servers.
-If the workstations are using DHCP, open the DHCP management console on the server under Administrative Tools and click on the server name to expand it, click on the scope to expand it, right click on Scope Options and choose Configure Options. On the General tab add the Internet router's IP in #003 Router, the server's IP in #006 DNS Servers, and the domain name and suffix under #015, such as mydomain.local.
-If DHCP is enabled on the router, rather than the server, it should really be disabled on the router and configured on the server. Enabling DHCP on the server assists with dynamic updates to DNS, allows for central management, and far more scope options.
-The DHCP client service should be running on servers and workstations even where you are not using DHCP assignments. The DHCP client service controls the dynamic DNS updates.

If you have been having DNS problems, on the workstations that have been having problems you should clear the DNS cache by entering at a command line:
  ipconfig /flushdns
and then
  ipconfig /registerdns

This should help with the slow logons. If you have the ISP's DNS servers anywhere in the NICs, the workstations will often go to the Internet to try to resolve names and cause them to "hang".

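One way to check a workstation against the DNS guidelines in the accepted answer, as an added example that is not part of the answer or of any Microsoft tool: a Python script that parses `ipconfig /all` output (a constructed sample is embedded) and flags any DNS server entry other than the domain controller, a DNS suffix that does not match the domain, or a static address outside the DC's subnet. The DC address 192.168.1.10 is an assumed value; mydomain.local is the suffix the answer uses.

```python
import ipaddress
import re

# Constructed `ipconfig /all` excerpt (not a real capture); the second DNS entry is an outside resolver.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . : mydomain.local
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.50
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        DNS Servers . . . . . . . . . . . : 192.168.1.10
                                            208.67.222.222
"""

def parse_ipconfig(text):
    """Map field names to values; 'DNS Servers' is a list because extra servers follow on indented lines."""
    fields, current = {"DNS Servers": []}, None
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z -]+?)[ .]*: (.*)$", line)
        if m:
            current, value = m.group(1).strip(), m.group(2).strip()
            if current == "DNS Servers":
                fields[current].append(value)
            else:
                fields[current] = value
        elif current == "DNS Servers" and line.strip():
            fields["DNS Servers"].append(line.strip())  # continuation line with no field name
    return fields

def check_workstation(fields, dc_ip="192.168.1.10", domain="mydomain.local"):
    """Apply the answer's guidelines; an empty list means the NIC passes. dc_ip is an assumed address."""
    findings = []
    dns = fields.get("DNS Servers", [])
    if not dns:
        findings.append("no DNS server set; it must be the domain controller")
    for server in dns:
        if server != dc_ip:
            findings.append(f"DNS server {server} is not the DC; point ONLY to {dc_ip}")
    if fields.get("Connection-specific DNS Suffix") != domain:
        findings.append(f"DNS suffix is not {domain}; set DHCP option #015 or the NIC suffix")
    if fields.get("Dhcp Enabled") != "Yes":  # static address: must share the DC's subnet
        net = ipaddress.ip_network(f"{fields['IP Address']}/{fields['Subnet Mask']}", strict=False)
        if ipaddress.ip_address(dc_ip) not in net:
            findings.append(f"static address {fields['IP Address']} is outside the DC subnet {net}")
    return findings

if __name__ == "__main__":
    for finding in check_workstation(parse_ipconfig(SAMPLE_IPCONFIG)):
        print("FINDING:", finding)
```

On a real workstation, feed it the saved output of `ipconfig /all` instead of the sample.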
Author Comment

by: CaptWill
RobWill:

Thanks for the advice. We will retry with the ISP nameservers as forwarders only. Right now we have them set as secondary and tertiary nameservers.

We also originally arrived at this situation when we removed a Windows 2000 server and replaced with a 2003 server. We have messages about invalid SIDs and had to go around "re-establishing" the SID, which effectively meant rebuilding the desktops on 20 computers... After seeing how painful that was we "opted out" on the domain login, as we do not have a secondary DC.

Expert Comment

by: Rob Williams
The SID problem is usually a result of cloning workstations without running the Sysprep utility, which is part of the Windows install CD under Support Tools. Sysinternals (now Microsoft) has a utility to change the SID, which might be useful to you:
http://www.microsoft.com/technet/sysinternals/Security/NewSid.mspx

I can't imagine managing a workgroup environment. Too complicated for me :-)

Expert Comment

by: Lee W, MVP
What you have is a horrible mess, with horrible security, and possibly in violation of licensing terms if you do not have appropriate Client Access Licenses.  As RobWill suggested, your problems were most likely due to DNS issues as well as other serious misconfiguration issues.  A domain does not slow things down unless it's not configured appropriately.

Author Comment

by: CaptWill
leew:

We have a 25 CAL server with 20 users, so I cannot see why we would be in violation of any licensing terms.

I would not call our security "horrible", as we have file access permissions in place that work well.

You should remember that smaller organizations typically do not share the same requirements as large corporations. This is an environment where wireless APs are typically installed without security turned on.

Less than perfect, I agree. Horrible, I don't think so.

I am sure that RobWill's DNS fix will do the trick. As far as other "serious misconfiguration issues" - I do not believe that is the case.

Author Comment

by: CaptWill
RobWill:

Thank you for your expert advice!

Leew:

I have read your response three times and have not found a single piece of useful advice. In fact, I found it to be somewhat insulting....

Expert Comment

by: Rob Williams
Thanks CaptWill, good luck with it. If you can get it running smoothly it does allow you to lock down your network and users quite nicely as you can make use of group policy once the systems are part of the domain. On that note, make sure you download the group policy management console from Microsoft if you haven't done so already. Makes life much easier.
http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en
Cheers !
--Rob

Expert Comment

by: Lee W, MVP
I'm sorry if you found it insulting... What precisely did you take offense at? I'm guessing it was my statement of it being "horrible security".

What is horrible about the security is that the password policies are EXTREMELY weak. "The users in this environment will not change their passwords so we don't have to worry about a mismatch." -- but you do have to worry about other users getting those passwords and being unable to easily change them. A good password policy has a change every 30-60 days as well as password complexity requirements. Passwords are important - no one ever needs to know another person's password. As a consultant I go out of my way to ensure I don't know my clients' passwords, and when I was a systems administrator before that, I never asked for them and in fact forced people to change their passwords if they ever told me.

As for useful comments, I was merely trying to agree with RobWill's analysis.

Expert Comment

by: dod1450
I am having the same problem connecting to an AD virtual machine that is being hosted by a cloud provider. I have not found a solution other than those folks who have suggested running various tests, which all have passed on the AD virtual server.
Does anyone have some white papers on how to connect to a virtual machine at a colo from a desktop in a specific office?

Expert Comment

by: Rob Williams
dod1450, you will need to open a new question of your own, but accessing resources on a cloud-based server presents different issues, as many services are not routable via the Internet.