Windows 2003 Domain with XP Clients in Workgroup

Posted on 2006-11-27
Last Modified: 2011-04-06
I have a single Windows 2003 Server with an AD domain set up, and Windows XP clients that are not using a domain login. They are in a workgroup of the same name as the domain and have matching usernames & passwords on the server, where they are configured as domain users.

We figured out that the workstation login and file access was much faster using this method. I am assuming that we are not subject to a 10-user limitation due to the fact that AD is installed and in use on the server.

The users in this environment will not change their passwords so we don't have to worry about a mismatch. We don't need to do a lot of tweaking or management, so the faster login and file access was what we opted for.

Are there any major problems headed our way?

Why does a domain login slow everything down so much?
Question by: CaptWill
Accepted Solution

Rob Williams earned 500 total points
ID: 18025500
A domain login does not usually "slow everything down". Perhaps you had a configuration problem. Most often slow logons and slow access to files is due to incorrectly configured DNS. A domain offers so much more functionality, security, and central management, I would recommend reconsidering your decision. There is little advantage in having a domain if your computers are not members of the domain.

Some guidelines with configuring DNS if you should like to look into the problems you were having:
Assuming you have completed the server installation, installed Active Directory, and joined the workstations to the Domain, make sure DNS is configured as follows, assuming a single network adapter:
-The server's NIC should be configured with a static IP, the Internet router as the gateway, and only the server itself as the DNS server. Do not use an ISP DNS server here.
-Each workstation should be configured using DHCP (obtain an IP address and DNS automatically) or, if configured with static addresses, with a static IP in the same subnet as the server, the same subnet mask as the server, the gateway pointing to your Internet router, and the DNS server pointing ONLY to the server/domain controller. Again, do not put an ISP's DNS server here.
-In the DNS management console under Administrative Tools, right click on the server name and choose Properties. On the Forwarders tab add your ISP's DNS servers.
-If the workstations are using DHCP, open the DHCP management console on the server under Administrative Tools and click on the server name to expand it, click on the scope to expand it, right click on Scope Options and choose Configure Options. On the General tab add the Internet router's IP in #003 Router, the server's IP in #006 DNS Servers, and the domain name and suffix under #015, such as mydomain.local.
-If DHCP is enabled on the router rather than the server, it should really be disabled on the router and configured on the server. Enabling DHCP on the server assists with dynamic updates to DNS, allows for central management, and offers far more scope options.
-The DHCP Client service should be running on servers and workstations even where you are not using DHCP assignments. The DHCP Client service controls the dynamic DNS updates.

If you have been having DNS problems, on the workstations that have been having problems you should clear the DNS cache by entering at a command line
  ipconfig /flushdns
and then
  ipconfig /registerdns

This should help with the slow logons. If you have the ISP's DNS servers anywhere in the NICs, the workstations will often go to the Internet to try to resolve names and cause them to "hang".
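The DNS rules in the answer above, turned into an offline check (added here by the editor; not code from the thread or from either poster). It parses captured `ipconfig /all` output in the XP/2003 layout, where additional values of a multi-valued field such as DNS Servers sit alone on the following indented lines, and flags any resolver other than the domain controller, an address outside the DC's subnet, a missing default gateway, and a DNS suffix that does not match the domain. The DC address 192.168.1.10, the adapter name, the two captured outputs and the ISP resolvers 203.0.113.x are constructed; mydomain.local is the answer's own placeholder.

```python
"""Offline check of captured `ipconfig /all` output against the DNS rules in
the accepted answer. Added example, not code from the thread; the sample
outputs, adapter name and addresses are constructed."""
import ipaddress
import re

# Constructed: a workstation configured as the answer recommends.
SAMPLE_GOOD = """\
Windows IP Configuration
        Host Name . . . . . . . . . . . . : ws01

Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . : mydomain.local
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.51
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.10
"""

# Constructed: static workstation with the ISP's resolvers as secondary and
# tertiary DNS (the asker's situation), plus no gateway and no DNS suffix.
SAMPLE_BAD = """\
Ethernet adapter Local Area Connection:
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.1.52
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : 192.168.1.10
                                            203.0.113.1
                                            203.0.113.2
"""

ADAPTER_RE = re.compile(r"^[A-Za-z]+ adapter (.+):$")
# "Key . . . : value" -- the key is words; the dotted leader is skipped.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ()\-]*?)[ .]*:\s*(.*)$")


def parse_ipconfig(text):
    """Return {adapter: {field: [values]}}. Extra values of a multi-valued
    field (DNS Servers) sit alone on following lines and join the last field."""
    adapters, current, last_field = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ADAPTER_RE.match(line)
        if m:
            current, last_field = adapters.setdefault(m.group(1), {}), None
            continue
        if current is None:
            continue  # global header block, not needed for these checks
        m = FIELD_RE.match(line)
        if m:
            last_field = m.group(1).strip()
            values = current.setdefault(last_field, [])
            if m.group(2):
                values.append(m.group(2))
        elif last_field:
            current[last_field].append(line)
    return adapters


def audit_adapter(fields, dc_ip, dc_netmask, domain=None):
    """Findings for one adapter; an empty list means it follows the answer."""
    findings = []
    dc_net = ipaddress.ip_network(f"{dc_ip}/{dc_netmask}", strict=False)
    dns = fields.get("DNS Servers", [])
    for server in dns:
        if server != dc_ip:
            findings.append(f"DNS server {server} is not the DC: remove it from "
                            "the NIC and configure it as a forwarder on the DC")
    if dc_ip not in dns:
        findings.append(f"DC {dc_ip} is not listed as a DNS server")
    for ip in fields.get("IP Address", []):
        if ipaddress.ip_address(ip) not in dc_net:
            findings.append(f"{ip} is outside the DC's subnet {dc_net}")
    if not fields.get("Default Gateway"):
        findings.append("no default gateway (should be the Internet router)")
    suffix = fields.get("Connection-specific DNS Suffix", [])
    if domain and suffix != [domain]:
        findings.append(f"DNS suffix {suffix or 'unset'} should be {domain} "
                        "(DHCP option 015, or the NIC's DNS suffix if static)")
    return findings


def audit_ipconfig(text, dc_ip, dc_netmask="255.255.255.0", domain=None):
    """Map every adapter in the captured output to its findings."""
    return {name: audit_adapter(f, dc_ip, dc_netmask, domain)
            for name, f in parse_ipconfig(text).items()}


if __name__ == "__main__":
    for host, sample in (("ws01", SAMPLE_GOOD), ("ws02", SAMPLE_BAD)):
        for adapter, found in audit_ipconfig(sample, "192.168.1.10",
                                             domain="mydomain.local").items():
            print(host, adapter, "OK" if not found else "\n  " + "\n  ".join(found))
```

Run it against `ipconfig /all > ws.txt` captured on each workstation and on the server itself; the DC's own NIC is held to the same rule (only 192.168.1.10 as DNS), and every address the ISP gave you should show up only on the server's Forwarders tab, never in a finding. The check is IPv4 only, which is all the XP/2003 setup in the thread uses.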


Author Comment

ID: 18025526

Thanks for the advice. We will retry with the ISP nameservers as forwarders only. Right now we have them set as secondary and tertiary nameservers.

We also originally arrived at this situation when we removed a Windows 2000 server and replaced it with a 2003 server. We had messages about invalid SIDs and had to go around "re-establishing" the SID, which effectively meant rebuilding the desktops on 20 computers... After seeing how painful that was we "opted out" of the domain login, as we do not have a secondary DC.

Expert Comment

by:Rob Williams
ID: 18025560
The SID problem is usually a result of cloning workstations without running the Sysprep utility, which is part of the Windows install CD under Support Tools. Sysinternals (now Microsoft) has a utility to change the SID, which might be useful to you:

I can't imagine managing a workgroup environment. Too complicated for me :-)

Expert Comment

by:Lee W, MVP
ID: 18025590
What you have is a horrible mess, with horrible security, and possibly in violation of licensing terms if you do not have appropriate Client Access Licenses.  As RobWill suggested, your problems were most likely due to DNS issues as well as other serious misconfiguration issues.  A domain does not slow things down unless it's not configured appropriately.

Author Comment

ID: 18025616

We have a 25 CAL server with 20 users, so I cannot see why we would be in violation of any licensing terms.

I would not call our security "horrible", as we have file access permissions in place that work well.

You should remember that smaller organizations typically do not share the same requirements as large corporations. This is an environment where wireless APs are typically installed without security turned on.

Less than perfect, I agree. Horrible, I don't think so.

I am sure that RobWill's DNS fix will do the trick. As far as other "serious misconfiguration issues" - I do not believe that is the case.

Author Comment

ID: 18025640

Thank you for your expert advice!


I have read your response three times and have not found a single piece of useful advice. In fact, I found it to be somewhat insulting....

Expert Comment

by:Rob Williams
ID: 18025671
Thanks CaptWill, good luck with it. If you can get it running smoothly it does allow you to lock down your network and users quite nicely as you can make use of group policy once the systems are part of the domain. On that note, make sure you download the group policy management console from Microsoft if you haven't done so already. Makes life much easier.
Cheers !

Expert Comment

by:Lee W, MVP
ID: 18025696
I'm sorry if you found it insulting... what precisely did you take offense at -- I'm guessing it was my statement of it being "horrible security"

What is horrible about the security is that the password policies are EXTREMELY weak. "The users in this environment will not change their passwords so we don't have to worry about a mismatch." -- but you do have to worry about other users getting those passwords and being unable to easily change them. A good password policy has a change every 30-60 days as well as password complexity requirements. Passwords are important - no one ever needs to know another person's password. As a consultant I go out of my way to ensure I don't know my clients' passwords, and when I was a systems administrator before that, I never asked for them and in fact forced people to change their passwords if they ever told me.

As for useful comments, I was merely trying to agree with RobWill's analysis.
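The policy argued for in the comment above, turned into a check that can be run over captured `net accounts` output from a standalone (workgroup) XP or 2003 machine, which is where the asker's accounts actually live (added example by the editor; not code from the thread or from either poster). The 60-day maximum age is the upper end of the comment's 30-60 day range; the minimum length, history and lockout thresholds, and both sample outputs, are the editor's assumptions.

```python
"""Check a workgroup machine's local account policy, parsed from captured
`net accounts` output, against the policy the comment above argues for.
Added example, not code from the thread; the sample outputs and the
non-rotation thresholds (length, history, lockout) are the editor's own."""

# Constructed `net accounts` output from a workgroup PC whose passwords
# never change, the situation described in the question.
SAMPLE_WEAK = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""

# Constructed output from a machine that meets every default threshold below.
SAMPLE_OK = """\
Minimum password age (days):                          1
Maximum password age (days):                          45
Minimum password length:                              10
Length of password history maintained:                6
Lockout threshold:                                    10
Computer role:                                        WORKSTATION
"""


def parse_net_accounts(text):
    """Return {setting: raw value}; lines without 'setting: value' are skipped."""
    policy = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            policy[key.strip()] = value.strip()
    return policy


def _limit(value):
    """Numbers come back as int; 'Unlimited', 'Never' and 'None' become None."""
    try:
        return int(value)
    except ValueError:
        return None


def audit_policy(policy, max_age_days=60, min_length=8, min_history=5,
                 lockout_max=10):
    """Return findings; an empty list means the policy meets every threshold."""
    findings = []
    max_age = _limit(policy.get("Maximum password age (days)", "Unlimited"))
    if max_age is None:
        findings.append("passwords never expire (Maximum password age: Unlimited)")
    elif max_age > max_age_days:
        findings.append(f"maximum password age {max_age} days exceeds {max_age_days}")
    length = _limit(policy.get("Minimum password length", "0")) or 0
    if length < min_length:
        findings.append(f"minimum password length {length} is below {min_length}")
    history = _limit(policy.get("Length of password history maintained", "None")) or 0
    if history < min_history:
        findings.append(f"password history {history} is below {min_history}")
    threshold = _limit(policy.get("Lockout threshold", "Never"))
    if threshold is None:
        findings.append("no account lockout (Lockout threshold: Never)")
    elif threshold > lockout_max:
        findings.append(f"lockout threshold {threshold} is above {lockout_max} attempts")
    return findings


def audit_net_accounts(text, **thresholds):
    """Parse captured `net accounts` output and audit it in one step."""
    return audit_policy(parse_net_accounts(text), **thresholds)


if __name__ == "__main__":
    for host, sample in (("weak", SAMPLE_WEAK), ("ok", SAMPLE_OK)):
        print(host, audit_net_accounts(sample) or "OK")
```

Two caveats a practitioner would want. `net accounts` reports nothing about complexity; on a standalone XP machine that is the "Password must meet complexity requirements" setting under Local Security Policy, and in the asker's workgroup every one of these settings would have to be applied on each of the 20 machines separately, which is exactly the per-box work group policy removes once the machines are domain members. Also, current guidance (NIST SP 800-63B) no longer recommends forced periodic password changes unless there is evidence of compromise, so treat the age threshold as the thread's 2006 advice rather than a present-day requirement; the lockout and length checks still apply.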

Expert Comment

ID: 35336316
I am having the same problem connecting to an AD Virtual Machine that is being hosted by a Cloud provider. I have not found a solution other than those from folks who have suggested running various tests, which all have passed on the AD Virtual Server.
Does anyone have some white papers on how to connect to a virtual machine at a colo from a desktop in a specific office?

Expert Comment

by:Rob Williams
ID: 35336379
dod1450, you will need to open a new question of your own, but accessing resources on a cloud-based server presents different issues, as many services are not routable via the Internet.
