Windows 2003 Domain with XP Clients in Workgroup

I have a single Windows 2003 Server with an AD domain set up, and Windows XP clients that are not using a domain login. They are in a workgroup of the same name as the domain and have matching usernames & passwords on the server, where they are configured as domain users.

We figured out that the workstation login and file access was much faster using this method. I am assuming that we are not subject to a 10-user limitation due to the fact that AD is installed and in use on the server.

The users in this environment will not change their passwords, so we don't have to worry about a mismatch. We don't need to do a lot of tweaking or management, so the faster login and file access was what we opted for.

Are there any major problems headed our way?

Why does a domain login slow everything down so much?
Rob Williams commented:
A domain login does not usually "slow everything down". Perhaps you had a configuration problem. Most often slow logons and slow access to files is due to incorrectly configured DNS. A domain offers so much more functionality, security, and central management, I would recommend reconsidering your decision. There is little advantage in having a domain if your computers are not members of the domain.

Some guidelines for configuring DNS, if you would like to look into the problems you were having:
Assuming you have completed the server installation, installed Active Directory, and joined the workstations to the domain, make sure DNS is configured as follows, assuming a single network adapter:
- The server's NIC should be configured with a static IP, the Internet router as the gateway, and only the server itself as the DNS server. Do not use an ISP DNS server here.
- Each workstation should be configured using DHCP (obtain an IP address and DNS automatically) or, if configured with static addresses: a static IP in the same subnet as the server, the same subnet mask as the server, the gateway pointing to your Internet router, and the DNS server pointing ONLY to the server/domain controller. Again, do not put an ISP's DNS server here.
- In the DNS management console under Administrative Tools, right-click on the server name and choose Properties. On the Forwarders tab, add your ISP's DNS servers.
- If the workstations are using DHCP, open the DHCP management console on the server under Administrative Tools and click on the server name to expand it, click on the scope to expand it, right-click on Scope Options and choose Configure Options. On the General tab, add the Internet router's IP in #003 Router, the server's IP in #006 DNS Servers, and the domain name and suffix under #015, such as mydomain.local.
- If DHCP is enabled on the router rather than the server, it should really be disabled on the router and configured on the server. Enabling DHCP on the server assists with dynamic updates to DNS, allows for central management, and offers far more scope options.
- The DHCP Client service should be running on servers and workstations even where you are not using DHCP assignments. The DHCP Client service controls the dynamic DNS updates.

If you have been having DNS problems, on the workstations that have been having problems you should clear the DNS cache by entering at a command line
  ipconfig /flushdns
and then
  ipconfig /registerdns

This should help with the slow logons. If you have the ISP's DNS servers anywhere in the NICs' settings, the workstations will often go to the Internet to try to resolve names, which causes them to "hang".
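The guidelines above boil down to a few checks a workstation's `ipconfig /all` output should pass: every listed DNS server is the domain controller and nothing else, the DC is actually listed, and the DC and gateway sit in the workstation's own subnet. The script below is an added example, not code from the original thread or from Microsoft: it parses a constructed `ipconfig /all` capture from a hypothetical XP client (host `WS12`, DC at `192.168.1.10`, ISP resolvers in the `203.0.113.0/24` documentation range) and reports every deviation from those rules. The field names follow the Windows XP output layout; the adapter name, addresses and the `_global` section key are the example's own assumptions.

```python
"""Audit a workstation's `ipconfig /all` output against the DNS guidelines above.

Added example: parses the text a client prints and flags configurations that
make logons hang (ISP resolvers listed beside the domain controller, DC missing,
DC or gateway outside the local subnet).
"""
import ipaddress
import re

# Constructed sample of `ipconfig /all` from a misconfigured XP client: the DC
# is first, but the ISP's resolvers follow as secondary and tertiary servers.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : WS12
        Primary Dns Suffix  . . . . . . . : mydomain.local

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : mydomain.local
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.57
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.10
        DNS Servers . . . . . . . . . . . : 192.168.1.10
                                            203.0.113.53
                                            203.0.113.54
"""

# A field line is indented, names the field, pads with " . . ." and a colon.
# Requiring at least one space/dot before the colon keeps IPv6 continuation
# lines such as "fe80::1" from being mistaken for a new field.
_FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9\- ]*?)[ .]+:\s*(.*)$")


def parse_ipconfig(text):
    """Return {section: {field: [values]}}; the header block is keyed '_global'."""
    sections = {"_global": {}}
    current = "_global"
    last_field = None
    for line in text.splitlines():
        if not line.strip():
            continue
        # Adapter headers are unindented and end with a colon.
        if not line.startswith(" ") and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]
            sections[current] = {}
            last_field = None
            continue
        match = _FIELD_RE.match(line)
        if match:
            last_field, value = match.group(1), match.group(2).strip()
            sections[current].setdefault(last_field, [])
            if value:
                sections[current][last_field].append(value)
        elif last_field is not None:
            # Indented line with no colon: an extra value for the last field
            # (this is how additional DNS servers are printed).
            sections[current][last_field].append(line.strip())
    return sections


def audit_adapter(fields, dc_ip):
    """Apply the DNS guidelines to one adapter; return a list of findings."""
    findings = []
    dns = fields.get("DNS Servers", [])
    ip = (fields.get("IP Address") or [None])[0]
    mask = (fields.get("Subnet Mask") or [None])[0]
    gateway = (fields.get("Default Gateway") or [None])[0]

    if not dns:
        findings.append("no DNS server configured")
    extra = [d for d in dns if d != dc_ip]
    if extra:
        findings.append("DNS servers other than the domain controller: " + ", ".join(extra))
    if dns and dc_ip not in dns:
        findings.append("domain controller %s is not listed as a DNS server" % dc_ip)
    if ip and mask:
        net = ipaddress.ip_network((ip, mask), strict=False)
        if ipaddress.ip_address(dc_ip) not in net:
            findings.append("domain controller %s is outside subnet %s" % (dc_ip, net))
        if gateway and ipaddress.ip_address(gateway) not in net:
            findings.append("gateway %s is outside subnet %s" % (gateway, net))
    return findings


def audit(text, dc_ip):
    """Audit every adapter that holds an IP address; return {adapter: findings}."""
    report = {}
    for name, fields in parse_ipconfig(text).items():
        if name == "_global" or "IP Address" not in fields:
            continue
        report[name] = audit_adapter(fields, dc_ip)
    return report


if __name__ == "__main__":
    for adapter, findings in audit(SAMPLE_IPCONFIG, "192.168.1.10").items():
        print(adapter)
        for finding in findings or ["OK"]:
            print("  -", finding)
```

On a real client you would pipe `ipconfig /all > ipconfig.txt`, copy the file off, and feed it to `audit()` with your DC's address; an empty findings list for every adapter means the client matches the guidelines above.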

CaptWill (Author) commented:

Thanks for the advice. We will retry with the ISP nameservers as forwarders only. Right now we have them set as secondary and tertiary nameservers.

We also originally arrived at this situation when we removed a Windows 2000 server and replaced it with a 2003 server. We had messages about invalid SIDs and had to go around "re-establishing" the SID, which effectively meant rebuilding the desktops on 20 computers... After seeing how painful that was we "opted out" of the domain login, as we do not have a secondary DC.
Rob Williams commented:
The SID problem is usually a result of cloning workstations without running the Sysprep utility, which is part of the Windows install CD under Support Tools. Sysinternals (now Microsoft) has a utility to change the SID, which might be useful to you:

I can't imagine managing a workgroup environment. Too complicated for me :-)

Lee W, MVP (Technology and Business Process Advisor) commented:
What you have is a horrible mess, with horrible security, and possibly in violation of licensing terms if you do not have appropriate Client Access Licenses. As RobWill suggested, your problems were most likely due to DNS issues as well as other serious misconfiguration issues. A domain does not slow things down unless it's not configured appropriately.
CaptWill (Author) commented:

We have a 25 CAL server with 20 users, so I cannot see why we would be in violation of any licensing terms.

I would not call our security "horrible", as we have file access permissions in place that work well.

You should remember that smaller organizations typically do not share the same requirements as large corporations. This is an environment where wireless APs are typically installed without security turned on.

Less than perfect, I agree. Horrible, I don't think so.

I am sure that RobWill's DNS fix will do the trick. As far as other "serious misconfiguration issues" - I do not believe that is the case.
CaptWill (Author) commented:

Thank you for your expert advice!


I have read your response three times and have not found a single piece of useful advice. In fact, I found it to be somewhat insulting....
Rob Williams commented:
Thanks CaptWill, good luck with it. If you can get it running smoothly it does allow you to lock down your network and users quite nicely as you can make use of group policy once the systems are part of the domain. On that note, make sure you download the group policy management console from Microsoft if you haven't done so already. Makes life much easier.
Cheers !
Lee W, MVP (Technology and Business Process Advisor) commented:
I'm sorry if you found it insulting... what precisely did you take offense at? I'm guessing it was my statement of it being "horrible security".

What is horrible about the security is that the password policies are EXTREMELY weak. "The users in this environment will not change their passwords so we don't have to worry about a mismatch." -- but you do have to worry about other users getting those passwords and being unable to easily change them. A good password policy has a change every 30-60 days as well as password complexity requirements. Passwords are important - no one ever needs to know another person's password. As a consultant I go out of my way to ensure I don't know my clients' passwords, and when I was a systems administrator before that, I never asked for them and in fact forced people to change their passwords if they ever told me.

As for useful comments, I was merely trying to agree with RobWill's analysis.
I am having the same problem connecting to an AD virtual machine that is being hosted by a cloud provider. I have not found a solution other than those folks who have suggested running various tests, which have all passed on the AD virtual server.
Does anyone have some white papers on how to connect to a virtual machine at a colo from a desktop in a specific office?
Rob Williams commented:
dod1450, you will need to open a new question of your own, but accessing resources on a cloud-based server presents different issues, as many services are not routable via the Internet.