Solved

Windows 2003 Domain with XP Clients in Workgroup

Posted on 2006-11-27
10
399 Views
Last Modified: 2011-04-06
I have a single Windows 2003 Server with an AD domain setup, and Windows XP clients that are not using a domain login. They are in a workgroup of the same name as the domain and have matching usernames & passwords on the server, where they are configured as domain users.

We figured out that the workstation login and file access was much faster using this method. I am assuming that we are not subject to a 10-user limitation due to the fact that AD is installed and in use on the server.

The users in this environment will not change their passwords so we don't have to worry about a mismatch. We don't need to do alot of tweaking or management, so the faster login and file access was what we opted for.

Are there any major problems headed our way?

Why does a domain login slow everything down so much?
Question by:CaptWill
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 18025500
A domain login does not usually "slow everything down". Perhaps you had a configuration problem. Most often slow logons and slow access to files is due to incorrectly configured DNS. A domain offers so much more functionality, security, and central management, I would recommend reconsidering your decision. There is little advantage in having a domain if your computers are not members of the domain.

Some guidelines for configuring DNS, if you would like to look into the problems you were having:
Assuming you have completed the server installation, installed Active Directory, and joined the workstations to the domain, make sure DNS is configured as follows, assuming a single network adapter:
- The server's NIC should be configured with a static IP, the Internet router as the gateway, and only the server itself as the DNS server. Do not use an ISP DNS server here.
- Each workstation should be configured using DHCP (obtain an IP address and DNS automatically) or, if configured with static addresses, a static IP in the same subnet as the server, the same subnet mask as the server, the gateway pointing to your Internet router, and the DNS server pointing ONLY to the server/domain controller. Again, do not put an ISP's DNS server here.
- In the DNS management console under Administrative Tools, right-click on the server name and choose Properties. On the Forwarders tab add your ISP's DNS servers.
- If the workstations are using DHCP, open the DHCP management console on the server under Administrative Tools, click on the server name to expand it, click on the scope to expand it, right-click on Scope Options and choose Configure Options. On the General tab add the Internet router's IP in #003 Router, the server's IP in #006 DNS Servers, and the domain name and suffix under #015, such as mydomain.local.
- If DHCP is enabled on the router rather than the server, it should really be disabled on the router and configured on the server. Enabling DHCP on the server assists with dynamic updates to DNS, allows for central management, and offers far more scope options.
- The DHCP Client service should be running on servers and workstations even where you are not using DHCP assignments. The DHCP Client service controls the dynamic DNS updates.

If you have been having DNS problems, on the workstations that have been having problems you should clear the DNS cache by entering at a command line
  ipconfig /flushdns
and then
  ipconfig /registerdns

This should help with the slow logons. If you have the ISP's DNS servers anywhere in the NICs, the workstations will often go to the Internet to try to resolve names, causing them to "hang".

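The accepted answer's central check is that no NIC on a domain member lists anything but the domain controller as a DNS server. The following script is an added example (not code from the thread or from any Microsoft tool) that parses `ipconfig /all` output and flags every resolver that is not the DC. The DC address and the `ipconfig` text are constructed sample values; on a real workstation you would feed it `ipconfig /all > out.txt` and your own DC's IP.

```python
"""Audit client DNS settings against the guideline in the accepted answer:
every NIC should point only at the domain controller, never at an ISP
resolver.  Added example; not code from the original thread."""
import re

# Assumed address of the single domain controller (hypothetical value).
DC_IP = "192.168.1.10"

# Constructed sample of `ipconfig /all` output from an XP workstation.  The
# first adapter carries two public resolvers after the DC, which is exactly
# the misconfiguration the answer warns about.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : ws07
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : mydomain.local
        Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.57
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.10
                                            208.67.222.222
                                            208.67.220.220

Ethernet adapter Wireless Network Connection:

        Media State . . . . . . . . . . . : Media disconnected
"""

ADAPTER_RE = re.compile(r"^(\S.*):\s*$")                   # "Ethernet adapter X:"
FIELD_RE = re.compile(r"^\s+(.+?)[ .]*:\s*(.*)$")          # "  Name . . . : value"
IP_RE = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")   # extra resolver line


def parse_dns_servers(text):
    """Return {adapter name: [DNS server, ...]} from `ipconfig /all` text."""
    servers = {}
    adapter = None
    in_dns_list = False
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapter = m.group(1)
            servers[adapter] = []
            in_dns_list = False
            continue
        if adapter is None:            # header block before the first adapter
            continue
        m = FIELD_RE.match(line)
        if m:
            name, value = m.group(1).strip(), m.group(2).strip()
            in_dns_list = name.lower().startswith("dns servers")
            if in_dns_list and value:
                servers[adapter].append(value)
            continue
        m = IP_RE.match(line)
        if m and in_dns_list:          # second and later resolvers, one per line
            servers[adapter].append(m.group(1))
            continue
        in_dns_list = False            # blank line or other text ends the list
    return servers


def audit_dns(servers, dc_ip=DC_IP):
    """List (adapter, server) for every resolver that is not the domain
    controller; such entries send lookups for the domain to the Internet."""
    return [(adapter, addr) for adapter, addrs in servers.items()
            for addr in addrs if addr != dc_ip]


if __name__ == "__main__":
    findings = audit_dns(parse_dns_servers(SAMPLE_IPCONFIG))
    for adapter, addr in findings:
        print(f"{adapter}: remove non-DC resolver {addr}; point DNS only at {DC_IP}")
    if not findings:
        print("All adapters resolve through the domain controller only.")
```

The same function audits the server itself: run it against the DC's own `ipconfig /all` with `dc_ip` set to the server's address, since the answer requires the DC to list only itself. After correcting an adapter, the `ipconfig /flushdns` and `ipconfig /registerdns` steps from the answer still apply.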

Author Comment

by:CaptWill
ID: 18025526
RobWill:

Thanks for the advice. We will retry with the ISP nameservers as forwarders only. Right now we have them set as secondary and tertiary nameservers.

We also originally arrived at this situation when we removed a Windows 2000 server and replaced it with a 2003 server. We had messages about invalid SIDs and had to go around "re-establishing" the SID, which effectively meant rebuilding the desktops on 20 computers... After seeing how painful that was we "opted out" on the domain login, as we do not have a secondary DC.
LVL 77

Expert Comment

by:Rob Williams
ID: 18025560
The SID problem is usually a result of cloning workstations without running the Sysprep utility, which is part of the Windows install CD under Support Tools. Sysinternals (now Microsoft) has a utility to change the SID, which might be useful to you:
http://www.microsoft.com/technet/sysinternals/Security/NewSid.mspx

I can't imagine managing a workgroup environment. Too complicated for me :-)
LVL 95

Expert Comment

by:Lee W, MVP
ID: 18025590
What you have is a horrible mess, with horrible security, and possibly in violation of licensing terms if you do not have appropriate Client Access Licenses.  As RobWill suggested, your problems were most likely due to DNS issues as well as other serious misconfiguration issues.  A domain does not slow things down unless it's not configured appropriately.

Author Comment

by:CaptWill
ID: 18025616
leew:

We have a 25 CAL server with 20 users, so I cannot see why we would be in violation of any licensing terms.

I would not call our security "horrible", as we have file access permissions in place that work well.

You should remember that smaller organizations typically do not share the same requirements as large corporations. This is an environment where wireless APs are typically installed without security turned on.

Less than perfect, I agree. Horrible, I don't think so.

I am sure that RobWill's DNS fix will do the trick. As far as other "serious misconfiguration issues" - I do not believe that is the case.

Author Comment

by:CaptWill
ID: 18025640
RobWill:

Thank you for your expert advice!

Leew:

I have read your response three times and have not found a single piece of useful advice. In fact, I found it to be somewhat insulting....
LVL 77

Expert Comment

by:Rob Williams
ID: 18025671
Thanks CaptWill, good luck with it. If you can get it running smoothly it does allow you to lock down your network and users quite nicely as you can make use of group policy once the systems are part of the domain. On that note, make sure you download the group policy management console from Microsoft if you haven't done so already. Makes life much easier.
http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en
Cheers !
--Rob
LVL 95

Expert Comment

by:Lee W, MVP
ID: 18025696
I'm sorry if you found it insulting... what precisely did you take offense at -- I'm guessing it was my statement of it being "horrible security"

What is horrible about the security is that the password policies are EXTREMELY weak.  "The users in this environment will not change their passwords so we don't have to worry about a mismatch." -- but you do have to worry about other users getting those passwords and being unable to easily change them.  A good password policy has a change every 30-60 days as well as password complexity requirements.  Passwords are important - no one ever needs to know another person's password.  As a consultant I go out of my way to ensure I don't know my clients' passwords, and when I was a systems administrator before that, I never asked for them and in fact forced people to change their passwords if they ever told me.

As for useful comments, I was merely trying to agree with RobWill's analysis.
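The password-policy point in the comment above (rotation every 30-60 days plus complexity) can be checked on the domain controller from a security template exported with `secedit /export /cfg <file>`. The script below is an added example, not code from the thread; the two templates are constructed samples, one matching the "users never change passwords" setup from the question and one after a policy in the suggested range has been applied. The reading of `MaximumPasswordAge = -1` as "never expires" is the secedit template convention.

```python
"""Check a security template exported with `secedit /export /cfg <file>`
against the password policy Lee W describes (change every 30-60 days,
complexity required).  Added example; not code from the original thread."""
import configparser

# Constructed template reflecting the "users never change passwords" setup
# from the question.  In secedit templates MaximumPasswordAge = -1 means
# passwords never expire.
WEAK_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = -1
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed template after applying a policy in the range the comment suggests.
HARDENED_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 10
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_system_access(template_text):
    """Return the [System Access] section as a dict, numeric values as int."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                 # keep key case as secedit writes it
    cp.read_string(template_text)
    policy = {}
    for key, value in cp["System Access"].items():
        try:
            policy[key] = int(value)
        except ValueError:               # e.g. NewAdministratorName = "..."
            policy[key] = value.strip('"')
    return policy


def audit_password_policy(policy, min_days=30, max_days=60):
    """Return human-readable findings; an empty list means the policy meets
    the 30-60 day rotation and complexity guidance from the thread."""
    findings = []
    age = policy.get("MaximumPasswordAge", -1)
    if not isinstance(age, int) or age <= 0:   # -1 (or 0) = never expires
        findings.append("MaximumPasswordAge: passwords never expire")
    elif not min_days <= age <= max_days:
        findings.append(f"MaximumPasswordAge: {age} days, expected {min_days}-{max_days}")
    if policy.get("PasswordComplexity", 0) != 1:
        findings.append("PasswordComplexity: disabled")
    return findings


if __name__ == "__main__":
    for label, template in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        findings = audit_password_policy(parse_system_access(template))
        print(f"{label}: {findings or 'OK'}")
```

On a real domain the values come from the Default Domain Policy, so the exported template should be taken on the domain controller; a matching local policy on a workgroup machine would have to be set on every workstation individually, which is the management cost the thread is pointing at.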

Expert Comment

by:dod1450
ID: 35336316
I am having the same problem connecting to an AD virtual machine that is being hosted by a cloud provider. I have not found a solution other than those folks who have suggested running various tests, which have all passed on the AD virtual server.
Does anyone have some white papers on how to connect to a virtual machine at a colo from a desktop in a specific office?
LVL 77

Expert Comment

by:Rob Williams
ID: 35336379
dod1450, you will need to open a new question of your own, but accessing resources on a cloud-based server presents different issues, as many services are not routable via the Internet.
