Solved

SIDs slow to resolve

Posted on 2008-10-08
7
1,076 Views
Last Modified: 2010-07-07
Our Windows Server 2003 machines in our DMZ are very slow to resolve SIDs when we look at the properties of a folder.  It takes up to 3 minutes to resolve the domain user and group names in the security or sharing properties of folders.  I have tried putting entries into the LMHOSTS file for the DC based on this MS article http://support.microsoft.com/kb/314108 with no luck.  Our network guys say they don't see any traffic being blocked between the DMZ machines and the Domain Controller.  Does anyone have any suggestions?
0
Comment
Question by:InvoiceInsight
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22677014

LMHosts won't help really. How is DNS configured for those hosts?

Chris
0
 

Author Comment

by:InvoiceInsight
ID: 22678154
The Domain Controllers are also the DNS servers, and they are configured as the primary and secondary DNS servers for the hosts.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22678171

I take it there's no NAT? And while I know you mentioned that nothing was blocked... RPC is permitted?

Chris
0
Free eBook: Backup on AWS

Everything you need to know about backup and disaster recovery with AWS, for FREE!

 

Author Comment

by:InvoiceInsight
ID: 22682344
I guess I should clarify.  My firewall admin didn't see any traffic getting blocked while the SIDs are resolving.  Looks like port 135 is open between the hosts and the DC.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22682366

You need a lot over 1024 open as well, RPC isn't exactly conservative unless you've set the registry keys to limit the ports used?

Chris
0
 

Author Comment

by:InvoiceInsight
ID: 22730694
We have configured the DCs to use port 1600 by adding a DWORD TCP/IP value to:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters

Port 1600 is open from the DC to the host as well.
0
 

Accepted Solution

by:
InvoiceInsight earned 0 total points
ID: 22845484
Turns out our firewall was denying some traffic between the host and the dc.  The first firewall admin i talked to said there was nothing getting denied, the second guy i talked to saw traffic getting blocked and fixed the issue.  SIDs are resolving normally now.
0

Featured Post

How Do You Stack Up Against Your Peers?

With today’s modern enterprise so dependent on digital infrastructures, the impact of major incidents has increased dramatically. Grab the report now to gain insight into how your organization ranks against your peers and learn best-in-class strategies to resolve incidents.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I will assume you are running a non-server version of some sort of Windows throughout this article. There are many flavors of Windows since Windows Server 2000 - 2008, XP Home & Pro, Vista Home & Pro, and Windows 7 Starter, Home, Pro, Ultimate, etc.…
I found an issue or “bug” in the SonicOS platform (the firmware controlling SonicWALL security appliances) that has to do with renaming Default Service Objects, which then causes a portion of the system to become uncontrollable and unstable. BACK…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question