  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1115

SIDs slow to resolve

Our Windows Server 2003 machines in our DMZ are very slow to resolve SIDs when we look at the properties of a folder.  It takes up to 3 minutes to resolve the domain user and group names in the security or sharing properties of folders.  I have tried putting entries into the LMHOSTS file for the DC based on this MS article http://support.microsoft.com/kb/314108 with no luck.  Our network guys say they don't see any traffic being blocked between the DMZ machines and the Domain Controller.  Does anyone have any suggestions?
0
Asked by InvoiceInsight
1 Solution
 
Chris Dent (PowerShell Developer) commented:

LMHosts won't help really. How is DNS configured for those hosts?

Chris
0
 
InvoiceInsight (Author) commented:
The Domain Controllers are also the DNS servers, and they are configured as the primary and secondary DNS servers for the hosts.
0
 
Chris Dent (PowerShell Developer) commented:

I take it there's no NAT? And while I know you mentioned that nothing was blocked... RPC is permitted?

Chris
0
 
InvoiceInsight (Author) commented:
I guess I should clarify.  My firewall admin didn't see any traffic getting blocked while the SIDs are resolving.  Looks like port 135 is open between the hosts and the DC.
0
 
Chris Dent (PowerShell Developer) commented:

You need a lot of ports above 1024 open as well; RPC isn't exactly conservative, unless you've set the registry keys to limit the ports used?

Chris
0
 
InvoiceInsight (Author) commented:
We have configured the DCs to use port 1600 by adding a DWORD TCP/IP value to:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters

Port 1600 is open from the DC to the host as well.
0
 
InvoiceInsight (Author) commented:
Turns out our firewall was denying some traffic between the host and the DC. The first firewall admin I talked to said there was nothing getting denied; the second guy I talked to saw traffic getting blocked and fixed the issue. SIDs are resolving normally now.
0
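The thread comes down to RPC reachability between the DMZ member and its DC: port 135 (the RPC endpoint mapper) alone is not enough, and a firewall that silently drops the follow-on connections leaves the client waiting on RPC timeouts before the ACL editor finally gives up or falls back. The script below is an added PowerShell example, not part of the original thread, that a practitioner could run on the DMZ host to separate the two questions the posters were juggling: can the host reach the DC on the ports involved (135 for the endpoint mapper, 445 for SMB named pipes, plus the static RPC port the author pinned, 1600), and how long does each individual SID-to-name translation on a folder's ACL actually take? The folder path, DC name and port list are assumptions; the dynamic RPC range (1025-5000 by default on Windows Server 2003) is deliberately not swept here, only the pinned port.

```powershell
# Added example (not from the original thread): probe TCP reachability to the
# DC, then time the SID -> name translation for each ACE on a folder.
# $Folder, $DC and $Ports are assumptions; 1600 is the pinned RPC port the
# thread's author configured under HKLM\...\NTDS\Parameters.
param(
    [string]$Folder = 'D:\Shares\Finance',            # assumption: folder whose ACL is slow
    [string]$DC     = 'dc01.corp.example',            # assumption: one of the DCs/DNS servers
    [int[]] $Ports  = @(53, 88, 135, 389, 445, 1600)  # DNS, Kerberos, EPM, LDAP, SMB, pinned RPC
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            # No SYN/ACK and no RST: the signature of a firewall that drops
            # rather than rejects, which is what makes clients hang for minutes.
            return 'TIMEOUT (dropped or filtered?)'
        }
        $client.EndConnect($ar)
        return 'open'
    } catch {
        # A RST or ICMP unreachable comes back fast as a SocketException,
        # wrapped by PowerShell in a MethodInvocationException.
        $inner = if ($_.Exception.InnerException) { $_.Exception.InnerException.Message } else { $_.Exception.Message }
        return "refused/unreachable: $inner"
    } finally {
        $client.Close()
    }
}

Write-Host "TCP reachability from $env:COMPUTERNAME to $DC"
foreach ($p in $Ports) {
    $result = Test-TcpPort -ComputerName $DC -Port $p
    Write-Host ("  {0,5}/tcp  {1}" -f $p, $result)
}

# Read the ACL with identities left as raw SIDs (Get-Acl would otherwise
# resolve them all up front), then translate each one and time it. Slow
# Translate() calls with every port reporting 'open' point away from the
# firewall and toward DNS, the trust path or an unreachable DC.
$acl   = Get-Acl -Path $Folder
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

Write-Host "`nSID resolution for ACEs on $Folder"
foreach ($rule in $rules) {
    $sid = $rule.IdentityReference
    $sw  = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $name = "UNRESOLVED ($($_.Exception.GetType().Name))"
    }
    $sw.Stop()
    Write-Host ("  {0,-48} -> {1,-30} {2,6} ms" -f $sid.Value, $name, $sw.ElapsedMilliseconds)
}
```

Run it as `.\Test-SidResolution.ps1 -Folder 'E:\Data' -DC dc02.corp.example` from the DMZ host. A port that reports `TIMEOUT` rather than `refused` is the one to take back to the firewall team, since a drop is invisible in a deny log that only records rejects, which is consistent with the first admin seeing nothing and the second finding blocked traffic. Built-in SIDs such as S-1-5-32-544 resolve locally and should take a few milliseconds regardless; it is the domain SIDs (S-1-5-21-...) whose timings reveal the round trip to the DC.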
