Solved

SIDs slow to resolve

Posted on 2008-10-08
7
1,087 Views
Last Modified: 2010-07-07
Our Windows Server 2003 machines in our DMZ are very slow to resolve SIDs when we look at the properties of a folder.  It takes up to 3 minutes to resolve the domain user and group names in the security or sharing properties of folders.  I have tried putting entries into the LMHOSTS file for the DC based on this MS article http://support.microsoft.com/kb/314108 with no luck.  Our network guys say they don't see any traffic being blocked between the DMZ machines and the Domain Controller.  Does anyone have any suggestions?
0
Comment
Question by:InvoiceInsight
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22677014

LMHosts won't help really. How is DNS configured for those hosts?

Chris
0
 

Author Comment

by:InvoiceInsight
ID: 22678154
The Domain Controllers are also the DNS servers, and they are configured as the primary and secondary DNS servers for the hosts.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22678171

I take it there's no NAT? And while I know you mentioned that nothing was blocked... RPC is permitted?

Chris
0
Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

 

Author Comment

by:InvoiceInsight
ID: 22682344
I guess I should clarify.  My firewall admin didn't see any traffic getting blocked while the SIDs are resolving.  Looks like port 135 is open between the hosts and the DC.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22682366

You need a lot over 1024 open as well, RPC isn't exactly conservative unless you've set the registry keys to limit the ports used?

Chris
0
 

Author Comment

by:InvoiceInsight
ID: 22730694
We have configured the DCs to use port 1600 by adding a DWORD TCP/IP value to:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters

Port 1600 is open from the DC to the host as well.
0
 

Accepted Solution

by:
InvoiceInsight earned 0 total points
ID: 22845484
Turns out our firewall was denying some traffic between the host and the dc.  The first firewall admin i talked to said there was nothing getting denied, the second guy i talked to saw traffic getting blocked and fixed the issue.  SIDs are resolving normally now.
0

Featured Post

MS Dynamics Made Instantly Simpler

Make Your Microsoft Dynamics Investment Count  & Drastically Decrease Training Time by Providing Intuitive Step-By-Step WalkThru Tutorials.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question