Solved

SIDs slow to resolve

Posted on 2008-10-08
7
1,041 Views
Last Modified: 2010-07-07
Our Windows Server 2003 machines in our DMZ are very slow to resolve SIDs when we look at the properties of a folder.  It takes up to 3 minutes to resolve the domain user and group names in the security or sharing properties of folders.  I have tried putting entries into the LMHOSTS file for the DC based on this MS article http://support.microsoft.com/kb/314108 with no luck.  Our network guys say they don't see any traffic being blocked between the DMZ machines and the Domain Controller.  Does anyone have any suggestions?
0
Comment
Question by:InvoiceInsight
  • 4
  • 3
7 Comments
 
LVL 70

Expert Comment

by:Chris Dent
ID: 22677014

LMHosts won't help really. How is DNS configured for those hosts?

Chris
0
 

Author Comment

by:InvoiceInsight
ID: 22678154
The Domain Controllers are also the DNS servers, and they are configured as the primary and secondary DNS servers for the hosts.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 22678171

I take it there's no NAT? And while I know you mentioned that nothing was blocked... RPC is permitted?

Chris
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 

Author Comment

by:InvoiceInsight
ID: 22682344
I guess I should clarify.  My firewall admin didn't see any traffic getting blocked while the SIDs are resolving.  Looks like port 135 is open between the hosts and the DC.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 22682366

You need a lot over 1024 open as well, RPC isn't exactly conservative unless you've set the registry keys to limit the ports used?

Chris
0
 

Author Comment

by:InvoiceInsight
ID: 22730694
We have configured the DCs to use port 1600 by adding a DWORD TCP/IP value to:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters

Port 1600 is open from the DC to the host as well.
0
 

Accepted Solution

by:
InvoiceInsight earned 0 total points
ID: 22845484
Turns out our firewall was denying some traffic between the host and the dc.  The first firewall admin i talked to said there was nothing getting denied, the second guy i talked to saw traffic getting blocked and fixed the issue.  SIDs are resolving normally now.
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Imagine you have a shopping list of items you need to get at the grocery store. You have two options: A. Take one trip to the grocery store and get everything you need for the week, or B. Take multiple trips, buying an item at a time, to achieve t…
Hi All,  Recently I have installed and configured a Sonicwall NS220 in the network as a firewall and Internet access gateway. All was working fine until users started reporting that they cannot use the Cisco VPN client to connect to the customer'…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now