Solved

Domain Authentication Slow when IP range / subnet different than DC

Posted on 2013-12-05
Last Modified: 2013-12-06
I am having issues with what I think is Domain Authentication slowing down some client software.  The issue only happens when using Integrated Authentication with SQL Server.  There is a lot happening so I will explain what happened to get to this point.

Everything was working fine prior to the following.

We had three DCs in our domain.  One is a new machine, Server 2008 R2 64-bit; the other two have been in service for 4 years, Server 2003, 32-bit.

We demoted one of the older DCs last night.   It also was a DHCP and DNS server.  Those functions had been migrated to the new server about a week ago with no issue.

Our network has three IP ranges: 192.168.2.x, 192.168.3.x and 10.192.21.x.

All DCs are on the 192.168.2.x subnet.   All client PCs on this subnet work fine.

If I take a client PC that is in the 192.168.3.x subnet and try to access SQL (in 192.168.2.x subnet) every operation takes about 10-30 seconds per DB call.

If I switch from Integrated Authentication to a saved password the app runs at normal speed.

If I access an internal website that is in the 2.x subnet with the PC while it is on the 3.x subnet the website is fast as it usually is.

If I move the client NIC cable to a port on the same switch (we have a Cisco switch with three VLANs) so that it is in the 2.x subnet, everything runs at normal speed.

I don't see any issues in the event viewer of the DCs, the client PC, or the SQL Server box.

Ping times and bandwidth checks all look normal.

The firewalls are turned off on the DCs, SQL box, and the client.

Does anyone have an idea of what I should be looking for?
Question by:pamsauto

6 Comments

Accepted Solution

by: Lionel MM earned 250 total points
ID: 39700699
You may just have to flush the DNS for each PC--the router tables may also have a path in memory, a path that has not changed, and so it is going to the old server first and then, when it does not find the DHCP, it goes to the new DHCP server. You may have to turn your routers/switches off or force a refresh. On the PCs you can try IPCONFIG from a command prompt; ipconfig /? will display the help message.
I would try ipconfig /all to see what the configuration information is.
Then try ipconfig /flushdns followed by ipconfig /registerdns. See below for details.
/release     Release the IP address for the specified adapter.
/renew       Renew the IP address for the specified adapter.
/flushdns    Purges the DNS Resolver cache.
/registerdns Refreshes all DHCP leases and re-registers DNS names
/displaydns  Display the contents of the DNS Resolver Cache.
/showclassid Displays all the dhcp class IDs allowed for adapter.
/setclassid  Modifies the dhcp class id.

Assisted Solution

by: Delphineous Silverwing earned 250 total points
ID: 39700913
I assume the new DC/DNS server has a different IP address from the demoted server.

Was DHCP updated to use the new DNS server IP?

Expert Comment

by:Delphineous Silverwing
ID: 39700921
Have the SQL servers been updated to reflect the DNS and DC changes?

If DNS resolution fails, then the system will go to a broadcast mode for resolution of the name to IP address.  Crossing subnets is an issue for broadcast resolution, causing a delay.  I think your issue has to do with name resolution; something hasn't been updated with the new address - it could be server, client, or network component related.  Managed switches and routers have "helpers" that allow the passing of certain traffic that does not normally cross over subnets.

Author Comment

by:pamsauto
ID: 39701068
All great ideas.  Here is what has been done.

DHCP was updated to reflect the new DNS server IP address.    The DNS that was on the old server was shut off one week prior to demoting the DC.

All of the affected PCs and servers have been rebooted a few times, and all DNS and IP addresses in them are correct.

The routing on our main switch has the IP Helper Address repointed at the new DHCP server also.   That change was also in place for a week before the server was demoted.

I had stated yesterday that the event logs on the servers and clients were clean.  That is not true.

The SQL box is working against the older DC and the clients are working against the new DC.   On the old DC I am seeing a lot of these errors.

Pre-authentication failed:
       User Name:      ASUS-A52F-1$
       User ID:            STCLOUD\ASUS-A52F-1$
       Service Name:      krbtgt/STCLOUD.PAMSAUTO.COM
       Pre-Authentication Type:      0x0
       Failure Code:      0x19
       Client Address:      192.168.3.68

Followed by this error.

Service Ticket Request:
       User Name:            
       User Domain:            
       Service Name:            
       Service ID:            -
       Ticket Options:            0x2
       Ticket Encryption Type:      -
       Client Address:            192.168.3.68
       Failure Code:            0x20
       Logon GUID:            -
       Transited Services:      -
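
As an added example (not part of the thread), a small Python parser for audit text in the shape pasted above: it reads each event's fields and separates the routine 0x19 (KDC_ERR_PREAUTH_REQUIRED, the KDC's normal reply to a first AS request sent without pre-authentication data) from codes that are real failures, then counts real failures per client address. The sample text is constructed from the two events in the post, with some fields trimmed.

```python
import re
from collections import Counter

# Constructed sample modelled on the two events pasted above (other fields trimmed).
SAMPLE_EVENTS = """\
Pre-authentication failed:
       User Name:      ASUS-A52F-1$
       User ID:            STCLOUD\\ASUS-A52F-1$
       Service Name:      krbtgt/STCLOUD.PAMSAUTO.COM
       Failure Code:      0x19
       Client Address:      192.168.3.68

Service Ticket Request:
       User Name:
       Client Address:            192.168.3.68
       Failure Code:            0x20
"""

# Kerberos error codes (RFC 4120) as written in the Failure Code field. 0x19 only asks
# the client to retry with pre-auth data (normal first AS round trip), so it is not a failure.
KRB_ERRORS = {
    0x00: ("KDC_ERR_NONE", False),
    0x18: ("KDC_ERR_PREAUTH_FAILED", True),
    0x19: ("KDC_ERR_PREAUTH_REQUIRED", False),
    0x20: ("KRB_AP_ERR_TKT_EXPIRED", True),
}

def parse_events(text):
    # A blank line separates events; the first line is the type, the rest are "Key: value".
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = chunk.splitlines()
        event = {"type": lines[0].strip().rstrip(":")}
        for line in lines[1:]:
            key, _, value = line.strip().partition(":")
            event[key.strip()] = value.strip()  # empty values (as above) stay ""
        events.append(event)
    return events

def classify(event):
    code = int(event.get("Failure Code", "0x0"), 16)  # returns (name, is_real_failure)
    return KRB_ERRORS.get(code, (f"UNKNOWN_0x{code:X}", True))

def real_failures_by_client(text):
    # Count real failures per client address, skipping 0x19 pre-auth round trips.
    counts = Counter()
    for event in parse_events(text):
        if classify(event)[1]:
            counts[event.get("Client Address", "?")] += 1
    return dict(counts)
```

Run over a real export, a client address that accumulates codes other than 0x19 is the one worth looking at; the 0x19 entries alone are expected on any DC.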

Expert Comment

by:Delphineous Silverwing
ID: 39701105
I assume there is a configuration change needed within SQL to start using the new DC, but I have no idea what it would be.  I know little about SQL; I'm lucky I know how to spell SQL.

Author Comment

by:pamsauto
ID: 39701210
I found the issue.  The DNS settings were wrong on the old DC and it was pointing at the non-existent DNS server.  I had assumed that the DC was pulling its config from a reservation in the DHCP server, but it was not; it was configured on the DC itself....

Grrr..   Thanks for the help.  I am splitting the points because you both pointed me in the same direction.