Arghh - XP and Active Directory

spidey07

No Lifer
Aug 4, 2000
ARggghhhh..


Looks like I have to fix some server stuff cause the server guys are clueless. Turns out XP is taking a long time to login. I throw a sniffer on the station and lo and behold XP is talking to EVERY SINGLE 2000 SERVER IN THE WORLD. Strange cause there is a data center no more than 50 feet away with domain controllers.

I'm seeing a lot of DNS qry for SRV _ldap._tcp.Louisville._sites.dc._msdcs.(our domain).net but the DNS server is returning an error. More DNS queries, some successful, some not, including some reverse-lookups.

After what seems to be 25-20 DNS queries the station sends a netlogon to every 2000 server in our network, at which point these servers respond with "Unkown Command:17"

It's quite a mess. Problem is we have a mixed NT/2000 domain. Clients are pointed to the NT DNS server which have forwarders to the 2000 servers (don't ask...not my project).

Anybody have any experience with fubarred DNS and how to troubleshoot? Are there any good DNS docs from microsoft for AD specific stuff?

Thanks a bunch. As always it MUST be a network problem because logons take so long. It must be that "slow ass" network. :)
 

cerial

Junior Member
Oct 7, 2002
Make sure your XP box is registered into the DNS. If you have DHCP Client running, Dynamic DNS should automatically register itself into the domain. Of course, make sure the XP box is pointing to your AD DNS servers. You can type ipconfig /registerdns to force a dynamic registration (DHCP client must be running). If you do not want to use DHCP client, you will need to create a host record manually.

A common problem with Windows 2000 domain controllers is as soon as you run DCPROMO and reboot, the box will hang at the first logon (Netlogon is causing it to hang). This is because the DNS wasn't updated properly after dcpromo ran. It takes about 5 minutes but you can finally log into the box. Then I usually do an ipconfig /registerdns and then restart the Netlogon service, reboot and it is fine.

Most problems with AD usually have something to do with DNS.

Hope this helps. If this doesn't help, let me know how the DNS is set-up on the XP box and we'll go from there. I'm taking for granted the DNS on the AD domain is fine with the other servers, so it must be this XP server.

As a Network Admin/Security type of guy, it is always the Network/Firewall... :eek:) I'm having t-shirts made for the special day...
Firewall Free Day. :eek:)


-Cerial
 

spidey07

No Lifer
Aug 4, 2000
Thanks for the help.

But unfortunately the DNS servers are NT 4.0 and are in a different NT domain.

It's pretty fubarred. Four DNS servers - two 2000, two NT, both are for separate DNS domains. All XP machines point to the NT DNS servers. I've tried to explain to the server guys that they need to run 2000 AD and DNS together and not have this hodgepodge. But they insist on configuring XP images to point to the old NT 4.0 servers.

Problem comes from the fact that we are a large SUN shop as well and the search domain is still pointed to NT servers.
 

cerial

Junior Member
Oct 7, 2002
Geezzzzzz...

Have these server guys ever created an AD Domain before? I think there is a Registry entry that you can use to make XP use a certain DC.

This may clear that up. Having an AD with the DNS set-up you describe is going to keep those server guys, as well as you, busy as hell.

XP of all the OS's is the biggest pain in a mixed-mode Domain.

The first thing they drill into you in the AD course is to make sure your DNS is pristine and controlled by AD. If not, you'll have nothing but troubles... Sounds like the server guys are trying for job security. :)

I'll see if I can find that reg entry and send it off to you... That may help.

-Cerial
 

AKA

Golden Member
Oct 10, 1999
Let me make sure I'm understanding your issue.

WinXP Client is taking a long time to log into the domain, but it eventually does get there.
And you verified that it's because it's trying to communicate with other servers outside your network.

This domain is mixed, but you have the clients pointing to an NT DNS server?

Is the WinXP Client trying to log into an NT Server or Win2K Server?
 

spidey07

No Lifer
Aug 4, 2000
XP client is logging onto 2000 AD, but is pointing to NT4.0 DNS servers.

I've run traces of the login and see a ton of DNS queries being returned with errors. The 2000 servers are all over the world - Sydney, New York, Korea, Prague.

I think I'm going to recommend a consultant to fix their problems.
 

ScottMac

Moderator, Networking, Elite member
Mar 19, 2001
Sounds like the same old loop: "You need to do it this way ....NO, we WANNA do it this way.......No, you MUST do it this way.....NO we WANNA do it this way...." One of those "Don't confuse me with the facts, I know what I wanna do" things...

My (limited) understanding, as pointed out above, is that if you start to go MAD, you gotta go all the way (my next T-shirt) ... and lose the NT4 systems as PDCs, DNS, etc (but I believe they're OK as BDCs and backup systems). Transition / hybrid systems may cause "problems" (no sh!t).

Wait till you get around to serious VoIP ... it's gotta be the biggest political nightmare in the networking world: you have servers (server group), "phones" (desktop group(?) maybe CPE/Voice group(?), infrastructure (ahem) "adjustments" (LAN / WAN routers, switches, etc) connectivity to the PBX (voice group) .... everyone wants the budget, but no one wants to handle the problems (aside from all that, the voice quality "sorta" sucks....).

Maybe you could swing 'em to Novell Netware 6 for the directory systems......(and the file servers, and and and....) :D

Good luck sir....

Scott
 

Tallgeese

Diamond Member
Feb 26, 2001
Originally posted by: ScottMac
if you start to go MAD, you gotta go all the way (my next T-shirt) ... and lose the NT4 systems as PDCs, DNS, etc (but I believe they're OK as BDCs and backup systems).
Second to that. Saw mucho problems in our testing, until we went with W2K for all PDCs and DNS services.
 

Saltin

Platinum Member
Jul 21, 2001
The DNS should really be hosted by a 2k server in an AD environment, there are many benefits. The XP clients are looking for a SRV record for LDAP. In other words, they are trying to find the Active Directory. If they are failing, you have issues.

Assuming the NT 4 DNS is properly forwarding to the 2k DNS, things should work. What I would suspect is that your DC's SRV records are not properly registered in DNS. Check your 2k DNS server for the presence of four folders, underneath the forward lookup zone folder. They are named _msdcs, _udp, _tcp, _sites. If they aren't there, your DNS is improperly configured.

NT4, and even 2k clients will work ok with a poor DNS infrastructure. XP won't. Make sure those records are there.
If they aren't I would recommend you change all of your 2k DC's primary DNS to your 2k DNS server. Then ipconfig /registerdns (make sure the forward lookup zone is configured to allow dynamic updates too, or the folders will never register).

 

Santa

Golden Member
Oct 11, 1999
Well one thing you could test and perhaps show to the server/workstation setup folks is to change the settings on the DNS to point to just one of the main 2K DNS servers.

If that 2K DNS server is properly configured and the log in time improves then your case is proven and you leave it at that.

If they choose not to change things there isn't much you can do nor should you because you are now doing their job.

If you can fix it for a few upper management or personal friends in the company go for it and score some brownie points; other than that, unless you are ready to fight a political battle I'd just say here is my test and it proves my point, but if you choose not to follow it have a good life.
 

me19562

Senior member
Jun 27, 2001
Spidey, send the Server guys to a boot camp to learn about 2K and AD. AD needs a DNS server that supports SRV records and dynamic updates. Without that you are loose.
 

spidey07

No Lifer
Aug 4, 2000
thanks for the help guys.

I'm drafting an e-mail to their boss and director politely spelling out observations and recommendations.

"I suggest out-sourcing design and implementation of our Active Directory to a third party. The simplicity of our problems and the inability of this team to resolve them demands immediate action"
 

Tallgeese

Diamond Member
Feb 26, 2001
Dayum!

My ass is smarting, and I'm not even one of the folks getting shpanked by that e-mail, my man... :Q