Extremely slow win2k domain.....

jazzman42379

Member
Jun 18, 2001
Hey everyone....

I've got a win2k domain running, and a win2k desktop. The desktop joined the domain no problem, but when I try to log on, it takes FOREVER (nearly 10 minutes)!!!! This is a bit odd, since the other system I have on the domain is MUCH faster loading. This system is a WinXP laptop. The slow one is a 200MMX (it was free) that runs Win2k surprisingly well, and is pretty quick loading a local profile, but when it tries to load a domain profile, it just takes forever and a day!!! The profile is less than 1MB, and it's on a fast ethernet connection with a PCI network card. It's got 128MB RAM, and like I said, for what it is, it runs Win2k extremely well.

Just can't explain the S L O W domain loading.

Thanx in advance,
Jazzman

jazzman42379

Member
Jun 18, 2001
OK...scratch part of that last post. Apparently, the WinXP machine is also equally as slow loading into the domain. Here's the rundown on how everything is connected:

All the computers are hooked up on a campus DHCP connection through a hub. All of them have identical networking settings on the network, and so there shouldn't be any huge difference.

So why so slow? Any suggestions?

Jazzman

Shadow07

Golden Member
Oct 3, 2000
What kind of hub are you using? Why not a switch?

Also, do you have any GPO policies that enable IPSec? Are you running any network applications at the same time as the client is logging in? What type of PCI NIC do you have installed? If it is a 3Com or Intel, have you installed the latest drivers? Have you installed the NIC Diagnostic software? If you have, launch it and see if you see any hardware or link errors. Do you have any AntiVirus software installed? Any PC management software?

Check the System and Application Event logs on your laptop, workstation, and your DC. Do you see any errors?

Also, have you checked the physical wiring? Are you sure that you have CAT5e cable? Did you make it yourself?

Woodie

Platinum Member
Mar 27, 2001
Check DNS.
Recheck DNS.

Is the DNS server part of the Domain? or does it do other stuff too?

Santa

Golden Member
Oct 11, 1999
Another vote for checking the DNS,

2k domains are highly dependent on DNS when it comes to 2K or XP or beyond clients.

You will need to check the settings underneath the adapter connected to the network and make sure the same DNS server that operates the 2K domain is in there so that the workstation can register itself to Active Directory. Most times the delay is from the workstation trying to register itself and failing over and over.

If you use DHCP from a router you will need to manually enter the DNS record in, for most consumer-grade routers won't allow you to enter in such information to pass on to the clients. If you run a 2K DHCP server make sure it is set up to dish out the correct DNS server and domain name (DNS zone name).

Shadow07

Golden Member
Oct 3, 2000
Yes, I would check DNS too. But he said that creating the computer account by joining the domain only took a few seconds. I wouldn't say that the issue is DNS, but I wouldn't rule it out either.

jazzman42379

Member
Jun 18, 2001
Thanx for all the help so far. Again, all of these systems are branching off a hub to my DHCP resnet connection. It's a campus service provider with ethernet connection. So right now all of the settings are identical on all of the machines to run on Resnet. I only have a hub cuz I got it a year ago before I knew what the benefits of a switch were.

As far as DNS, the DC machine does indeed have a DNS server running. But the proper settings to run on Resnet have them automatically find IP and DNS. There are 2 DNS servers available to Resnet (BTW...resnet firewalled us from everything else, so we're pretty isolated).

Should the DNS server running on the DC be put into the list manually on the workstations? Or should I just turn off the DNS server on the DC. When I was trying to get the workstations to even connect to the domain, I found that the DHCP server on the DC was running, so I disabled it. But I think it actually installed and started DNS when I started active directory. Is having a DNS server running on a domain controller necessary? Or can I turn it off.....

Keep the ideas coming. What else in DNS could be the problem?

Thanx,
Jazzman

netsysadmin

Senior member
Feb 17, 2002
9 times out of 10 a problem with Win2k Server is DNS related...try opening up your event viewer and look under DNS...I will bet you that you will see tons of errors...your own DNS needs to be set up on your DC...and it needs to be configured properly...the first mistake of most people is that when they DCPROMO their DC they have the DNS servers of their ISP in the network settings....you have to make sure those DNS numbers are pointed back at your DC that you are promoting, otherwise it will NOT configure properly...that's usually the biggest mistake I see...oh and make sure your Win2k Server has a static address...if it doesn't that will wreak havoc with your DNS

Good Luck

Shadow07

Golden Member
Oct 3, 2000
Looks like DNS is the problem guys.

First off, AD REQUIRES DNS to function properly, so don't even try to disable it.

Secondly, why are you not running your workstations behind a firewall? Is this a company network, school campus, or something else? Whose network is this that you are trying to get working? Your clients need to get a DHCP address that has the local DC's IP address as the DNS server for them to log in and authenticate.

Like Santa said, if they are configured for a non-DDNS server, then they will continuously time out trying to update their DNS records, and this is what's causing your "slow login."

jazzman42379

Member
Jun 18, 2001
Well, that nixes the turning off the DNS solution.

To clarify what network I'm on: on our college campus, the residence halls and on-campus housing have what we call Resnet. It's part of the campus's bandwidth for personal use by the on-campus residents. Where I am at, I am behind a firewall, so nothing can get any access to Resnet, though I can get to the rest of campus. The home network I am trying to set up is totally a personal endeavor in my on-campus apartment. (I'm a CS major hoping to get into the IT field, so I'm just trying to teach myself as much out of the classroom as I can.) Like any ISP, I pay them a certain amount each semester for them to activate the jack in my apartment. I plugged a hub into that, and then have running a Win2k box, WinXP laptop, Win2k Advanced Server, and my XBox. All connections on resnet are DHCP, with automatic IP and DNS. All 3 PCs have their network settings configured identically to run on resnet. None of the workstations are configured to use the Server for DNS, which it is also providing....they, as well as the server, automatically find the 2 DNS servers available for Resnet users through DHCP.

Curious, though....obviously from what I've seen here, AD is dependent on DNS. But does it have to be the DNS server?? I was reading over Santa's post...he said to make sure that the DNS that operates the server is on the workstations too. The network that these systems are on already has 2 DNS servers, and both the server and workstations register with those. The DC server, though, that I am running, is also running a DNS server that configured itself when I configured AD. If I disable the DNS server running on the DC, would they all use the Resnet DNS?

One more thing I find funny about the problem itself...If there was a DNS problem, and it timed out when trying to log onto the domain, why did it first join the domain so quickly? And then why do the profiles and domain settings eventually successfully load? Wouldn't it just not be able to connect? Instead, it just takes a LONG time.... And finally, once a profile has loaded from the domain (verified as a roaming profile like it should be) and is running on a workstation, when I go to log off, it saves all the settings to the server and logs off rather quickly like it should.

Very weird.

When it comes to the DNS settings, I recall the settings having a forward and backward lookup. Would/should either of these link it to the DNS servers that the system gets configured to use through the DHCP (from resnet)?

Thanx all....I've got a pretty good place to start from....keep 'em coming!!!
Jazzman

Poontos

Platinum Member
Mar 9, 2000
If you really want to track down the problem, try the following suggestions if they have not already been mentioned:


-Disconnect your PC's trying to login to your DC and your DC from the resnet. Plug them in so they all can see each other, but just disconnect from that dusty little RJ-45 ethernet jack behind your desk, or wherever it is. :) Try logging into the domain again.

-Your DC is getting DNS, IP, etc. from the Resnet DHCP server(s), which can conflict with the information it should be providing locally to your clients trying to login to your private/local domain.

-Your PC's are probably trying to figure out if they should be getting their IP, DNS, etc. from Resnet or your domain controller, but since you are not logged into the domain quite perfectly, they are getting their IP's, DNS, etc. from Resnet, which would not be sufficient information for the clients to login to your domain, due to the fact they are getting lost, cause they are trying to login to a domain part of the Resnet network, not your little LAN.

-For your setup, you should be either hardcoding the IP, DNS information of your DC, (not DHCP from Resnet), or setting up full DHCP on YOUR DC, so your PC's can grab the correct information to enable them to successfully login to your private domain.


Hope this helps and do not write back until you have tried ALL of the above, unless the quick scanning I did through your last post left me in la-la land with out-of-place suggestions. However, I think I am on the right track. :D

GOOD LUCK!


Tallgeese

Diamond Member
Feb 26, 2001
Agree with Poontos on what to do. Here's some further explanation:

Any server that uses DHCP to receive its addressing info runs the risk of becoming a "moving" target. Since servers need to be known to clients at all times, consistency is the key to good network performance. A server should not use DHCP to receive its addressing info. Some of your delay could be your clients broadcasting to find your server, especially if your school's Resnet is set for high address turnover (to discourage folks from running public servers).

It's highly important for you to learn the difference between internal DNS and external DNS if you are pursuing a career in networking. The idea of public and private, as it relates to networks and IP addresses is also a good topic to study.

Because of this public/private issue, a firewall is also very important. It doesn't matter if your school's Resnet has a firewall or not, you need to protect your own machines from unauthorized use by other students who have access to Resnet just like you.

My suggestion:
* Purchase a SOHO router/firewall box (or build a free Linux based firewall, your choice)
* Attach the public (WAN) side of the firewall to your Resnet connection
* Attach the private (LAN) side of the firewall to your machines.
* Assign a static private IP address to your DC.
* Set DNS servers as follows on your DC: itself, Resnet DNS1, Resnet DNS2 (DNS servers are checked in order).
* Use either statically or dynamically assigned private addresses for your workstations. DNS servers should be set as listed in previous step.

BTW: The error logs on your server and workstations will probably show the error, especially if it involves AD.

jazzman42379

Member
Jun 18, 2001
Thanx for all the help everyone. I eventually solved the problem by manually setting the DNS servers on the workstations to look at the DC server first, and then the 2 resnet DNS servers. Now all is well and loads quite nicely, roaming profiles and all!

Great suggestions! I definitely need to learn more about DNS. When I started up AD, I pretty much used the defaults provided in the wizard. When I was looking for problems last night, I didn't even want to mess with anything until I understood it more.

Eventually, when funds are better, I do want to get a firewall/router to isolate my little network, and make it easier to move to an off-campus DSL connection next year. Right now, though, I'm stuck just using my little hub and resnet. But now all seems to be working.

Thanx again, everyone!
Jazzman

Shadow07

Golden Member
Oct 3, 2000
I agree. You need to learn more about how DNS plays its role within AD.

"* Set DNS servers as follows on your DC: itself, Resnet DNS1, Resnet DNS2 (DNS servers are checked in order)."

I don't really agree with this. I would set the DNS servers on the local DC as follows:

PRIMARY: localdc
SECONDARY: localdc

Then, within the DNS MMC, I would enable DNS Forwarding, and enter in RESNET DNS1 and RESNET DNS2 here.

Make sure that you are not using a domain name that can and is in use on the Internet, as this will cause problems if you want to visit that site, or send an email to that domain.

Also, just an FYI. If you rebuild your AD domain and have it disconnected from the Internet, or if you specify the server you are running DCPROMO on as the DNS server in the local TCP/IP settings, you will notice a "." in the DNS MMC. Once you have your DC connected to the local network, and you provide a means of Internet access, you will need to delete the "." from the DNS MMC. Otherwise, you will not resolve any FQDN locally, except your local domain.

Tallgeese

Diamond Member
Feb 26, 2001
Originally posted by: Shadow07
> "* Set DNS servers as follows on your DC: itself, Resnet DNS1, Resnet DNS2 (DNS servers are checked in order)."
>
> I don't really agree with this. I would set the DNS servers on the local DC as follows:
>
> PRIMARY: localdc
> SECONDARY: localdc
>
> Then, within the DNS MMC, I would enable DNS Forwarding, and enter in RESNET DNS1 and RESNET DNS2 here.

corrected. Don't know what I was thinkin on that one. Still should use that for client settings tho.

> Make sure that you are not using a domain name that can and is in use on the Internet, as this will cause problems if you want to visit that site, or send an email to that domain.

good point

> Also, just an FYI. If you rebuild your AD domain and have it disconnected from the Internet, or if you specify the server you are running DCPROMO on as the DNS server in the local TCP/IP settings, you will notice a "." in the DNS MMC. Once you have your DC connected to the local network, and you provide a means of Internet access, you will need to delete the "." from the DNS MMC. Otherwise, you will not resolve any FQDN locally, except your local domain.

Even better point. Have seen that on more client setups (ones we've inherited from other consultants) than I care to think about.

Still, I'm betting that a good bit of the acronyms you've quoted (especially FQDN) are like Greek to jazzman right now.

Woodie

Platinum Member
Mar 27, 2001
Wow, Jazzman got some real heavies in here. :)

As encouragement, I've installed W2K DNS at least 4 times for just 2 (small isolated) networks.:eek: My efficiency is going up though, I haven't had to reinstall/rebuild in at least 4 months. ;)

spidey07

No Lifer
Aug 4, 2000
I'm just a plumber but...

Fully Qualified Domain Name - entire host name like www.anandtech.com or toby.subdomain.myplace.com

Domain Controller PROMOte - app used to promote 2000 servers to a different role.

Also - Does Contain Problems Related tO Microsoft Only.:D

Tallgeese

Diamond Member
Feb 26, 2001
Originally posted by: spidey07
> I'm just a plumber but...

which is a bit like Michelangelo saying "I'm just a painter but...."

> Domain Controller PROMOte - app used to promote 2000 servers to a different role.

Domain Controller PROMOte - app used to promote/demote/remove DC roles of 2000 servers.

> Also - Does Contain Problems Related tO Microsoft Only.:D

That's a given when talking about M$ products. :p

jazzman42379

Member
Jun 18, 2001
> Make sure that you are not using a domain name that can and is in use on the Internet, as this will cause problems if you want to visit that site, or send an email to that domain.

Isn't that what the domain is? I have the domain www.mydomain.com. That's what I set the domain to be....mydomain.com. And the computers in it are computername.mydomain.com. Is this wrong? What do you use as the domain name? I know it asked for both the domain name (mydomain.com) and what to call it (DOMAIN\login....). What should it be for a domain and why don't you name the domain controller after the domain?

I'll have to try hitting my web site when I get home....

Thanx yet again for the info,
Jazzman

Woodie

Platinum Member
Mar 27, 2001
There are 2 "domain" names:
MyDomain.com, which must be registered (ICANN or whomever), which is a TCP/IP domain name.
MYDOMAIN\ which supports legacy devices w/ an NT domain structure.

Thus, domain userids in W2K can take the form: MYDOMAIN\userone (NT) or userone@mydomain.com (TCP/IP).

Naming the domain controller (which is really a host) the same name as the domain name would produce a Fully Qualified name of: mydomain.mydomain.com, which is confusing. Also, take this example: We have more than 100 domain controllers, so your naming convention wouldn't work.

There are some common host-names:
ns1(.mydomain.com) is often the primary DNS server.
mail(.mydomain.com) is often the primary POP3 or SMTP server.
ftp(.mydomain.com) is often the ftp server.
etc...

Shadow07

Golden Member
Oct 3, 2000
Ok. To explain this whole "AD and DNS thinggy":


Active Directory uses DNS namespace for naming convention, and to store what is called SRV (or SERVICE) records. Are you familiar with what an A record is? An A record is a type of DNS record that stores a host's name. Now, this is not to get confused with a NetBIOS host name. But, it is at the same time (only with Windows 2000/XP). (yes, I love adding more confusion!) With Windows 2000/XP, it still has support for lower-level Windows clients, thus this is why you still need to give the domain name a NetBIOS name. In this case, with Active Directory, a DNS A record IS the hostname, whereas on the Internet an A record just represents a host, and is not necessarily the actual computer name (though, in the *NIX world it is, but let's just stay in the MS world for a few minutes).

If you create an Active Directory forest (or tree), you need to give it a DNS name. This name can be a registered domain name from Internic, or it can be a bogus DNS name. Take for instance. You would not want to use INTERNIC.NET as your AD DNS domain name, unless you were really INTERNIC.NET. Now, this will not cause problems with INTERNIC, but only if you were wanting to visit their website, or send an email to them.

By a bogus DNS name I mean use DOMAIN.TLD, or MYTESTDOMAIN.TLD, or something like that. Or you can use TESTDOMAIN.DOMAIN.

Man, have I confused myself or what?!?!?!?!

If this does not make sense, let me know as I will try to pull my head and foot out of my a$$! :)

Poontos

Platinum Member
Mar 9, 2000
Summarization:

AD = Active Directory

FQDN = Fully Qualified Domain Name (IS www.anandtech.com, but NOT myntdomain.local, or testdomain.teeto) are registered through an accredited domain name registrar (www.netsol.com for e.g.).

DCPROMO = c/o TallGeese "Domain Controller PROMOte - app used to promote/demote/remove DC roles of 2000 servers." In fact, type in dcpromo (at the command line) /? and play around, even type in dcpromo and see what magic window pops up!

-DNS is key for everything that you use on the Internet, and coincidentally for MS Active Directory as well. :)

-The servers (or any server really for that matter) running AD should have static/"hardcoded" IP information (DNS, next Gateway, IP, etc.). E.g. Do not have the server grab IP information via DHCP. The only place DHCP should be involved is serving out IP info to clients on the network, that need to connect to the server, etc. E.g. You can setup Win2K server as a DHCP server (play around with it, it is pretty straightforward).

-Client computers, if there are a few, static IP info will do just fine. In bigger networks, having them (not servers) grab their IP information from a DHCP server is ideal.

-Patch up your Win2K server. Download one of the hotfix checkers from MS. :D

-Labmice.net (Labmice.net) is an excellent resource to expand on some of the stuff mentioned in here and other key "stuff", plus I think there are a few books out there, but books can suck, so I will not bug you about them. :D


Good luck!

Saltin

Platinum Member
Jul 21, 2001
> Thanx for all the help everyone. I eventually solved the problem by manually setting the DNS servers on the workstations to look at the DC server first, and then the 2 resnet DNS servers

Did you know if a workstation tries to access the first DNS server in its settings (the primary) and the primary fails to resolve the name, the workstation does not attempt to contact its secondary DNS? It just fails.

The only time a workstation attempts to contact its secondary DNS is if the first is unavailable.

Some nice pointers in here. I noticed no one has mentioned what I consider to be the real "secret" of WIN2k DNS. It's what I like to call "The Four Folders". Without them, you're still going to have a slow, improperly configured DNS.
These folders contain the SRV records for the DC. Things like Kerberos (logon), LDAP (Active Directory), Global Catalog, etc. They are automatically created underneath your primary lookup zone if you have things set up properly. They indicate a properly configured DNS.
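Saltin's "four folders" hold the SRV records Shadow07 described earlier, and the quickest way to confirm that a DNS server actually serves them (and that a Resnet-style resolver does not) is to ask it directly. The script below is an added example, not code from the thread: it builds the AD locator SRV queries with Python's standard library only and reports, per record, whether the server answers, returns a name error, or times out. The domain name and DNS server address are assumed to be given on the command line.

```python
import socket
import struct
import sys

# AD locator (SRV) records a client asks for at logon; the DC registers them under the zone's _msdcs/_tcp folders.
AD_SRV_NAMES = ("_ldap._tcp.dc._msdcs.{d}", "_kerberos._tcp.dc._msdcs.{d}",
                "_ldap._tcp.{d}", "_kerberos._tcp.{d}", "_gc._tcp.{d}")
SRV_TYPE, IN_CLASS = 33, 1

def encode_name(name):
    # Wire-format a dotted name: length-prefixed labels plus a zero terminator.
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_srv_query(name, txid=0x1234):
    # 12-byte header (RD=1, one question) followed by a SRV/IN question.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", SRV_TYPE, IN_CLASS)

def read_name(pkt, off):
    # Decode a possibly compressed name; return (name, offset just past it).
    labels, end = [], None
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                       # RFC 1035 compression pointer
            end = end or off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            return ".".join(labels), (end or off)
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln

def parse_srv_answers(pkt):
    # Return (rcode, [(priority, weight, port, target), ...]); rcode 3 is NXDOMAIN.
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):                             # skip the echoed question
        _, off = read_name(pkt, off)
        off += 4                                    # qtype + qclass
    answers = []
    for _ in range(an):
        _, off = read_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == SRV_TYPE:
            prio, weight, port = struct.unpack("!HHH", pkt[off:off + 6])
            answers.append((prio, weight, port, read_name(pkt, off + 6)[0]))
        off += rdlen
    return flags & 0x000F, answers

def query_srv(server, name, timeout=3.0):
    # One UDP query; (None, []) on no reply. As Saltin notes, the client only fails over on no reply, not on rcode 3.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_srv_query(name), (server, 53))
        try:
            return parse_srv_answers(s.recv(4096))
        except socket.timeout:
            return None, []

if __name__ == "__main__":                          # python ad_srv_check.py mydomain.com 10.0.0.5
    for tmpl in AD_SRV_NAMES:
        rcode, answers = query_srv(sys.argv[2], tmpl.format(d=sys.argv[1]))
        print(tmpl.format(d=sys.argv[1]), "TIMEOUT" if rcode is None else "rcode=%d" % rcode, [a[3] for a in answers])
```

Run it once against the DC and once against a Resnet DNS server: the DC should return a target for every name, while the outside resolver returns rcode 3 for all of them, which is exactly the lookup a client listing the outside resolver first gets stuck on.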