slow logon on windows 2000 domain

Recently we created a new win2000 server and made it the only domain controller. The existing clients were on NT4 domain server which had crashed. So overnight this W2k server was prepared and the clients were shifted onto the new domain. Since then, the clients take about 4-5 mins to reach the desktop after logon.
This delay is noticed only on clients with XP Prof. Not on W2K Prof.
The clients which had Adobe Pagemaker 6.5 installed in them, started giving registry error after being shifted to new 2000 Domain.
The server also has a Cable Internet connection with ISA server installed and running fine.
The groups created (in the Active Directory Users and Computers) have a global scope and 'security' as its type.
A group with 'Domain Local' Scope was created and a new user was made its member. No change. The client still took 4 mins to logon with that new user.

What can be done to speed up the logons?

Will be highly obliged for any help

Devendra

Hi Dev,

Sounds suspiciously like a DNS issue.

Ensure that all clients are pointing to internal DNS servers only. The only boxes that should be pointing to public DNS servers are the ISA and/ or the DNS servers (forwarders tab).

--
Paul Williams
http://www.msresource.net/
http://forums.msresource.net/

"Devendra Panchal" <deven***@tasaa.com> wrote in message news:OJ1V11nFFHA.2156@TK2MSFTNGP09.phx.gbl...

> Hello,
>
> Recently we created a new win2000 server and made it the only domain
> controller. The existing clients were on NT4 domain server which had
> crashed. So overnight this W2k server was prepared and the clients were
> shifted onto the new domain. Since then, the clients take about 4-5 mins
> to reach the desktop after logon.
> This delay is noticed only on clients with XP Prof. Not on W2K Prof.
> The clients which had Adobe Pagemaker 6.5 installed in them, started
> giving registry error after being shifted to new 2000 Domain.
> The server also has a Cable Internet connection with ISA server installed
> and running fine.
> The groups created (in the Active Directory Users and Computers) have a
> global scope and 'security' as its type.
> A group with 'Domain Local' Scope was created and a new user was made its
> member. No change. The client still took 4 mins to logon with that new
> user.
>
> What can be done to speed up the logons?
>
> Will be highly obliged for any help
>
> Devendra

"ptwilliams" <ptw2***@hotmail.com> said

> Hi Dev,
>
> Sounds suspiciously like a DNS issue.
>
> Ensure that all clients are pointing to internal DNS servers only. The
> only boxes that should be pointing to public DNS servers are the ISA
> and/ or the DNS servers (forwarders tab).

Is that correct for the ISA server?

I've always just pointed them at the AD DNS servers and let the DNS forwarding or root hints take over for external domain resolution. I was working under the assumption that ISA required access to the internal DNS servers to be able to authenticate users against DC's.

--
Andy.

The setups can vary. Personally, I've always configured it just like you've said -only configure internal DNS on the internal adapter; however, I've seen recommendations about making ISA a caching only DNS server (which means it points to itself and then either internally or externally depending on whether it's a domain member or stand-alone box).

Some of our ISA boxes are not domain members, they're simply stand-alone proxy servers; you can then chain these with internal fringe boxes, etc.

There's also many people out there who simply configure it wrong... <g>

"Andrew Mitchell" <amitch***@removecasey.vic.gov.au> wrote in message news:Xns96031EFB9D89AA12F32EDB83F@207.46.248.16...

> Is that correct for the ISA server?
>
> I've always just pointed them at the AD DNS servers and let the DNS
> forwarding or root hints take over for external domain resolution. I was
> working under the assumption that ISA required access to the internal DNS
> servers to be able to authenticate users against DC's.
>
> --
> Andy.

"ptwilliams" <ptw2***@hotmail.com> said

> The setups can vary. Personally, I've always configured it just like
> you've said -only configure internal DNS on the internal adapter;

I've mainly done it that way for simplicity of the firewall rules and to allow domain based user authentication on the proxy. The only box allowed out on ports 80 or 443 is the proxy and the only machines allowed out on port 53 are the DNS servers. Everything else either goes through the proxy for web, or uses the internal DNS servers which forward requests on their behalf.

> however, I've seen recommendations about making ISA a caching only DNS
> server (which means it points to itself and then either internally or
> externally depending on whether it's a domain member or stand-alone
> box).
>
> Some of our ISA boxes are not domain members, they're simply stand-alone
> proxy servers;

I hadn't thought that through properly. It makes absolute sense for reverse proxies - e.g. RPC over HTTP proxy server sitting in the DMZ. You want to keep as many ports between the DMZ and internal segments closed as possible so why would you want it pointed at an internal DNS?

> you can then chain these with internal fringe boxes, etc.
>
> There's also many people out there who simply configure it wrong... <g>

There's always that.........

--
Andy.

"Andrew Mitchell" <amitch***@removecasey.vic.gov.au> wrote in message news:Xns9603C5476590AA12F32EDB83F@207.46.248.16...

> "ptwilliams" <ptw2***@hotmail.com> said
>
> > The setups can vary. Personally, I've always configured it just like
> > you've said -only configure internal DNS on the internal adapter;

Right. As pt says you can do it many ways, but the most secure and least trouble with the firewall (and perhaps the best performance and least WAN traffic if you have multiple internal DNS servers) is to have the internal DNS servers forward strictly at the firewall/gateway/DMZ caching only DNS, and allow that firewall DNS to forward strictly to the ISP.

[This is not cool if the ISP is small and flaky, but with big ISPs 95% of all lookups will be in the caches due to other customers.]

This keeps DNS servers (which are frequently DCs) off the Internet -- and we don't even have to open the firewall between them and the firewall.

Our caching only DNS server only needs to activate DNS on the internal NIC (if it is a multi-homed machine itself) unless it is trying to provide external (Internet/public) resolution for our external resources (www, SMTP, etc.)

And generally for companies without a massive Internet presence they should put external/public DNS (back) at the Registrar.

[The registrars have multiple/fault tolerant/24-7/ crews for caring for DNS and give a web interface where one can manage one's own actual records which are small in number and seldom change for those on the Internet.]

The thing that many people mess up (to the point of it being the answer to many FAQs) is that they really must point all internal DNS clients STRICTLY to internal DNS servers.

And reminding everyone that DCs, and even DNS and other servers are ALSO DNS CLIENTS.

> > Some of our ISA boxes are not domain members, they're simply stand-alone
> > proxy servers;

In that case the ISA might or might not point to itself as a DNS client.

If the ISA is a domain member, then it is also an INTERNAL name client and needs to point not to itself (even though it is a caching only DNS server) but rather to the INTERNAL DNS servers.

Dear Mr. Williams

Let me profoundly thank you for your help.

Regards
Devendra Panchal

"ptwilliams" <ptw2***@hotmail.com> wrote in message news:%23S3QlEoFFHA.936@TK2MSFTNGP12.phx.gbl...

> Hi Dev,
>
> Sounds suspiciously like a DNS issue.
>
> Ensure that all clients are pointing to internal DNS servers only. The
> only boxes that should be pointing to public DNS servers are the ISA
> and/ or the DNS servers (forwarders tab).
>
> --
> Paul Williams
>
> http://www.msresource.net/
> http://forums.msresource.net/

No problem at all!!!

Glad to have helped ;-)

"Devendra Panchal" <deven***@tasaa.com> wrote in message news:emBkGtOGFHA.3492@TK2MSFTNGP12.phx.gbl...

> Dear Mr. Williams
>
> Let me profoundly thank you for your help.
>
> Regards
> Devendra Panchal
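The rule repeated through the thread (every internal DNS client, DCs and member servers included, points strictly at internal DNS servers) can be checked from collected `ipconfig /all` output. The following is an added example, not part of the original thread or written by any of its participants; the sample output, the addresses and the `INTERNAL_DNS` set are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample: `ipconfig /all` text from a hypothetical XP client whose
# adapter lists the internal DC first and an ISP resolver second.
SAMPLE_XP_CLIENT = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.0.21
        DNS Servers . . . . . . . . . . . : 192.168.0.10
                                            203.0.113.53
        Lease Obtained. . . . . . . . . . : (constructed)
"""

INTERNAL_DNS = {"192.168.0.10"}  # assumption: address of the internal AD DNS server
FIELD = re.compile(r"^\s+(?P<name>[^:]*?)[ .]*: ?(?P<value>.*)$")

def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def dns_servers_by_adapter(text):
    """Return {adapter heading: [DNS server IPs]} from `ipconfig /all` text."""
    result, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            adapter, in_dns = line.rstrip()[:-1], False  # new adapter section
            continue
        field = FIELD.match(line)
        if field:  # "Name . . . : value" starts a new field
            in_dns = field["name"].strip() == "DNS Servers"
            value = field["value"].strip()
        else:      # bare line: may continue a multi-valued field
            value = line.strip()
        if in_dns and adapter and is_ip(value):
            result.setdefault(adapter, []).append(value)
    return result

def non_internal_dns(text, internal_dns=INTERNAL_DNS):
    """List (adapter, server) pairs that violate 'internal DNS servers only'."""
    return [(adapter, server)
            for adapter, servers in dns_servers_by_adapter(text).items()
            for server in servers if server not in internal_dns]
```

A host that legitimately resolves externally, such as a stand-alone ISA proxy, would be audited with its own allowed set passed as `internal_dns`.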