RE: Slow user logon on Terminal server after migration to Windows 2003
- From: "Chris Rutledge" <ChrisRutledge@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 29 Jul 2005 01:24:01 -0700
Hey SP, we have a ton of variables to look at here. There may be too many to
point definitively to one solution, but here are some troubleshooting paths
to look down. I hope it helps.
Based on your problem description and the error messages from the NT4
domain's Terminal Servers, I assume:
The Terminal Servers are 2000 or 2003.
LMHosts files are being used on the NT4 PDC and the 2003 PDCe for the trust.
When you say the user/groups were migrated with their NT4 Domain SIDs you
are referring to SIDHistory being preserved with the migration tool.
"Inside the firewall zone" means that the Citrix Servers have a firewall
facing them and it is between them and the 2K3 AD forest.
Possibilities:
135 RPC
137 NetBIOS Name
139 NetBIOS Session
445 SMB
1025 An Ephemeral RPC port?
No mention of whether or not ICMP is being blocked. AD needs ICMP enabled
in order to properly process Group Policies.
Also, I wonder if the slowness of application launch is the lack of
available RPC ports?
How to configure a firewall for domains and trusts
http://support.microsoft.com/kb/179442/
Network Address Translators (NATs) can block Netlogon traffic
http://support.microsoft.com/kb/172227/
How to configure RPC dynamic port allocation to work with firewalls
http://support.microsoft.com/kb/154596/
The downside to all of this is that by the time you open all of the
necessary ports, you have so many holes in the firewall it may as well not be
there.
The upside! Pretty much all the better enterprise level firewall devices
that I know of can be configured to allow VPN tunnels. You then only need
PPTP port TCP/1723 and IP PROTOCOL 47 (GRE).
A great resource for resolving issues with this type of environment:
Active Directory in Networks Segmented by Firewalls
http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&displaylang=en
That really only addresses the slow application load, and the domain
connection errors you see on the TS's. Also, if I remember correctly, 0x0
means success, or 'no error'. Are you sure about that error code? I would
have expected a 5, 1355, or something relating to failed DC resolution.
As to the other two errors regarding loopback policy processing: now that I
think more about it, this is loosely related to the firewall as well.
Since you have not enabled cross-forest group policy processing and you have
loopback on the Terminal Servers to overwrite the GPOs applied to the users'
accounts with the ones specifically applied to the machines, those error
messages would be expected.
You can get around all this so long as your DCs, TSs and clients are at
least 2K SP4 and/or XP SP2, and you can actually see where this failure is
occurring by running simultaneous Netmon traces from both the
Terminal Server and the AD Domain Controllers.
Oddly enough, running a VPN connection through the firewall might solve this
problem as well.
"Loopback-Replace does not work in cross forest environment"
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/5bc451ca-3b65-4b7c-9f09-fc528e52007b.mspx
In place of running the Netmon traces from both ends, another quick way to
check would be to use PortQryUI from the TS and the DC. Run the
Domains and Trusts test and look for ports marked 'NOT LISTENING'. PortQryUI will also
query the remote server's RPC database in this test, which will show the list
of ephemeral ports (1024-65535) that it is using.
"PortQryUI - User Interface for the PortQry Command Line Port Scanner"
http://www.microsoft.com/downloads/details.aspx?FamilyID=8355e537-1ea6-4569-aabb-f248f4bd91d0&DisplayLang=en
Hopefully all this will help. Seriously consider using a VPN tunnel to
resolve these issues. It may very well be the simplest answer. Let me know
how it goes.
Thanks!
Chris Rutledge
"SP" wrote:
> Current Scenario
> NT4.0 Domain.
> Citrix Server farm inside the Firewall zone. All the Citrix servers are members
> of the NT4.0 Domain.
>
> Windows 2003 Migration Scenario.
> 1. Wanted a phased migration approach. So brought up a new Windows 2003 domain.
>
> 2. Brought up a new Windows 2003 Domain, with Root and child domain. Kept the
> root domain empty. The Child is the Active domain. The Child domain has 3
> Domain controllers. All the Domain controllers have been configured as the
> new DNS servers for the Active Directory. Raised the Forest and Domain
> Functionality level to Windows 2003.
>
> 3. Established trust between the old NT4.0 Domain and the new Windows 2003
> AD domain.
>
> 4. Successfully migrated select users/groups to the new domain with OLD
> user/group SIDs. The select users/groups/computers have all been successfully
> migrated to the new domain. They can access their old shares/printers/profiles
> without any problem.
>
> Issues:
>
> The same users who have been migrated have their Citrix Profiles mapped. The
> Citrix servers are inside the Firewall zone. The Applications in Citrix are
> remapped to the migrated user in the new domain. The necessary ports
> 135, 137, 139, 445, 1025 have been opened from the Citrix servers to the new
> domain controllers (remember the Citrix servers are not yet migrated to the
> new domain, they are still a part of the old domain). The issue is the users
> take an extraordinarily long time to open their applications inside Citrix.
>
> Below are some of the errors that I see in the Citrix servers.
>
> "Windows cannot connect to domain xyz.com.com with (0x0). "
>
> "The logged on user's forest is different from the machine's forest. Cross
> Forest Group Policy processing is disabled and loopback processing has been
> enforced in this forest for this user account. "
>
> "Windows cannot do loopback processing when the computer is joined to a
> downlevel domain or is a member of a workgroup. Loopback processing will be
> disabled. "
>
> Please help!
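A scripted version of the reachability check Chris recommends above (ICMP plus the TCP ports the thread lists, with LDAP and Kerberos added since the DCs are 2003), to run from a Citrix/Terminal Server against the new forest's DCs. This is an added example, not code from the thread; the DC names are placeholders and the RPC/NetBIOS UDP checks are left to portqry as noted in the comments.

```powershell
# Added example (not from the thread): probe the new-forest DCs from a Terminal Server
# for ICMP echo and the TCP ports needed for the trust, and report what a firewall drops.
# Assumption: the DC names below are placeholders; replace them with the real child-domain DCs.
$DomainControllers = @('dc1.child.example.local', 'dc2.child.example.local')
$Ports = [ordered]@{
    135 = 'RPC endpoint mapper'
    139 = 'NetBIOS session'
    445 = 'SMB'
    389 = 'LDAP'
    88  = 'Kerberos'
}
$TimeoutMs = 3000

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$Timeout)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No answer at all within the timeout usually means a firewall is silently dropping it
        if (-not $async.AsyncWaitHandle.WaitOne($Timeout, $false)) { return 'FILTERED (timeout)' }
        $client.EndConnect($async)
        return 'LISTENING'
    } catch {
        # An active refusal means the packet got through but nothing is listening there
        return 'NOT LISTENING'
    } finally {
        $client.Close()
    }
}

foreach ($dc in $DomainControllers) {
    # Group Policy processing needs ICMP; a blocked echo is a finding on its own
    $icmp = if (Test-Connection -ComputerName $dc -Count 1 -Quiet) { 'OK' } else { 'BLOCKED' }
    '{0,-30} ICMP echo: {1}' -f $dc, $icmp
    foreach ($p in $Ports.Keys) {
        '{0,-30} TCP/{1,-5} {2,-22} {3}' -f $dc, $p, $Ports[$p], (Test-TcpPort $dc $p $TimeoutMs)
    }
}
# UDP 137/138 (NetBIOS name/datagram) cannot be probed with a TCP connect; use
#   portqry -n <dc> -p udp -e 137
# and to list the dynamic RPC ports the endpoint mapper hands out (which must also
# pass the firewall, see KB 154596 above):
#   portqry -n <dc> -e 135
```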