RE: Slow user logon on Terminal server after migration to Windows
- From: "SP" <SP@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sun, 31 Jul 2005 21:37:01 -0700
Thanks mate. I added those dynamic ports and additional ports on my firewall
and it worked fine.
I have another issue.
The Citrix application clients used to get their roaming profiles from a
network shared server in the same firewall zone as that of the Citrix servers.
A migrated user does not seem to be getting access to his old profile.
Any clues, pal?
SP
"Chris Rutledge" wrote:
> Hey SP, we have a ton of variables to look at here. There may be too many to
> point definitively to one solution, but here are some troubleshooting paths
> to look down. I hope it helps.
>
>
> Based on your problem description and the error messages from the NT4
> domain's Terminal Servers, I assume:
>
> The Terminal Servers are 2000 or 2003.
>
> LMHosts files are being used on the NT4 PDC and the 2003 PDCe for the trust.
>
> When you say the user/groups were migrated with their NT4 Domain SID's you
> are referring to SIDHistory being preserved with the migration tool.
>
> "Inside the firewall zone" means that the Citrix Servers have a firewall
> facing them and it is between them and the 2K3 AD forest.
>
>
> Possibilities:
>
> 135 RPC
> 137 NetBIOS Name
> 139 NetBIOS Session
> 445 SMB
> 1025 An Ephemeral RPC port?
>
> No mention of whether or not ICMP is being blocked. AD needs ICMP enabled
> in order to properly process Group Policies.
> Also, I wonder if the slowness of application launch is the lack of
> available RPC ports?
>
> How to configure a firewall for domains and trusts
> http://support.microsoft.com/kb/179442/
>
> Network Address Translators (NATs) can block Netlogon traffic
> http://support.microsoft.com/kb/172227/
>
> How to configure RPC dynamic port allocation to work with firewalls
> http://support.microsoft.com/kb/154596/
>
> The downside to all of this is that by the time you open all of the
> necessary ports, you have so many holes in the firewall it may as well not be
> there.
> The upside! Pretty much all the better enterprise level firewall devices
> that I know of can be configured to allow VPN tunnels. You then only need
> PPTP port TCP/1723 and IP PROTOCOL 47 (GRE).
>
> A great resource for resolving issues with this type of environment:
>
> Active Directory in Networks Segmented by Firewalls
> http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&displaylang=en
>
> That really only addresses the slow application load, and the domain
> connection errors you see on the TS's. Also, if I remember correctly, 0x0
> means success, or 'no error'. Are you sure about that error code? I would
> have expected a 5, 1355, or something relating to failed DC resolution.
>
> As to the other two errors regarding loopback policy processing: now that I
> think more about it, this is loosely related to the firewall as well.
> Since you have not enabled cross-forest group policy processing and you have
> loopback on the Terminal Servers to overwrite the GPOs applied to the users'
> account with the ones specifically applied to the machines, those error
> messages would be expected.
>
> You can get around all this so long as your DCs, TSs and clients are at
> least 2K SP4 and/or XP SP2, and you can actually see where this failure is
> actually occurring by running simultaneous Netmon traces from both the
> Terminal Server and the AD Domain Controllers.
>
> Oddly enough, running a VPN connection through the firewall might solve this
> problem as well.
>
> "Loopback-Replace does not work in cross forest environment"
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/5bc451ca-3b65-4b7c-9f09-fc528e52007b.mspx
>
> In place of running the Netmon traces from both ends, another quick way to
> run a check would be to use PortQryUI from the TS and the DC. Run the
> Domains and Trusts test and look for ports 'NOT LISTENING'. PortQryUI will also
> query the remote server's RPC database in this test, which would show the list
> of ephemeral ports (1024-65535) that it is using.
>
> "PortQryUI - User Interface for the PortQry Command Line Port Scanner"
> http://www.microsoft.com/downloads/details.aspx?FamilyID=8355e537-1ea6-4569-aabb-f248f4bd91d0&DisplayLang=en
>
> Hopefully all this will help. Seriously consider using a VPN tunnel to
> resolve these issues. It may very well be the simplest answer. Let me know
> how it goes.
>
> Thanks!
>
> Chris Rutledge
>
>
> "SP" wrote:
>
> > Current scenario
> > NT4.0 domain.
> > Citrix server farm inside the firewall zone. All the Citrix servers are members
> > of the NT4.0 domain.
> >
> > Windows 2003 migration scenario.
> > 1. Wanted a phased migration approach, so brought up a new Windows 2003 domain.
> >
> > 2. Brought up a new Windows 2003 domain, with root and child domain. Kept the
> > root domain empty. The child is the active domain. The child domain has 3
> > domain controllers. All the domain controllers have been configured as the
> > new DNS servers for the Active Directory. Raised the forest and domain
> > functionality level to Windows 2003.
> >
> > 3. Established trust between the old NT4.0 domain and the new Windows 2003
> > AD domain.
> >
> > 4. Successfully migrated select users/groups to the new domain with old
> > user/group SIDs. The select users/groups/computers have all been successfully
> > migrated to the new domain. They can access their old shares/printers/profiles
> > without any problem.
> >
> > Issues:
> >
> > The same users who have been migrated have their Citrix profiles mapped. The
> > Citrix servers are inside the firewall zone. The applications in Citrix are
> > remapped to the migrated user in the new domain. The necessary ports
> > 135, 137, 139, 445, 1025 have been opened from the Citrix servers to the new
> > domain controllers (remember the Citrix servers are not yet migrated to the
> > new domain; they are still a part of the old domain). The issue is the users
> > take an extraordinarily long time to open their applications inside Citrix.
> >
> > Below are some of the errors that I see in the Citrix servers.
> >
> > "Windows cannot connect to domain xyz.com.com with (0x0). "
> >
> > "The logged on user's forest is different from the machine's forest. Cross
> > Forest Group Policy processing is disabled and loopback processing has been
> > enforced in this forest for this user account. "
> >
> > "Windows cannot do loopback processing when the computer is joined to a
> > downlevel domain or is a member of a workgroup. Loopback processing will be
> > disabled. "
> >
> > Please help!
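An added example, not part of the thread above: a PowerShell script that does the kind of check Chris describes with PortQryUI, run from a Citrix/Terminal Server against a DC, for the TCP ports the thread lists plus an RPC dynamic range and ICMP. The DC name and the dynamic port range are placeholders; set the range to whatever was configured per KB154596 (137 is UDP, so it is not covered by a TCP connect test).

```powershell
# Constructed example: confirm firewall rules between a Terminal Server and a DC.
# $Dc and the RPC dynamic range are assumptions; replace them with real values.
param(
    [string]$Dc = "dc1.child.example.com",     # placeholder DC name
    [int[]]$TcpPorts = @(135, 139, 445),       # ports named in the thread (137 is UDP)
    [int]$RpcDynamicStart = 5000,              # assumed range set via KB154596
    [int]$RpcDynamicEnd   = 5020,
    [int]$TimeoutMs = 2000
)

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            # No SYN/ACK and no RST within the timeout: typical of a firewall drop
            return "FILTERED (timeout)"
        }
        $client.EndConnect($ar)
        return "LISTENING"
    } catch {
        # Host answered but refused: reachable, nothing bound on that port
        return "NOT LISTENING (refused)"
    } finally {
        $client.Close()
    }
}

# ICMP echo: Group Policy processing expects ping to the DC to succeed
$icmp = Test-Connection -ComputerName $Dc -Count 2 -Quiet -ErrorAction SilentlyContinue
"{0,-12} {1}" -f "ICMP echo", $(if ($icmp) { "OK" } else { "BLOCKED" })

# Fixed ports first, then the RPC dynamic range the DC was told to use
foreach ($p in $TcpPorts + ($RpcDynamicStart..$RpcDynamicEnd)) {
    "{0,-12} {1}" -f "TCP/$p", (Test-TcpPort -Target $Dc -Port $p -TimeoutMs $TimeoutMs)
}
```

Any port reported FILTERED from the TS side but LISTENING when the same script is run on the DC itself points at the firewall rather than the server.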