Windows 2008 DC in Windows 2003 domain = slow logons, warning long story
- From: "Old Rookie" <somewhere@xxxxxxxxxxxxx>
- Date: Mon, 21 Sep 2009 21:44:45 -0500
I was helping a coworker with a client of his to replace an aging Dell
PE1600SC running Windows 2003 Standard SP1 with a new Dell PE running
Windows 2008 Standard SP1 64 bit with dual Intel Quad Core processors, 6G of
RAM, and two SAS RAID arrays - RAID1 system and RAID5 for data. New and old
server are domain controllers and only servers on the network that consists
of about a dozen workstations and laptops running XP Pro SP3. Objective is
to add new server to domain and dcpromo it to domain controller. Move needed
data files over to shares, etc. When all is well dcpromo to demote old
server/domain controller and remove from network. Server is used as file
server and for QuickBooks Enterprise database.

Started by adprep on old Windows 2003 server (named Apollo1) and then
dcpromo new Windows 2008 server (named dc-1) to the domain named
apollo.cyberbond.com. All that went well and Active Directory seemed to
replicate just fine. Created test users and GPOs on new server and they
showed up on old server. Deleted them on old server and then showed as
deleted on new server.

After that pointed new server running Windows 2008 only to itself as DNS
server, disabled DHCP on old server, and configured DHCP on new server. DHCP
scope options have ONLY new domain controller IP as WINS and DNS server.
Moved 5 FSMO roles to new server and verified it was a global catalog server
as the old server was. Made sure both servers were in the only subnet in the
only site. Moved all data/shares/printers over to new server and then took
old server off the network by unplugging the network cable. Disabled the
Windows Firewall on the new Windows 2008 server. Did not want to dcpromo to
demote the old server/domain controller to make sure we had a fallback plan
"just in case".

While everything was working after that, including joining some new computers
to the domain, most if not all computers were VERY slow logging onto their
domain accounts, taking from 2 to 8 minutes for the desktop to show after
logon. Scratching our heads trying to figure out what was going on, I finally
decided to plug the old server/domain controller into the network and then
the domain users were able to logon almost immediately. Unplugged it and
slow logons again. Used netdiag to make sure domain computers had good
computer accounts, etc. and ran ipconfig /all on them to make sure they were
pointing only to new server/domain controller as WINS and DNS server. Also
found that even with the normal speed logons with the old server/domain
controller on the network, using the set command it showed that most of the
users were logged onto the new server/domain controller dc-1.

I have done similar installs before and can never remember such a problem
with unplugging a domain controller from the network when another one
existed and was running well. Maybe this has something to do with Windows
2008??

So I decided to open DNS and find all the SRV records for the old
server/domain controller and changed the priority to 10 from 0 and restarted
DNS on both servers. Tried that but did not seem to help. I double checked
the SRV records and lo and behold there were new identical SRV records for
the old server that had been created with priority back at 0.

There are a few warnings in the application log on the server that seem
unrelated and could not find anything in the application/system logs on the
domain member workstations that provided a clue as to why the logons take so
long when the old server/domain controller is off the network, though when I
get a chance I am going to try debug userenv logging.

Below are some settings and tests on the new server/domain controller. If
anyone has any thoughts on what to check for as to why SLOW logons happen
when only new server/domain controller is in the network it would be GREATLY
appreciated. Probably later this week we are going to dcpromo the old
server/domain controller and hopefully that will resolve the problem but I
still would like to try and fix the issue before then and feel more
comfortable doing the dcpromo.

I noticed sysvol failures in dcdiag logs but that may be due to the old
server/domain controller being offline for all night and most of the morning.
I did create test GPO and it did replicate with settings between servers.
There are only 2 non-default GPOs in AD with very few settings. Also not sure
about DNS failure due to server apollo1 not having A glue record. As far as
I can tell A record exists for it in the forward lookup zone.

Thanks for reading this!
Steve
********************************************************************************************
C:\Users\Administrator.APOLLO>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : dc-1
Primary Dns Suffix . . . . . . . : apollo.cyberbond.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : apollo.cyberbond.com
cyberbond.com
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom BCM5709C NetXtreme II GigE (NDIS VBD Client)
Physical Address. . . . . . . . . : 00-24-E8-79-B4-D3
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 172.16.2.5(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.2.2
DNS Servers . . . . . . . . . . . : 172.16.2.5
Primary WINS Server . . . . . . . : 172.16.2.5
NetBIOS over Tcpip. . . . . . . . : Enabled
C:\Users\Administrator.APOLLO>netdom query FSMO
Schema master dc-1.apollo.cyberbond.com
Domain naming master dc-1.apollo.cyberbond.com
PDC dc-1.apollo.cyberbond.com
RID pool manager dc-1.apollo.cyberbond.com
Infrastructure master dc-1.apollo.cyberbond.com
The command completed successfully.
C:\Users\Administrator.APOLLO>dsquery server -isgc
"CN=APOLLO1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=apollo,DC=cyberbond,DC=com"
"CN=DC-1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=apollo,DC=cyberbond,DC=com"
netsh dhcp server>show optionvalue
DHCP Standard Options :
General Option Values:
OptionId : 6 DNS server
Option Value:
Number of Option Elements = 1
Option Element Type = IPADDRESS
Option Element Value = 172.16.2.5
OptionId : 44 WINS server
Option Value:
Number of Option Elements = 1
Option Element Type = IPADDRESS
Option Element Value = 172.16.2.5
OptionId : 15 domain name
Option Value:
Number of Option Elements = 1
Option Element Type = STRING
Option Element Value = apollo.cyberbond.com
OptionId : 3 router
Option Value:
Number of Option Elements = 1
Option Element Type = IPADDRESS
Option Element Value = 172.16.2.2
Command completed successfully.
netsh dhcp server>
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = dc-1
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\DC-1
Starting test: Connectivity
......................... DC-1 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\DC-1
Starting test: Advertising
......................... DC-1 passed test Advertising
Starting test: FrsEvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... DC-1 passed test FrsEvent
Starting test: DFSREvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... DC-1 failed test DFSREvent
Starting test: SysVolCheck
......................... DC-1 passed test SysVolCheck
Starting test: KccEvent
......................... DC-1 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... DC-1 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... DC-1 passed test MachineAccount
Starting test: NCSecDesc
......................... DC-1 passed test NCSecDesc
Starting test: NetLogons
......................... DC-1 passed test NetLogons
Starting test: ObjectsReplicated
......................... DC-1 passed test ObjectsReplicated
Starting test: Replications
......................... DC-1 passed test Replications
Starting test: RidManager
......................... DC-1 passed test RidManager
Starting test: Services
......................... DC-1 passed test Services
Starting test: VerifyReferences
......................... DC-1 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : apollo
Starting test: CheckSDRefDom
......................... apollo passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... apollo passed test CrossRefValidation
Running enterprise tests on : apollo.cyberbond.com
Starting test: LocatorCheck
......................... apollo.cyberbond.com passed test LocatorCheck
Starting test: Intersite
......................... apollo.cyberbond.com passed test Intersite
C:\Users\Administrator.APOLLO>
C:\Users\Administrator.APOLLO>dcdiag /test:dns
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = dc-1
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\DC-1
Starting test: Connectivity
......................... DC-1 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\DC-1
Starting test: DNS
DNS Tests are running and not hung. Please wait a few minutes...
......................... DC-1 passed test DNS
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : apollo
Running enterprise tests on : apollo.cyberbond.com
Starting test: DNS
Test results for domain controllers:
DC: dc-1.apollo.cyberbond.com
Domain: apollo.cyberbond.com
TEST: Delegations (Del)
Error: DNS server: apollo1.cyberbond1.com. IP:<Unavailable>
[Missing glue A record]
TEST: Dynamic update (Dyn)
Warning: Failed to delete the test record _dcdiag_test_record in zone apollo.cyberbond.com
Summary of DNS test results:
                Auth Basc Forw Del  Dyn  RReg Ext
_________________________________________________________________
Domain: apollo.cyberbond.com
dc-1            PASS PASS PASS FAIL WARN PASS n/a
......................... apollo.cyberbond.com failed test DNS
C:\Users\Administrator.APOLLO>