Re: Win2k3 and Slow Logons

From: Herb Martin (news_at_LearnQuick.com)
Date: 12/07/04

    Date: Tue, 7 Dec 2004 02:12:57 -0600
    
    

    <anonymous@discussions.microsoft.com> wrote in message
    news:185501c4dbca$f2169720$a301280a@phx.gbl...
    > Ok, I have taken some screenshots of various things
    > concerning my issue. Hopefully you guys can figure out my
    > problem with these. I have shots of the TCP/IP properties,
    > various DNS settings from the server and my router set up.
    > If you guys feel you need anymore, please let me know.
    >
    > You can browse the index of pics here:
    >
    > http://www.thevoiceless.net/dns/
    >

    This setup will not work correctly and reliably for you.

    This type of router cannot really work for AD clients and
    servers, ever. It can be the forwarder (which you have set)
    for internal DNS servers, but it must NOT be listed on any
    DNS clients, including DCs and other servers, NIC-IP
    settings (as you have it.)

    First, to the router: you need a router which can be a
    secondary -- this one (probably) does not do that from
    what I can see.

    If it could function as a Secondary DNS server this could
    work by making it a secondary to your internal AD DNS
    zone/domain, e.g., yourcompany.com.

    As it must not be listed on the IP properties of any machine
    you must change (at least) two things:

        1) On the DC (and any other manual IP assignment), you
            must remove it from the NIC->IP client DNS settings.
            The DC must ONLY specify itself or other internal
            DNS servers.

        2) Since it is being used as your DHCP server to hand out
            IP addresses and configuration, it must NOT list itself
            in the setup it gives to clients, but rather list ONLY the
            INTERNAL DNS servers that know about your internal
            Domain/zone.

    The problem is that any client that uses this router directly
    will know nothing about the internal DNS names you need to
    resolve -- and to register, even your DC is set (incorrectly)
    this way and will not register itself with the internal DNS
    server domain/zone.

    Even trying to specify both an internal and this (external)
    router-DNS server will NOT work reliably.

    You must either install another DNS server internally
    or do without fault tolerance when the DC is down.

    There are DNS servers that can run on workstations if
    cost is an issue.

    Otherwise, you must manually make such changes if you
    only have one or two machines and want DNS to work
    when the DC-DNS server is down for more than a few
    minutes.

    -- 
    Herb Martin
    >
    > >-----Original Message-----
    > ><anonymous@discussions.microsoft.com> wrote in message
    > >news:15a101c4db72$3616b8f0$a301280a@phx.gbl...
    > >> Well I am going to need some help again, because the
    > >> problem is back. It was only good for a few logins on my
    > >> main workstation and not on the others which have the same
    > >> settings.
    > >>
    > >> You guys are using some big terms which I am not quite
    > >> understanding.
    > >
    > >Then pull out each term and ask for a definition (or Google it
    > >if you are in a hurry.)
    > >
    > >Chances are it is not because they are "big" but rather they
    > >are being used for their technical accuracy.
    > >
    > >DNS isn't really very hard, at least not the basics, but
    > >using the terminology correctly can make it much easier to
    > >understand and to follow directions for design and repair
    > >when it doesn't work.
    > >
    > >> I get what you mean by using the router as a
    > >> backup
    > >
    > >That's mostly optional but you cannot do this if
    > >you don't put a copy of the zone on the router.
    > >
    > >All DNS servers used by the clients directly must
    > >be able to return the same answers -- clients assume
    > >that all DNS servers will return the same, correct
    > >answers.
    > >
    > >(Clients don't try a different DNS server if they get
    > >a wrong, or even a negative answer.)
    > >
    > >> and setting it up so the DC never really touches the
    > >> net.
    > >
    > >That's mostly for security (of the DC) and also for
    > >efficiency in some cases.
    > >
    > >> I do not know how to go about setting this up though.
    > >
    > >On each DNS server in Windows, right click for the Property
    > >sheet and pick Forwarding:  set the external (or router)
    > >DNS as the forwarder for your internal machine.
    > >
    > >For non-Windows there is something similar in the config.
    > >
    > >> It is the problem every time, I am not as savvy in a server
    > >> environment as I am in a workstation environment. This is
    > >> the first server I have maintained.
    > >
    > >My guess is that your router is not holding a copy of the
    > >zone -- this will mean that when clients switch over to
    > >using the router-DNS they will be unable to resolve
    > >internal names.
    > >
    > >This is incorrect -- either set up the forwarding on the
    > >main server OR take the router out of the listings.
    > >
    > >You are likely going to need the Forwarding setup.
    > >
    > >
    > >-- 
    > >Herb Martin
    > >
    > >
    > >> >-----Original Message-----
    > >> >"Daniel" <anonymous@discussions.microsoft.com> wrote in message
    > >> >news:156801c4dabc$c9949040$a401280a@phx.gbl...
    > >> >> I set things up the way you said to and it works. Putting
    > >> >> the router as a secondary DNS server and putting it into
    > >> >> the forward zone made things much faster. Thank you very
    > >> >> much for your suggestions.
    > >> >>
    > >> >
    > >> >Do you mean you have the router holding a copy of the
    > >> >forward zone for your internal network, e.g., as a Secondary
    > >> >for that zone?
    > >> >
    > >> >If so, that is fine and a good method (as Ulf said) for when
    > >> >your DC or other main DNS is down (even being rebooted).
    > >> >
    > >> >It is NOT a good method if it doesn't hold that zone. While
    > >> >it is true that with the (sole) DC down there is no
    > >> >authentication anyway, you cannot absolutely depend on the
    > >> >"Primary" DNS server (on the client settings) to be used in
    > >> >favor of the "Alternate".
    > >> >
    > >> >Make sure your client machines, including the DCs and DNS
    > >> >servers themselves as DNS clients, ALL use ONLY the
    > >> >DNS servers which can resolve the full internal domain or
    > >> >set of domains.
    > >> >
    > >> >In most cases you should:
    > >> >Forward the DNS-DC to the router DNS, and have it do
    > >> >the public resolution through physical recursion or in
    > >> >most cases have it also forward to the ISP.
    > >> >
    > >> >This way your internal, sensitive DC never visits the big,
    > >> >bad world of the Internet.
    > >> >
    > >> >-- 
    > >> >Herb Martin
    > >> >
    > >> >
    > >> >> >-----Original Message-----
    > >> >> >"Daniel" <daniel1213@msn.com> wrote in message
    > >> >> >news:daniel1213@msn.com:
    > >> >> >> I am trying to set up a domain on a Win2k3 box at home to
    > >> >> >> automate the tasks of the 8 computers in my house. I can
    > >> >> >> get all the computers added to the domain without a
    > >> >> >> problem. My problem is, they all log in VERY slowly. It
    > >> >> >> will sit on 'Loading personal settings' for a few minutes.
    > >> >> >> I know this is a DNS issue and I have read a lot on this,
    > >> >> >> but I still can not get it to work, so I am here.
    > >> >> >>
    > >> >> >> The set up goes like this: The cable modem connects to the
    > >> >> >> linksys router, which connects to my switch and then all
    > >> >> >> computers are connected to the switch. I let the router
    > >> >> >> handle DHCP (all computers have a static IP though). The
    > >> >> >> DNS settings on the client machines are all set to the DC
    > >> >> >> IP as well. Do I need to setup DNS info in the router since
    > >> >> >> it is acting as the DHCP server?
    > >> >> >>
    > >> >> >> I am willing to try some more walk throughs, but would
    > >> >> >> really like some remote connection help. I am hitting my
    > >> >> >> head on the desk here, it is annoying.
    > >> >> >>
    > >> >> >>
    > >> >> >> PS: Sometimes, I can not log into the domain on my main
    > >> >> >> workstation, it says my u/p is not correct. Then I try the
    > >> >> >> same u/p on my laptop and it works fine. It is bothering me
    > >> >> >> much, just another issue.
    > >> >> >
    > >> >> >Hello Daniel,
    > >> >> >
    > >> >> >DNS should be configured that your clients and your DC are
    > >> >> >using the DC as DNS-Server, the DNS-Server on the DC should be
    > >> >> >configured to forward to the linksys-router (to enable all
    > >> >> >computers resolving external computers). You configure that in
    > >> >> >the DNS Management console on the properties of the computer
    > >> >> >(Forwarders-Tab).
    > >> >> >
    > >> >> >If you sometimes don't run your DC you could also put in the
    > >> >> >linksys-router as secondary DNS-Server on all machines.
    > >> >> >
    > >> >> >And make sure that the DC is working correctly, there might be
    > >> >> >issues in DNS there. Just run dcpromo /v out of the support
    > >> >> >tools and parse the output for failed stuff.
    > >> >> >
    > >> >> >-- 
    > >> >> >Gruesse - Sincerely,
    > >> >> >
    > >> >> >Ulf B. Simon-Weidner
    > >> >> >
    > >> >> >  MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
    > >> >> >  Weblog: http://msmvps.org/UlfBSimonWeidner
    > >> >> >  WebSite: http://www.windowsserverfaq.org
    > >> >> >.
    > >> >> >
    > >> >
    > >> >
    > >> >.
    > >> >
    > >
    > >
    > >.
    > >
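
The rule stated in the message above (every DNS client, DCs included, lists ONLY internal DNS servers that hold the AD zone, and the router appears only as a forwarder) can be checked mechanically. The following is an added example, not part of the original thread: it parses `ipconfig /all` output and reports adapters that list any other DNS server. The sample output, the addresses (192.168.1.10 as the DC, 192.168.1.1 as the router) and the function names are constructed assumptions, and only IPv4 server lists are handled.

```python
import re

# Constructed sample of `ipconfig /all` output (not from the thread's screenshots).
# Assumed addressing: 192.168.1.10 = DC running DNS, 192.168.1.1 = router.
SAMPLE = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   IP Address. . . . . . . . . . . . : 192.168.1.10
   DNS Servers . . . . . . . . . . . : 192.168.1.10
                                       192.168.1.1

Ethernet adapter Wireless:

   IP Address. . . . . . . . . . . . : 192.168.1.23
   DNS Servers . . . . . . . . . . . : 192.168.1.10
"""

ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")
FIELD_RE = re.compile(r"^\s+([^:]+?)[ .]*:\s*(.*)$")

def dns_servers_by_adapter(text):
    """Map each adapter heading to the DNS servers listed under it."""
    result, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        heading = ADAPTER_RE.match(line)
        if heading:
            adapter, in_dns = heading.group(1), False
            result[adapter] = []
        elif adapter is None or not line.strip():
            in_dns = False
        elif (field := FIELD_RE.match(line)):
            in_dns = field.group(1) == "DNS Servers"
            if in_dns and field.group(2).strip():
                result[adapter].append(field.group(2).strip())
        elif in_dns:
            # Additional servers appear on unlabeled continuation lines.
            result[adapter].append(line.strip())
    return result

def misconfigured(text, internal_dns):
    """Return {adapter: [servers outside internal_dns]} for violating adapters."""
    bad = {}
    for adapter, servers in dns_servers_by_adapter(text).items():
        extra = [s for s in servers if s not in internal_dns]
        if extra:
            bad[adapter] = extra
    return bad
```

Calling `misconfigured(SAMPLE, {"192.168.1.10"})` reports the first adapter because it also lists the router; an empty result means every adapter points only at the internal DNS servers.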
    
