when connected to a domain. takes forever to login

when connected to a domain. takes forever to login

Post by josh » Tue, 07 Sep 2004 07:53:51


We are in an education enviroment. we are testing windows
XP on minium requirement computers without SP2. We have
an active directory set up. and are connecting the winXP
machine to the domain. no we go to test it by first
loging in. but the login process takes a good 5 mins to
login where it really shouldnt take that long. It's only
pulling down at least half a meg of info , so really
shouldnt take that long to do. We currently use win2000
for workstations, these dont have a problem when loging
in. some feedback would be appreciated.
 
 
 

when connected to a domain. takes forever to login

Post by Richard G. » Tue, 07 Sep 2004 08:24:08

Sounds like you need to look at the DNS server settings on your XP
computers. They should be set to look at the DNS server for Active
Directory and no others.

--
Richard G. Harper [MVP Win9x] XXXX@XXXXX.COM
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* HELP us help YOU ... http://www.yqcomputer.com/

 
 
 

when connected to a domain. takes forever to login

Post by anonymou » Tue, 07 Sep 2004 08:33:31

ok, we found the problem but not the solution. Because we
have a roaming profile. we also have an activc desktop.
so we have a school wide desktop. what winXP is doing is
re-writing the desktop as a bmp which is 2.5meg in size.
does anyone know why it is doing this instead of just
keeping the 128kb jpeg file we already have.
 
 
 

when connected to a domain. takes forever to login

Post by josh » Tue, 07 Sep 2004 08:50:22

it has nothing do to with DNS.. if the DNS was wrong.. we
wouldnt even be able to login.. which we are doing... its
just taking long.


on your XP
for Active
replied to.
message

windows
winXP
only
 
 
 

when connected to a domain. takes forever to login

Post by Richard G. » Tue, 07 Sep 2004 11:16:49

Oh, so untrue. You can indeed log into an AD domain with incorrect DNS
settings, but you will note an extended login time. Trust me ... I know.
:-)

What will it hurt to check the settings? Take a minute or so?

--
Richard G. Harper [MVP Win9x] XXXX@XXXXX.COM
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* HELP us help YOU ... http://www.yqcomputer.com/
 
 
 

when connected to a domain. takes forever to login

Post by bG9zdCBzb3 » Tue, 07 Sep 2004 13:29:04

pardon the intrusion, I have a simalar dilemma,
we used to have a w2k server with active directory while clients log in with
win98, no problem. When we begin migrating to new pc with winxp, slow log in.
The thing is the all clients has to set DNS to the ISP DNS IP, that is how
the DSL router work. If I set the DNS to the server's DNS, I lose internet
connection?
Thanks in advance,
 
 
 

when connected to a domain. takes forever to login

Post by Ron Low » Tue, 07 Sep 2004 17:50:12


Richard is 100% correct.

You *must* point the clients to the internal DNS that hosts the AD domain.
Yes, that will break external ( Internet ) name resolution untill you go
configure the internal DNS server to handle that too.

On the Internal DNS server, configure it like this:
1) Delete any root (.) zone if it exists.

Now, it will be able to resolve external names using the Root Nameservers
listed in Root Hints.
Now, your DNS server will do the full nine yards lookup from the root on
down.
You can leave it like this if you want, but you can also:

2) Go to the forwarders tab, and add the IP address of your ISP's DNS
servers.

This will cause it to onpass unresolved ( external ) queries to your ISP's
DNS server, which in turn will do the full nine yards for you. The
advantage of using your ISP as a forwarder is you get the benefit of their
well-populated cache, and so it may be quicker. Also you reduce the load on
the root and TLD nameservers.

Here's my usual lecture on the whole topic:

XP differs from previous versions of windows in that it uses
DNS as it's primary name resolution method for finding domain
controllers:

How Domain Controllers Are Located in Windows XP
http://www.yqcomputer.com/ ;en-us;314861

If DNS is misconfigured, XP will spend a lot of time waiting for it to
timeout before it tries using legacy NT4 sytle NetBIOS.
( Which may or may not work. )

1) Ensure that the XP clients are all configured to point to the local
DNS server which hosts the AD domain. That will probably be the
win2k server itself.
They should NOT be pointing an an ISP's DNS server.
An 'ipconfig /all' on the XP box should reveal ONLY the domain's
DNS server.

( you should use the DHCP server to push out the local DNS server
address. )

2) Ensure DNS server on win2k is configured to permit dynamic updates.

3) Ensure the win2k server points to itself as a DNS server.

4) For external ( internet ) name resolution, specify your ISP's DNS server
not on the clients, but in the 'forwarders' tab of the local win2k DNS
server.

On the DNS server, if you cannot access the 'Forwarders' and 'Root Hints'
tabs because they are greyed out, that is because there is a root zone (".")
present on the DNS server. You MUST delete this root zone to permit the
server to forward unresolved queries to yout ISP or the root servers:

HOWTO: Remove the Root Zone (Dot Zone)
http://www.yqcomputer.com/

The following articles may assist you in setting up DNS correctly:

Setting Up the Domain Name System for Active Directory
http://www.yqcomputer.com/ ;en-us;237675
HOW TO: Configure DNS for Internet Access in Windows 2000
http://www.yqcomputer.com/ ;en-us;300202


--
Best Regards,
Ron Lowe
MS-MVP Windows Networking
 
 
 

when connected to a domain. takes forever to login

Post by bG9zdCBzb3 » Fri, 10 Sep 2004 15:57:06

hanks,
My concern is, would this make the w2k server become public on the internet?
It was used for accounting purpose and was intended as an internal server
only. Somehow the contractor set it as domain controller and I inherited all
the mess. Will using it as DNS server make it vulnerable to hackers since it
doesn't have a firewall? Maybe I'll just buy another server as the
proxy...How to join a win2003 server to a win2k server?
(I should have have listened to mom and study medicine)

"Ron Lowe" wrote:

 
 
 

when connected to a domain. takes forever to login

Post by Ron Low » Fri, 10 Sep 2004 17:52:55

>> You *must* point the clients to the internal DNS that hosts the AD


Can I address this in sections:


No, it would not be a Internet-facing DNS server.
It is providing DNS service for internal machines only.

Sure, it needs to make_outbound_ connections to other DNS
servers to query them, but you will not be permitting inbound
connections to you. Your router or firewall will be dropping
any inbound connection attempts to all your LAN except those
which you explicitly permit.

Which brings me to:


Hmm, alarm bells are ringing.

How is it connected to the Internet?
If it's via a broadband router, which provides NAT, then that's not so bad.
That automatically provides stateful inbound firewalling.
This is a common configuration, and is what I expect you would have.

Does the machine have a non-routable IP address ( eg 192.168.x.x )?
That's what the above configuration would give.

If you have a routed subnet of public IP addresses, then you need some form
of firewalling, I'd use a standalone firewall box between the router and
the LAN.

If it's directly conneted, via a modem directly connected to the server,
then again you need some form of firewalling as described above.

In addition to a boreder firewall, you might want to consider host firewalls
on individual machines.
The XP-SP2 windows firewall is perfectly good for this, as are others like
Zone Alarm.

Of your configuration is either a routed subnet of public IP addresses, or a
direct connection, and there is no firewalling, then you are seriously
exposed and you need to bet a firewall installed.

An exposed DNS service would be the least of your worries in this case.


--
Best Regards,
Ron Lowe
MS-MVP Windows Networking
 
 
 

when connected to a domain. takes forever to login

Post by Ron Low » Wed, 15 Sep 2004 18:26:12


In that case, you are safe from unsolicited connections coming in from the
Internet.
An additional border firewall would not add greatly to your protection from
external attacks.

You may wish to consider deploying XP-SP2 on your client machines, and using
the Windows Firewall it provides. Enable the File+Print sharing exception
if you share folders on the client machines.



Google...

http://www.yqcomputer.com/
http://www.yqcomputer.com/


--
Best Regards,
Ron Lowe
MS-MVP Windows Networking