Slow D.C.

[twwabw]

Maybe.... but 2-3 minutes is just horrid. This is all 100Mbit Lan?? I'm just having a hard time swallowing that the server, that can other wise function OK, can delay logon this much. There just isn't that much info that passes back and forth, unless you have tons of mapped drives; logon scripts; and offline files enabled (you don't have any of these do you??? )

Without being there to touch it / feel it / look at it, it's a tough call for me. The clients (spec-wise) are certainly not the issue. A PIII 550 is more than enough for 2K or XP (that's my fastest PC in the office, except for my laptop )

I've got several PII 350's and 400's, and several PIII 450 and 500's that all do just fine.

I just rebooted a dual boot PII 400 and timed it:

Windows 2000 Pro
OS boot to logon screen: 30 seconds
Login to desktop: 15 seconds

XP Pro
OS boot to logon screen: 20 seconds
Login to desktop: 10 seconds

Wanna keep playing? Wanna set up DHCP and turn off router DHCP, or have you had enough already??

[anaheim99]

You guys have being real great and I thank you, I have to leave right now for a few hour, but when I get home I will test it out and see what happens, If it still does not work I just might have to live with it or find something else. Againg thanks to all for your great help and I will post later today.

[anaheim99]

Hey guys, I have some interesting news,My friend just told me that before I checked the event viewer log on the client xp box that he cleared it and that is why I saw no error message, so I went back to the winxp client and on the enet viewer I say this:

ERROR: Usernv
DESCRIPTION: Windows cannot determine the user or computer name(The specific domain either does not exits or could not be reached) Group Policy processing aborted.

ERROR: Auto enrollment
DESCRIPTION: Automatic certificate enrollment for local system failed to contact the active directory(0x8007054b) The specific domain either does not exist or could not be reached.

Now when I log in to the pc I can use and see the resources on the domain and the network, So i really dont understand the error message.

[YeOldeStonecat]

Originally posted by anaheim99
ERROR: Auto enrollment
DESCRIPTION: Automatic certificate enrollment for local system failed to contact the active directory(0x8007054b) The specific domain either does not exist or could not be reached.

Autoenrollment and userenv errors are common when there is a problem in the network connectivity, or TCP.

1) Double check your TCP settings on the server, and the workstations. That's what most of this thread has been about.

2) The physical network itself..meaning network card on server and workstations, network cables, and hubs/switches/routers, etc. Do you have home made network cables? Or if factory made...old?

[twwabw]

Sooooo many variables. I figured there had to be some errors there.

Assuming there is good connectivity, (which you have NOT ruled out yet!!) sometimes a machine account can become corrupt. It's simple to remedy, if that's the case. Through My Computer, remove the it from the domain, and set it to some workgroup name.

Delete the machine account from active directory users and computers.

Shut the pc down, reboot, and rejoin the domain. See if this clears it up.

[anaheim99]

The cables are factory made, all connectivity hardware looks good, meaning I can ping everything on my network and get to the net, I have uninstalled and reinstalled tcp/ip and removed it from the domain and rejoined it, when I did that the first log on was less than a 1min, after that I rebooted and then it took againg about 2 min to log in, should I just format the clients, I also have a win2k pro that has the same error message.

[YeOldeStonecat]

Pinging isn't a test of a solid network....quality of signal wise. But if cables are quite new, terminated at the factory..then probably good. No home-made terminations, right? Cables running under anything with foot traffic? Those plastic rug protectors that people put behind their desk so the chairs on wheels don't carve a groove into the carpet...stuff like that?

If all clients act the same...it's probably not anything formatting the workstations would do. If one workstation acted up...sure, I'd think about that. But not all of them. If all of them act up...I'd also focus on something network related...cable or NIC on the server side. Or the hub/switch that you use to connect them all. Look for something common that would affect all workstations.

Are they all service packed? That error that you saw..it is network related...meaning the workstations are losing connection to the server, or have a very poor connection. Could be the server is just so darned slow...it's hung up...and not responding quick enough for the workstations.

You've poured through Event Viewer on the server in detail...system and application and DNS?

[twwabw]

removed it from the domain and rejoined it, when I did that the first log on was less than a 1min, after that I rebooted and then it took againg about 2 min to log in

This kind of says it all to me. I also bet if you go back to the exact time you logged in that 1st time, there are no errors. It shows the server and client are capable of normal logon. But then the errors return.

Yes, it could be a communication error, but I still bet there's something in the configuration of your server , probably in DNS, and DHCP.

The only thing you never did was stop dhcp on the router, and set it up on the server. I think if I really wanted to be sure I'd covered all the bases, I'd do this. it is the only way to insure your clients are being given the correct network info and logon,. Otherwise, we're just assuming. Again... wish I was there to paw through it myself.

[anaheim99]

I disabled the DHCP on the router but did not set dhcp on the server I gav the computers a static ip address and it did the same thing, now I will set DHCP on the server and see what happens, the computers dont lose signal to the server and all connectivity is good, no packets loose nothing like that.

[twwabw]

Well, I am truly stumped, although I still wish I could see it. So you're still getting the errors?

[anaheim99]

I set up DHCP on the server and computers get an ip address fro m it and the correct DNS but I still get the same error. I also removed one of the computers from the domain and rejoined it and no luck. on the server I checked the error logs for DNS and it has no error, but I checked the error log on the SYSTEM on the server and it has this error.

ERROR: Netlogon EVENT 5774
DESCRITON: Registration of the DNS record 'af8888b4-9f77-4c12-8391-249673ed75ad._msdcs.coral.com. 600 IN CNAME DC.coral.com.' failed with the following error:
DNS name does not exist.

Another thing I did was uninstall and reinstalled DNS. What the hell is going on? I have antoher hardrive thinking of installing server on that one to see if it fixes the issue. what do you guys think?

[YeOldeStonecat]

Coral Chemical in IL?

Well, I generally do a <nameofcompany>.local so that the full DNS name is say coral.local.com

That way your local network resolution separates from any actual domains you have out on public IP's...example, coral.com being an actual website, not your local DC. But that should really only affect www and mail alias (which you easily fix with two edits to DNS). Not local domain resolution. So that really can't be the issue.

I'm really puzzled. I'm curious is your DNS is actually running fine. You said you re-installed it. Can you see the zones populate?

Dunno if we covered this already, but are all machines (including the server)....have they all been scanned with an up to date antivirus program?

Also server and workstations service packed ?

[anaheim99]

I have set norton to run early in the morning once a day and i also did a windows update late last night on the clients and server. I did create the zones. what do you mean if the zones populate.

[YeOldeStonecat]

When you expand your DNS properties, under forward lookup zone, you should be able to expand and see your domain zone. Under that, you usually see other active directory "stuff" (for lack of better words, I'm no DNS guru...know just enough to squeek by). Folders like _msdcs, _sites, _tcp, _udp.

If those don't show up on a DC setup not with other sub domains, you might have a problem.

[twwabw]

DNS, DNS DNS !!!! Active directory requires a perfect DNS configuration. A 5774 error indicates the resource record is not updating. It is almost guaranteed to be an issue in your DNS configuration. And .... BIG and..... for a truly succesful AD rollout, DHCP should be performed by the server, NOT by a broadband router. We can go back and forth all day about whether it used to work OK, or sometimes it seems to work OK, or I have a buddy who does it this way, but the fact remains- it is wrong. AD requires DDNS for AD, updating resource records through DHCP.

Oh well......

[oakfan52]

I also believe this to be a DNS issue. Do you see any host records in the zone for your clients? AD intergrated? when you do an nslookup from the command line what does it say?


on a side no on the xp machines make sure that ICF is turned off.

[anaheim99]

How do I set up DDNS on the server.

[anaheim99]

I cant thank you guys enought for the help, One last thing can you guys post a screenshot or send me a link that has screenshots on how to set up the right way the zones for DNS, i think I narrow it down to that being the problem.

[twwabw]

How to Create a New Zone

[anaheim99]

Hell all. O.k. here are the results and what I did. I installed windows 2003 server to test it out, and did the zones just how the link shows and all error messages are gone, and now my pc that used to take 2-3 min to log in now takes about 10 seconds. again, thanks to everyone.

[twwabw]

You're welcome. Glad it worked out. DNS is the key to Active Directory, and a misconfigured DNS server can really give you grief. I kept telling you that's what it was, 'cause I've seen it too many times.

I know it was getting frustrating for you, but hey- you're a seasoned DNS veteran now!

[YeOldeStonecat]

Whoooooeeeey.. Go TWW!