MSFN Forum: Active Directory Lag - MSFN Forum


#1 User is offline   Gekko_uk 

Posted 27 December 2006 - 05:41 PM

Active Directory Lag
---------------------------------------------------------------------------

Seasonal Greetings Everyone!

I have a strange problem that is happening with my Servers.

I have a server (Dell 2900) with Windows Server 2003 R2 on it.

It is running as a DC, with DHCP, DNS, and Active Directory present.

I have roughly 45 Clients attached, running happily.

BUT.....

I have noticed (and did from day one) that if I am administrating Active Directory ie resetting password, disabling accounts etc it tends to lag.


for example.

I was asked by a user to reset her password, so I went to the server, Active Directory screen > right clicked her name > Properties and ticked "user must change their password at next logon".

So she logged out, then back in again but it didn't prompt her; on logging in she could access her network drives, so in other words the server/AD was waiting on the password change but it had not instructed the client to prompt for it.

At this point I got her to restart her PC and it prompted her at that stage.

Additionally, when browsing the AD screen it tends to lock up/take a while, e.g. if I right click on a user nothing happens, then after a short time I get the expected menu appearing.

Now.... the plot gets thicker, I setup another server at a different site (which is in no way connected to this site) and the same thing is happening.

Is it the way I am configuring the server? I have been following the same template for years now as to my setups so I can't see what I am doing wrong.

Sometimes it seems to be fine, i.e. I went to the server a couple of mins ago and could browse AD in "real time" but then after a couple of mins it was doing as described above.

Event Logs are all clear...

I am at a loss so if anyone can offer any words of wisdom I would greatly appreciate it.

Specs for server are


Dell 2900
2 x 2.3 Xeon CPUs
6 x 300GB RAID 5 Disks
4 GB RAM
Windows Server 2003 R2 + all the available security updates

Any further info req please ask.

Many Thanks

Gekko


#2 User is offline   cluberti 


Posted 28 December 2006 - 09:27 AM

What are the DNS configurations on the clients, and on the server? Are they all pointing at the same DNS server(s), and if so, what DNS servers are they pointing to?

#3 User is offline   Gekko_uk 


Posted 28 December 2006 - 03:38 PM

Hi, Thanks for the reply.

The client machines' DNS is provided via the DHCP service on the server and points to the DC (192.168.5.5).
The DC network config has its DNS as the Router.

Cheers

Gekko

#4 User is offline   fizban2 


Posted 28 December 2006 - 10:22 PM

Is the DC also the router? Or do you have a routing device that brings in internet? Truly the DC should point to itself for DNS and then have forwarders set up in DNS to direct any queries out to the router if it is needed.

#5 User is offline   Gekko_uk 


Posted 29 December 2006 - 06:26 AM

Agh,

Could this possibly be where my problem is then?

I have the DC (DNS/DHCP/AD) - 192.168.5.5.

I have the router - 192.168.5.10

On the server the Network config is -

IP - 192.168.5.5
Subnet Mask - 255.255.255.0
Gateway - 192.168.5.10
DNS1 - 192.168.5.10
DNS2 - blank.

The clients are setup as


IP - 192.168.5.X
Subnet Mask - 255.255.255.0
Gateway - 192.168.5.10
DNS1 - 192.168.5.5
DNS2 - blank.

Should the server DNS point to itself then?
Would this be causing the problem detailed above?

Cheers

Gekko


#6 User is offline   InTheWayBoy 


Posted 29 December 2006 - 07:27 AM

Yeah, use 127.0.0.1 on the server for DNS1, and configure the DNS service to use 192.168.5.10 as a forwarder.

#7 User is offline   fizban2 


Posted 29 December 2006 - 03:03 PM

Correct, with the DC going out to the router first for DNS queries it will slow things down till it times out on the router and then tries itself for DNS. Change it to 127.0.0.1 and add a forwarder to the router in DNS and see if that fixes the issue.

#8 User is offline   Gekko_uk 


Posted 29 December 2006 - 07:13 PM

Thanks Guys,

I will try this over the weekend and report back.

Many Thanks

Gekko

#9 User is offline   cluberti 


Posted 31 December 2006 - 08:24 AM

If your DC doesn't have itself listed as a DNS server, then yes, AD will be slow and unreliable. Almost everything in AD requires a fully-functional DNS infrastructure, and the DCs need to be pointed at themselves or other DCs running DNS - no non-AD machine DNS information should be in any configuration.
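
An added example, not part of the original thread: a Python check that parses `ipconfig /all` text from a DC and flags any DNS server entry that is not the DC itself or another DC running DNS, the rule stated in the post above. The sample text is constructed from the addresses given in the thread; `parse_adapters`, `audit_dc_dns` and the `other_dc_dns` parameter are names assumed for this example, and only IPv4 entries are handled.

```python
import ipaddress
import re

# Constructed `ipconfig /all` excerpt for the DC in this thread (not captured output).
TEMPLATE = """\
Ethernet adapter Local Area Connection:

   IP Address. . . . . . . . . . . . : 192.168.5.5
   Default Gateway . . . . . . . . . : 192.168.5.10
   DNS Servers . . . . . . . . . . . : {dns}
"""
SAMPLE_BEFORE = TEMPLATE.format(dns="192.168.5.10")  # DNS1 = router, as in post #5
SAMPLE_AFTER = TEMPLATE.format(dns="127.0.0.1")      # DNS1 = itself, as in post #10

FIELD = re.compile(r"^\s+(\S.*?)[ .]* : ?(.*)$")     # "Label . . . : value"
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
KEYS = {"DNS Servers": "dns", "IP Address": "ip", "IPv4 Address": "ip"}

def parse_adapters(text):
    """Return {adapter name: {"ip": [...], "dns": [...]}} (IPv4 only)."""
    adapters, current, key = {}, None, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = adapters.setdefault(line.rstrip(" :"), {"ip": [], "dns": []})
            key = None
        elif current is not None and line.strip():
            m = FIELD.match(line)
            if m:                      # a new "Label : value" line
                key, value = KEYS.get(m.group(1)), m.group(2)
            else:                      # continuation: a further value on its own line
                value = line
            if key:
                current[key] += IPV4.findall(value)
    return adapters

def audit_dc_dns(text, other_dc_dns=()):
    """List (adapter, server) pairs where a DC resolves through a non-DC address."""
    allowed = {ipaddress.ip_address(a) for a in other_dc_dns}
    findings = []
    for name, cfg in parse_adapters(text).items():
        own = {ipaddress.ip_address(a) for a in cfg["ip"]}
        for server in cfg["dns"]:
            addr = ipaddress.ip_address(server)
            if not (addr.is_loopback or addr in own or addr in allowed):
                findings.append((name, server))
    return findings

if __name__ == "__main__":
    print("before:", audit_dc_dns(SAMPLE_BEFORE), "after:", audit_dc_dns(SAMPLE_AFTER))
```

Pass the addresses of any additional DCs that run DNS as `other_dc_dns` so that a secondary entry pointing at a peer DC is not flagged.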

#10 User is offline   Gekko_uk 


Posted 02 January 2007 - 05:13 PM

Changed to 127.0.0.1 and all is now good!

Many Thanks to all of you.

Regards

Gekko

#11 User is offline   Gekko_uk 


Posted 24 January 2007 - 05:24 PM

Hi guys,

It has come to my attention that there are still some issues.

The lag on the server has now been fixed, but the user accounts still seem to lag behind the server -

example -

I wanted to do some maintenance on someone's account the other day, so I went into AD and right clicked their name and chose reset password and set it to "password".

This worked fine.

Went to their system and installed the software (sage client) and logged out.

I then set in AD for their name - "user must reset password at next login".

So next morning they login with password.... but no prompt.

They then could not access any network resources etc.

If I unticked "user must reset..." and they logged in with password it is fine.

This is mirrored across all PCs - no matter who/what machine it happens.

Also, I have noticed that sometimes when they do manage to get a prompt appearing it won't take any password, i.e. they are told it must be 7 characters and not any one of their X number of passwords - even when I put in ones which have never been used before and meet all the req criteria it still won't let it happen.

Only way around it is to click and un click user must reset password box for that user and the odd restart of the client and it seems to be ok.

But this is obviously not ideal.

Also, when their password expires, they do not get a prompt, but instead are allowed to login but cannot access any network resources.

If they do a ctrl +alt+del and change their password it works.... this is really really weird.

If anyone has a hint as to the cause and solution to this I would appreciate it.

PS the lag in AD on the server, i.e. browsing it etc., has disappeared.

Kind Regards

Gekko
