Network shares issue

I hope that this is the correct NG for this question. I will state that as
far as networking and security, I know only enough to be dangerous.

We have two departmental networks ("A" and "B"), each with it's own domain
(win2003 Server) controller. There is one server on domain "A" that needs
to be shared between the two departments. This server is an NT4 box running
oracle and OTG software and hosts an accounting package. Initially, the two
domains were interconnected via a managed switch and a two-way trust was
established between the domains. For reasons that are not worth going into,
a decision was made to physically segregate the networks. However, the
accounting server still needs to be accessible from both networks. To solve
the problem, a second NIC was added to the shared machine.

My question is whether the established trust relationship is still valid
since neither domain controller can see the other. If it is, how. If not,
how can this be accomplished.

Another issue is that when the users of the domain "B" access the network
shares on the shared server, there is a 1 to 2 minute delay when first
accessing the network share, then everything seem ok for a while. After a
period on inactivity, usually 15 to 20 minutes, there is again a delay
accessing the share. Does anyone know what may be causing the delay and any
way to fix it.

TIA,
--
Al Reid

The trust can still be valid even if the domain cannot see each other. For
a Windows computer to "share" resources and be "seen" by other computers on
the network, 'File and Printer Sharing for Microsoft Networks' must be
enabled and no host-based firewall running on it should be blocking any of
the NetBIOS ports (137,138,139). Also routers block broadcasts in between
networks so unless you have WINS in this environment or use lmhosts the
browsing list between the domains will be empty. These two networks are not
completely separate otherwise you would not be able to get to the machine in
domain A at all. But has two NICs in it and this will effect the networking
between that machine and the others in domain B. I'm not sure you should
attempt to alter this initial delay. You can perhaps speed up the initial
delay by doing one of two things.

1) Make sure NetBIOS over TCP/IP is enabled on each NIC.
2) Change the binding order of the NICs on that machine or alter the metric
of the two NICs. Bindings is found under Right-click My Network Places,
select Properties, click Advanced, select Advanced Settings.

--
Todd J Heron, MCSE
Windows Server 2003/2000/NT; CCA
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights

"Al Reid" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>I hope that this is the correct NG for this question. I will state that as
>far as networking and security, I know only enough to be dangerous.
>
> We have two departmental networks ("A" and "B"), each with it's own domain
> (win2003 Server) controller. There is one server on domain "A" that needs
> to be shared between the two departments. This server is an NT4 box
> running oracle and OTG software and hosts an accounting package.
> Initially, the two domains were interconnected via a managed switch and a
> two-way trust was established between the domains. For reasons that are
> not worth going into, a decision was made to physically segregate the
> networks. However, the accounting server still needs to be accessible
> from both networks. To solve the problem, a second NIC was added to the
> shared machine.
>
> My question is whether the established trust relationship is still valid
> since neither domain controller can see the other. If it is, how. If
> not, how can this be accomplished.
>
> Another issue is that when the users of the domain "B" access the network
> shares on the shared server, there is a 1 to 2 minute delay when first
> accessing the network share, then everything seem ok for a while. After a
> period on inactivity, usually 15 to 20 minutes, there is again a delay
> accessing the share. Does anyone know what may be causing the delay and
> any way to fix it.
>
> TIA,
> --
> Al Reid
>
>

Todd,

Thanks for the info. I will check out your suggestions.

You stated that " I'm not sure you should attempt to alter this initial delay." That delay of up to two minutes is the crux of the
user complaints. It seems that the database connections stay alive and responsive, however, any time a file needs to be accessed,
there is a delay. This is driving the users and their management crazy and causing me a lot of grief. Since my application is the
only one running under this scenario, they are blaming the application (and subsequently the developer). Is there any way to
increase the timeout (if that is what it is) and thus reduce the impact? It seems that 15 to 20 minutes between file access
attempts is enough to introduce the long delay.

BTW, on one user machine I installed a small app that copies a 20 byte file every couple of minutes and the problem is masked. I
don't see this as a solution, however.

Thanks,

--
Al Reid

"Todd J Heron" <todd_heron(delete)@hotmail.com> wrote in message news:(E-Mail Removed)...
> The trust can still be valid even if the domain cannot see each other. For
> a Windows computer to "share" resources and be "seen" by other computers on
> the network, 'File and Printer Sharing for Microsoft Networks' must be
> enabled and no host-based firewall running on it should be blocking any of
> the NetBIOS ports (137,138,139). Also routers block broadcasts in between
> networks so unless you have WINS in this environment or use lmhosts the
> browsing list between the domains will be empty. These two networks are not
> completely separate otherwise you would not be able to get to the machine in
> domain A at all. But has two NICs in it and this will effect the networking
> between that machine and the others in domain B. I'm not sure you should
> attempt to alter this initial delay. You can perhaps speed up the initial
> delay by doing one of two things.
>
> 1) Make sure NetBIOS over TCP/IP is enabled on each NIC.
> 2) Change the binding order of the NICs on that machine or alter the metric
> of the two NICs. Bindings is found under Right-click My Network Places,
> select Properties, click Advanced, select Advanced Settings.
>
> --
> Todd J Heron, MCSE
> Windows Server 2003/2000/NT; CCA
> ----------------------------------------------------------------------------
> This posting is provided "as is" with no warranties and confers no rights
>
> "Al Reid" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> >I hope that this is the correct NG for this question. I will state that as
> >far as networking and security, I know only enough to be dangerous.
> >
> > We have two departmental networks ("A" and "B"), each with it's own domain
> > (win2003 Server) controller. There is one server on domain "A" that needs
> > to be shared between the two departments. This server is an NT4 box
> > running oracle and OTG software and hosts an accounting package.
> > Initially, the two domains were interconnected via a managed switch and a
> > two-way trust was established between the domains. For reasons that are
> > not worth going into, a decision was made to physically segregate the
> > networks. However, the accounting server still needs to be accessible
> > from both networks. To solve the problem, a second NIC was added to the
> > shared machine.
> >
> > My question is whether the established trust relationship is still valid
> > since neither domain controller can see the other. If it is, how. If
> > not, how can this be accomplished.
> >
> > Another issue is that when the users of the domain "B" access the network
> > shares on the shared server, there is a 1 to 2 minute delay when first
> > accessing the network share, then everything seem ok for a while. After a
> > period on inactivity, usually 15 to 20 minutes, there is again a delay
> > accessing the share. Does anyone know what may be causing the delay and
> > any way to fix it.
> >
> > TIA,
> > --
> > Al Reid
> >
> >
>

Possible causes/Solutions (in order of likelihood):

#1 Mapped Drive Connection to Network Share May Be Lost:
http://support.microsoft.com/?kbid=297684

Windows clients may lose their network connection to a domain Server if the
computer is idle for 15 minutes (the default timeout). For no client
disconnect, follow the below instructions:

1) Open the registry editor
2) Navigate to
HKLM\SYSTEM\CurrentControlSet\Services\LanmanServe r\Parameters
3) Set the Reg_DWord hex value of "autodisconnect"=ffffffff
Note: If "autodisconnect" doesn't exist, add it.

Alternative solution to registry edit:
Open a command prompt on the workstation and run:

net config server /autodisconnect: -1

Note: Setting this from the command line will turn off auto tuning for the
server service. Editing the registry is the generally recommended solution.
The command: net config server /autodisconnect:-1 must be run on the server
with the shares on it, not the client accessing the shares. Windows NT and
Windows 2000+ use two different Autodisconnect parameters; one for
disconnecting Remote Access Service (RAS) connections and another for
disconnecting LAN connections. The RAS Autodisconnect parameter is
documented in the Microsoft Knowledge Base article Q153944, but the LAN
version is undocumented. The only published reference to this Autodisconnect
is in the Windows NT Resource Kit NT Registry Entries help file, in an
overview of entries for the LanmanServer Parameters section.

How Autodisconnect Works in Windows NT and Windows 2000:
http://support.microsoft.com/default...b;EN-US;138365

Server Service Configuration and Tuning (2000):
http://support.microsoft.com/Default.aspx?kbid=128167

Server Service Configuration and Tuning (XP):
http://support.microsoft.com/kb/314498/EN-US/

REG: Server Service Entries, PART 1
http://support.microsoft.com/kb/102967/EN-US/

REG: Server Service Entries, PART 2
http://support.microsoft.com/kb/102969/EN-US/

-----------------------------------------------------------------------------------------
#2 Check the NIC properties on the server to make sure that there are no
power saving settings or "Allow this computer to turn off power to the NIC"
type settings.

#3 Update the drivers for the network card.

-or-

#4 The problem may be SMB signing or LAN Manager authentication level. In
Windows 2003, default server policy forces all SMB traffic to be digitally
signed which seems to cause a problem in some configurations of XP Pro. In
Local Security Policy (Start > Run > secpol.msc > OK) navigate to security
options (Security settings > Local policies > Security) and try disabling
the option for Microsoft network server:digitally sign
communications(always). Ensure you do this on all machines involved (such
as via a GPO for an OU). Run gpupdate /force on the server after making the
change and do the same on the client machine afterwards.

Security settings that can cause a problem with downlevel client access:
http://support.microsoft.com/default...5BLN%5D;811497
http://support.microsoft.com/default...b;en-us;823659

--
Todd J Heron, MCSE
Windows Server 2003/2000/NT; CCA
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights

"Al Reid" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Todd,
>
> Thanks for the info. I will check out your suggestions.
>
> You stated that " I'm not sure you should attempt to alter this initial
> delay." That delay of up to two minutes is the crux of the
> user complaints. It seems that the database connections stay alive and
> responsive, however, any time a file needs to be accessed,
> there is a delay. This is driving the users and their management crazy
> and causing me a lot of grief. Since my application is the
> only one running under this scenario, they are blaming the application
> (and subsequently the developer). Is there any way to
> increase the timeout (if that is what it is) and thus reduce the impact?
> It seems that 15 to 20 minutes between file access
> attempts is enough to introduce the long delay.
>
> BTW, on one user machine I installed a small app that copies a 20 byte
> file every couple of minutes and the problem is masked. I
> don't see this as a solution, however.

Todd,

Thanks. You've given me a lot to look at on Monday.

--
Al Reid

"Todd J Heron" <todd_heron(delete)@hotmail.com> wrote in message
news:%(E-Mail Removed)...
> Possible causes/Solutions (in order of likelihood):
>
> #1 Mapped Drive Connection to Network Share May Be Lost:
> http://support.microsoft.com/?kbid=297684
>
> Windows clients may lose their network connection to a domain Server if
> the computer is idle for 15 minutes (the default timeout). For no client
> disconnect, follow the below instructions:
>
> 1) Open the registry editor
> 2) Navigate to
> HKLM\SYSTEM\CurrentControlSet\Services\LanmanServe r\Parameters
> 3) Set the Reg_DWord hex value of "autodisconnect"=ffffffff
> Note: If "autodisconnect" doesn't exist, add it.
>
> Alternative solution to registry edit:
> Open a command prompt on the workstation and run:
>
> net config server /autodisconnect: -1
>
> Note: Setting this from the command line will turn off auto tuning for
> the server service. Editing the registry is the generally recommended
> solution. The command: net config server /autodisconnect:-1 must be run on
> the server with the shares on it, not the client accessing the shares.
> Windows NT and Windows 2000+ use two different Autodisconnect parameters;
> one for disconnecting Remote Access Service (RAS) connections and another
> for disconnecting LAN connections. The RAS Autodisconnect parameter is
> documented in the Microsoft Knowledge Base article Q153944, but the LAN
> version is undocumented. The only published reference to this
> Autodisconnect is in the Windows NT Resource Kit NT Registry Entries help
> file, in an overview of entries for the LanmanServer Parameters section.
>
> How Autodisconnect Works in Windows NT and Windows 2000:
> http://support.microsoft.com/default...b;EN-US;138365
>
> Server Service Configuration and Tuning (2000):
> http://support.microsoft.com/Default.aspx?kbid=128167
>
> Server Service Configuration and Tuning (XP):
> http://support.microsoft.com/kb/314498/EN-US/
>
> REG: Server Service Entries, PART 1
> http://support.microsoft.com/kb/102967/EN-US/
>
> REG: Server Service Entries, PART 2
> http://support.microsoft.com/kb/102969/EN-US/
>
> -----------------------------------------------------------------------------------------
> #2 Check the NIC properties on the server to make sure that there are no
> power saving settings or "Allow this computer to turn off power to the
> NIC" type settings.
>
> #3 Update the drivers for the network card.
>
> -or-
>
> #4 The problem may be SMB signing or LAN Manager authentication level. In
> Windows 2003, default server policy forces all SMB traffic to be digitally
> signed which seems to cause a problem in some configurations of XP Pro.
> In Local Security Policy (Start > Run > secpol.msc > OK) navigate to
> security options (Security settings > Local policies > Security) and try
> disabling the option for Microsoft network server:digitally sign
> communications(always). Ensure you do this on all machines involved (such
> as via a GPO for an OU). Run gpupdate /force on the server after making
> the change and do the same on the client machine afterwards.
>
> Security settings that can cause a problem with downlevel client access:
> http://support.microsoft.com/default...5BLN%5D;811497
> http://support.microsoft.com/default...b;en-us;823659
>
> --
> Todd J Heron, MCSE
> Windows Server 2003/2000/NT; CCA
> ----------------------------------------------------------------------------
> This posting is provided "as is" with no warranties and confers no rights
>
> "Al Reid" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> Todd,
>>
>> Thanks for the info. I will check out your suggestions.
>>
>> You stated that " I'm not sure you should attempt to alter this initial
>> delay." That delay of up to two minutes is the crux of the
>> user complaints. It seems that the database connections stay alive and
>> responsive, however, any time a file needs to be accessed,
>> there is a delay. This is driving the users and their management crazy
>> and causing me a lot of grief. Since my application is the
>> only one running under this scenario, they are blaming the application
>> (and subsequently the developer). Is there any way to
>> increase the timeout (if that is what it is) and thus reduce the impact?
>> It seems that 15 to 20 minutes between file access
>> attempts is enough to introduce the long delay.
>>
>> BTW, on one user machine I installed a small app that copies a 20 byte
>> file every couple of minutes and the problem is masked. I
>> don't see this as a solution, however.
>