Slow workstation when one of two DCs is down

I have two 2003 standard edition DCs that are on the same subnet. I am
hosting DFS on these two machines and each user has a redirect folder policy
set for My Documents and Desktop. In addition, the users in this domain were
migrated from a seperate 2000 forest. The accounts are still active in the
old domain, but SID history was migrated and SID filtering is turned off in
the trust between old domain and new domain. Everything is working
fantastic...EXCEPT when the second DC is offline. The DFS seems to failover
with no problems, and I have access to all files, but workstations are VERY
slow when browsing DFS shares (namely My Documents) as well as My Computer
(each user has X mapped to their chunk of the DFS root). Even non-related
things like the Control Panel, Firefox, Office apps, etc...seem slow as well.

Any ideas what is going on here? Is it related to the DFS failover? Old
domain accounts still being active? Authentication in the new domain?
Authentication to the old domain? Trusts?

I have checked all of those settings, and all seems well.

One other note: After migrating three users, we changed the NETBIOS name on
the new domain. The DNS stayed the same, JUST the netbios name. I re-created
trusts, and fixed GPO and all that jazz to the T. I have seen no difference,
and the slow workstations seem to have been happening before AND after the
rename. BUT, I did see some strange leftover evidence of the old NETBIOS name
in WINS if that helps.

Thanks,

The IP# of both DCs need to be entered into the TCP/IP settings of the
Client. It can't find a DC if it doesn't have the DNS for it because it will
keep looking at the DNS that is "down".


--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/pro...isaserver.mspx
-----------------------------------------------------



"Edog" <(E-Mail Removed)> wrote in message
news:A7B778EF-DFA9-4777-9A53-(E-Mail Removed)...
> I have two 2003 standard edition DCs that are on the same subnet. I am
> hosting DFS on these two machines and each user has a redirect folder
policy
> set for My Documents and Desktop. In addition, the users in this domain
were
> migrated from a seperate 2000 forest. The accounts are still active in the
> old domain, but SID history was migrated and SID filtering is turned off
in
> the trust between old domain and new domain. Everything is working
> fantastic...EXCEPT when the second DC is offline. The DFS seems to
failover
> with no problems, and I have access to all files, but workstations are
VERY
> slow when browsing DFS shares (namely My Documents) as well as My Computer
> (each user has X mapped to their chunk of the DFS root). Even non-related
> things like the Control Panel, Firefox, Office apps, etc...seem slow as
well.
>
> Any ideas what is going on here? Is it related to the DFS failover? Old
> domain accounts still being active? Authentication in the new domain?
> Authentication to the old domain? Trusts?
>
> I have checked all of those settings, and all seems well.
>
> One other note: After migrating three users, we changed the NETBIOS name
on
> the new domain. The DNS stayed the same, JUST the netbios name. I
re-created
> trusts, and fixed GPO and all that jazz to the T. I have seen no
difference,
> and the slow workstations seem to have been happening before AND after the
> rename. BUT, I did see some strange leftover evidence of the old NETBIOS
name
> in WINS if that helps.
>
> Thanks,

Our DNS setup is much more complicated then that. The MS portion of our
network is a simply for workstations, and therefore we have BIND DNS to serve
all of the network. So the workstation isn't polling a down DNS server.

Though I have noticed that on MY workstation (which I did point DNS to the
new domain controllers on) the problem doesn't seem as evident. But it still
happens.

"Phillip Windell" wrote:

> The IP# of both DCs need to be entered into the TCP/IP settings of the
> Client. It can't find a DC if it doesn't have the DNS for it because it will
> keep looking at the DNS that is "down".
>
>
> --
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
> -----------------------------------------------------
> Understanding the ISA 2004 Access Rule Processing
> http://www.isaserver.org/articles/IS...cessRules.html
>
> Microsoft Internet Security & Acceleration Server: Guidance
> http://www.microsoft.com/isaserver/t...dance/2004.asp
> http://www.microsoft.com/isaserver/t...dance/2000.asp
>
> Microsoft Internet Security & Acceleration Server: Partners
> http://www.microsoft.com/isaserver/partners/default.asp
>
> Deployment Guidelines for ISA Server 2004 Enterprise Edition
> http://www.microsoft.com/technet/pro...isaserver.mspx
> -----------------------------------------------------
>
>
>
> "Edog" <(E-Mail Removed)> wrote in message
> news:A7B778EF-DFA9-4777-9A53-(E-Mail Removed)...
> > I have two 2003 standard edition DCs that are on the same subnet. I am
> > hosting DFS on these two machines and each user has a redirect folder
> policy
> > set for My Documents and Desktop. In addition, the users in this domain
> were
> > migrated from a seperate 2000 forest. The accounts are still active in the
> > old domain, but SID history was migrated and SID filtering is turned off
> in
> > the trust between old domain and new domain. Everything is working
> > fantastic...EXCEPT when the second DC is offline. The DFS seems to
> failover
> > with no problems, and I have access to all files, but workstations are
> VERY
> > slow when browsing DFS shares (namely My Documents) as well as My Computer
> > (each user has X mapped to their chunk of the DFS root). Even non-related
> > things like the Control Panel, Firefox, Office apps, etc...seem slow as
> well.
> >
> > Any ideas what is going on here? Is it related to the DFS failover? Old
> > domain accounts still being active? Authentication in the new domain?
> > Authentication to the old domain? Trusts?
> >
> > I have checked all of those settings, and all seems well.
> >
> > One other note: After migrating three users, we changed the NETBIOS name
> on
> > the new domain. The DNS stayed the same, JUST the netbios name. I
> re-created
> > trusts, and fixed GPO and all that jazz to the T. I have seen no
> difference,
> > and the slow workstations seem to have been happening before AND after the
> > rename. BUT, I did see some strange leftover evidence of the old NETBIOS
> name
> > in WINS if that helps.
> >
> > Thanks,
>
>
>

"Edog" <(E-Mail Removed)> wrote in message
news:4C36CEA5-7CA9-4D60-95AE-(E-Mail Removed)...
> Our DNS setup is much more complicated then that. The MS portion of our
> network is a simply for workstations, and therefore we have BIND DNS to
serve
> all of the network. So the workstation isn't polling a down DNS server

Can't do that. Every single living breathing Windows machine that is a
domain member must *only* use the AD/DNS,..and it must include the IP# of
every DC (AD/DNS), not just one of them.

You would then make the BIND DNS the only "Forwarder" in the config of the
AD/DNS. It would be up to your BIND DNS to handle things properly from
there.

> Though I have noticed that on MY workstation (which I did point DNS to the
> new domain controllers on) the problem doesn't seem as evident. But it
still
> happens.

There is going to be some delay before it figures out that the first DNS it
lists is "dead" before it drops to the next one on the list,...that is just
the way it is.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/pro...isaserver.mspx
-----------------------------------------------------

Clarify for me where the slow down comes into play, and why things like
expanding the control panel on the workstation are also impacted. I can see
how looking at your redirected files on the DFS root would suffer if DNS
wasn't resolving, but local processes shouldn't be impacted.

Second, once the machine determines we are dealing with a dead DNS server
and it jumps to the next one, this problem should be over. From that point
forward it should only use the DNS server that was giving answers back. That
being the case, the slow down should happen once, and then not again.

Again, FYI re: the DNS setup. Each client is configured with the primary DNS
servers on our network which are BIND servers (that support secure updates
since this is an Active Directory requirement) and have forwarders configured
to point queries for new.domain.com to the new Domain Controllers. Meanwhile,
it hosts old.domain.com records for the old W2K based domain. It does so with
no problems.

I am just a little fuzzy about the *exact* role DNS can play here aside from
a one-time name resolution problem if the workstation is configured with
these BIND servers as opposed to the Windows DNS servers/Domain Controllers

I appreciate the time with this Mr. Windell

"Edog" <(E-Mail Removed)> wrote in message
news:F268F60D-817C-400D-8259-(E-Mail Removed)...
> Clarify for me where the slow down comes into play, and why things like
> expanding the control panel on the workstation are also impacted. I can
see
> how looking at your redirected files on the DFS root would suffer if DNS
> wasn't resolving, but local processes shouldn't be impacted.

It should not impact that. I don't know what else to make of the issue.

> Again, FYI re: the DNS setup. Each client is configured with the primary
DNS
> servers on our network which are BIND servers (that support secure updates
> since this is an Active Directory requirement)

I'm not familiar with doing that, but it sounds like that should be fine
then. I don't know what else to suggest.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Are both dc's GC's? If not then the clients can be experiencing
authentication slowdowns.

--
aaron
A+,NET+,MCSE 2K/2K3,CNA,CCNA
"Phillip Windell" <@.> wrote in message
news:%23%(E-Mail Removed)...
> "Edog" <(E-Mail Removed)> wrote in message
> news:F268F60D-817C-400D-8259-(E-Mail Removed)...
>> Clarify for me where the slow down comes into play, and why things like
>> expanding the control panel on the workstation are also impacted. I can
> see
>> how looking at your redirected files on the DFS root would suffer if DNS
>> wasn't resolving, but local processes shouldn't be impacted.
>
> It should not impact that. I don't know what else to make of the issue.
>
>> Again, FYI re: the DNS setup. Each client is configured with the primary
> DNS
>> servers on our network which are BIND servers (that support secure
>> updates
>> since this is an Active Directory requirement)
>
> I'm not familiar with doing that, but it sounds like that should be fine
> then. I don't know what else to suggest.
>
> --
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>

Yes, both DCs are GCs.

As more and more research on this problem has progressed, I am tempted to
blame client referals for the DFS namespace. Clients cache this info, so if I
am the client, I go out to access data on my namespace I will head back to
where I was last. In this case it is the DC that is down...A failover is
initiated pointing me to the DC that is up. The problem that I see is that
the cache isn't updated at this time. I noticed it took about 5 minutes for
my workstation to determine that the replica on the down DC was actually not
available.

I don't know enough about the inner workings of DFS, but what I think I
understand is the client cache expires after 5 minutes, but doesn't attempt
an update until it connects to the servers. So, if I am crusing along, not
accessing DFS data then the delay is present. As soon as I hit a folder, the
timer starts and then 5 minutes later my client cache is updated with correct
information. After this point, all seems well.

"aaron" wrote:

> Are both dc's GC's? If not then the clients can be experiencing
> authentication slowdowns.
>
> --
> aaron
> A+,NET+,MCSE 2K/2K3,CNA,CCNA
> "Phillip Windell" <@.> wrote in message
> news:%23%(E-Mail Removed)...
> > "Edog" <(E-Mail Removed)> wrote in message
> > news:F268F60D-817C-400D-8259-(E-Mail Removed)...
> >> Clarify for me where the slow down comes into play, and why things like
> >> expanding the control panel on the workstation are also impacted. I can
> > see
> >> how looking at your redirected files on the DFS root would suffer if DNS
> >> wasn't resolving, but local processes shouldn't be impacted.
> >
> > It should not impact that. I don't know what else to make of the issue.
> >
> >> Again, FYI re: the DNS setup. Each client is configured with the primary
> > DNS
> >> servers on our network which are BIND servers (that support secure
> >> updates
> >> since this is an Active Directory requirement)
> >
> > I'm not familiar with doing that, but it sounds like that should be fine
> > then. I don't know what else to suggest.
> >
> > --
> > Phillip Windell [MCP, MVP, CCNA]
> > www.wandtv.com
> >
> >
>
>
>