HELP-XPPro workstation & XP Server 2003

[Qui-Gon John]

I was helping someone with a computer that is slow logging a user in. It hangs for an unusual amount of time on "Applying Personal Settings" when a user logs on, (abt 3 mins). But then it finally finsihes loading up. Otherwise the computer seems to function normally. I tried different users (profiles) all do the same thing. The lan is connected at 100MB, not 10MB.

Any help would be greatly appreciated.

[Prey521]

I'd check the DNS server that the PC is pointing to. Make sure that the primary dns server is a local one.

[Qui-Gon John]

Shouldn't the DNS server be on the Windows XP Server? Remember I'm not talking about Internet being slow, but logging onto the PC over the local network.

[Prey521]

Yes, but on the PC with the problem, make sure that the IP under your primary DNS is pointing to the local dns server.

[Qui-Gon John]

I tried that, this did not help. This is an AD Domain. They have a Sonic Firewall which handles DHCP for the network. Before we put in the Sonic, DHCP on the XP Server did this function, but when I set up the Sonic, I disabled the scope on the Server. The Sonic also assigns DNS to the individual computers dynamically, but this all worked for about 10 months before they started having this problem. I tried changing the "automatic search for network folders and printers" on the server as well, and I also tried disabling DNS Server on the Server, none of this helps. The DNS the computers are getting is for a DNS Server out on the web, presumably at Bellsouth since it is Bellsouth DSL. Again, the Sonic handles PPPoE authentication with Bellsouth, as well as managing DHCP for the local network.

Now they also say they are seeing the same delay on other computers.

One more thing, I found that if the AD Server is down, login is much faster, like normal. This was discovered when I attempted to login while the server was rebooting. I guess in that case, it used the cached profile.

Any ideas?

[nightowl]

goto your domain controller then start/administrative tools/DNS

under there there should be a folder called forward lookup zones

expand it go to then next folder down then right click and delete it

go back to forward lookup zones and recreate it.


I had this problem for a long time until a co-worker told me how to fix it

[hoov]

From your last message the problem seems to be that you are giving out DNS ip's from your Sonic which is getting them from the ISP. You should be letting the AD server run DNS and have your workstations point to the AD server for DNS. That is causing your slow logins because the DNS that the ISP is handing out know nothing about your local LAN setup. Your best bet is to have the AD server handle DHCP which then could dish out the AD DNS entries along with the DHCP ip's.

[YeOldeStonecat]

See my article here
http://www.speedguide.net/read_articles.php?id=1660

[Qui-Gon John]

hoov, as explained by Sonic Tech Support, the Sonic Firewall has to handle DHCP for the network. That is why I had to turn it off on the AD Server to begin with. This worked fine for like 9 months.

[YeOldeStonecat]

There's no reason your Sonicwall HAS to run DHCP for your network. I'm baffled why some Sonicwall tech person would tell you that..that person needs to be slapped in the head and demoted to mailboy for the office.

From Windows 2000 server on up....for active directory to function properly...your workstations HAVE TO...HAVE to...use the IP address of your domain controllers...as their one and only DNS server. You cannot use your router as your DNS server...and you cannot use your ISPs DNS servers (that your router obtains on the WAN interface) as your DNS server.

DNS must must MUST run on your domain controllers..and be setup properly, for active directory to function.

Why this worked for 9 months..well, it really wasn't working...I bet your event viewer logs are filled with red entries, on the server, and workstations.

[ErikD]

Yep, there is no reason the Sonicwall NEEDS to handle DHCP. My guess is whoever you were talking to gave it out as a quick and simple answer to avoid a lot of troubleshooting and problem solving across multiple platforms.

Anyway you do need to have your Server 2003 (no such thing as XP Server BTW) setup as the DHCP server for the network. It needs to handout its own IP as the primary DNS (and only DNS unless you have multiple server). You then need to set the option for a router and point that to your Sonicwall. Until you do that any problems with network resolution can almost certainly be attributed to that.

If there are still issues once that is changed then you need to look into that one PC and see if there is anything wrong with it.

[Qui-Gon John]

YOS & Erik, thanks. I would like to try to get it all setup like that, but fear I don't know how to do all the steps. YOS, will the article you posted above give me all the steps to do this?

[YeOldeStonecat]

YOS & Erik, thanks. I would like to try to get it all setup like that, but fear I don't know how to do all the steps. YOS, will the article you posted above give me all the steps to do this?

Pretty much...yes....did you read it?

[Qui-Gon John]

YOS, yes I went thru it, but I need to print it out and read it in detail to see if there are any steps I am unsure of. The thing is, I looked over my notes when I setup the Sonic Firewall and they, (Sonic), specifically told me to set it up the other way, (Firewall assigning DHCP). I guess once I get the 2003 Server set as per your instructions, I would just log onto the Sonic Firewall and disable DHCP for the LAN side.

Thanks!!!

[YeOldeStonecat]

I guess once I get the 2003 Server set as per your instructions, I would just log onto the Sonic Firewall and disable DHCP for the LAN side.

Thanks!!!

You would disable DHCP on the router....and then enable it (install first if it's not) on the server...create your scope...authorize it..and start the service. There is a DHCP wizard to do such. So may want to do this task outside of hte clients product hours....or at least be prepared to be quick about it. The service would not start if it detected another DHCP service running on the network...Windows DHCP will not run if it detects another one...as you don't want conflicting DHCP services on the same network.

Now...we know for a fact that incorrect DNS is your problem. Your opening post states the client has long log in times. This is a classic symptom of the improper setup you have. You can search this forum for many similar posts..or Google it. If you're running a domain, and DHCP is handing out the ISPs DNS servers instead of your domain controllers IP address...clients will eventually have resolution problems and painfully long log ins. Some people let their networks run like this forever...just dealing with a slow network..and it works for them if they're doing just basic things like file sharing. But if you do more advanced things ...databases/ODBC, Exchange Server, manage clients from the server, etc etc....because active directory across the network isn't running properly (since it relies on DNS)....you'll find things won't work properly.

Now...you "can" technically run DHCP from a router or another non-server source. Most of the business grade routers and better routers will allow you to modify their DHCP properties...so that you can enter your own DNS servers of choice...and also add a WINS server. This would work, and bring proper active directory functionality back...workstations would get a nice quick login like they should, etc. But I still prefer to let a server run DHCP...that's part of what it's supposed to do.."serve things". Makes things run a bit tighter.

[twwabw]

I'll only add to what YOSC has told you about the SonicWALL and DHCP.... IF your SW is a wireless unit. If it is (TZ-170 or 150 W), the wireless clients need to pull from DHCP running on the SW, as they are a different subnet. But, this is the only interface that should be running DHCP on the SW. And, in the DHCP settings, you set your local DNS server for the clients, NOT isp DNS.

[YeOldeStonecat]

I'll only add to what YOSC has told you about the SonicWALL and DHCP.... IF your SW is a wireless unit. If it is (TZ-170 or 150 W), the wireless clients need to pull from DHCP running on the SW, as they are a different subnet. But, this is the only interface that should be running DHCP on the SW. And, in the DHCP settings, you set your local DNS server for the clients, NOT isp DNS.

Yup...I should have put a side note for the SW wireless..thanks for adding that point TW. On the client I have....you can specify the DHCP for the wireless...I have it pointing to my SBS server at the one site I have the SW wireless setup...tell it to pull the DHCP properties from the SBS servers IP address.

[Qui-Gon John]

Thanks for all the help guys. The SW does NOT have wireless, so no issue there. I will talk to them about doing this on a Saturday, so I have plenty of time to work out the bugs.

[Qui-Gon John]

YoS, I finally got around to making the changes as you mentioned. A couple minor anomolies did come up, if you can help with either one, especially number 2.

1. After setting the Sonic Firewall not to do DHCP and changing it's static IP to the new subnet I intented to use for this LAN, 192.168.1.x, I was unable to communicate with it. I tried all sorts of things, a regular port, the console port, the Firewall was configured to 192.168.1.1 with the Windows Server 2003 being 192.168.1.11, as you suggested. So, at least for the short-term, we just removed the Sonic Firewall from the network.
Anyway, I will be back there Monday and see if I can get any support on that from Sonic.

2. I set the Windows Server static IP to 192.168.1.11 and also the following functions, DHCP Server, DNS Server. I set the Windows Server's Default Gateway to 192.168.1.254, the DSL modem, (I could not get internet working on the server with any other setting for this). I also had DHCP delivering 192.168.1.11 as the Default Gateway to PC's on the LAN and set Forwarders on the DNS Service as you suggested. Workstations saw Gateway of 192.168.1.11, DHCP of 192.168.1.11, DNS of 192.168.1.11.

However, configured like this, the workstations could not surf the internet. So I modified the DHCP to deliver Default Gateway of 192.168.1.254 to the workstations as well. Now they were able to surf the internet. So far, I have noticed no other unusual network problems like we were seeing before, (long login times, random loss of connection, etc.). But I was just concerned as it doesn't seem like this is completely how you said it should be configured. Yet it is working. Can you give me any idea why it would not work with the workstations having DG: 192.168.1.11, DNS: 192.168.1.11 and Forwarder entered in the DNS Service on the Server?

[YeOldeStonecat]

Unless your server is running multi-homed (meaning..it's LAN NIC is the gateway ...doing RAS/NAT, going out through a WAN NIC)....you wouldn't want your workstations using your server for their gateway.

It seems your server has a single NIC. So...if the LAN IP of your router is 192.168.1.254....for your server..and all workstations...that's correct...192.168.1.254 for the gateway.

[Qui-Gon John]

YoS, yes, just 1 NIC. The router, (DSL Modem actually), is 192.168.1.254. The Server, the Workstations and the DSL Modem, connect to an Ethernet Switch in the phone closet.

So for that configuration, what you seem to be saying is I do have everything setup correctly now.

Next issue is to see if we can put the Firewall back in. On the phone with Sonic on Monday. But if they tell me again that the Firewall has to be the DHCP Server, I'm gonna tell them to get bent, and not use the Firewall.

Thanks again for all your help. I do pretty good with computers, setting up home networks, etc. But all this office environment and the hardware firewall got a bit confusing. Glad to know you and the other gurus around SG are here when things get rough!

[YeOldeStonecat]

YoS, yes, just 1 NIC. The router, (DSL Modem actually), is 192.168.1.254.

That's actually a router...your gateway. The IP address of 192.168.1.254 is a private class C IP address, not your public IP address. That tells me the "modem" is running NAT...which means it's a gateway...a router. A combo box I guess.

If you have a "firewall" in the mix....I'm assuming the "Sonicwall"..that's most likely also a router. So you'd want to disable the router component of your "DSL modem"...flip that to pure bridged mode so that it's indeed just a "modem"..so that your Sonicwall obtains the public IP address.

[Qui-Gon John]

Yes, now that you mention it, the DSL Modem's Bellsouth puts out lately do function as a router regarding NAT and Wan Side/LAN Side. They have 2 basic types, ones with just one ETH, (like this one) and ones that are full routers, (usually 4 ETH's and wireless). When I first started working with the Bellsouth DSL Modems, they did not do NAT and you had to authenticate PPPoE on the PC.

And I do know that I would have to config the DSL Modem/Router to bridged mode, (but thanks for reminding me), if I can even get the Sonic Firewall working. The thing is, somehow the Sonic Firewall limits to 25 connections. It is this fact that made me think I had to configure it for DHCP, as instructed by Sonic when I first installed it. Otherwise how was it to track the 25 connections? However, based on all I have learned with your help, I believe that was incorrect. I'm hoping once I can establish comms to the Firewall, I can configure the PPPoE for Bellsouth WAN, and set the LAN to static IP of 192.168.1.254. This should mean I have to make no changes to any settings or configurations on the Windows Server or the workstations.

[YeOldeStonecat]

Yes, now that you mention it, the DSL Modem's Bellsouth puts out lately do function as a router regarding NAT and Wan Side/LAN Side. They have 2 basic types, ones with just one ETH, (like this one) and ones that are full routers, (usually 4 ETH's and wireless). When I first started working with the Bellsouth DSL Modems, they did not do NAT and you had to authenticate PPPoE on the PC..

Same with most DSL ISPs...back in the early days...PPPoE software (such as EnterNET or WinPOET) had to be installed on the PC..or run from the your own router. A few years ago more and more ISPs started sending combo modem/routers...where they did the PPPoE and NAT...so your PC was protected(firewalled)...which is a good thing. Just complicates things for a minute when you want to use your own router.

BTW..most network guys would say that a 1 port "router" is a "full router"...the little home grade 4 port routers are more gateways for the house. Look at higher end Juniper and Cisco routers..they'll have just 1x LAN port.

[Qui-Gon John]

I see what you mean. I guess technically the average home 4 port router is really a router combined with a 4 port ethernet switch.

So, based on everything I have learned from you and your postings, I should be able to connect the Sonic Firewall in the path between the DSL Modem/Router and the Ethernet Switch. If I put the DSL in Bridged Mode and on the Sonic Firewall I configure the PPPoE for Bellsouth WAN Login, and set the LAN side IP of the Firewall to a static IP of 192.168.1.254, everything should work. Do you agree?

[YeOldeStonecat]

Yup...based on the information so far...

Which model SW?

[ErikD]

The 25 connection limit on your SW has nothing to do with DHCP, and is just a licensing issue. Cisco does the same thing with its SOHO model firewalls (PIX 501, ASA 5505) when you buy them. You get a license to have x concurrent users accessing through the device. This is not handled by DHCP at all, and I have setup enough of these and none of them run DHCP on the firewall. They manage connections and license enforcement by monitoring the traffic flowing through it, basically the internal IP being used.

I would agree that it seems you are running into issues because you are trying to double NAT. Setup that ISP supplied modem/router as just a modem and get the real IP assigned to the SW, and all should be fine.

[Qui-Gon John]

YoS, not sure of which model, will be back there on Monday.

Erik, I agree and that all makes sense, just keep in mind, I only set it up with the Sonic Firewall handling DHCP, at the direction of Sonic's Tech Support. My own naivete in these matters allowed me to think they might actually know what they are talking about. Thing is, it worked fine for the first 8 or so months, then they started seeing strange issues, which got worse over the next few months.

But I am glad YoS set me straight on reconfiguring the network. I did all that last Monday and got no crisis calls from that office, so it must be working. Now, as I said, I just have to see about putting the Sonic Firewall back into the path. Which is for this coming Monday.

[Qui-Gon John]

To all who helped me on this THANKS!!!

I went there today, worked with Sonic to re-establish comms to the SonicWall. Configured it as mentioned above, put it back in the network and everything worked.

[reaser]

Did this actually resolve your problem with the delay in applying personal settings?

I have had this problem for some time.

[bilbus]

Every case of this i have seen of this was because somone put a internet dns server inside the server or the workstations dns settings.

Domain controlers should have their own IP in dns settings
Servers should have their own IP in dns settings
Workstations should have their own IP in dns settings

No computer on a AD network should EVER have a internet dns server anywhere on their tcp-ip settings. They should only be pointing to DC/dns servers within the same domain.

if you did this, do a "ping domain.com" (yes i mean just the domain anme, not host.domain.com)

This should return a IP of one of your DCs .. if not thats your problem.

[bilbus]

hoov, as explained by Sonic Tech Support, the Sonic Firewall has to handle DHCP for the network. That is why I had to turn it off on the AD Server to begin with. This worked fine for like 9 months.

Never beleve a sonicwall tech .. Most techs are morons ... or else they would not we still working in helpdesk.

I once had a tech tell me my server was not working because i did not have a valid subnet mask (255.255.192.0) and that i should change it to 255.255.255.0 .... i promptly asked to be transfered to "someone with a clue"

And that is completely wrong .. as long as you setup dhcp to hand out the correct ip, subnet mask, and gateway you could configure a toster to do dhcp.