
Thread: Network connection Slow, and high security

  1. #1
    Junior Member
    Join Date
    Mar 2005
    Location
    Southampton, UK
    Posts
    9

    Network connection Slow, and high security

    Hi all, I am rather new to this so please bear with me.

    I started an IT job at LPGF a few months ago. Prior to me starting there, there was no domain; everything was in multiple workgroups. But now that everything is on a domain (apart from the client servers), the network connection is slow, and you are asked for authentication every time you try to connect to a server/PC. This is happening to the client servers (which I was expecting) and to the servers/PCs on the domain. Any suggestions to solve this?

    Thanks in advance.

  2. #2
    Security Intelligence TZ Veteran cash_site's Avatar
    Join Date
    Jul 2002
    Location
    Software Paradise
    Posts
    3,852
    It sounds like some Active Directory and Kerberos Authentication issues...

    Can you give some more details about the Network layout and server/client PC versions etc...

    I don't know LPGF, so not sure about size. Are you running Small Business Server or just plain Server 2003? Are client PCs XP or mixed with some 98/ME? When the new server was installed and configured, was each client PC 'connected' to the domain?

    --- 0wN3D by 3gG ---

  3. #3
    Junior Member
    Join Date
    Mar 2005
    Location
    Southampton, UK
    Posts
    9
    We are running XP on all the PCs, and Server 2003 on all the servers. All the PCs are connected to the domain. We have about 40 PCs and 8 servers on the domain.
    Last edited by Bullett23; March 9th, 2005 at 13:26 PM.

  4. #4
    Security Intelligence TZ Veteran cash_site's Avatar
    Join Date
    Jul 2002
    Location
    Software Paradise
    Posts
    3,852
    Definitely sounds like some GPO settings, check your domain controller server, and see what type and when authentication occurs... do users login to the domain or local machine?

    --- 0wN3D by 3gG ---

  5. #5
    Junior Member
    Join Date
    Mar 2005
    Location
    Southampton, UK
    Posts
    9
    The users log on to the domain. I'm not sure how I check authentication types, but in Event Viewer my security logs are constantly filling up, not sure if that helps.

  6. #6
    Member Hawkers's Avatar
    Join Date
    Feb 2005
    Location
    Seattle, WA
    Posts
    59
    What's the backend hardware like? Switches/hubs etc... you may have a hardware bottleneck somewhere

  7. #7
    Triple Platinum Member Curio's Avatar
    Join Date
    Nov 2004
    Location
    London
    Posts
    899
    Have you joined all the PCs to the domain?
    Are all the PC clocks synchronised in any way?
    How many client machines and how many DCs?
    There are a lot of issues to consider but it sounds like you don't have the infrastructure for SSO (single sign on) set up correctly. You should only have to log on to the domain then all your servers should be able to authenticate you from the security token given out by the dc you logged on with.
    I'm using Windows 7 - you got a problem with that?

  8. #8
    Junior Member
    Join Date
    Mar 2005
    Location
    Southampton, UK
    Posts
    9
    Sorry took so long to reply been very busy.

    The servers, and computers all join at a central hub.

    All the PCs are joined to the domain; there's only one DC, which is also the Exchange server.

    All the clocks should be synchronised in any way, how should I go about checking?

  9. #9
    Triple Platinum Member Curio's Avatar
    Join Date
    Nov 2004
    Location
    London
    Posts
    899
    They should be in sync if they are all joined to the domain - they sync to the dc so kerberos can work properly. Central hub - you mean switch/switches right? Switches good, hub bad. OK so the other servers are member servers or stand-alone? BTW it was a bad idea (very bad) to put the Exchange Server on the DC, a stinker in fact. Also you should always have at least 2 dcs cos as it stands if the dc is out for any reason your network will be paralysed and if you lose it completely you also don't have any AD or any way to get it back - which is also very bad.
    Last edited by Curio; March 15th, 2005 at 21:49 PM.
    I'm using Windows 7 - you got a problem with that?

  10. #10
    Junior Member
    Join Date
    Mar 2005
    Location
    Southampton, UK
    Posts
    9
    It is a switch that they are all connected to.

    If I move the DC away from the Exchange server, and incorporate the two-DC setup, should they be on a server with no other roles, or what servers would you suggest? We have as follows.

    server a = exchange, DC
    server b = data server
    server c = bespoke software webserver
    server d,e = webserver
    server f = dns
    server g = AV
    server h = back up
    server i, j = bespoke software (low specs)

    If I can make two of these the DCs, can you let me know which ones to choose, and if there is anything complicated about synchronising the two servers' ADs then could you point me to the best knowledge base? That would be fantastic.
    One last question: why was it a bad idea to have the DC and Exchange on the same server?

    cheers in advance.

  11. #11
    Triple Platinum Member Curio's Avatar
    Join Date
    Nov 2004
    Location
    London
    Posts
    899
    The exchange server should be on a member server and should really be just for exchange or with a light webserver. As well as being best practice it can cause major problems if the only dc and exchange server goes down - you wouldn't want to experience it. DNS, DHCP and DC are made for each other. You should look at microsoft's website for info - it's all there just occasionally difficult to find. You should only have one forest and one AD - when you use DCPROMO to upgrade a server to a DC it will do it all automagically.
    I'm using Windows 7 - you got a problem with that?

  12. #12
    Succeded in braking Windo TZ Veteran Dehcbad25's Avatar
    Join Date
    Apr 2002
    Location
    DE - USA
    Posts
    2,406
    Bullet, Curio is right on the money. What type of DNS are you running? That could also be your bottleneck. AD is very dependent on DNS. You can run DNS on the AD too. Actually, running in the AD it will use the directory-integrated storage, so DNS, DHCP, and the AD tree will work in sync. Your logging problems might very well be a DNS issue.
    Exchange should not be on an AD. Furthermore, IIS should not be running on an AD. That is a bad idea.
    As a last resort, even if you cannot purchase another server, just use a desktop machine to run the AD. It won't be a performance winner, but you will feel a lot better when your AD fails for a reason (and they do, more often than I would like to believe).
    Not only could you have a hardware issue, but remember that the AD is serving the Global Catalog, Kerberos, addressing, and so much more, that it might not be able to respond because it is busy.
    If you want a crash review/course quick and easy, on the TechNet web site look for a series of webcasts (Active Directory best practices, or something like that).
    It is about 4 webcasts (I didn't watch them all, but the parts I watched I thought were good).
    I used to review a Workgroup to Domain migration that I did, and I only had 4 hours to prepare (and man, that workgroup was a mess).
    Also, it will help (from experience) if you restart the computers every day for a couple of weeks. I say every day, but you don't need to be that strict. Just tell users that instead of logging off at night, use the restart, which will log them off and refresh the resources. This mainly if you changed switches (hubs) with the computers on. They will all raise to be Master browser, and you will have a lot of unnecessary talk in the LAN.
    Also, I don't know what type of backup and AV you have. You might be able to have them on the same server. Deploy updates on different schedules from your backup. This also depends on your backup style. We back up at night, so I have SUS and backup on the same server. Backup goes first, starting at 10. Updates start at a random time after 3 AM. Backup has 5 hours to complete (it usually takes 3). Our file server is also our AV server. Signatures aren't big updates, and program deployments I realize from my PC anyhow. There you should have a couple of servers free. So, now you can have 2 AD, and one dedicated Exchange.
    It would really help if you post the OS for the servers, and software type for AV, backup, webservers, data, and DNS.
    Since you could very well be running IIS and Apache, Linux DNS, NT Backup or Amanda, Norton or Symantec or McAfee, etc., there is a lot for us to guess. We can give you a better recommendation having more detail about the environment.

  13. #13
    Junior Member
    Join Date
    Mar 2005
    Location
    Southampton, UK
    Posts
    9
    Sorry for the late reply I keep forgetting to check for replies.

    Here is a more detailed list of our servers, what they do, and what programs they use.

    server a = exchange, DC - running windows 2003 server, exchange 2003
    server b = data server - running windows 2003 server
    server c = bespoke software webserver - windows 2003 server, iis v6
    server d,e = webserver - windows 2003 server, iis v6
    server f = dns - windows 2000 terminal server, DNS is running microsoft management console 1.2, version 5 service pack 4
    server g = AV - Windows xp, symantec antivirus v9 (server edition)
    server h = back up - Windows XP, retrospect v6 (multi server edition) back up
    server i, j = bespoke software (low specs) - windows 2000 server

    If you need any more info please let me know, I am very keen to sort this problem out.
    Last edited by Bullett23; March 23rd, 2005 at 14:24 PM.

  14. #14
    Succeded in braking Windo TZ Veteran Dehcbad25's Avatar
    Join Date
    Apr 2002
    Location
    DE - USA
    Posts
    2,406
    The AV and the backup can be on the same machine. I had run the AV (and Veritas backup too) from my desktop even, which I use every day. I use SAV too. (BTW, how do you like it? I will be changing to McAfee in 2 weeks hopefully. I did not like the reports/management, and a lot less when I got the quote for this year's renewal.)
    As for the DNS, there is no reason to have it on that server alone. Have you configured it to integrate with AD? I think that to be automatically picked up, the DNS has to be set up before the AD.
    The problem is that you need a Windows 2003 server to move Exchange to, so freeing up the DNS server won't be much use unless you move the data server, or the bespoke. For the data server, you could take advantage of Volume Shadow Copy in 2K3. On the other hand, IIS6 is easier and more robust than IIS5 (in W2K), so you will make a trade with either.
    Now, first of all, you want to fix the integration of DNS with AD. For a quick test, you could even run DNS directly on the AD (set up a new role), and then from the MMC console > DNS, right-click the DNS server (new one) and set up a replication partner. Use the W2K for the replication partner.
    AD is very dependent on DNS. Also, since you don't have that many PCs, check your DNS entries.
    Make sure you don't have a zone [.] (dot), and that your DNS in the DHCP is the internal DNS server (do not use an external DNS address for the company).
    Right-click the DNS servers, and check the forwarders; that is where you should have your external DNS (ISP DNS).
    Check DNS event logs for errors. I think your problem is a DNS-related issue.
    When you get asked to enter the password information, also check at that time the log for the client computer, the host, and the AD server.
    I saw a configuration where the Exchange server would make Outlook clients enter the login information a lot of times, and sometimes it would still not let you log in. It was just the problem with the forwarder that I explain above. If you can get at least the multiple authentication problem, from there you can work on the re-organizing of the server.
    It seems that the easiest would be to get 2 new servers with Windows 2K3.
    Set up the first one as an AD, so you have the failsafe, then you set up the other one for Exchange. I never moved an Exchange from one server to another, but 2K3 is a lot easier to recover and install, so I suppose it should not be as hard as Exchange 2000 was. Exchange.org has good material on Exchange.
    Here is the info in DNS, though it is pretty much the same as in the DNS server, or the management console if you have installed the adminpack on a client/administration machine
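
One way to run the client-side DNS check from post #14 across many PCs, as an added example that is not part of the original thread: it parses saved `ipconfig /all` output and flags any DNS server that is not the internal one. The sample output, host name, domain suffix and all IP addresses are constructed, and `INTERNAL_DNS` is an assumed value for the internal DNS server.

```python
import re

# Constructed sample of `ipconfig /all` from an XP client (not from the thread).
SAMPLE = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : PC-017
        Primary Dns Suffix  . . . . . . . : corp.example

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : corp.example
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.57
        DHCP Server . . . . . . . . . . . : 192.168.1.10
        DNS Servers . . . . . . . . . . . : 192.168.1.10
                                            203.0.113.53
"""

INTERNAL_DNS = {"192.168.1.10"}  # assumption: the internal, AD-aware DNS server
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def dns_servers(text):
    """Return {adapter name: [DNS server IPs]} from ipconfig /all output."""
    result, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        stripped = line.strip()
        if line and not line[0].isspace() and stripped.endswith(":"):
            adapter, in_dns = stripped[:-1], False      # new adapter section
            result[adapter] = []
        elif adapter and stripped.startswith("DNS Servers"):
            in_dns = True
            first = stripped.split(":", 1)[1].strip()
            if first:
                result[adapter].append(first)
        elif in_dns and IPV4.match(stripped):
            result[adapter].append(stripped)            # continuation line
        else:
            in_dns = False
    return result

def audit(text, internal=INTERNAL_DNS):
    """List (adapter, ip, reason) for every DNS setting that breaks the rule."""
    findings = []
    for adapter, servers in dns_servers(text).items():
        for ip in servers:
            if ip not in internal:
                findings.append((adapter, ip, "external DNS on client"))
        if servers and not internal.intersection(servers):
            findings.append((adapter, None, "no internal DNS configured"))
    return findings
```

A flagged address belongs in the DNS server's forwarders rather than in the DHCP scope handed to clients, as the post describes.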

  15. #15
    Junior Member
    Join Date
    Mar 2005
    Location
    Southampton, UK
    Posts
    9
    Thanks for your help,

    I am also looking at other alternatives to SAV, let me know how you get on with McAfee.

    I will be putting together a plan of action over the coming weeks on the information that you and the other members of this forum have told me, and I will let you know how it all goes.


    Thanks again.
