Re: Member Server Login Slow DMZ-Internal Subnet

From: Steve K. (skonde_at_hotmail.)
Date: 05/01/03 

Date: Thu, 1 May 2003 17:31:35 -0400

But did I mention that the firewall log showed a successful port 53
connection to each DC from the DMZ machine? Though I do see what you are
saying about AD subnet-sites and services. The only DNS server specified in
the DMZ machine is the closest AD DC DNS. Should I put a reference to the
other two DNS servers in?

BTW, Member Server which was originally installed in the internal subnet
(10.) now has a 192. address.

Do you think I need to put a DC on my DMZ subnet in order to speed up login
time?

Steve

"Dmitry Korolyov" <d__k@mail.ru> wrote in message
news:eH3tNaCEDHA.2704@TK2MSFTNGP11.phx.gbl...
> Long logins usually indicate DNS or site misconfiguration. In your case,
the
> server most likely was unable to determine the site it belongs to, since
the
> DMZ's subnet was not added to any site in AD. Therefore, it was impossible
> to determine the closest domain controller which should perform
> authentication, and random DC was selected. Since you have 2 remote DCs
and
> 1 local its 66% probability that remote DC is used.
> Talking about DNS, the server might first try to perform resulution (for
AD)
> in external DNS and was unable to find anything, and only then tried
> internal. This usually gets fixed by changing adapter bindings or DNS
server
> orders.
>
> --
> Dmitry Korolyov
>
>
> "Steve K." <skonde@hotmail.,com> wrote in message
> news:#CwhaVCEDHA.1840@TK2MSFTNGP10.phx.gbl...
> > I had a requirement to place a member server on my DMZ and have it login
> to
> > AD across the firewall. I set up a rule containing this machine and the
> > three DC's on my internal subnet.
> >
> > During login it it took a LONG time (over 5 minutes) after entering a
user
> > name and password (and hitting enter immediately :) ) seemingly hanging
on
> > "Please Wait...Loading your personal settings...".
> >
> > Eventually the account was able to login and I was even able to browse
AD.
> >
> > My question is two part.
> >
> > 1: In my firewall log I noticed that this member server was attempting
to
> > establish a connection to all three of my DC's even though two of them
are
> > remote. Why isn't it just getting what it needs from the local DC
(local
> > being attached to the third nic in the firewall as opposed to a T1)?
> >
> > 2: Why the long login time?
> >
> > Here are the ports opened in the rule between the member server and the
> > three DC's. Our DMZ is set up behind our firewall not in front. We are
> not
> > using a NAT firewall, we are using an application proxy and routing.
> >
> > - 123 tcp
> >
> > - 135 tcp
> >
> > - 137 udp
> >
> > - 138 udp
> >
> > - 139 tcp
> >
> > - 53 udp
> >
> > - 53 tcp
> >
> > - 88 udp
> >
> > - 88 tcp
> >
> > - 389 tcp
> >
> > - 389 udp
> >
> > - 445 tcp
> >
> > - 3269 tcp
> >
> > - 8 icmp (ping)
> >
> >
> >
> > Thanks in Advance
> >
> > Steve K.
> >
> >
> >
>
>

Relevant Pages

  • Re: For Microsoft Partners and Customers Who Cant Download or Access
    ... to reconfigure the firewall, but to use a static IP on your client ... and to make sure that the DNS server entries on the client are ... Microsoft for msdn2.microsoft.com. ... use a static IP and set the DNS server addresses to the DNS ...
    (microsoft.public.dotnet.general)
  • Re: loss of SOME connectivity
    ... I "think" it is DNS. ... Yes, I can ping the router, AND the ISP DNS. ... I cannot connect the inet cable directly to the server because the inet is ... MS firewall not started. ...
    (microsoft.public.windows.server.sbs)
  • Re: E-Mail Address Cant Receive E-Mail from *Some* External Organizations
    ... The fact that _some_ messages are delivered is because they are sent from different IPs, so double-check your firewall settings. ... So, that looks right to me, anyway; both resolve to the proper IP address of the external interface for our firewall, and the only difference is that for "company.org" our ISP's mail server acts as a backup server in case our internal mail server is down. ... However, if I send a message to "me@xxxxxxxxxxxxxxxx" from my Yahoo e-mail account, I get an NDR returned to my Yahoo account. ... I have checked with our ISP who handles our DNS settings, and they indicate that all appears to be in order with our DNS and MX records. ...
    (microsoft.public.exchange.admin)
  • RE: Firewall Rule Set not allowing access to DNS servers?
    ... I changed the DNS rules as you suggested, and the firewall works perfectly - ... > # Allow out access to my ISP's Domain name server. ... > so your udp packets never match this rule and default to ...
    (freebsd-questions)
  • RE: [fw-wiz] Backup exec agent in dmz
    ... named.conf file and the zonefiles off the the NT box in the DMZ. ... on the Apache server, ... backup tape library in this DMZ and backup all your servers to the new DMZ. ... what do you really need to back up on the DNS and web servers? ...
    (Firewall-Wizards)