Re: SIDs in Security Tab slow to resolve

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 10/30/03

• Next message: Hayley: "NEW win32.poza worm"
• Previous message: Bill T: "rstrui.exe"
• In reply to: Mike: "Re: SIDs in Security Tab slow to resolve"
• Next in thread: Mike: "Re: SIDs in Security Tab slow to resolve"
• Reply: Mike: "Re: SIDs in Security Tab slow to resolve"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Wed, 29 Oct 2003 19:00:16 -0700

That is interesting, as my experience is that, ounce for
ounce of the same hardware, XP Pro outperforms W2k Pro.
(of course it all depends on the "doing what" equation)

Is this sluggishness to translate the domain SIDs only on
the first access to a security dialog, or every access ?
If it were the domain control locating issue it would only
be on first use.

-- 
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Mike" <switzer12@hotmail.com> wrote in message
news:042801c39e81$a51236f0$a601280a@phx.gbl...
> Roger,
>
> Thanks for the great message.
>
> I just tried this, and it didn't seem to help at all.  It
> may be my imagination, or just a coincidence, but it
> almost seemed worse.   I think you're onto something
> thought, I just don't know what goes on in XP's head.
> 2000 - across the board - is snappier and runs much
> faster, including our host of apps here.   Strange delays,
> sluggish performance - I've been developing XP standard
> desktop images here for the past 12+ months, and it's like
> I've had to fight tooth and nail for each little (minor)
> perforance victory.
>
> The name resolution thing, how NetBIOS names resolve vs.
> DNS, etc. - I think you could be onto something.  Our
> DNS/WINS servers are new too though, and run on 2000.
> Wierd stuff.
>
> Thanks for your help!
>
> Mike
>
>
> >-----Original Message-----
> >One most often sees that type of behavior when the
> >groups used in the grants (in the Security dialog) are
> >domain groups, and the client has a misconfigured
> >networking interface.  When this is so, the client first
> >tries DNS to locate the domain in order to resolve
> >what it knows (the SIDs) to user friendly strings (the
> >account/group names).  When the AD supporting DNS
> >is not used the client first tries and then finally fails
> >over to other NetBT based means.
> >
> >Now, this is not exactly your circumstance, as you do
> >not have an Active Directory environment.  However
> >if the client is following the same course of action this
> >would explain what you experience.
> >
> >One thing that you could try is shutting off the DNS
> >caching resolver on the client.  When this is done, the
> >client will fall back on the older DNS resolver.
> >So as a test, try setting the DNS client that shows in
> >the services mgmt interface to stopped, or at a cmd use
> >net stop dnscache
> >Then, try things out.  To be fair perhaps set the DNS
> >client service to manual, and reboot, and see if there
> >is a significant difference.  If so, this hypothesis has
> >some value, else it is something else.  If this is the
> issue
> >and you decide to not use the caching resolver, then by
> >all means remember to reenable it if/when you move
> >to an Active Directory environment.
> >-- 
> >Roger Abell
> >Microsoft MVP (Windows Server System: Security)
> >MCSE (W2k3,W2k,Nt4)  MCDBA
> >"Mike" <switzer12@hotmail.com> wrote in message
> >news:02c501c39e64$71908240$a501280a@phx.gbl...
> >> NT 4.0 PDC and two BDCs running on new, fast hardware.
> >>
> >> Mix of 9x and XP desktops.
> >>
> >> XP performs fairly well, but I have noticed when doing a
> >> Properties on resources/folders on network shared drives
> >> when I click on the Security tab, I usually see
> >> (immediately) SYSTEM and then a bunch of SIDs, which
> >> (slowly) resolve to names.
> >>
> >> What could cause these delays?  Shouldn't this stuff
> come
> >> up immediately?  We Two of our DCs (in this 4.0 case,
> one
> >> PDC and one BDC) are Gb attached to heavy duty backbone
> >> switches, all duplex settings are kosher, the network is
> >> fast, as is the main PDC and BDC hardware (new Compaq
> >> DL360 servers).
> >>
> >> Any recommendations would be MUCH appreciated.
> >>
> >> Thanks.
> >>
> >> Mike
> >>
> >
> >
> >.
> >

---

• Next message: Hayley: "NEW win32.poza worm"
• Previous message: Bill T: "rstrui.exe"
• In reply to: Mike: "Re: SIDs in Security Tab slow to resolve"
• Next in thread: Mike: "Re: SIDs in Security Tab slow to resolve"
• Reply: Mike: "Re: SIDs in Security Tab slow to resolve"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: DNS-AD integration ... On the client open a command prompt and type "set". ... I have also set up AD-integrated DNS in both of these servers. ... use the first domain controller ip address. ... It will use DNS Round Robin to resolve it. ... (microsoft.public.windows.server.dns) Re: SIDs in Security Tab slow to resolve ... in the Local Policies / Security Options ... >>Is your XP client set to try to use digital signing ... >>Roger Abell ... >>> DNS, etc. - I think you could be onto something. ... (microsoft.public.windowsxp.security_admin) Re: Advice Needed - AD integrated DNS Zone ... >> Trying to trouble shoot a client DNS issue. ... >> but resolve correctly when DNS is set the third server. ... I don't want the DNS that is correctly resolving ... (microsoft.public.windows.server.dns) Re: SIDs in Security Tab slow to resolve ... how NetBIOS names resolve vs. ... DNS, etc. - I think you could be onto something. ... When this is so, the client first ... as is the main PDC and BDC hardware (new Compaq ... (microsoft.public.windowsxp.security_admin) Re: SIDs in Security Tab slow to resolve ... how NetBIOS names resolve vs. ... DNS, etc. - I think you could be onto something. ... When this is so, the client first ... as is the main PDC and BDC hardware (new Compaq ... (microsoft.public.windowsxp.security_admin)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(16)