I have observed that a temporary loss of a domain controller can cause
problems creating new ado connections between a client machine running
ado and a separate sql server machine that are members of the domain.
I understand why this happens when creating connections with windows
authentication. What is a mystery is that it also sometimes effects
new connections that use "sql authentication". Below is a description
of my test scenario.
a. Setup 3 machines.
i. one domain controller machine. windows 2000 based. I have tried
both a regular domain setup and a domain setup in compatibility mode.
ii. one sql server machine that is a member of the domain. windows
2000.
iii. one client machine running an ado test program that communicates
with the sql server machine. I have tried both 2000 and xp.
b. Start your test ado program and create a connection.
c. Fire a query.
d. It should work.
e. Unplug the network cord on the domain controller.
f. Create a new connection and fire a new connection about a minute or
so after.
g. It should work. Apparently the client caches account information
from the domain controller for a certain amount of time. The time
seems to be shorter by default in xp than 2000.
h. Wait 20 minutes or more.
i. Create another new connection. You will notice a timeout error.
If your using windows authentication the timeout will happen 100% of
the time. That is to be expected. If your using sql authentication
the timeout seems to happen about 50% of the time. I can't explain it
other than some strange Microsoft bug. I speculate that it may be
some bug with the way ado caches connections. Perhaps a previously
setup windows authentication connection gets reused by a request for a
sql authentication connection. However I haven't been able to prove
it.
Any insight you can offer would be appreciated. I also have a test
program you can use to reproduce this behavior if you are interested.
Thanks,
Frank"Frank" <frank@.policecentral.com> wrote in message
news:c148e27c.0401120604.7d0b3c0f@.posting.google.com...
> I have observed that a temporary loss of a domain controller can cause
> problems creating new ado connections between a client machine running
> ado and a separate sql server machine that are members of the domain.
> I understand why this happens when creating connections with windows
> authentication. What is a mystery is that it also sometimes effects
> new connections that use "sql authentication". Below is a description
> of my test scenario.
> a. Setup 3 machines.
> i. one domain controller machine. windows 2000 based. I have tried
> both a regular domain setup and a domain setup in compatibility mode.
> ii. one sql server machine that is a member of the domain. windows
> 2000.
> iii. one client machine running an ado test program that communicates
> with the sql server machine. I have tried both 2000 and xp.
> b. Start your test ado program and create a connection.
> c. Fire a query.
> d. It should work.
> e. Unplug the network cord on the domain controller.
> f. Create a new connection and fire a new connection about a minute or
> so after.
> g. It should work. Apparently the client caches account information
> from the domain controller for a certain amount of time. The time
> seems to be shorter by default in xp than 2000.
> h. Wait 20 minutes or more.
> i. Create another new connection. You will notice a timeout error.
> If your using windows authentication the timeout will happen 100% of
> the time. That is to be expected. If your using sql authentication
> the timeout seems to happen about 50% of the time. I can't explain it
> other than some strange Microsoft bug. I speculate that it may be
> some bug with the way ado caches connections. Perhaps a previously
> setup windows authentication connection gets reused by a request for a
> sql authentication connection. However I haven't been able to prove
> it.
> Any insight you can offer would be appreciated. I also have a test
> program you can use to reproduce this behavior if you are interested.
> Thanks,
> Frank
This is a complete guess, and may be an overly obvious question, but could
the 50% failure rate be due to unsuccessful name resolution, and not an
MSSQL login issue? So in the cases where the SQL authenticated connection
fails, can you still resolve the name of the SQL server? Certainly in
theory, losing the domain controller shouldn't affect SQL logins, provided
that the client can actually find the server to begin with.
Simon|||Which network library are you using to establish the
connection? Named pipes will require an underlying
NetBIOS connection to the SQL Server, which may result in
the "cache-ing" behavior you are seeing. NetBIOS
connections will require NT user account authentication
and the use of a domain controller.
If you refer to the SQL Server by IP Address in your
connectino string, you can force the client to connect
using TCP/IP which does not require an underlying Named
Pipe connection.
I don't know if this will help, but it is one possible
explanation.
Matthew Bando
BandoM@.CSCTGI(remove this).com
>--Original Message--
>I have observed that a temporary loss of a domain
controller can cause
>problems creating new ado connections between a client
machine running
>ado and a separate sql server machine that are members
of the domain.
>I understand why this happens when creating connections
with windows
>authentication. What is a mystery is that it also
sometimes effects
>new connections that use "sql authentication". Below is
a description
>of my test scenario.
>a. Setup 3 machines.
> i. one domain controller machine. windows 2000
based. I have tried
>both a regular domain setup and a domain setup in
compatibility mode.
> ii. one sql server machine that is a member of
the domain. windows
>2000.
> iii. one client machine running an ado test
program that communicates
>with the sql server machine. I have tried both 2000 and
xp.
>b. Start your test ado program and create a connection.
>c. Fire a query.
>d. It should work.
>e. Unplug the network cord on the domain controller.
>f. Create a new connection and fire a new connection
about a minute or
>so after.
>g. It should work. Apparently the client caches account
information
>from the domain controller for a certain amount of
time. The time
>seems to be shorter by default in xp than 2000.
>h. Wait 20 minutes or more.
>i. Create another new connection. You will notice a
timeout error.
>If your using windows authentication the timeout will
happen 100% of
>the time. That is to be expected. If your using sql
authentication
>the timeout seems to happen about 50% of the time. I
can't explain it
>other than some strange Microsoft bug. I speculate that
it may be
>some bug with the way ado caches connections. Perhaps a
previously
>setup windows authentication connection gets reused by a
request for a
>sql authentication connection. However I haven't been
able to prove
>it.
>Any insight you can offer would be appreciated. I also
have a test
>program you can use to reproduce this behavior if you
are interested.
>Thanks,
>Frank
>.
>|||"Simon Hayes" <sql@.hayes.ch> wrote in message news:<4002fd9c$1_1@.news.bluewin.ch>...
> "Frank" <frank@.policecentral.com> wrote in message
> news:c148e27c.0401120604.7d0b3c0f@.posting.google.com...
> > I have observed that a temporary loss of a domain controller can cause
> > problems creating new ado connections between a client machine running
> > ado and a separate sql server machine that are members of the domain.
> > I understand why this happens when creating connections with windows
> > authentication. What is a mystery is that it also sometimes effects
> > new connections that use "sql authentication". Below is a description
> > of my test scenario.
> >
> > a. Setup 3 machines.
> > i. one domain controller machine. windows 2000 based. I have tried
> > both a regular domain setup and a domain setup in compatibility mode.
> > ii. one sql server machine that is a member of the domain. windows
> > 2000.
> > iii. one client machine running an ado test program that communicates
> > with the sql server machine. I have tried both 2000 and xp.
> >
> > b. Start your test ado program and create a connection.
> > c. Fire a query.
> > d. It should work.
> > e. Unplug the network cord on the domain controller.
> > f. Create a new connection and fire a new connection about a minute or
> > so after.
> > g. It should work. Apparently the client caches account information
> > from the domain controller for a certain amount of time. The time
> > seems to be shorter by default in xp than 2000.
> > h. Wait 20 minutes or more.
> > i. Create another new connection. You will notice a timeout error.
> > If your using windows authentication the timeout will happen 100% of
> > the time. That is to be expected. If your using sql authentication
> > the timeout seems to happen about 50% of the time. I can't explain it
> > other than some strange Microsoft bug. I speculate that it may be
> > some bug with the way ado caches connections. Perhaps a previously
> > setup windows authentication connection gets reused by a request for a
> > sql authentication connection. However I haven't been able to prove
> > it.
> >
> > Any insight you can offer would be appreciated. I also have a test
> > program you can use to reproduce this behavior if you are interested.
> >
> > Thanks,
> > Frank
> This is a complete guess, and may be an overly obvious question, but could
> the 50% failure rate be due to unsuccessful name resolution, and not an
> MSSQL login issue? So in the cases where the SQL authenticated connection
> fails, can you still resolve the name of the SQL server? Certainly in
> theory, losing the domain controller shouldn't affect SQL logins, provided
> that the client can actually find the server to begin with.
> Simon
I thought of that and tried doing a ping by name after it failed. It
worked ok. However given the 50% nature of the problem I still don't
totally rule it out.|||I considered that possibility. I did bring up the "Client Network
Utility" on the client and made tcp/ip the only choice. The behavior
did not change. However I am referencing the machine by name and not
ip. I will try the ip technique and report back.
"Matthew Bando" <anonymous@.discussions.microsoft.com> wrote in message news:<062d01c3d9ec$f7e783c0$a001280a@.phx.gbl>...
> Which network library are you using to establish the
> connection? Named pipes will require an underlying
> NetBIOS connection to the SQL Server, which may result in
> the "cache-ing" behavior you are seeing. NetBIOS
> connections will require NT user account authentication
> and the use of a domain controller.
> If you refer to the SQL Server by IP Address in your
> connectino string, you can force the client to connect
> using TCP/IP which does not require an underlying Named
> Pipe connection.
> I don't know if this will help, but it is one possible
> explanation.
> Matthew Bando
> BandoM@.CSCTGI(remove this).com
>
> >--Original Message--
> >I have observed that a temporary loss of a domain
> controller can cause
> >problems creating new ado connections between a client
> machine running
> >ado and a separate sql server machine that are members
> of the domain.
> >I understand why this happens when creating connections
> with windows
> >authentication. What is a mystery is that it also
> sometimes effects
> >new connections that use "sql authentication". Below is
> a description
> >of my test scenario.
> >
> >a. Setup 3 machines.
> > i. one domain controller machine. windows 2000
> based. I have tried
> >both a regular domain setup and a domain setup in
> compatibility mode.
> > ii. one sql server machine that is a member of
> the domain. windows
> >2000.
> > iii. one client machine running an ado test
> program that communicates
> >with the sql server machine. I have tried both 2000 and
> xp.
> >
> >b. Start your test ado program and create a connection.
> >c. Fire a query.
> >d. It should work.
> >e. Unplug the network cord on the domain controller.
> >f. Create a new connection and fire a new connection
> about a minute or
> >so after.
> >g. It should work. Apparently the client caches account
> information
> >from the domain controller for a certain amount of
> time. The time
> >seems to be shorter by default in xp than 2000.
> >h. Wait 20 minutes or more.
> >i. Create another new connection. You will notice a
> timeout error.
> >If your using windows authentication the timeout will
> happen 100% of
> >the time. That is to be expected. If your using sql
> authentication
> >the timeout seems to happen about 50% of the time. I
> can't explain it
> >other than some strange Microsoft bug. I speculate that
> it may be
> >some bug with the way ado caches connections. Perhaps a
> previously
> >setup windows authentication connection gets reused by a
> request for a
> >sql authentication connection. However I haven't been
> able to prove
> >it.
> >
> >Any insight you can offer would be appreciated. I also
> have a test
> >program you can use to reproduce this behavior if you
> are interested.
> >
> >Thanks,
> >Frank
> >.
> >|||Thanks for the help. The mystery has been solved. I ended up opening
a ms support incident and they helped me figure it out. For those
that guessed dns server that was the right idea. However what made it
difficult to pin down is the following.
A. I tried as one person suggested connecting by ip address. I
thought this would eliminate dns issues from the equation. However as
the ms support guy informed me ado does a gethostbyaddr early in the
connection if you pass in an ip address. Therefore if the computer
can't do that your out of business.
B. I also thought that dns was not a factor because I could ping by
name after a connection failure and it would work. However the reason
it worked is because all the machines were on the same subnet and the
broadcast was what made it work. Once the dns server drops out the
first ping response was very slow. if you would do a ping immediately
after the response the 2nd ping would be fast. That behavior was what
was causing the randomness of the connection working. The first time
the connection would time out. However the attempt woke things up and
the second attempt would succeed.
Now that I know this I can route the important machines to a more
isolated and protected dns server or manually edit the hosts files to
eliminate the domain controller / dns controller that I can't control
from the equation.
frank@.policecentral.com (Frank) wrote in message news:<c148e27c.0401131411.32f26332@.posting.google.com>...
> I considered that possibility. I did bring up the "Client Network
> Utility" on the client and made tcp/ip the only choice. The behavior
> did not change. However I am referencing the machine by name and not
> ip. I will try the ip technique and report back.
> "Matthew Bando" <anonymous@.discussions.microsoft.com> wrote in message news:<062d01c3d9ec$f7e783c0$a001280a@.phx.gbl>...
> > Which network library are you using to establish the
> > connection? Named pipes will require an underlying
> > NetBIOS connection to the SQL Server, which may result in
> > the "cache-ing" behavior you are seeing. NetBIOS
> > connections will require NT user account authentication
> > and the use of a domain controller.
> >
> > If you refer to the SQL Server by IP Address in your
> > connectino string, you can force the client to connect
> > using TCP/IP which does not require an underlying Named
> > Pipe connection.
> >
> > I don't know if this will help, but it is one possible
> > explanation.
> >
> > Matthew Bando
> > BandoM@.CSCTGI(remove this).com
> >
> >
> >
> > >--Original Message--
> > >I have observed that a temporary loss of a domain
> controller can cause
> > >problems creating new ado connections between a client
> machine running
> > >ado and a separate sql server machine that are members
> of the domain.
> > >I understand why this happens when creating connections
> with windows
> > >authentication. What is a mystery is that it also
> sometimes effects
> > >new connections that use "sql authentication". Below is
> a description
> > >of my test scenario.
> > >
> > >a. Setup 3 machines.
> > > i. one domain controller machine. windows 2000
> based. I have tried
> > >both a regular domain setup and a domain setup in
> compatibility mode.
> > > ii. one sql server machine that is a member of
> the domain. windows
> > >2000.
> > > iii. one client machine running an ado test
> program that communicates
> > >with the sql server machine. I have tried both 2000 and
> xp.
> > >
> > >b. Start your test ado program and create a connection.
> > >c. Fire a query.
> > >d. It should work.
> > >e. Unplug the network cord on the domain controller.
> > >f. Create a new connection and fire a new connection
> about a minute or
> > >so after.
> > >g. It should work. Apparently the client caches account
> information
> > >from the domain controller for a certain amount of
> time. The time
> > >seems to be shorter by default in xp than 2000.
> > >h. Wait 20 minutes or more.
> > >i. Create another new connection. You will notice a
> timeout error.
> > >If your using windows authentication the timeout will
> happen 100% of
> > >the time. That is to be expected. If your using sql
> authentication
> > >the timeout seems to happen about 50% of the time. I
> can't explain it
> > >other than some strange Microsoft bug. I speculate that
> it may be
> > >some bug with the way ado caches connections. Perhaps a
> previously
> > >setup windows authentication connection gets reused by a
> request for a
> > >sql authentication connection. However I haven't been
> able to prove
> > >it.
> > >
> > >Any insight you can offer would be appreciated. I also
> have a test
> > >program you can use to reproduce this behavior if you
> are interested.
> > >
> > >Thanks,
> > >Frank
> > >.
> > >
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment