Slow Timesync and NDS Synchronization to BorderManager - July 19, 2001

You may find that certain communications to a NetWare 5.x server running BorderManager are very slow or fail altogether. A classic symptom is running a Time Synchronization check on a non-BorderManager NetWare 5.x server and seeing a slow response come back from the BorderManager server. Other symptoms might include slow NDS synchronization to the BorderManager server, and intermittent problems with CLNTRUST talking to the server. If you do not have IPX running on the server, you may find that SLP doesn't work (because it could be binding to the public or VPN tunnel address) and that all communications fail.

The reason is (usually) that either the public IP address or the VPN Tunnel IP address is bound first in the SYS:ETC\TCPIP.CFG file. The server's NCP over IP address defaults to the first address bound. Consequently, the server advertises itself as being available to other servers on the public IP address (or the VPN Tunnel IP address). The default BorderManager filters block all traffic from the internal LAN to the public interface, so NCP over IP communications are blocked. Other NetWare 5.x servers try to make Timesync or NDS connections to the BorderManager server using the blocked IP address, time out, and then attempt IPX communications instead. You see this as a very slow response in DSREPAIR operations involving communications to the BorderManager server.

Fortunately, there is a very easy fix that avoids manually editing the TCPIP.CFG file (and NETINFO.CFG file): include only the private IP address(es) of the BorderManager server for NCP operations. This is something you want to do for added security anyway, for a variety of reasons. Load Monitor at the server console, and do the following:

In Monitor, under Server Parameters, go to NCP. Then select NCP Include IP Addresses. Now add the private IP address of the BorderManager server. (If you have multiple private IP addresses, such as for multiple private network interface cards, add all of them.) Exit Server Parameters.

You should then see, on the server console main screen, that the public IP address has been deregistered from NCP (NetWare 5.x only - NW6 does not show a message). As the server synchronizes its private IP address as the server address, you should see dramatic speed improvements in NDS operations.
