Solved

Problem with Slow logon after entering username and password in Active directory environment (W2K3)

Posted on 2009-07-04
Last Modified: 2012-05-07
Hello,

We have a relatively small Active Directory environment (70 users). When a user logs onto the network, their computers have hard disk activity anywhere from 3-7 minutes. This is especially predominant on laptops and less so on desktops.

Upon further investigation, part of the problem seems to be due to our anti-virus program (Trend Micro Worry Free version 5.2) which scans every process on start up. Uninstalling Trend (temporarily) does result in reduced log on times, but there is still room for improvement.

Performing an uninstall of Trend, rebooting, and then a reinstall results in improvement, but the logon process is still not great.

Another complaint associated with slow logon process is the time it takes to load email through Outlook, as we use Exchange 2003 for Email. We are configured for "Microsoft Exchange Server" in cached mode (.ost files) and POP is not allowed. It even takes time until users get the "connected" message when launching Outlook immediately after logging on.

Another issue to note is that we were hit hard at the beginning of February with the DownAd A virus. At this time, I upgraded to Trend Worry Free. Polling users seems to indicate that the problems started at this time.

What really has me stumped is why the process is so unbearably slow on laptops as compared to desktops.

Anyone have any suggestions? At this point I am considering scrapping Trend and using a different Anti-Virus solution, although I am not certain this is the only problem.
0
Question by:mbudman
30 Comments
 
LVL 74

Expert Comment

by:Glen Knight
ID: 24776678
Are you using roaming profiles? When a user logs into a computer, their roaming profile is downloaded from the server. If they are using OST and/or PST files, then there is a possibility they could be stored in your roaming profile; the OST is less likely unless the location has been changed.

Check the size of the profile being stored on the network, you can confirm this by creating a new user with a clean roaming profile and see what the login time is.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 24776683
Also are the laptops connecting via wireless? If so the download speed is obviously going to be a lot slower than using a desktop machine connected via the wired network.
0
 
 
LVL 1

Author Comment

by:mbudman
ID: 24776779
The laptops support Wireless connection, but in this particular problem are logging in connected via copper cable.

The slow logon exists even if they are disconnected from the network


thanks,

Mark
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 24776786
Check the size of the user profiles in the local Documents & Settings folder.
Also check the environment settings under the Advanced tab of My Computer properties to see if there are any network paths in there that no longer exist.
0
 
LVL 1

Author Comment

by:mbudman
ID: 24777133
By the way, we don't use roaming profiles.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 24777137
OK, can you check for path entries for UNC names or network locations that no longer exist?
This will slow logins down
0
 
LVL 7

Expert Comment

by:ms-pro
ID: 24777453
How many DCs do you have in your AD environment? Is your DNS 100% integrated with AD?
And which OS are you running on the laptops?
Are you using static or dynamic IP addresses on your DC and DNS?
0
 
LVL 4

Expert Comment

by:jkockler
ID: 24777465
This is a DNS problem.  You must do the following:

-  Your W2k3 server must be the ONLY DNS server listed on the client's network cards

-  Your W2k3 server must be listed as its own DNS server, and no external servers, on the server's local area connection.

-  Then in your DNS server snap in, configure your DNS server for forwarders to the external DNS servers.  You must set it to resolve all internal requests itself, and then forward all else to the external DNS servers.

0
 
LVL 4

Expert Comment

by:jkockler
ID: 24777470
This is of course assuming that this is the only DC in the domain, and the only local DNS server in the domain.  
0
 
LVL 4

Expert Comment

by:jkockler
ID: 24777476
The reason why it takes so long if you have external DNS listed on the clients is, when the clients attempt to resolve authentication information at logon, the request is attempting to use external DNS servers first, to resolve authentication, which takes forever to fail, and then finally going to the internal server.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 24777489
I am not convinced it is DNS; if it were, then you would also be experiencing lots of other issues. Explore the path options: from a command prompt type PATH and hit return. Are there any UNC names in there?

I also had a case a few months ago when a lot of machines were updated from way back and they received another tab: when you right-click on properties of the network card there is an Authentication tab, and the check boxes to use smartcard and IEEE 802.x were enabled, and for some reason this impacted performance. If you're not using smartcards, try unchecking this box and see if it helps.
0
 
LVL 4

Expert Comment

by:jkockler
ID: 24777542
We'll see I guess, but I am betting DNS all the way.  Incorrect DNS configurations are the number one cause of all MS related network problems.  Most admins will put external DNS on the clients, so their users can still get the Internet in the event the internal DNS server goes down.  This almost always causes slooooooow logons.  Since he is not using roaming profiles here, incorrect DNS is most certainly the problem.  Keep it local, and use forwarders on the DNS server.  
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 24777588
I agree and most networks that have been configured correctly will be setup as you describe.

However, if it was a DNS problem it would have always been there and wouldn't have happened suddenly, but also it wouldn't affect laptops when they are not attached to the network, as DNS doesn't come into it.

The reason I am discounting DNS is because the requester has advised they are not using roaming profiles, so nothing is being loaded from servers; it's all local.

I think the UNC path in the environment settings is the way to go, especially as it happened since a new piece of virus software went on, as this is probably updating from a server and maybe put a UNC path in the search path, which is probably unnecessary.
0
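The two client-side checks debated in the comments above (UNC entries in the search path, and DNS servers other than the internal DCs on the client's adapters), written out as an added example that is not part of the original thread. The function names `Get-UncPathEntry` and `Get-ForeignDnsServer`, the server name and all addresses are hypothetical, constructed values; the script assumes PowerShell 3.0 or later on the client.

```powershell
# Added example, not from the thread. Helper names and sample values are hypothetical.

function Get-UncPathEntry {
    # Return the UNC entries (\\server\share...) found in a PATH-style string.
    param([string]$PathValue)
    $PathValue -split ';' |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ -match '^\\\\[^\\]+\\[^\\]+' }
}

function Get-ForeignDnsServer {
    # Return configured DNS servers that are not in the internal (DC) list.
    param([string[]]$Configured, [string[]]$Internal)
    $Configured | Where-Object { $_ -and ($Internal -notcontains $_) }
}

# --- Constructed sample input: check the helpers before touching a live client ---
$samplePath = 'C:\WINDOWS\system32;C:\WINDOWS;\\OLDSRV01\tools\bin'
$sampleDns  = @('192.168.1.10', '203.0.113.53')
$internal   = @('192.168.1.10', '192.168.1.11')   # assumption: the two DCs running DNS

Get-UncPathEntry -PathValue $samplePath
Get-ForeignDnsServer -Configured $sampleDns -Internal $internal

# --- Live check: machine and user PATH ---
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
$userPath    = [Environment]::GetEnvironmentVariable('Path', 'User')
Get-UncPathEntry -PathValue "$machinePath;$userPath" |
    ForEach-Object {
        # Test-Path against a dead server can block for a while; that wait is the symptom.
        [pscustomobject]@{ UncEntry = $_; Reachable = (Test-Path -LiteralPath $_) }
    } | Format-List

# --- Live check: DNS servers on every IP-enabled adapter ---
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        [pscustomobject]@{
            Adapter    = $_.Description
            Configured = $_.DNSServerSearchOrder -join ', '
            ForeignDns = (Get-ForeignDnsServer -Configured $_.DNSServerSearchOrder -Internal $internal) -join ', '
        }
    } | Format-List
```

An empty `ForeignDns` on every adapter and no unreachable `UncEntry` rules out both theories for that client.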
 
LVL 4

Expert Comment

by:jkockler
ID: 24777618
I see what you are saying, but it seems any request that is to the local network is slow.  The Outlook clients are taking a long time to connect to Exchange.  I would think that is because they are not easily resolving the internal exchange address.  In addition Trend Micro worry free biz security clients are controlled server side, so again they could be looking for an internal server address but the DNS is sending them outside first.  If he has network drives mapped, they too will cause a performance problem until they can reconnect....

The requestor did not specify if he changed any DNS settings recently.  It is possible he had his head bashed for the clients losing the internet connection, during an internal server outage, and he changed the settings.  : )  who knows, but we shall see ....
0
 
LVL 1

Author Comment

by:mbudman
ID: 24777956
Hi,

Thanks for the comments / discussion. Here is some additional information:

1. Active Directory with 2 DC's
2. DNS installed on each DC
3. Clients have Windows XP installed
4. Exchange 2003 installed on its own box (application server)
5. Each client gets its network information through DHCP
6. DHCP only provides private network settings; e.g. no public DNS, etc.
7. DNS appears to be configured properly and does not seem to be the issue

0
 
LVL 4

Expert Comment

by:jkockler
ID: 24778030
Well refer to what Dmatzter said then.
0
 
LVL 7

Expert Comment

by:ms-pro
ID: 24779586
Take a look at the DCs' event viewer. I would recommend that you check the event viewer on the GC (global catalog) DC and on one client that has the problem.
0
 
LVL 14

Expert Comment

by:Shabarinath Ramadasan
ID: 24780348
I prefer to check the following things.

1) To make sure that authentication is fine, you should try running a program using runas from a command prompt without loading the profile. If that happens within a few seconds (I usually see <10 sec), the authentication part is fine.

2) Make sure that DNS is fine and the entries for LDAP, Kerberos and all are pointing to the correct DCs.
Also, I prefer to clear the DNS cache - sometimes DNS will get affected by DNS poisoning.

3) Connect a laptop to the same switch which has a DC and configure a manual IP address and DNS pointing to that DC. Try logging in and see the performance. This is to make sure that the network is absolutely fine.

4) Run netdiag and dcdiag on the DCs. Just to make sure that everything is fine.

5) Make sure that the netlogon share is properly accessible from desktops. Also, disable any Group Policy just for a few hours - to test the performance.

Hope this help.

Cheerio
Shaba


0
 
LVL 2

Expert Comment

by:cirlare
ID: 24780434
try this real quick, assign the main dns server ip as a static in client machines, see if the speed improves or not.
0
 
LVL 4

Expert Comment

by:jkockler
ID: 24780581
That is a good call cirlare, as I am still convinced this is a DNS issue.  Using DHCP from the server "should" work but I would always set static information client side, especially the DNS.  

Also make sure you have your forwarders set correctly in the DNS server, and that the setting "DNS domain" in the forwarders tab is set to  "all other domains."

Then make sure you flush dns client side and server side, on all stations, or at least the ones you are testing until you get the fix.  
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 24780586
Hi Guys, there shouldn't be a problem with DHCP assigning DNS servers. I would hate to install static addresses on all of the machines at some of my clients (1200 is the biggest).
The requester has already stated that all DNS is working so we need to look somewhere else.

I am going with the UNC names in the path!
0
 
LVL 4

Expert Comment

by:jkockler
ID: 24780604
There shouldn't be a problem with DHCP, but maybe there is.  It can't hurt to test static on one client, and see the results.  If the issue happens to resolve on that client, then he can TS his DHCP server, and / or assign statics manually.  

I am  also curious to know what kind of errors / warnings are showing in your event logs during the log on sessions.  
0
 
LVL 1

Author Comment

by:mbudman
ID: 24806949
Hi,

I have checked the event viewer on the local PC as well as the DCs (two of them). All are clean.

So I decided to do the following:

1. Rebuild a laptop (Dell Latitude D430) from scratch.
2. Install Windows XP with SP3
3. Install Office 2003 SBE, Acrobat 7.0 standard, Winzip 8, Smart Sync pro, and our VPN client
4. Configure system to connect to wireless adapter
5. Connect to network via Ethernet cable

I did these steps with the Ethernet cable and logon time before disk stopped turning was 20 seconds.

I did the same thing with the network cable disconnected (no communications to LAN) and it took almost two minutes to complete the logon process. The system is searching for the domain and obviously can't find it.

Does anyone have any suggestions on how to speed up domain search when a system is offline?

My next test will involve installing anti-virus software and seeing what impact it has on the logon process.

Thanks,

Mark
0
 
LVL 4

Accepted Solution

by:
jkockler earned 500 total points
ID: 24807555
If the computer is a member of the domain, and attempting to authenticate to the domain controller, it will always search for the domain.  

The only way to skip the domain logon search is to change the third box on the logon screen to "this computer."

0
 
LVL 1

Author Comment

by:mbudman
ID: 24918973
What I really want is for the laptops to be able to log on in cached mode - i.e. they do not search for the domain.

Each user is a domain account, and has a network logon script which maps a drive.

For remote users, I would like the system to log them on in cached mode.

They might have a network connection from, say, a public wifi or even their personal home network. They do not have a connection (cannot communicate) with the domain at this point.

Is there any way at all I can prevent the search for the logon domain when it is not available (when the local computer detects any network connection)? Seems odd that Microsoft would not have a value to delay the domain logon and go immediately to cached mode.

Thanks,

Mark
0
 
LVL 4

Expert Comment

by:jkockler
ID: 24919019
You may want to have the laptop users sign onto "this computer" option at the logon screen instead of the domain, when they are away from a location that is unable to contact the domain controller.
0
 
LVL 1

Author Closing Comment

by:mbudman
ID: 31599755
Thank you for your ideas. Your comments were very helpful
0
 
LVL 4

Expert Comment

by:jkockler
ID: 25105371
Glad to help!
0
