Mapped drives cause a logon delay when no domain connection exists

captain:
I have been puzzling over this for a while.

We connect our remote laptops via VPN to the workplace. The user usually has a wireless setup so without preconnect, the VPN is started after the user has logged on once a wireless connection is established. Then he runs a local login.bat to map the user environment suitable for his location.

When the user logs on via a cabled connection he can use the VPN from the logon screen as connectivity exists. In that case the logon is very fast (less than 10 secs) but in the above case it takes 50-60 secs, sometimes longer.

It all boils down to Windows trying to reconnect the network drives which have been mapped previously. The notification icon (Windows could not connect...) does come up after login.

This also happens if the script is set to 'non-persistent' or if I run a net delete before reboot/logoff.

Under XP there was a neat option to stop this by hiding connected devices (I cannot remember the exact command) but apparently under Windows Vista and above the network code has been improved by MS to make this unnecessary.

How do you deal with this? Is there a particular way of configuring VPN? I cannot run the script from the server as the script is different for some of the locations, i.e. the user may be travelling or have a home server....

Many thanks
arnold:
[arnold's accepted solution is not shown here: it is only available to Experts Exchange members]
captain:
Thanks, I think all shares are set to /persistent:no, but will verify that.

arnold:
If the shares are attempting to reconnect when the user logs in, the setting is likely /persistent:yes or, if mapped manually, the reconnect-at-login option is ticked.

I.e. the mapped drives are part of the HKEY_CURRENT_USER registry entry.
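
To see exactly which mappings arnold is referring to, here is an added PowerShell example (mine, not code from the thread) that lists the per-drive-letter subkeys under HKCU\Network, which is where Windows keeps the connections it tries to restore at logon, and that can remove the ones pointing at a given server. The server name pattern used at the bottom is a placeholder.

```powershell
# Added example, not from the thread. Lists and optionally removes the drive
# mappings Windows restores at logon, which live as one subkey per drive
# letter under HKCU\Network. 'server01' at the bottom is a placeholder.

function Get-PersistentDriveMapping {
    # Each subkey is named after the drive letter; RemotePath is the UNC path.
    Get-ChildItem -Path 'HKCU:\Network' -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        New-Object -TypeName PSObject -Property @{
            Drive        = "$($_.PSChildName):"
            RemotePath   = $p.RemotePath
            Server       = ($p.RemotePath -split '\\')[2]
            ProviderName = $p.ProviderName
            UserName     = $p.UserName
        }
    }
}

function Remove-PersistentDriveMapping {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Only touch mappings whose server matches this wildcard; default is all.
        [string]$ServerPattern = '*'
    )
    foreach ($map in Get-PersistentDriveMapping) {
        if ($map.Server -notlike $ServerPattern) { continue }
        if ($PSCmdlet.ShouldProcess("$($map.Drive) -> $($map.RemotePath)", 'Remove persistent mapping')) {
            # net use /delete handles a live connection; Remove-Item clears a key
            # left behind for a drive that is currently disconnected.
            net use $map.Drive /delete /y 2>$null | Out-Null
            Remove-Item -Path "HKCU:\Network\$($map.Drive.TrimEnd(':'))" -ErrorAction SilentlyContinue
        }
    }
}

# What will be reconnected at the next logon, then a dry run of removing
# everything that points at the placeholder server01 (drop -WhatIf to apply).
Get-PersistentDriveMapping | Format-Table Drive, RemotePath, ProviderName -AutoSize
Remove-PersistentDriveMapping -ServerPattern 'server01' -WhatIf
```

Run it in the affected user's session, since HKCU is per user; if the listing is empty after the login script has run, the script's mappings are genuinely non-persistent and the reconnect attempts at logon are coming from somewhere else.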

captain:
OK, it seems that the scripts I inherited consist of two elements, standard .bat scripts and KiXtart scripts. I suspect the persistent flag in KiX is different to the standard scripts.

Also the 'network' subkey in HKCU lists a bunch of drives...

So I should probably delete the keys in the registry and rewrite the KiX scripts.

The KiX script is called from the login.bat and only seems to map drives by group membership criteria:

; map K: only for members of the Projects group
IF INGROUP("Projects")
      USE K: /DELETE
      USE K: "\\server01\Share01" /persistent:no
ENDIF

As my colleague who wrote this is not here anymore, I have no idea why this is that way, but is this KiX part necessary? Or can this be done using standard scripting alone?

arnold:
Not sure you can use a bat file to map drives based on group membership.
You would either continue to use KiX or have to use a VBScript that will check the user's AD parameters for group membership and then go through the script.
The other, more common way I have seen scripts of this type written is that for each group condition there is a check run against AD. This could add to the processing and could take longer to process.

You could use GPO based login scripts.
You would use the user OU and set the GPOs on it with the user group to which it applies:
GPO group1 limited to group1 map drive z:
GPO group2 limited to group2 map drive y:

The problem with this is that on login multiple sequential login scripts will be run, and when you have many group based arbitrations it could lead to a longer login process if you have the domain based GPO set to run login scripts synchronously, i.e. the user will not be able to do anything on the workstation until all login scripts have run.
captain:
Hm, thanks. I think I'll stick with KiX as I don't want to implement GPO just for mapping drives.

Does anyone know how to create non-persistent connections in KiX?

arnold:
Check the version of KiX you have.
4.53 added support for the persistent flag.
captain:
I saw that, but the manual does not state the way to set it to non-persistent, or is this always the case as long as the persistent flag is not set?
captain:
I will download and test this version as it is not clear which one we have deployed.
captain:
The KiX option seems non-persistent; after deleting all the keys in the Network entry under HKCU the error message about not being able to connect has disappeared.

However the logon still takes ages. Maybe I am barking up the wrong tree...
arnold:
After login, run systeminfo | more in a command window.

Something is being processed; the difficulty is determining what that would/might be.
Do you have GPO/login script application set to synchronous for XP?
Check the profile type (local/roaming); that may explain things.
I.e. roaming/redirected offline folders: a sync is attempted and delays login until timeout.
captain:
systeminfo | more shows pretty standard local system stuff; only the domain and logon server stand out...?

All profiles are local and directory sync is not setup.

The login script is executed locally via batch script on C: drive, this only after logon is successful.

arnold:
Does the local login script reference any network resources?
captain:
None apart from the net use drive mappings.

arnold:
That is likely the cause of the slow logins. A net use trying to access a resource that is nowhere to be found will delay the login; I think it is 30-45 seconds per net use (the timeout for attempting the net use directive).

date; net use X: \\server\share /persistent:no;date
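
The following is an added example (my code, not from the thread, KiXtart or arnold) covering two points raised above: arnold's earlier remark that group-based mapping needs KiX, VBScript or GPO rather than a plain bat file, and his point here that a net use against a server that is not there blocks for the full timeout. It maps drives from a local logon script by checking the user's token for group membership (which works from a cached logon without contacting a DC), maps with /persistent:no, and skips any server that does not answer on TCP 445 within two seconds. The $Mappings table, group names/SID, server and share names are all placeholders.

```powershell
# Added example, not from the thread. All names in $Mappings are placeholders;
# a Group entry may be a DOMAIN\Name or a SID string (see Test-InGroup).
$Mappings = @(
    @{ Group = 'DOMAIN\Projects'; Drive = 'K:'; Path = '\\server01\Share01' },
    @{ Group = 'S-1-5-21-1111111111-2222222222-3333333333-1105'; Drive = 'L:'; Path = '\\server02\Finance' }
)

# The logon token already carries the user's group SIDs (it is built from the
# cached logon), so membership can be tested without talking to a DC.
$Principal = New-Object System.Security.Principal.WindowsPrincipal(
    [System.Security.Principal.WindowsIdentity]::GetCurrent())

function Test-InGroup {
    param([string]$Group)
    if ($Group -like 'S-1-*') {
        # SID form needs no name lookup, so it also works with no DC reachable.
        return $Principal.IsInRole([System.Security.Principal.SecurityIdentifier]$Group)
    }
    # DOMAIN\Name is translated to a SID via LSA; that lookup can itself stall
    # if the name is not cached locally and no DC can be reached.
    return $Principal.IsInRole($Group)
}

function Test-SmbReachable {
    param([string]$Server, [int]$TimeoutMs = 2000)
    # Bounded TCP connect to 445: a server behind a VPN that is down fails
    # within $TimeoutMs instead of the much longer net use timeout.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, 445, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Connect-GroupDrive {
    param([hashtable]$Map)
    if (-not (Test-InGroup $Map.Group)) { return "$($Map.Drive) skipped: not a member of $($Map.Group)" }
    $server = ($Map.Path -split '\\')[2]
    if (-not (Test-SmbReachable $server)) { return "$($Map.Drive) skipped: $server not reachable on 445" }
    # Clear any stale mapping, then map with /persistent:no so nothing is
    # written under HKCU\Network for Windows to retry at the next logon.
    net use $Map.Drive /delete /y 2>$null | Out-Null
    net use $Map.Drive $Map.Path /persistent:no 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0) { return "$($Map.Drive) failed: net use exit code $LASTEXITCODE" }
    return "$($Map.Drive) -> $($Map.Path)"
}

foreach ($m in $Mappings) { Connect-GroupDrive $m }
```

Call it from login.bat as `powershell -ExecutionPolicy Bypass -File mapdrives.ps1` (file name assumed). Storing group SIDs rather than names in the table is the safer choice for laptops that run the script before the VPN is fully up, since the SID check never leaves the local token.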

captain:
But the login script is not executed during logon; the user logs on using cached credentials. Then the VPN connection is dialled and the login script is executed via a shortcut to the .bat file...

arnold:
Everything occurs without user intervention?
I.e. there is a local security policy that fires off the VPN connection, and as part of the VPN connection it has "run this bat file"?

The user gains access to the system when the VPN connection attempt fails, correct?

The initiation of the VPN should be up to the user, versus what it sounds like you have.
Do the users have access to a terminal server via VPN?
captain:
No, it is all very manual.

The user can either use the VPN when he is connected via LAN at logon, or, if he has wireless without preconnect, he uses a shortcut on the desktop.

Then once the VPN is up another shortcut with the login.bat is executed, mapping the drives.

No terminal server, only simple file servers, email server via Lotus Notes and Oracle ERM. The latter two don't require any special parameters as far as the network is concerned.

arnold:
Unfortunately, there are no clear paths to the solution. One thing to try is to use a new user on the system, then disconnect the system from the network and see whether the new user takes as long to log in as the current user. This will deal with issues with the profile.

You can use regedit to look at hkcu\software\microsoft\windows\current..\run to see what this user has in terms of what is supposed to run when this user logs in. Maybe that is the cause of the long login.
captain:
I understand. I had been down this road before. This happens for all users. Whether it is a new laptop setup without any software other than OS or a fully laden graphics machine, it does not make a difference.

If you remove the laptop from the domain, it is fine. Add it and it only connects fast if the VPN is invoked before logon, otherwise it is slow.

Run commands are not altered so they should not affect the boot time in either scenario.

So it is down to domain membership, hence my initial thought of mapped drives...

What is the default policy setting for detecting the system is not on the LAN?

arnold:
The default setting is 500kb; if that rate is reduced it could translate into a longer timeout.

Do you have shares with offline options (sharing tab, caching)?
This could be the issue as well, i.e. offline files need to synchronise?

Do you have company specific software that is installed on the system that might explain this issue? I.e. an anti-virus application that checks in with the corporate LAN?
Do you have a GPO disabling the Windows firewall? It remains on if the GPO is not applied and adds to the overhead of the system. Is the system slow when not dealing with access to the net? The VPN that is established, is it securing all networks, or is only data for the corporate LAN sent through the VPN and the rest through the user's local ISP?
I.e. if the user goes to when the VPN is present, is the IP that is displayed the corporate WAN IP?
captain:
Where do I check the default? We have not changed this so I expect that is the same, especially as the same happens when the OS is straight out of the box...

No sync, FW service is manually disabled. AV agent does not make a difference if present (checked this first). No GPO whatsoever.

VPN tunnel is only for the corp LAN; all Internet is piped through the local DSL/ISP. Default gateway is local.

IP is the local ISP assigned IP, not the corp WAN, for the reasons above.

arnold:
There have to be some resources that are only available on the LAN that are causing this issue. What about printers? Are there any userenv errors/warnings in the application log about not being able to access this or that resource?

Presumably printers are deployed using GPO per computer/user?
Does the domain admin, logging in to these systems while off the LAN, experience the same slow login?
captain:
Domain admin and local accounts have the same delay.

No network printers are connected or mapped on my laptop, but still the same delay.

I will search app logs for more info, thanks.
captain:
OK I have checked the event viewer logs after a clean reboot and logon. The following is a list of errors appearing.

Applog errors:
at logon
Automatic certificate enrollment for DOMAIN\user failed (0x8007003a) The specified server cannot perform the requested operation.

Syslog errors:
at logon
The HomeGroup Listener service terminated with service-specific error %%-2147023143.

and after 10 minutes from logon
The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.

I assume the latter is because no VPN was initiated.

Any ideas?
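
An added PowerShell example (mine, not from the thread) that automates the check captain just did by hand: it pulls the warnings and errors from the System and Application logs since the current boot, keeps only those whose text matches the messages quoted above, and prints them in time order with the offset from boot, so the sequence (DC lookup failure, autoenrolment failure, Group Policy failure ten minutes later) can be read in one listing. The match patterns are substrings of the messages quoted in this thread; no event IDs are assumed.

```powershell
# Added example, not from the thread. Collects this boot's logon-time
# warnings/errors whose text matches the messages quoted above and shows
# them in order with the seconds elapsed since boot.

$os   = Get-WmiObject -Class Win32_OperatingSystem
$boot = $os.ConvertToDateTime($os.LastBootUpTime)

# Substrings of the event messages quoted in the thread.
$patterns = @(
    'no logon servers available'                            # NETLOGON secure session
    'lack of network connectivity to a domain controller'   # Group Policy
    'Automatic certificate enrollment'                      # autoenrolment against the CA
    'HomeGroup Listener'
)

function Get-LogonDelayEvent {
    param([datetime]$Since = $boot)
    foreach ($log in 'System', 'Application') {
        # Level 1-3 = critical, error, warning; StartTime bounds it to this boot.
        Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $Since; Level = 1, 2, 3 } -ErrorAction SilentlyContinue |
            Where-Object {
                $msg = $_.Message
                @($patterns | Where-Object { $msg -like "*$_*" }).Count -gt 0
            } |
            Select-Object TimeCreated,
                @{ n = 'SinceBoot'; e = { [int]($_.TimeCreated - $Since).TotalSeconds } },
                LogName, ProviderName, Id,
                @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
    }
}

Get-LogonDelayEvent | Sort-Object TimeCreated | Format-Table -AutoSize -Wrap
```

Compare the SinceBoot column against the time the desktop appeared: an event logged before the desktop is up is a candidate for the logon delay, one logged well after it (like the Group Policy message ten minutes later) is not.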
captain:
Just spotted a VMC service error too:
captain:
So once my blindness subsided I even spot the main entry...

This computer was not able to set up a secure session with a domain controller in domain DOMAIN due to the following:
There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.  

If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.

So I guess the delay is simply because the laptop checks for domain server to authenticate even though it has cached credentials...

Is there a way to disable lookup of the AD server?

I feel dense....

arnold:
Your domain has a PKI setup with autoenrol. Is the CA still online, or is the delegated issuing CA server online?

Do you have an EFS policy? Unfortunately it is not clear what certificate is being sought or why.
But if the user's access to some files on the system relies on an EFS certificate that has expired, this could explain the delay if this same error occurs for every user.
The only way to disable the checks for DCs is not to have any network connection active (wired or wireless). The timeout kicks in when there is a network connection and Windows searches and waits for a response.
captain:
I see.

The certificate is the IPsec MS Enhanced Prov. one for the VPN L2TP connection. The CA server is on the corp LAN.

So I guess we are boiling down to "this is normal behaviour if you are on a LAN, as the logon will try to authenticate with the DC first before using the cache..."

captain:
Thanks for your patience. Somewhat self-explanatory in the end, but I needed the exploration to understand it...