Solved

Mapped drives cause a logon delay when no domain connection exists

Posted on 2010-09-11
1,190 Views
Last Modified: 2012-05-10
Hi

I have been puzzling over this for a while.

We connect our remote laptops via VPN to the workplace. The user usually has a wireless setup so without preconnect, the VPN is started after the user has logged on once a wireless connection is established. Then he runs a local login.bat to map the user environment suitable for his location.

When the user logs on via a cabled connection he can use the VPN from the logon screen as connectivity exists. In such a case the logon is very fast (less than 10 secs), but in the above case it takes 50-60 secs, sometimes longer.

It all boils down to Windows trying to reconnect the network drives which have been mapped previously. The notification icon (Windows could not connect...) does come up after login.

This also happens if the script is set to 'non-persistent' or if I run a net delete before reboot/logoff.

Under XP there was a neat option to stop this by hiding connected devices (I cannot remember the exact command) but apparently under Windows Vista and above the network code has been improved by MS to make this unnecessary.

How do you deal with this? Is there a particular way of configuring VPN? I cannot run the script from the server as the script is different for some of the locations, i.e. the user may be travelling or have a home server....

many thanks
capt.
Question by: captain
31 Comments

Accepted Solution by arnold, who earned 500 total points (ID: 33653113)
The way to deal with this is to use login scripts to map drives for the session rather than have persistently mapped drives.
Usually if the system does not have any active network connection, it should login fast.
The issue is when the system is connected and a network connection is present, it has a timeout window when it tries to contact a DC.

An explicitly set net use F: \\domain\share /persistent:no

I think the /persistent:yes is the default.

Author Comment by captain (ID: 33653146)
Thanks, I think all shares are set to /persistent:no, but will verify that.

Expert Comment by arnold (ID: 33653721)
If the shares are attempting to reconnect when the user logs in, the setting is likely /persistent:yes or if mapped manually, has the reconnect at login.

i.e. the mapped drives are part of the HKEY_CURRENT_USER registry entry.


Author Comment by captain (ID: 33655232)
hm...

OK, seems that the scripts I inherited consist of two elements, standard .bat scripts and Kixtart scripts. I suspect the persistent flag in kix is different to the standard scripts.

Also the 'network' subkey in HKCU lists a bunch of drives...

So I should probably del the keys in the registry and rewrite the kix scripts.

The kix is called from the login.bat and the kix script only seems to map by group member criteria:

IF INGROUP("Projects")
      USE K: /DELETE
      USE K: "\\server01\Share01" /persistent:no
ENDIF

As my colleague who wrote this is not here anymore, I have no idea why this is that way, but is this kix part necessary? Or can this be done using standard scripting alone?

thx

Expert Comment by arnold (ID: 33656366)
Not sure you can use a bat file to map drives based on group membership.
You would either continue to use KIX or have to use a VBscript that will check the user's AD parameters for group membership and then go through the script.
The other, more common, way I have seen scripts of this type written is that for each group condition there is a check run against AD. This could add to the processing and could take longer to complete.

You could use GPO based login scripts.
You would use user OU and set the GPOs on it with the user group to which it applies
GPO group1 limited to group1 map drive z:
GPO group2 limited to group2 map drive y:

The problem with this is that on login multiple sequential login scripts will be run, and when you have many group-based arbitrations it could lead to a longer login process if you have the domain-based GPO set to run login scripts synchronously, i.e. the user will not be able to do anything on the workstation until all login scripts have run.
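The two things arnold has raised so far, the reconnect-at-logon entries under HKCU\Network and mapping drives for the session only by group membership without KiXtart, as one added PowerShell example. This is not code from the thread; the group names, drive letters and UNC paths are hypothetical, and it assumes Windows PowerShell on the Vista/7-era clients being discussed.

```powershell
# Added example (not from the thread). Step 1 audits and removes the per-user
# persistent mappings that Windows retries at every logon; step 2 maps drives
# for this session only, chosen by the groups in the user's logon token.
# Group names, drive letters and UNC paths below are hypothetical.

# Every subkey of HKCU:\Network is a drive letter Windows will try to reconnect
# at logon (that is what /persistent:yes or "Reconnect at logon" writes);
# RemotePath holds the UNC path.
function Get-PersistentMapping {
    if (-not (Test-Path 'HKCU:\Network')) { return @() }
    Get-ChildItem 'HKCU:\Network' | ForEach-Object {
        New-Object PSObject -Property @{
            Drive      = $_.PSChildName
            RemotePath = (Get-ItemProperty $_.PSPath).RemotePath
        }
    }
}

function Remove-PersistentMapping {
    foreach ($m in Get-PersistentMapping) {
        Write-Host "Removing persistent mapping $($m.Drive): -> $($m.RemotePath)"
        # Drop the live connection too, if there is one; ignore errors if not.
        & net use "$($m.Drive):" /delete /y 2>$null | Out-Null
        Remove-Item "HKCU:\Network\$($m.Drive)" -Recurse -Force
    }
}

# Which group gets which drive (hypothetical table; domain, groups and shares
# are assumptions).
$mappings = @(
    @{ Group = 'CORP\Projects'; Drive = 'K'; Path = '\\server01\Share01' },
    @{ Group = 'CORP\Finance';  Drive = 'F'; Path = '\\server01\Finance' }
)

# Group SIDs come from the logon token, so this works with cached credentials.
# A SID whose name cannot be resolved (no DC reachable and the name not cached
# by LSA) is skipped, so such a group simply gets no drive this session.
function Get-TokenGroupName {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $id.Groups) {
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
    }
}

function Connect-SessionDrive {
    $groups = @(Get-TokenGroupName)
    foreach ($m in $mappings) {
        if ($groups -notcontains $m.Group) { continue }
        & net use "$($m.Drive):" /delete /y 2>$null | Out-Null
        # /persistent:no keeps the mapping out of HKCU\Network, so nothing is
        # retried at the next logon.
        & net use "$($m.Drive):" $m.Path /persistent:no
    }
}

Remove-PersistentMapping
Connect-SessionDrive
```

Run it from the same login.bat that currently calls the KiX script (powershell.exe -ExecutionPolicy Bypass -File mapdrives.ps1); the audit step is also a quick way to confirm whether any script or user is still creating persistent mappings, since nothing should be left under HKCU\Network after a logoff if everything is /persistent:no.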

Author Comment by captain (ID: 33684756)
Hm, thanks. I think I'll stick with KIX as I don't want to implement GPO just for mapping drives.

Does anyone know how to create non-persistent connections in KIX?

Expert Comment by arnold (ID: 33684988)
Check the version of kix you have.
4.53 added support for the persistent flag
http://www.scriptlogic.com/kixtart/

Author Comment by captain (ID: 33685005)
I saw that, but the manual does not state the way to set it to non-persistent, or is this always the case as long as the persistent flag is not set?

Author Comment by captain (ID: 33685032)
I will download and test this version as it is not clear which one we have deployed.

Author Comment by captain (ID: 33686006)
The KIX option seems non-persistent; after deleting all the keys in the Network environment under HKCU, the error message about not being able to connect has disappeared.

However the logon still takes ages. Maybe I am barking up the wrong tree...

Expert Comment by arnold (ID: 33686074)
After login, run systeminfo | more in a command window.

Something is being processed, the difficulty is determining what that would/might be.
Do you have GPO/login script application set to synchronous for XP?
Check the Profile type (local/roaming) that may explain things.
i.e. roaming/redirected offline folders. sync is attempted and delays login until timeout.

Author Comment by captain (ID: 33686162)
systeminfo | more shows pretty standard local system stuff; only the domain and logon server stand out?

All profiles are local and directory sync is not setup.

The login script is executed locally via batch script on C: drive, this only after logon is successful.

Expert Comment by arnold (ID: 33686421)
Does the local login script reference any Network resources?

Author Comment by captain (ID: 33686450)
None apart from the net use drive mappings.

Expert Comment by arnold (ID: 33686523)
That is likely the cause for the slow logins. The net use trying to access a resource that is nowhere to be found will delay the login; I think it is 30-45 seconds per net use (the timeout for attempting the net use directive).

try (in a cmd window; %TIME% is used because the date command would prompt for input):
echo %TIME% & net use X: \\server\share /persistent:no & echo %TIME%


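A way to get the per-mapping timing arnold asks for and, more usefully, to avoid paying that timeout at all, as an added PowerShell example that is not from the thread: the file server is probed on TCP 445 with a bounded timeout before net use is called, so an unreachable server costs at most the probe timeout instead of the 30-45 s wait. Server and share names are hypothetical.

```powershell
# Added example (not from the thread): time each net use, and skip servers
# that cannot be reached instead of letting net use sit in its own timeout.
# Server and share names are hypothetical.

function Test-SmbReachable {
    param([string]$Server, [int]$TimeoutMs = 1500)
    # Bounded connect attempt to TCP 445 (SMB). net use has no timeout switch,
    # so the bound is enforced here, before net use ever runs.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Server, 445, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)     # throws on refused/unreachable -> catch
        return $true
    } catch {
        return $false               # DNS failure or connection error
    } finally {
        $client.Close()
    }
}

function Connect-DriveTimed {
    param([string]$Drive, [string]$UncPath)
    $server = ($UncPath -split '\\')[2]        # \\server\share -> server
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    if (-not (Test-SmbReachable $server)) {
        $sw.Stop()
        return "${Drive}: skipped, $server unreachable ($($sw.ElapsedMilliseconds) ms)"
    }
    & net use "${Drive}:" $UncPath /persistent:no | Out-Null
    $sw.Stop()
    return "${Drive}: mapped to $UncPath in $($sw.ElapsedMilliseconds) ms (net use rc=$LASTEXITCODE)"
}

# Usage: one line per mapping; run with and without the VPN up to compare.
Connect-DriveTimed -Drive 'X' -UncPath '\\server\share'
```

With the VPN down the probe fails in about the configured 1.5 s and the mapping is skipped; with it up, the probe adds a few milliseconds and net use proceeds as before. This is a guard for scripts run after logon (as captain's login.bat is); it does nothing about mappings Windows itself retries at logon, which is what the HKCU\Network cleanup is for.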

Author Comment by captain (ID: 33686643)
But the login script is not executed during logon; the user logs on using cached credentials. Then the VPN connection is dialed and the login script is executed via a shortcut to the .bat file...

Expert Comment by arnold (ID: 33687447)
Everything occurs without user intervention?
I.e. there is a local security policy that fires off the VPN connection and part of the vpn connection it has the run this bat file?

The user gains access to the system when the VPN connection attempt fails, correct.

The initiation of the VPN should be up to the user. versus what it sounds you have.
Do the users have access to a terminal server via VPN?

Author Comment by captain (ID: 33689360)
No, it is all very manual.

The user can either use VPN when he is connected via LAN on Logon, or if he has wireless without preconnect he uses a shortcut on the desktop.

Then once the VPN is up another shortcut with the login.bat is executed mapping the drives.

No Terminal server, only simple file servers, email server via Lotus Notes and Oracle ERM. The latter 2 don't require any special parameters as far as the network is concerned.

Expert Comment by arnold (ID: 33690520)
Unfortunately, there are no clear paths to the solution.  One thing to try is to use a new user on the system. then disconnect the system from the network and see whether the new user takes as long to login as the current user?  This will deal with issues with the profile.

You can use regedit to look at hkcu\software\microsoft\windows\current..\run to see what this user has in terms of what is supposed to run when this user logs in. Maybe that is the cause for the long login.

Author Comment by captain (ID: 33690732)
I understand. I had been down this road before. This happens for all users. Whether it is a new laptop setup without any software other than OS or a fully laden graphics machine, it does not make a difference.

If you remove the laptop from the domain, it is fine. Add it and it only connects fast if the VPN is invoked before logon, otherwise it is slow.

Run commands are not altered so they should not affect the boot time in either scenario.

So it is down to domain membership, hence my initial thought of mapped drives...

Baffling...

Expert Comment by arnold (ID: 33690940)
What is the default policy setting for detecting the system is not on the LAN?
The default setting is 500kb, if that rate is reduced it could translate into a longer timeout.

Do you have shares with offline options (sharing tab,caching)?
This could be the issue as well i.e. offlines need to synchronize?

Do you have company specific software that is installed on the system that might explain this issue? i.e. anti-virus application that checks in with the corporate LAN?
Do you have a GPO disabling the windows firewall, which remains on if the GPO is not applied and adds to the overhead of the system. Is the system slow when not dealing with access to the net?  The VPN that is established, is it securing all networks or only data for the Corporate LAN is sent through the VPN and the rest goes through the user's local ISP.
i.e. if the user goes to http://whatismyip.com when the VPN is present, is the IP that is displayed the corporate WAN IP?

Author Comment by captain (ID: 33691034)
Where do I check the default? We have not changed this so I expect that is the same, especially as the same happens when the OS is straight out of the box...

No sync, FW service is manually disabled. AV agent does not make a difference if present (checked this first). No GPO whatsoever.

VPN tunnel is only for corp LAN, all Internet is piped through local DSL/ISP. default gateway is local.

IP is local ISP assigned IP, not corp WAN, for reasons above.

Expert Comment by arnold (ID: 33691073)
There have to be some resources that are only available on the LAN that are causing this issue. What about printers? Are there any userenv errors/warnings in the application log dealing with "cannot access this resource or that resource"?

Presumably printers are deployed using GPO per computer/user?
Does the domain admin login to these systems while off the LAN experience the same slow login?

Author Comment by captain (ID: 33691726)
Domain admin and local accounts have same delay.

no net printers are connected or mapped on my laptop but still the same delay.

I will search app logs for more info, thanks.

Author Comment by captain (ID: 33705221)
OK I have checked the event viewer logs after a clean reboot and logon. The following is a list of errors appearing.

Applog errors:
at logon
Automatic certificate enrollment for DOMAIN\user failed (0x8007003a) The specified server cannot perform the requested operation.

Syslog errors:
at logon
The HomeGroup Listener service terminated with service-specific error %%-2147023143.

and after 10 minutes from logon
The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

I assume the latter is because no VPN was initiated.

Any ideas?

Author Comment by captain (ID: 33705340)
Just spotted a VMC service error too:
GetLoggedOnUser

Author Comment by captain (ID: 33705379)
So once my blindness subsided I even spot the main entry...

This computer was not able to set up a secure session with a domain controller in domain DOMAIN due to the following:
There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.  

ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.

So I guess the delay is simply because the laptop checks for domain server to authenticate even though it has cached credentials...

Is there a way to disable lookup of the AD server?

I feel dense....
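The event log reading captain did by hand, as an added PowerShell example that is not from the thread: it pulls the three kinds of events quoted above (NETLOGON, Group Policy, certificate autoenrollment) from the current boot and prints how many seconds after boot each one fired, which makes the timeout that is stretching the logon visible. The provider names are my assumption for these messages on Vista/7; if a query returns nothing, check the Source column of the event in Event Viewer and adjust.

```powershell
# Added example (not from the thread): list the logon-time events quoted in
# the discussion with their offset from boot. Provider names are assumptions
# for these messages on Windows Vista/7.

$os   = Get-WmiObject Win32_OperatingSystem
$boot = $os.ConvertToDateTime($os.LastBootUpTime)

$queries = @(
    # "no logon servers available to service the logon request"
    @{ LogName = 'System';      ProviderName = 'NETLOGON' },
    # "processing of Group Policy failed because of lack of network connectivity"
    @{ LogName = 'System';      ProviderName = 'Microsoft-Windows-GroupPolicy' },
    # "Automatic certificate enrollment for DOMAIN\user failed"
    @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment' }
)

function Get-LogonDelayEvent {
    foreach ($q in $queries) {
        $filter = @{ LogName = $q.LogName; ProviderName = $q.ProviderName; StartTime = $boot }
        # SilentlyContinue: Get-WinEvent errors when a filter matches nothing.
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
            Select-Object @{ n = 'SecondsAfterBoot'; e = { [int]($_.TimeCreated - $boot).TotalSeconds } },
                          Id, ProviderName,
                          @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
    }
}

Get-LogonDelayEvent | Sort-Object SecondsAfterBoot | Format-Table -AutoSize
```

Compare the output from a wired logon with the VPN pre-connected against one on wireless with no VPN: the NETLOGON and autoenrollment entries should be absent in the first case, and in the second their offsets bracket the part of the logon that is spent waiting for a domain controller that cannot be reached.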

Expert Comment by arnold (ID: 33705414)
Your domain has a PKI setup with autoenroll. Is the CA still online, or is the delegated issuing CA server online?

Do you have an EFS policy? Unfortunately it is not clear what certificate is being sought or why.
But if the access of the user to some files on the system relies on an EFS certificate that has expired, this could explain the delay if this same error occurs for every user.

Expert Comment by arnold (ID: 33705428)
The only way to disable the checks for DCs is not to have any networking connection active (wired or wireless). The timeout kicks in when there is a network connection and Windows searches and waits for a response.

Author Comment by captain (ID: 33705498)
I see.

The certificate is the IPSEC MS Enhanced Prov. for the VPN L2TP connection. The CA server is on the corp LAN.

So I guess we are boiling down to "this is normal behaviour if you are on a LAN, for the logon will try to authenticate with DC first before using cache..."


Author Closing Comment by captain (ID: 33722987)
Thanks for your patience. Somewhat self-explanatory in the end, but needed the exploration to understand it...