Solved

Mapped drives cause a logon delay when no domain connection exists

Posted on 2010-09-11
1,167 Views
Last Modified: 2012-05-10
Hi

I have been puzzling over this for a while.

We connect our remote laptops via VPN to the workplace. The user usually has a wireless setup, so without preconnect the VPN is started after the user has logged on, once a wireless connection is established. Then he runs a local login.bat to map the user environment suitable for his location.

When the user logs on via a cabled connection he can use the VPN from the logon screen as connectivity exists. In such a case the logon is very fast (less than 10 secs) but in the above case it takes 50-60 secs, sometimes longer.

It all boils down to Windows trying to reconnect the network drives which have been mapped previously. The notification icon (Windows could not connect...) does come up after login.

This also happens if the script is set to 'non-persistent' or if I run a net delete before reboot/logoff.

Under XP there was a neat option to stop this by hiding connected devices (I cannot remember the exact command), but apparently under Windows Vista and above the network code has been improved by MS to make this unnecessary.

How do you deal with this? Is there a particular way of configuring VPN? I cannot run the script from the server as the script is different for some of the locations, i.e. the user may be travelling or have a home server....

many thanks
capt.
Question by:captain
LVL 76

Accepted Solution

by:
arnold earned 500 total points
The way to deal with this is to use login scripts to map drives for the session rather than have persistently mapped drives.
Usually if the system does not have any active network connection, it should login fast.
The issue is when the system is connected and a network connection is present, it has a timeout window when it tries to contact a DC.

An explicitly set net use F: \\domain\share /persistent:no

I think the /persistent:yes is the default.
LVL 30

Author Comment

by:captain
Thanks, I think all shares are set to /persistent:no, but will verify that.
LVL 76

Expert Comment

by:arnold
If the shares are attempting to reconnect when the user logs in, the setting is likely /persistent:yes or if mapped manually, has the reconnect at login.

i.e. the mapped drives are part of the HKEY_current_user registry entry.

LVL 30

Author Comment

by:captain
hm...

OK, seems that the scripts I inherited consist of two elements, standard .bat scripts and Kixtart scripts. I suspect the persistent flag in kix is different to the standard scripts.

Also the 'network' subkey in HKCU lists a bunch of drives...

So I should probably del the keys in the registry and rewrite the kix scripts.

The kix is called from the login.bat and the kix script only seems to map by group member criteria:

IF INGROUP("Projects")
      USE K: /DELETE
      USE K: "\\server01\Share01" /persistent:no
ENDIF

As my colleague who wrote this is not here anymore, I have no idea why this is that way, but is this kix part necessary? Or can this be done using standard scripting alone?

thx
LVL 76

Expert Comment

by:arnold
Not sure you can use a bat file to map drives based on group membership.
You would either continue to use KIX or have to use a VBScript that will check the user's AD parameters for group membership and then go through the script.
The other, more common way I have seen scripts of this type written is that for each group condition there is a check run against AD. This could add to the processing and could take longer to process.

You could use GPO based login scripts.
You would use user OU and set the GPOs on it with the user group to which it applies
GPO group1 limited to group1 map drive z:
GPO group2 limited to group2 map drive y:

The problem with this is that on login multiple sequential login scripts will be run, and when you have many group based arbitrations it could lead to a longer login process if you have the domain based GPO to run login scripts synchronously. I.e. the user will not be able to do anything on the workstation until all login scripts have run.
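A PowerShell stand-in for the KiX group check quoted earlier in the thread, added here as an example (it is not code from the thread or from KiXtart). The group membership is read from the user's own logon token, so it works with cached credentials and without a live AD query; the DOMAIN prefix, the second (Finance) entry and the function names are assumed:

```powershell
# Added example (not from the thread): PowerShell equivalent of the KiX
# "IF INGROUP('Projects') ... USE K: ... /persistent:no" block.
# Group membership comes from the cached logon token, so no live AD
# query is needed. Entries other than \\server01\Share01 are constructed.
$Mappings = @(
    @{ Group = 'DOMAIN\Projects'; Drive = 'K:'; Path = '\\server01\Share01' },
    @{ Group = 'DOMAIN\Finance';  Drive = 'L:'; Path = '\\server01\Finance' }  # constructed entry
)

# Translate the SIDs in the current token to DOMAIN\Name form; SIDs that
# cannot be resolved while disconnected are skipped instead of aborting.
function Get-TokenGroups {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $id.Groups) {
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { }
    }
}

function Connect-GroupDrives {
    $groups = @(Get-TokenGroups)
    foreach ($m in $Mappings) {
        if ($groups -notcontains $m.Group) { continue }
        # Drop any stale mapping first, then map for this session only
        # (/persistent:no keeps the drive out of HKCU\Network, so Windows
        # has nothing to reconnect at the next logon).
        net use $m.Drive /delete /y 2>$null | Out-Null
        net use $m.Drive $m.Path /persistent:no 2>&1 | Out-Null
        if ($LASTEXITCODE -eq 0) {
            "Mapped $($m.Drive) -> $($m.Path)"
        } else {
            "Could not map $($m.Drive) to $($m.Path) (net use exit code $LASTEXITCODE)"
        }
    }
}

Connect-GroupDrives
```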
LVL 30

Author Comment

by:captain
Hm, thanks. I think I'll stick with KIX as I don't want to implement GPO just for mapping drives.

Does anyone know how to create non-persistent connections in KIX?
LVL 76

Expert Comment

by:arnold
Check the version of kix you have.
4.53 added support for the persistent flag
http://www.scriptlogic.com/kixtart/
LVL 30

Author Comment

by:captain
I saw that, but the manual does not state how to set it to non-persistent, or is this always the case as long as the persistent flag is not set?
LVL 30

Author Comment

by:captain
I will download and test this version as it is not clear which one we have deployed.
LVL 30

Author Comment

by:captain
The KIX option seems non-persistent; after deleting all the keys in the Network environment under HKCU the error message of not being able to connect has disappeared.

However the logon still takes ages. Maybe I am barking up the wrong tree...
LVL 76

Expert Comment

by:arnold
After login, run systeminfo | more in a command window.

Something is being processed, the difficulty is determining what that would/might be.
Do you have GPO/login script application set to synchronous for XP?
Check the Profile type (local/roaming) that may explain things.
i.e. with roaming/redirected offline folders, a sync is attempted and delays login until timeout.
LVL 30

Author Comment

by:captain
systeminfo | more shows pretty standard local system stuff; only the domain and logon server stand out..?

All profiles are local and directory sync is not setup.

The login script is executed locally via batch script on the C: drive, and only after logon is successful.
LVL 76

Expert Comment

by:arnold
Does the local login script reference any Network resources?
LVL 30

Author Comment

by:captain
None apart from the net use drive mappings.
LVL 76

Expert Comment

by:arnold
That is likely the cause for the slow logins. The net use trying to access a resource that is nowhere to be found will delay the login; I think it is 30-45 seconds per net use (timeout for attempting the net use directive).

try:
date; net use X: \\server\share /persistent:no;date
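The timing test suggested above, written out in PowerShell as an added example (not code from the thread): it measures how long a single net use blocks, and gates the mapping on a Netlogon DC lookup so a login.bat run before the VPN is up does not sit through that timeout for every share. The server and share names are assumed, and nltest.exe is assumed to be present on the laptop:

```powershell
# Added example (not from the thread): time one "net use" against a share
# and, before mapping anything, ask Netlogon whether a DC can be located so
# a login.bat run without the VPN does not wait out the per-share timeout.
# Server/share names are assumed; nltest.exe is assumed to be available.
$script:LastNetUseOk = $false

function Measure-NetUse {
    param([string]$Drive, [string]$Path)
    $elapsed = Measure-Command {
        net use $Drive $Path /persistent:no 2>&1 | Out-Null
        # capture the exit code inside the block so it survives Measure-Command
        $script:LastNetUseOk = ($LASTEXITCODE -eq 0)
    }
    New-Object PSObject -Property @{
        Path    = $Path
        Seconds = [math]::Round($elapsed.TotalSeconds, 1)
        Success = $script:LastNetUseOk
    }
}

# nltest /dsgetdc fails when the DC locator cannot find a domain controller,
# which is the situation whenever the VPN tunnel is not yet established.
function Test-DomainReachable {
    if (-not $env:USERDNSDOMAIN) { return $false }   # not a domain logon
    nltest "/dsgetdc:$env:USERDNSDOMAIN" /force 2>&1 | Out-Null
    return ($LASTEXITCODE -eq 0)
}

if (Test-DomainReachable) {
    Measure-NetUse -Drive 'K:' -Path '\\server01\Share01' | Format-List Path, Seconds, Success
} else {
    'No domain controller reachable; skipping drive mappings for this session.'
}
```

Run it once on the LAN and once off the VPN to compare the Seconds value; the off-VPN run should report the skip message instead of a 30-45 second wait.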
LVL 30

Author Comment

by:captain
But the login script is not executed during logon; the user logs on using cached credentials. Then the VPN connection is dialed and the login script is executed via a shortcut to the .bat file...
LVL 76

Expert Comment

by:arnold
Everything occurs without user intervention?
I.e. there is a local security policy that fires off the VPN connection, and as part of the VPN connection it runs this bat file?

The user gains access to the system when the VPN connection attempt fails, correct?

The initiation of the VPN should be up to the user, versus what it sounds like you have.
Do the users have access to a terminal server via VPN?
LVL 30

Author Comment

by:captain
No, it is all very manual.

The user can either use VPN when he is connected via LAN at logon, or if he has wireless without preconnect he uses a shortcut on the desktop.

Then once the VPN is up another shortcut with the login.bat is executed mapping the drives.

No Terminal Server, only simple file servers, an email server via Lotus Notes and Oracle ERM. The latter two don't require any special parameters as far as the network is concerned.
LVL 76

Expert Comment

by:arnold
Unfortunately, there are no clear paths to the solution. One thing to try is to use a new user on the system, then disconnect the system from the network and see whether the new user takes as long to login as the current user. This will deal with issues with the profile.

You can use regedit to look at hkcu\software\microsoft\windows\current..\run to see what this user has in terms of what is supposed to run when this user logs in. Maybe that is the cause for the long login.
LVL 30

Author Comment

by:captain
I understand. I had been down this road before. This happens for all users. Whether it is a new laptop setup without any software other than OS or a fully laden graphics machine, it does not make a difference.

If you remove the laptop from the domain, it is fine. Add it and it only connects fast if the VPN is invoked before logon, otherwise it is slow.

Run commands are not altered so they should not affect the boot time in either scenario.

So it is down to domain membership, hence my initial thought of mapped drives...

Baffling...
LVL 76

Expert Comment

by:arnold
What is the default policy setting for detecting the system is not on the LAN?
The default setting is 500kb, if that rate is reduced it could translate into a longer timeout.

Do you have shares with offline options (sharing tab, caching)?
This could be the issue as well, i.e. offline files need to synchronize?

Do you have company specific software installed on the system that might explain this issue? i.e. an anti-virus application that checks in with the corporate LAN?
Do you have a GPO disabling the Windows firewall, which remains on if the GPO is not applied and adds to the overhead of the system? Is the system slow when not dealing with access to the net? The VPN that is established, is it securing all networks, or is only data for the corporate LAN sent through the VPN and the rest goes through the user's local ISP?
i.e. if the user goes to http://whatismyip.com when the VPN is present, is the IP that is displayed the corporate WAN IP?
LVL 30

Author Comment

by:captain
Where do I check the default? We have not changed this so I expect that is the same, especially as the same happens when the OS is straight out of the box...

No sync, the FW service is manually disabled. The AV agent does not make a difference if present (checked this first). No GPO whatsoever.

The VPN tunnel is only for the corp LAN, all Internet is piped through the local DSL/ISP. The default gateway is local.

The IP is the local ISP assigned IP, not the corp WAN, for the reasons above.

LVL 76

Expert Comment

by:arnold
There have to be some resources that are only available on the LAN that are causing this issue. What about printers? Are there any userenv errors/warnings in the application log dealing with "cannot access this resource or that resource"?

Presumably printers are deployed using GPO per computer/user?
Does the domain admin logging in to these systems while off the LAN experience the same slow login?
LVL 30

Author Comment

by:captain
Domain admin and local accounts have the same delay.

No net printers are connected or mapped on my laptop, but still the same delay.

I will search app logs for more info, thanks.
LVL 30

Author Comment

by:captain
OK, I have checked the event viewer logs after a clean reboot and logon. The following is a list of errors appearing.

Applog errors:
at logon
Automatic certificate enrollment for DOMAIN\user failed (0x8007003a) The specified server cannot perform the requested operation.

Syslog errors:
at logon
The HomeGroup Listener service terminated with service-specific error %%-2147023143.

and after 10 minutes from logon
The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

I assume the latter is because no VPN was initiated.

Any ideas?
LVL 30

Author Comment

by:captain
Just spotted a VMC service error too:
GetLoggedOnUser
LVL 30

Author Comment

by:captain
So once my blindness subsided I even spot the main entry...

This computer was not able to set up a secure session with a domain controller in domain DOMAIN due to the following:
There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.  

ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.

So I guess the delay is simply because the laptop checks for a domain server to authenticate even though it has cached credentials...

Is there a way to disable lookup of the AD server?

I feel dense....
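A small triage script, added here as an example (not from the thread), that pulls the three logon-time failures this thread turned up (the Netlogon secure session failure, the Group Policy "no connectivity to a domain controller" failure and the certificate autoenrollment failure) from the event logs for a given window, so the next slow logon can be attributed from one table instead of by scrolling the Event Viewer. The 15 minute window and the function name are assumptions:

```powershell
# Added example (not from the thread): list the logon-time failures seen in
# this thread (Netlogon secure channel, Group Policy DC connectivity,
# certificate autoenrollment) from the last N minutes in one table.
function Get-OfflineLogonEvents {
    param([int]$Minutes = 15)   # assumed window; widen it if logon was earlier
    $since = (Get-Date).AddMinutes(-$Minutes)
    # Provider names are the event sources as shown in Event Viewer.
    $sources = @(
        @{ LogName = 'System';      ProviderName = 'NETLOGON' },
        @{ LogName = 'System';      ProviderName = 'Microsoft-Windows-GroupPolicy' },
        @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment' }
    )
    foreach ($f in $sources) {
        $f.StartTime = $since
        # Get-WinEvent writes an error when nothing matches; treat that as "no events".
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Where-Object { @(1, 2, 3) -contains $_.Level } |   # critical, error, warning
            Select-Object TimeCreated, ProviderName, Id,
                @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
    }
}

Get-OfflineLogonEvents | Sort-Object TimeCreated | Format-Table -AutoSize -Wrap
```

If the table is empty for a logon that was slow, the delay is coming from something other than the DC, Group Policy and autoenrollment timeouts discussed here.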
LVL 76

Expert Comment

by:arnold
Your domain has a PKI setup with autoenroll. Is the CA still online, or is the delegated issuing CA server online?

Do you have an EFS policy? Unfortunately it is not clear what certificate is being sought or why.
But if the access of the user to some files on the system relies on an EFS certificate that has expired, this could explain the delay if this same error occurs for every user.
LVL 76

Expert Comment

by:arnold
The only way to disable the checks for DCs is not to have any networking connection active (wired or wireless). The timeout kicks in when there is a network connection and Windows searches and waits for a response.
LVL 30

Author Comment

by:captain
I see.

The certificate is the IPSEC MS Enhanced Prov. for the VPN L2TP connection. The CA server is on the corp LAN.

So I guess we are boiling down to "this is normal behaviour if you are on a LAN, for the logon will try to authenticate with the DC first before using the cache..."

LVL 30

Author Closing Comment

by:captain
Thanks for your patience. Somewhat self explanatory in the end, but needed the exploration to understand it...