Solved

Slow user logon with logon server 2008 R2 domain controller

Posted on 2010-11-19
Last Modified: 2012-05-11
I am experiencing intermittent slow logons in my environment.   It is user and computer irrelevant.  The only common variable is the logon server.
I am in a mixed environment domain that consists of the following production DCs:
2003 R2 32bit SP2 (2)
2003 R2 64bit SP2 (1)
2008 R2 Std (Virtual) (2)
The workstation OSs are Windows 7 Ent and XP Pro.  It does not seem to matter what the Client OS is to replicate the issue.
I have enabled verbose logging on various workstations; however, no errors show in the log. Only when watching the log tailing did I notice very long delays in processing GP Path rules. It would take over one second for each rule to process. Meanwhile, the user sees “Applying setting” on the screen. The logon server is one of the 2008 Virtual machines and the processor is pegged at 100%. (This only occurs on the 2008 R2 VMs.) Once the policies are applied to the user session, the CPU is freed. (This sometimes takes up to 20 minutes.)
I have expanded the hardware config of the DC to 2 processors and 4GB of memory. It seems to help a little, but these symptoms will halt my upgrade to a 2008 domain.
I am looking to find out what may be happening to cause the spike in CPU on the 2008 servers during the application of user based GPOs.  I do not think that throwing more hardware at it is the solution.
Question by:TMuro
8 Comments
 
LVL 59

Accepted Solution

by:
Darius Ghassem earned 500 total points
ID: 34175279
Go into the VM and on the Host server Network Cards properties, click Advanced, and make sure you have Large Send Offload or any Offloads listed as disabled.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_26176031.html

Once making the change I would reboot.

Also, post dcdiag as well
 

Author Comment

by:TMuro
ID: 34175372

C:\>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = HVDC3
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: 1-CentralHighSchool-Hub\HVDC3
      Starting test: Connectivity
         ......................... HVDC3 passed test Connectivity

Doing primary tests

   Testing server: 1-CentralHighSchool-Hub\HVDC3
      Starting test: Advertising
         ......................... HVDC3 passed test Advertising
      Starting test: FrsEvent
         ......................... HVDC3 passed test FrsEvent
      Starting test: DFSREvent
         ......................... HVDC3 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... HVDC3 passed test SysVolCheck
      Starting test: KccEvent
         ......................... HVDC3 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... HVDC3 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... HVDC3 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... HVDC3 passed test NCSecDesc
      Starting test: NetLogons
         ......................... HVDC3 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... HVDC3 passed test ObjectsReplicated
      Starting test: Replications
         ......................... HVDC3 passed test Replications
      Starting test: RidManager
         ......................... HVDC3 passed test RidManager
      Starting test: Services
         ......................... HVDC3 passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0xC0001B77
            Time Generated: 11/19/2010   13:01:16
            Event String:
            The SMS Agent Host service terminated unexpectedly.  It has done this 4 time(s).  The following corrective action will be taken in 300000 milliseconds: Restart the service.
         An error event occurred.  EventID: 0xC0002720
            Time Generated: 11/19/2010   13:06:41
            Event String:
            The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
         A warning event occurred.  EventID: 0x8000001D
            Time Generated: 11/19/2010   13:42:34
            Event String:
            The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
         ......................... HVDC3 failed test SystemLog
      Starting test: VerifyReferences
         ......................... HVDC3 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : hvrsd
      Starting test: CheckSDRefDom
         ......................... hvrsd passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... hvrsd passed test CrossRefValidation

   Running enterprise tests on : hvrsd.net
      Starting test: LocatorCheck
         ......................... hvrsd.net passed test LocatorCheck
      Starting test: Intersite
         ......................... hvrsd.net passed test Intersite

C:\>
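A parser for dcdiag output of the kind posted above, added here as an example (it is not part of the original thread). It lists every test that did not pass together with the event IDs logged under it; the sample text is a constructed excerpt trimmed from the run above, and the function names are hypothetical.

```python
import re

# Constructed sample: trimmed from the dcdiag run posted in the thread.
SAMPLE = """\
   Testing server: 1-CentralHighSchool-Hub\\HVDC3
      Starting test: Services
         ......................... HVDC3 passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0xC0001B77
            Event String:
            The SMS Agent Host service terminated unexpectedly.
         A warning event occurred.  EventID: 0x8000001D
            Event String:
            The Key Distribution Center (KDC) cannot find a suitable certificate
         ......................... HVDC3 failed test SystemLog
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation
"""

RESULT = re.compile(r"\.{5,}\s+(\S+)\s+(passed|failed) test\s*(\S*)")
EVENT = re.compile(r"An? (error|warning) event occurred\.\s+EventID:\s+(0x[0-9A-Fa-f]+)")

def parse_dcdiag(text):
    """Return one dict per test: target, test, status, events [(severity, id)]."""
    results, events = [], []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        ev = EVENT.search(line)
        if ev:  # events are printed before the result line of their test
            events.append((ev.group(1), ev.group(2)))
            continue
        m = RESULT.search(line)
        if m:
            target, status, test = m.groups()
            if not test and i + 1 < len(lines):  # dcdiag wrapped the test name
                test = lines[i + 1].strip()
            results.append({"target": target, "test": test,
                            "status": status, "events": events})
            events = []
    return results

def failed(results):
    return [r for r in results if r["status"] == "failed"]

if __name__ == "__main__":
    for r in failed(parse_dcdiag(SAMPLE)):
        print(r["target"], r["test"], r["events"])
```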
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34175419
Looks good
 

Author Comment

by:TMuro
ID: 34175786
Ok. I manually disabled all the IP4 and 6 offloads on all of the NICs on the host. I also ran the following command on the host and VM. I will let you know if I experience any change.

netsh int tcp set global chimney=disabled
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34175811
You needed to do this as well in the VMs
 

Author Comment

by:TMuro
ID: 34175848
There is no option to configure on the virtual NIC to disable any offloads, so I only disabled the TCP chimney.
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34175917
Ok
 
LVL 24

Expert Comment

by:Awinish
ID: 34179821
If your GPO has folder redirection configured & clients are using roaming profiles to save data on the server with a large desktop folder or syncing offline files, this can cause a delay while loading the profiles from the server to the client & updating the offline files.

The sysvol & ntds.dit should be excluded from scanning by any antivirus.

http://blogs.technet.com/b/instan/archive/2008/04/17/troubleshooting-the-intermittent-slow-logon-or-slow-startup.aspx

http://blogs.technet.com/b/markrussinovich/archive/2010/01/13/3305263.aspx

If it's still slow after performing the above steps, you can use perfmon to troubleshoot the system, as it looks to be a system issue since the CPU is at 100% usage.

There can be a memory leak on the server, & yes, first you check the server, then the clients.
