  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2962

Computers take a long time to login to the domain

So for a while we have had the issue where the computers that are connected to the domain are taking an unusually long time to login to the domain (around 2-3 minutes). We have checked the DNS Settings on the workstations and they are correct.

Given that everyone has been saying that slow logins are always either DNS or Group Policy, and I had already checked the DNS Settings on the workstations, I was delving into Group Policy. We found an issue with our policies where the User Configuration portion (which was the bulk of our settings) was being applied twice. So we split our policy into two policies, one which contained the User Config Items, and one that contained the Computer Config Items. We linked them so that the User Policy was linked to the Users OU and the Workstation Policy was linked to the Workstations OU. But the logins are still slow (it only runs about 10 seconds faster if that). So, on a hunch, I unlinked the Default Domain Policy from the OU I am testing with, and it did not run any faster. So I Blocked Inheritance on the Test OU so that NO policies are being run on this computer, and it still takes around 2 minutes to login. I verified using rsop.msc that no policies are being run on that computer or user.

So, any ideas on what could be causing these slow logins? The bulk of the login time is spent at the "Applying Computer Settings" portion. The workstations are Windows XP SP3 and the domain controllers are Windows Server 2008 R2.
0
Asked: Grasty86
1 Solution
 
Tasmant Commented:
You can activate Group Policy debugging: http://support.microsoft.com/kb/221833
Once done, you can use Group Policy Reporter (http://www.sysprosoft.com/policyreporter.shtml) to analyze your log files, especially the time to process anything.

Are you sure AD sites are configured properly with correct subnets?
Are all your sites within a site link?
Did you take a look at the event logs on the DC and computers?

In a large environment (I don't know yours), if a computer queries a DC on the other side of the world, this can be your issue. You can see your client logon server using the command line:
Set L

0
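
The timing analysis suggested in the comment above can also be done with a short script. This is an added example, not part of the original thread: it scans a userenv.log (the user environment debug log that KB 221833 enables) for the longest silent gaps. The line layout in the regex is an assumption, and the sample lines are constructed.

```python
import re
from datetime import timedelta

# Assumed line layout: USERENV(pid.tid) HH:MM:SS:mmm Function: message
LINE_RE = re.compile(
    r"^USERENV\((?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+)\)\s+"
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}):(?P<ms>\d{3})\s+(?P<msg>.*)$",
    re.IGNORECASE,
)

# Constructed sample lines, not taken from the machines in this thread.
SAMPLE_LOG = """\
USERENV(2a4.2a8) 08:01:10:015 ProcessGPOs: Starting computer Group Policy processing...
USERENV(2a4.2a8) 08:01:10:140 ProcessGPOs: (constructed) locating domain controller
USERENV(2a4.2a8) 08:02:55:390 ProcessGPOs: (constructed) domain controller located
USERENV(2a4.2a8) 08:02:55:500 ProcessGPOs: (constructed) no GPOs to apply
this line is truncated and must be skipped
USERENV(2a4.2a8) 08:03:02:750 ProcessGPOs: Computer Group Policy has been applied.
"""

def parse(text):
    """Yield (time of day, message) for every well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # wrapped or truncated line
        yield timedelta(hours=int(m["h"]), minutes=int(m["m"]),
                        seconds=int(m["s"]), milliseconds=int(m["ms"])), m["msg"]

def slowest_gaps(text, threshold_s=5.0):
    """Return [(gap seconds, last message before gap, first message after)], largest first."""
    gaps, prev = [], None
    for t, msg in parse(text):
        if prev is not None:
            delta = t - prev[0]
            if delta < timedelta(0):
                delta += timedelta(days=1)  # entries carry no date: assume midnight rollover
            if delta.total_seconds() >= threshold_s:
                gaps.append((delta.total_seconds(), prev[1], msg))
        prev = (t, msg)
    return sorted(gaps, reverse=True)

if __name__ == "__main__":
    for seconds, before, after in slowest_gaps(SAMPLE_LOG):
        print(f"{seconds:8.2f}s stall after: {before}\n          resumed at: {after}")
```

The message logged just before the largest gap shows which step the machine was waiting on, which separates a slow domain controller lookup from slow policy processing.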
 
Darius Ghassem Commented:
Looks like a DNS issue. Make sure DNS settings only point to Domain Controllers for DNS.

Post dcdiag.

What AV are you running?

Do you have SP2 installed?
0
 
Grasty86 (Author) Commented:
We are using Sophos AntiVirus, but we get the same result on computers with no AntiVirus installed.

AD Sites are configured with proper subnets.

Primary DNS on the workstation is pointing to the local domain controller and the secondary DNS is pointing to the 2nd local DNS server (each building has 2 domain controllers).

Event Logs don't show anything major.

Attached are the dcdiag results for both domain controllers.
dc1diag.txt
dc2diag.txt
0
 
Grasty86 (Author) Commented:
Also, using set L on my computer, my logon server was DC2 in the local network.

You will have to explain what you mean when you say "are all your sites within a site link". I'm not sure what you mean.

I will run the Group Policy Diagnostics and see what it yields, though I did mention that it is still rather slow with NO policies being applied.
0
 
itubaf Commented:
Go to a client computer where you faced the problem, go to cmd, try echo %logonserver% and check which DC it is. Maybe one DC is responding to all clients.

May I know which servers you are using for DCs? You can also check the network settings; maybe your network card has some issue, i.e. half or full duplex, or auto. You can also check your network switch logs; maybe the switch port connected to the server has some issues.

You can also check whether there is any firewall connection between the server or not; it may be the firewall. Since you checked DNS, I assume everything is fine in DNS and AD.
0
 
Grasty86 (Author) Commented:
We have 7 buildings, each building had 2 Domain Controllers (DC1 and DC2). Every workstation is configured to have its DNS point to DC1 first, and DC2 second. On my computer, sometimes I get DC1, sometimes I get DC2 as my logon server, but I always get the slow login issue.
0
 
itubaf Commented:
Are all buildings connected to each other? If yes, then how?

Are both DCs connected to one single network switch or separated? Have you defined any replication cost between DCs?

Can you monitor your DC network properties and check how many packets your DC is sending via the NIC in 10 min? You can also use the Windows monitoring tool for this.

May I know what AV you are using and what features are enabled? I want to know, if you ping your DC from a client, what the ping response is, and if you ping from one DC to the other, what the ping response is, as AV can also cause network slowness.
0
 
Grasty86 (Author) Commented:
Each building is connected via a 20mb WAN link to the district office (the building I'm in). Each building has two DCs, both are VMWare virtual servers running on an ESX Server.

Sophos AntiVirus (but we have tested on machines with no Sophos, and it is still slow).

0
 
Darius Ghassem Commented:
Here is the error I believe is causing you the problem:

A warning event occurred.  EventID: 0x00000458

            Time Generated: 05/11/2011   12:08:46

            Event String:

            The Group Policy Client Side Extension Folder Redirection was unable to apply one or more settings because the changes must be processed before system startup or user logon. The system will wait for Group Policy processing to finish completely before the next startup or logon for this user, and this may result in slow startup and boot performance.

         A warning event occurred.  EventID: 0x00000458

            Time Generated: 05/11/2011   12:38:34

            Event String:

            The Group Policy Client Side Extension Folder Redirection was unable to apply one or more settings because the changes must be processed before system startup or user logon. The system will wait for Group Policy processing to finish completely before the next startup or logon for this user, and this may result in slow startup and boot performance.
0
 
Grasty86 (Author) Commented:
If I was getting that error, would it be in the server or the workstation?
0
 
Darius Ghassem Commented:
Could be both or just one.
0
 
Grasty86 (Author) Commented:
I have found the error on our local DC1, but I have not found it on any workstations or on DC2.

We are already setting the "Always wait for the network at computer startup and logon" policy in the building I am in, as we found documentation saying that it would help.

So then how do I clear up that error on the Domain Controller?
0
 
Darius Ghassem Commented:
Are you still seeing the issues with the long logins?
0
 
Grasty86 (Author) Commented:
Yes, we set the policy over two weeks ago and it has not helped.
0
 
Grasty86 (Author) Commented:
This still has not been resolved, but we will revisit the issue this summer after we switch to Windows 7.
0
