Solved

Slow authentication for client server with user account from trusted domain

Posted on 2013-02-05
6
351 Views
Last Modified: 2015-06-23
Hi.

We have set up an enviroment where we have a small domain in our DMZ, consisting of a Windows 2008 R2 domain controller for our DMZ domain and a client server running IIS (webserver) on another Windows 2008 R2 server and is a DMZ domain member.

The DMZ domain trusts our internal domain, and the AD in our internal domain is running on 2003 servers.

The trust works as it should between the two domain controllers, and login on the DMZ domain controller using a useraccount from our internal domain works well and login time is appr. 4 seconds. DNS works.

Using the same internal domain useraccount to login to the DMZ webserver also works, but no it takes 35 seconds. The extra 30 seconds the welcome screen is showing.

All ports between the two zones are open at the moment for testing purposes, so no traffic is being blocked. All authentication works, but for some reason the login is always slow on the client server and never on the domain controller.

What causes this behavior?
0
Comment
Question by:RuneT
  • 2
  • 2
6 Comments
 
LVL 9

Expert Comment

by:Zenvenky
ID: 38858244
I think there might be some replication errors on the DMZ DC, provide us dcdiag /v and repadmin /replsum. We need replsum complete log and DCDiag's failed logs. Also check ipconfig /all and if you see 127.0.0.1 remove it from NIC properties.
0
 

Author Comment

by:RuneT
ID: 38858329
Here is the dcdiag /v output from the domain controller in the DMZ:


Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator>dcdiag /v

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   * Verifying that the local machine DMZ-DC, is a Directory Server.
   Home Server = DMZ-DC
   * Connecting to directory service on server DMZ-DC.
   * Identified AD Forest.
   Collecting AD specific global data
   * Collecting site info.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=dmz,DC=DMZ-Domain,D
C=local,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
   The previous call succeeded
   Iterating through the sites
   Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name
,CN=Sites,CN=Configuration,DC=dmz,DC=DMZ-Domain,DC=local
   Getting ISTG and options for the site
   * Identifying all servers.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=dmz,DC=DMZ-Domain,D
C=local,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
   The previous call succeeded....
   The previous call succeeded
   Iterating through the list of servers
   Getting information for the server CN=NTDS Settings,CN=DMZ-DC,CN=Servers,CN
=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dmz,DC=DMZ-Domain,DC=local
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   * Identifying all NC cross-refs.
   * Found 1 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DMZ-DC
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         Determining IP4 connectivity
         Determining IP6 connectivity
         * Active Directory RPC Services Check
         ......................... DMZ-DC passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DMZ-DC
      Starting test: Advertising
         The DC DMZ-DC is advertising itself as a DC and having a DS.
         The DC DMZ-DC is advertising as an LDAP server
         The DC DMZ-DC is advertising as having a writeable directory
         The DC DMZ-DC is advertising as a Key Distribution Center
         The DC DMZ-DC is advertising as a time server
         The DS DMZ-DC is advertising as a GC.
         ......................... DMZ-DC passed test Advertising
      Test omitted by user request: CheckSecurityError
      Test omitted by user request: CutoffServers
      Starting test: FrsEvent
         * The File Replication Service Event log test
         Skip the test because the server is running DFSR.
         ......................... DMZ-DC passed test FrsEvent
      Starting test: DFSREvent
         The DFS Replication Event Log.
         ......................... DMZ-DC passed test DFSREvent
      Starting test: SysVolCheck
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... DMZ-DC passed test SysVolCheck
      Starting test: KccEvent
         * The KCC Event log test
         Found no KCC errors in "Directory Service" Event log in the last 15 min
utes.
         ......................... DMZ-DC passed test KccEvent
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=DMZ-DC,CN=Servers,CN=Default-
First-Site-Name,CN=Sites,CN=Configuration,DC=dmz,DC=DMZ-Domain,DC=local
         Role Domain Owner = CN=NTDS Settings,CN=DMZ-DC,CN=Servers,CN=Default-
First-Site-Name,CN=Sites,CN=Configuration,DC=dmz,DC=DMZ-Domain,DC=local
         Role PDC Owner = CN=NTDS Settings,CN=DMZ-DC,CN=Servers,CN=Default-Fir
st-Site-Name,CN=Sites,CN=Configuration,DC=dmz,DC=DMZ-Domain,DC=local
         Role Rid Owner = CN=NTDS Settings,CN=DMZ-DC,CN=Servers,CN=Default-Fir
st-Site-Name,CN=Sites,CN=Configuration,DC=dmz,DC=DMZ-Domain,DC=local
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=DMZ-DC,CN=Serv
ers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dmz,DC=DMZ-Domain,DC=loca
l
         ......................... DMZ-DC passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         Checking machine account for DC DMZ-DC on DC DMZ-DC.
         * SPN found :LDAP/DMZ-DC.dmz.DMZ-Domain.local/dmz.DMZ-Domain.local
         * SPN found :LDAP/DMZ-DC.dmz.DMZ-Domain.local
         * SPN found :LDAP/DMZ-DC
         * SPN found :LDAP/DMZ-DC.dmz.DMZ-Domain.local/DMZ
         * SPN found :LDAP/f78f2865-656e-40b8-9350-80a38d281009._msdcs.dmz.DMZ-Domain
.local
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/f78f2865-656e-40b8-93
50-80a38d281009/dmz.DMZ-Domain.local
         * SPN found :HOST/DMZ-DC.dmz.DMZ-Domain.local/dmz.DMZ-Domain.local
         * SPN found :HOST/DMZ-DC.dmz.DMZ-Domain.local
         * SPN found :HOST/DMZ-DC
         * SPN found :HOST/DMZ-DC.dmz.DMZ-Domain.local/DMZ
         * SPN found :GC/DMZ-DC.dmz.DMZ-Domain.local/dmz.DMZ-Domain.local
         ......................... DMZ-DC passed test MachineAccount
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC DMZ-DC.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=dmz,DC=DMZ-Domain,DC=local
            (NDNC,Version 3)
         * Security Permissions Check for
           DC=DomainDnsZones,DC=dmz,DC=DMZ-Domain,DC=local
            (NDNC,Version 3)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=dmz,DC=DMZ-Domain,DC=local
            (Schema,Version 3)
         * Security Permissions Check for
           CN=Configuration,DC=dmz,DC=DMZ-Domain,DC=local
            (Configuration,Version 3)
         * Security Permissions Check for
           DC=dmz,DC=DMZ-Domain,DC=local
            (Domain,Version 3)
         ......................... DMZ-DC passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\DMZ-DC\netlogon
         Verified share \\DMZ-DC\sysvol
         ......................... DMZ-DC passed test NetLogons
      Starting test: ObjectsReplicated
         DMZ-DC is in domain DC=dmz,DC=DMZ-Domain,DC=local
         Checking for CN=DMZ-DC,OU=Domain Controllers,DC=dmz,DC=DMZ-Domain,DC=local
 in domain DC=dmz,DC=DMZ-Domain,DC=local on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=DMZ-DC,CN=Servers,CN=Default-First-S
ite-Name,CN=Sites,CN=Configuration,DC=dmz,DC=DMZ-Domain,DC=local in domain CN=Configu
ration,DC=dmz,DC=DMZ-Domain,DC=local on 1 servers
            Object is up-to-date on all servers.
         ......................... DMZ-DC passed test ObjectsReplicated
      Test omitted by user request: OutboundSecureChannels
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
         ......................... DMZ-DC passed test Replications
      Starting test: RidManager
         * Available RID Pool for the Domain is 1600 to 1073741823
         * DMZ-DC.dmz.DMZ-Domain.local is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 1100 to 1599
         * rIDPreviousAllocationPool is 1100 to 1599
         * rIDNextRID: 1126
         ......................... DMZ-DC passed test RidManager
      Starting test: Services
         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: NTDS
         * Checking Service: DnsCache
         * Checking Service: DFSR
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... DMZ-DC passed test Services
      Starting test: SystemLog
         * The System Event log test
         Found no errors in "System" Event log in the last 60 minutes.
         ......................... DMZ-DC passed test SystemLog
      Test omitted by user request: Topology
      Test omitted by user request: VerifyEnterpriseReferences
      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=DMZ-DC,OU=Domain Controllers,DC=dmz,DC=DMZ-Domain,DC=local and
         backlink on
         CN=DMZ-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configura
tion,DC=dmz,DC=DMZ-Domain,DC=local
         are correct.
         The system object reference (serverReferenceBL)
         CN=DMZ-DC,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,
CN=System,DC=dmz,DC=DMZ-Domain,DC=local
         and backlink on
         CN=NTDS Settings,CN=DMZ-DC,CN=Servers,CN=Default-First-Site-Name,CN=S
ites,CN=Configuration,DC=dmz,DC=DMZ-Domain,DC=local
         are correct.
         The system object reference (msDFSR-ComputerReferenceBL)
         CN=DMZ-DC,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,
CN=System,DC=dmz,DC=DMZ-Domain,DC=local
         and backlink on
         CN=DMZ-DC,OU=Domain Controllers,DC=dmz,DC=DMZ-Domain,DC=local are
         correct.
         ......................... DMZ-DC passed test VerifyReferences
      Test omitted by user request: VerifyReplicas

      Test omitted by user request: DNS
      Test omitted by user request: DNS

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : dmz
      Starting test: CheckSDRefDom
         ......................... dmz passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... dmz passed test CrossRefValidation

   Running enterprise tests on : dmz.DMZ-Domain.local
      Test omitted by user request: DNS
      Test omitted by user request: DNS
      Starting test: LocatorCheck
         GC Name: \\DMZ-DC.dmz.DMZ-Domain.local
         Locator Flags: 0xe00031fd
         PDC Name: \\DMZ-DC.dmz.DMZ-Domain.local
         Locator Flags: 0xe00031fd
         Time Server Name: \\DMZ-DC.dmz.DMZ-Domain.local
         Locator Flags: 0xe00031fd
         Preferred Time Server Name: \\DMZ-DC.dmz.DMZ-Domain.local
         Locator Flags: 0xe00031fd
         KDC Name: \\DMZ-DC.dmz.DMZ-Domain.local
         Locator Flags: 0xe00031fd
         ......................... dmz.DMZ-Domain.local passed test LocatorCheck
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope
         provided by the command line arguments provided.
         ......................... dmz.DMZ-Domain.local passed test Intersite

C:\Users\Administrator>

I have substituted the real servername with "DMZ-DC", and the domain name with "DMZ-Domain".

This is the output from repadmin /replsum on the DMZ domain controller:


Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator>repadmin /replsum
Replication Summary Start Time: 2013-02-06 07:43:39

Beginning data collection for replication summary, this may take awhile:
  ....


Source DSA          largest delta    fails/total %%   error


Destination DSA     largest delta    fails/total %%   error



C:\Users\Administrator>


There is only one DC in the DMZ, and only a one way trust to the internal domain (no replication between DMZ and internal DC) so I guess this is as expected.

There was indeed a 127.0.0.1 record for DNS on the DMZ DC, I have removed that but this gave no effect on login time on the client server.

Just to be absolutely clear, everything works perfect on the DMZ DC when logging in with a username from the trusted internal domain, but takes 30 seconds longer on the client server in the DMZ domain using the same trusted account.

One more thing, in the host file on the DMZ client server we also tried with this line for the internal domain:
192.168.110.9 primary #PRE #DOM:internal.local #PDC for internal.local
There is no difference with or without this line in the host file.
I have replaced the real domain name with "internal".


One other interesting thing:
If i log on to the client server with the trusted account, and then log off, and then log in again straight away the login is instant every other time. When i just logged in and out 10 times in a row as quick as i could, every other login was quick (under 4 seconds) and every other login was slow (34-35-seconds).

Obviously the DMZ client server has a different way of authenticating the trusted user accounts from the internal domain than the DMZ DC, but I'm at a loss to understand what this is...
0
 
LVL 9

Expert Comment

by:Zenvenky
ID: 38904316
I suggest you to enable debug logging in registry to check what exactly is taking time. As it is an intermittent issue, we need to check the server performence issues aswell. Check the following links for reference.

http://support.microsoft.com/kb/221833

http://blogs.technet.com/b/instan/archive/2008/04/17/troubleshooting-the-intermittent-slow-logon-or-slow-startup.aspx

http://blogs.technet.com/b/askds/archive/2009/09/23/so-you-have-a-slow-logon-part-1.aspx

http://blogs.technet.com/b/askds/archive/2009/09/24/so-you-have-a-slow-logon-part-2.aspx
0
 

Accepted Solution

by:
RuneT earned 0 total points
ID: 38955326
No solution found on this. In the end, the DMZ network was removed in preference of a different configuration.
0
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40845610
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Join & Write a Comment

Resolve DNS query failed errors for Exchange
In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now