RuneT
asked on
Slow authentication for client server with user account from trusted domain
Hi.
We have set up an environment where we have a small domain in our DMZ, consisting of a Windows 2008 R2 domain controller for our DMZ domain and a client server running IIS (web server) on another Windows 2008 R2 server that is a DMZ domain member.
The DMZ domain trusts our internal domain, and the AD in our internal domain is running on 2003 servers.
The trust works as it should between the two domain controllers, and login on the DMZ domain controller using a user account from our internal domain works well; login time is approx. 4 seconds. DNS works.
Using the same internal domain user account to log in to the DMZ web server also works, but now it takes 35 seconds. For the extra 30 seconds the welcome screen is showing.
All ports between the two zones are open at the moment for testing purposes, so no traffic is being blocked. All authentication works, but for some reason the login is always slow on the client server and never on the domain controller.
What causes this behavior?
I think there might be some replication errors on the DMZ DC; please provide dcdiag /v and repadmin /replsum output. We need the complete replsum log and the failed tests from dcdiag. Also check ipconfig /all, and if you see 127.0.0.1 remove it from the NIC properties.
ASKER
Here is the dcdiag /v output from the domain controller in the DMZ:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\Administrator>dcdiag /v
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
* Verifying that the local machine DMZ-DC, is a Directory Server.
Home Server = DMZ-DC
* Connecting to directory service on server DMZ-DC.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=dmz,DC=DMZ-Domain,DC=local,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dmz,DC=DMZ-Domain,DC=local
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=dmz,DC=DMZ-Domain,DC=local,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=DMZ-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dmz,DC=DMZ-Domain,DC=local
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 1 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\DMZ-DC
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
Determining IP6 connectivity
* Active Directory RPC Services Check
......................... DMZ-DC passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\DMZ-DC
Starting test: Advertising
The DC DMZ-DC is advertising itself as a DC and having a DS.
The DC DMZ-DC is advertising as an LDAP server
The DC DMZ-DC is advertising as having a writeable directory
The DC DMZ-DC is advertising as a Key Distribution Center
The DC DMZ-DC is advertising as a time server
The DS DMZ-DC is advertising as a GC.
......................... DMZ-DC passed test Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Starting test: FrsEvent
* The File Replication Service Event log test
Skip the test because the server is running DFSR.
......................... DMZ-DC passed test FrsEvent
Starting test: DFSREvent
The DFS Replication Event Log.
......................... DMZ-DC passed test DFSREvent
Starting test: SysVolCheck
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... DMZ-DC passed test SysVolCheck
Starting test: KccEvent
* The KCC Event log test
Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
......................... DMZ-DC passed test KccEvent
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=DMZ-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dmz,DC=DMZ-Domain,DC=local
Role Domain Owner = CN=NTDS Settings,CN=DMZ-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dmz,DC=DMZ-Domain,DC=local
Role PDC Owner = CN=NTDS Settings,CN=DMZ-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dmz,DC=DMZ-Domain,DC=local
Role Rid Owner = CN=NTDS Settings,CN=DMZ-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dmz,DC=DMZ-Domain,DC=local
Role Infrastructure Update Owner = CN=NTDS Settings,CN=DMZ-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dmz,DC=DMZ-Domain,DC=local
......................... DMZ-DC passed test KnowsOfRoleHolders
Starting test: MachineAccount
Checking machine account for DC DMZ-DC on DC DMZ-DC.
* SPN found :LDAP/DMZ-DC.dmz.DMZ-Domain.local/dmz.DMZ-Domain.local
* SPN found :LDAP/DMZ-DC.dmz.DMZ-Domain.local
* SPN found :LDAP/DMZ-DC
* SPN found :LDAP/DMZ-DC.dmz.DMZ-Domain.local/DMZ
* SPN found :LDAP/f78f2865-656e-40b8-9350-80a38d281009._msdcs.dmz.DMZ-Domain.local
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/f78f2865-656e-40b8-9350-80a38d281009/dmz.DMZ-Domain.local
* SPN found :HOST/DMZ-DC.dmz.DMZ-Domain.local/dmz.DMZ-Domain.local
* SPN found :HOST/DMZ-DC.dmz.DMZ-Domain.local
* SPN found :HOST/DMZ-DC
* SPN found :HOST/DMZ-DC.dmz.DMZ-Domain.local/DMZ
* SPN found :GC/DMZ-DC.dmz.DMZ-Domain.local/dmz.DMZ-Domain.local
......................... DMZ-DC passed test MachineAccount
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC DMZ-DC.
* Security Permissions Check for
DC=ForestDnsZones,DC=dmz,DC=DMZ-Domain,DC=local
(NDNC,Version 3)
* Security Permissions Check for
DC=DomainDnsZones,DC=dmz,DC=DMZ-Domain,DC=local
(NDNC,Version 3)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=dmz,DC=DMZ-Domain,DC=local
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,DC=dmz,DC=DMZ-Domain,DC=local
(Configuration,Version 3)
* Security Permissions Check for
DC=dmz,DC=DMZ-Domain,DC=local
(Domain,Version 3)
......................... DMZ-DC passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\DMZ-DC\netlogon
Verified share \\DMZ-DC\sysvol
......................... DMZ-DC passed test NetLogons
Starting test: ObjectsReplicated
DMZ-DC is in domain DC=dmz,DC=DMZ-Domain,DC=local
Checking for CN=DMZ-DC,OU=Domain Controllers,DC=dmz,DC=DMZ-Domain,DC=local
in domain DC=dmz,DC=DMZ-Domain,DC=local on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=DMZ-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dmz,DC=DMZ-Domain,DC=local in domain CN=Configuration,DC=dmz,DC=DMZ-Domain,DC=local on 1 servers
Object is up-to-date on all servers.
......................... DMZ-DC passed test ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Starting test: Replications
* Replications Check
* Replication Latency Check
......................... DMZ-DC passed test Replications
Starting test: RidManager
* Available RID Pool for the Domain is 1600 to 1073741823
* DMZ-DC.dmz.DMZ-Domain.local is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 1100 to 1599
* rIDPreviousAllocationPool is 1100 to 1599
* rIDNextRID: 1126
......................... DMZ-DC passed test RidManager
Starting test: Services
* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
* Checking Service: DnsCache
* Checking Service: DFSR
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: w32time
* Checking Service: NETLOGON
......................... DMZ-DC passed test Services
Starting test: SystemLog
* The System Event log test
Found no errors in "System" Event log in the last 60 minutes.
......................... DMZ-DC passed test SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Starting test: VerifyReferences
The system object reference (serverReference)
CN=DMZ-DC,OU=Domain Controllers,DC=dmz,DC=DMZ-Domain,DC=local and
backlink on
CN=DMZ-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dmz,DC=DMZ-Domain,DC=local
are correct.
The system object reference (serverReferenceBL)
CN=DMZ-DC,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=dmz,DC=DMZ-Domain,DC=local
and backlink on
CN=NTDS Settings,CN=DMZ-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dmz,DC=DMZ-Domain,DC=local
are correct.
The system object reference (msDFSR-ComputerReferenceBL)
CN=DMZ-DC,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=dmz,DC=DMZ-Domain,DC=local
and backlink on
CN=DMZ-DC,OU=Domain Controllers,DC=dmz,DC=DMZ-Domain,DC=local are correct.
......................... DMZ-DC passed test VerifyReferences
Test omitted by user request: VerifyReplicas
Test omitted by user request: DNS
Test omitted by user request: DNS
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : dmz
Starting test: CheckSDRefDom
......................... dmz passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... dmz passed test CrossRefValidation
Running enterprise tests on : dmz.DMZ-Domain.local
Test omitted by user request: DNS
Test omitted by user request: DNS
Starting test: LocatorCheck
GC Name: \\DMZ-DC.dmz.DMZ-Domain.local
Locator Flags: 0xe00031fd
PDC Name: \\DMZ-DC.dmz.DMZ-Domain.local
Locator Flags: 0xe00031fd
Time Server Name: \\DMZ-DC.dmz.DMZ-Domain.local
Locator Flags: 0xe00031fd
Preferred Time Server Name: \\DMZ-DC.dmz.DMZ-Domain.local
Locator Flags: 0xe00031fd
KDC Name: \\DMZ-DC.dmz.DMZ-Domain.local
Locator Flags: 0xe00031fd
......................... dmz.DMZ-Domain.local passed test LocatorCheck
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope
provided by the command line arguments provided.
......................... dmz.DMZ-Domain.local passed test Intersite
C:\Users\Administrator>
I have substituted the real servername with "DMZ-DC", and the domain name with "DMZ-Domain".
This is the output from repadmin /replsum on the DMZ domain controller:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\Administrator>repadmin /replsum
Replication Summary Start Time: 2013-02-06 07:43:39
Beginning data collection for replication summary, this may take awhile:
....
Source DSA largest delta fails/total %% error
Destination DSA largest delta fails/total %% error
C:\Users\Administrator>
There is only one DC in the DMZ, and only a one way trust to the internal domain (no replication between DMZ and internal DC) so I guess this is as expected.
There was indeed a 127.0.0.1 record for DNS on the DMZ DC, I have removed that but this gave no effect on login time on the client server.
Just to be absolutely clear, everything works perfectly on the DMZ DC when logging in with a username from the trusted internal domain, but it takes 30 seconds longer on the client server in the DMZ domain using the same trusted account.
One more thing, in the host file on the DMZ client server we also tried with this line for the internal domain:
192.168.110.9 primary #PRE #DOM:internal.local #PDC for internal.local
There is no difference with or without this line in the host file.
I have replaced the real domain name with "internal".
One other interesting thing:
If I log on to the client server with the trusted account, then log off, and then log in again straight away, the login is instant every other time. When I just logged in and out 10 times in a row as quickly as I could, every other login was quick (under 4 seconds) and every other login was slow (34-35 seconds).
Obviously the DMZ client server has a different way of authenticating the trusted user accounts from the internal domain than the DMZ DC, but I'm at a loss to understand what this is...
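The asymmetry and the every-other-logon pattern described above are what a practitioner would want to measure directly rather than infer from the welcome screen. The following PowerShell script is an added example and is not from the thread or from either poster: run on the DMZ member server (PowerShell 2.0 on Windows 2008 R2 is enough), it times the SRV lookups and the forced DC locator calls for the trusted domain over several runs so that a recurring ~30 second stall shows up as a number. The domain name 'internal.local' is the placeholder the asker used; the 5 second warning threshold and the run count are assumptions.

```powershell
# Added example (not from the original thread): time DNS SRV resolution and
# forced DC location for the trusted domain from the DMZ member server.
# 'internal.local' is the placeholder name used in the thread; $Runs and the
# 5 s warning threshold are arbitrary choices for this example.
$TrustedDomain = 'internal.local'
$Runs = 10

# Run one external command, capture its first output line and how long it took.
function Invoke-Timed([string]$Label, [scriptblock]$Action) {
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $out = & $Action 2>&1
    $sw.Stop()
    New-Object PSObject -Property @{
        Step    = $Label
        Seconds = [math]::Round($sw.Elapsed.TotalSeconds, 1)
        Result  = [string]($out | Select-Object -First 1)
    }
}

$results = @()

# 1. Can this member server resolve the SRV records that the DC locator uses
#    for the trusted domain? Missing or unreachable targets cause timeouts.
$results += Invoke-Timed 'SRV _ldap._tcp.dc._msdcs' {
    nslookup -type=SRV "_ldap._tcp.dc._msdcs.$TrustedDomain"
}
$results += Invoke-Timed 'SRV _kerberos._tcp' {
    nslookup -type=SRV "_kerberos._tcp.$TrustedDomain"
}

# 2. Is the secure channel to the local (DMZ) domain healthy? The trust path
#    is only used after the local secure channel is established.
$results += Invoke-Timed 'sc_query local domain' {
    nltest "/sc_query:$env:USERDOMAIN"
}

# 3. Force the DC locator for the trusted domain repeatedly, bypassing the
#    locator cache each time, to see whether some runs hit a long timeout.
for ($i = 1; $i -le $Runs; $i++) {
    $results += Invoke-Timed "dsgetdc $TrustedDomain run $i" {
        nltest "/dsgetdc:$TrustedDomain" /force
    }
}

$results | Format-Table Step, Seconds, Result -AutoSize

# Call out anything slower than 5 s; a stall comparable to the 30 s the
# asker sees at the welcome screen should stand out here.
$results | Where-Object { $_.Seconds -gt 5 } | ForEach-Object {
    Write-Warning ("{0} took {1}s" -f $_.Step, $_.Seconds)
}
```

Running the same script on the DMZ DC gives the comparison the asker is after: if the locator calls are fast on the DC and slow on the member server, the difference lies in how the member server resolves or reaches the trusted domain's DCs, not in the trust itself.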
I suggest you enable debug logging in the registry to check what exactly is taking time. As it is an intermittent issue, we need to check the server performance as well. Check the following links for reference.
http://support.microsoft.com/kb/221833
http://blogs.technet.com/b/instan/archive/2008/04/17/troubleshooting-the-intermittent-slow-logon-or-slow-startup.aspx
http://blogs.technet.com/b/askds/archive/2009/09/23/so-you-have-a-slow-logon-part-1.aspx
http://blogs.technet.com/b/askds/archive/2009/09/24/so-you-have-a-slow-logon-part-2.aspx
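The debug logging the reply above refers to is Netlogon's DBFlag, which writes a timestamped trace to %windir%\debug\netlogon.log. The following PowerShell script is an added example, not part of the thread: it turns that logging on and off and parses the log for consecutive entries separated by a long gap, which is the quickest way to see which operation the 30 seconds are spent in. It assumes the standard "MM/DD HH:MM:SS message" line layout of netlogon.log; the sample lines embedded at the end are constructed to illustrate that layout and are not real output from the asker's servers.

```powershell
# Added example (not from the original thread). Enable Netlogon debug logging
# on the slow member server, reproduce one slow logon, then locate the stall
# by looking for large time gaps between consecutive log entries.

$LogPath = Join-Path $env:windir 'debug\netlogon.log'

# Verbose Netlogon logging; equivalent to setting DBFlag under
# HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
function Enable-NetlogonDebug  { nltest /dbflag:0x2080ffff | Out-Null }
function Disable-NetlogonDebug { nltest /dbflag:0x0 | Out-Null }

# Parse timestamped lines ("MM/DD HH:MM:SS text"; the year is not logged, so
# the current year is assumed) and return each pair of consecutive entries
# that are more than $GapSeconds apart, with the entry before the gap first.
function Find-NetlogonGaps {
    param([string[]]$Lines, [int]$GapSeconds = 5)
    $prevTime = $null
    $prevText = $null
    $gaps = @()
    foreach ($line in $Lines) {
        if ($line -notmatch '^(\d{2}/\d{2}) (\d{2}:\d{2}:\d{2}) (.*)$') { continue }
        $text = $matches[3]
        $t = [datetime]::ParseExact(
            ('{0}/{1} {2}' -f $matches[1], (Get-Date).Year, $matches[2]),
            'MM/dd/yyyy HH:mm:ss', $null)
        if ($prevTime -ne $null) {
            $delta = ($t - $prevTime).TotalSeconds
            if ($delta -gt $GapSeconds) {
                $gaps += New-Object PSObject -Property @{
                    Seconds = $delta
                    Before  = $prevText   # the operation that was waiting
                    After   = $text       # what finally happened
                }
            }
        }
        $prevTime = $t
        $prevText = $text
    }
    return $gaps
}

# Constructed sample lines, illustrative only: they show the layout the
# parser expects and a 30 s gap around a DC locator call for the trusted
# domain. 'internal.local' and 192.168.110.9 are the thread's placeholders.
$sample = @(
    '02/06 07:43:39 [MISC] DsGetDcName function called: Dom:internal.local Acct:(null) Flags: FORCE',
    '02/06 07:43:39 [MISC] NetpDcGetName: internal.local using cached information',
    '02/06 07:44:09 [MISC] NetpDcGetNameIp: internal.local: Sent 1/1 ldap pings to 192.168.110.9',
    '02/06 07:44:09 [MISC] DsGetDcName function returns 0: Dom:internal.local'
)
Find-NetlogonGaps -Lines $sample | Format-Table Seconds, Before, After -AutoSize

# Real capture on the member server:
#   Enable-NetlogonDebug
#   (log off and back on with the trusted account until a slow logon occurs)
#   Find-NetlogonGaps -Lines (Get-Content $LogPath) | Format-Table -AutoSize
#   Disable-NetlogonDebug
```

The "Before" column is the useful one: the entry immediately preceding a gap names the call that was waiting, which gives something concrete to search for in the linked articles, and comparing the same trace from the DMZ DC shows whether the member server is taking a different path to the trusted domain. Remember to disable the logging afterwards; at this flag level netlogon.log grows quickly.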
ASKER CERTIFIED SOLUTION
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.