Solved

Why is AD login slow over VPN?

Posted on 2014-11-12
10
575 Views
Last Modified: 2014-12-06
We have installed a number of domain member computers running Server 2012 R2 into remote offices in third-party locations. The majority of these installations have been fine without any issues, but with one particular network provider we are having issues with extremely slow login with AD user accounts. At present member systems take over two minutes to complete login to the system with RDP.

The remote offices in question are connected to our network using a VPN tunnel. I have completed the following tests to try and diagnose the issues.

[1] Confirmed that firewalls at either end of our network do not have any restrictive rules.
[2] Confirmed that the third-party firewall rules are not blocking any traffic between the domain controllers and the remote office.
[3] Confirmed that no NAT is in place between the remote office and head office.
[4] Used PortQry to run tests in either direction between DC and Client.
[5] The third party has lowered the encryption level on the VPN tunnel.
[6] The third party has configured the maximum segment size on the router LAN interface to 1360.
[7] Configured the AD member computer to use TCP for Kerberos.

So far nothing we have tried has had any effect on the speed of login using AD accounts.

Regards,

SWilson
0
Comment
Question by:RowlandITD
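Step [6] of the question sets the router's MSS to 1360, which is the value a VPN path with a 1400-byte MTU needs (1400 minus 20 bytes IP and 20 bytes TCP header). The script below is an added example, not part of the original question, that verifies the actual path MTU from a member server by probing with Don't-Fragment pings across the tunnel and deriving the MSS from the result. The target host name is an assumption (any host on the far side of the tunnel, such as a DC, works), and the string match assumes the English-language output of ping.exe.

```powershell
# Added example: measure the path MTU across the VPN with DF-bit pings and
# derive the TCP MSS the tunnel can carry. Target is an assumption; use a DC
# or any host on the far side of the tunnel.
param([string]$Target = "dc01.corp.example")

function Test-UnfragmentedPing {
    param([string]$ComputerName, [int]$PayloadBytes)
    # -f sets Don't Fragment, -l sets the ICMP payload size, -n 1 sends one probe
    $out = ping.exe -f -l $PayloadBytes -n 1 -w 2000 $ComputerName 2>&1 | Out-String
    # English ping.exe reports "Packet needs to be fragmented but DF set." on failure
    return ($out -match 'TTL=' -and $out -notmatch 'needs to be fragmented')
}

function Find-PathMtu {
    param([string]$ComputerName, [int]$Low = 1000, [int]$High = 1472)
    # Binary search on the payload size. 1472 + 28 header bytes = 1500, the
    # Ethernet MTU, so anything below it indicates tunnel overhead on the path.
    while ($Low -lt $High) {
        $mid = [math]::Ceiling(($Low + $High) / 2)
        if (Test-UnfragmentedPing -ComputerName $ComputerName -PayloadBytes $mid) {
            $Low = $mid          # this size got through: search upwards
        } else {
            $High = $mid - 1     # fragmentation needed: search downwards
        }
    }
    [pscustomobject]@{
        LargestPayload = $Low
        PathMtu        = $Low + 28        # 20-byte IP header + 8-byte ICMP header
        SuggestedMss   = $Low + 28 - 40   # MTU minus 20-byte IP and 20-byte TCP headers
    }
}

Find-PathMtu -ComputerName $Target | Format-List
```

If SuggestedMss comes out below the 1360 configured on the router, TCP segments larger than the path allows will be fragmented or dropped inside the tunnel, which is exactly the symptom pattern (large Kerberos and LDAP responses stall while small pings look fine). If it comes out at or above 1360, the MSS clamp is not the bottleneck and the fault lies elsewhere on the path or host.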
10 Comments
 
LVL 88

Expert Comment

by:rindi
ID: 40437167
You need a fast internet connection with not only fast download, but also fast upload speeds on both sides of the tunnel. Probably the ISP of the slow office has a slow upload speed. Check their internet offers, and make sure you get one that has a fast upload speed. Often they offer fast downloads and slow uploads...
0
 

Author Comment

by:RowlandITD
ID: 40437259
The network speed on circuits for the issue sites is comparable to that of the sites that do not have issues and better in some cases.
0
 
LVL 18

Expert Comment

by:Akinsd
ID: 40439307
What is the relative distance between the remote site with the problem and the main site compared with other remote sites?
How many users are in the problematic site compared with others?

I noticed you mention that you have domain member servers. Are these servers just members or are they secondary DCs? If they are DCs, enable Global Catalog on the one with issues or all of them as desired. If they are not DCs, you may want to promote them and then enable GC.

I hope this helps
0
 

Author Comment

by:RowlandITD
ID: 40439403
Each remote office location has a small number of users, generally less than ten, but the slow login is there on a server with no other users connected when it's located within the specific network provider's infrastructure.

The servers are domain member servers and not DCs or RODCs, and I would not want to manage one DC per remote office as there would be hundreds of them.
0
 
LVL 18

Expert Comment

by:Akinsd
ID: 40441659
The bottom line is the DNS query for authentication request or response is taking too long.

Most of the relevant items have been taken care of from your description above in terms of speed (MTU size, Authentication) etc.

I'm curious why the MTU (MSS) was reduced to 1360.

Another thing I can think of is whether your tunnel is GRE (for optimum routing through VPN).

10 devices may not pose that much of traffic issues unless heavy streaming or file transfer happens constantly.

This led me to suggest GC. You have a server there anyway, so it won't hurt to promote it to a DC, at least for the trouble site (maybe as a last resort).

Try flushing the DNS and see if that changes anything.
Just in case, is the DNS server setting pointing to the DC? Do an ipconfig /all to check.
0
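The DNS check suggested above can be taken one step further: a domain logon depends on the DC locator SRV records resolving quickly and on the server being matched to the right AD site. The following is an added example, not part of the comment above, that lists the configured DNS servers, times the SRV lookups the logon path uses, and shows which DC the locator actually selects. It reads the domain name from the machine itself; no names from the thread are assumed.

```powershell
# Added example: check the DNS client settings and DC locator records a
# domain logon depends on. Run on the slow member server.
$domain = (Get-CimInstance Win32_ComputerSystem).Domain

# Which DNS servers each interface uses; these should be DCs, not the ISP's resolvers
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses |
    Format-Table -AutoSize

# Time the SRV lookups the logon process performs (LDAP, Kerberos, Global Catalog).
# -DnsOnly bypasses the local cache and hosts file so the round trip is measured.
$records = "_ldap._tcp.dc._msdcs.$domain",
           "_kerberos._tcp.dc._msdcs.$domain",
           "_gc._tcp.$domain"
foreach ($rec in $records) {
    $sw = [Diagnostics.Stopwatch]::StartNew()
    try {
        $answers = Resolve-DnsName -Name $rec -Type SRV -DnsOnly -ErrorAction Stop
        $targets = ($answers | Where-Object Type -eq 'SRV' | ForEach-Object NameTarget) -join ', '
        "{0,-45} {1,5} ms  {2}" -f $rec, $sw.ElapsedMilliseconds, $targets
    } catch {
        "{0,-45} FAILED: {1}" -f $rec, $_.Exception.Message
    }
}

# Which DC the locator picks for this machine and which AD site it thinks it is in.
# A remote office landing in the wrong site will be sent to a distant DC.
nltest /dsgetdc:$domain /force
nltest /dsgetsite
```

Lookups that take hundreds of milliseconds or time out point at a DNS path problem; lookups that are fast but return a DC in the wrong site point at the AD Sites and Services subnet mapping rather than the network.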
 

Author Comment

by:RowlandITD
ID: 40442354
The VPN is just a site to site VPN, not GRE.

The DNS all seems fine, I tried a flush DNS and it made no difference to the speed to connect.

In regards to the MSS value, it was a suggested number to improve VPN performance and reduce fragmentation.
0
 
LVL 18

Expert Comment

by:Akinsd
ID: 40451340
GRE enhances route over VPN

With all the information you provided, the only solution I can proffer at this point is a local DC with GC enabled.
You can always promote the DC and demote it if you don't want to keep it. Unless you have network lag issues, it will definitely speed up your login time.
0
 

Author Comment

by:RowlandITD
ID: 40462220
The issue with this would be that in the long run we would end up with over 150 domain controllers.
0
 

Accepted Solution

by:
RowlandITD earned 0 total points
ID: 40473414
The problems have now been resolved by disabling the TCP offload features on the NIC and within Windows.
0
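The accepted fix turns off TCP offload both on the adapter and in the Windows stack. Offload features (TCP Chimney, Large Send Offload, checksum offload, Receive Segment Coalescing) hand segmentation and checksumming to the NIC, and a driver or firmware that mishandles them over a path with a reduced MTU produces exactly this kind of stall. The script below is an added example, not the poster's own procedure, showing how to review the current settings and, only when run with -Apply, disable them on every physical adapter. Adapter names come from Get-NetAdapter; nothing is specific to the poster's hardware.

```powershell
# Added example: review and optionally disable TCP offload features on
# Server 2012 R2, at both the stack level and the adapter level.
# Without -Apply the script only reports; with -Apply it changes settings
# and restarts the adapters, which briefly drops an RDP session.
param([switch]$Apply)

# Stack-wide settings. Chimney = TCP connection offload to the NIC,
# ReceiveSegmentCoalescing = RSC, TaskOffload = master switch for checksum/LSO.
Get-NetOffloadGlobalSetting |
    Format-List Chimney, ReceiveSegmentCoalescing, ReceiveSideScaling, TaskOffload

# Per-adapter offloads on physical NICs that are up
$adapters = Get-NetAdapter -Physical | Where-Object Status -eq 'Up'
$adapters | Get-NetAdapterChecksumOffload | Format-Table -AutoSize
$adapters | Get-NetAdapterLso            | Format-Table -AutoSize
$adapters | Get-NetAdapterRsc            | Format-Table -AutoSize

if ($Apply) {
    # Stack level; equivalent to
    #   netsh int tcp set global chimney=disabled
    #   netsh int tcp set global rsc=disabled
    Set-NetOffloadGlobalSetting -Chimney Disabled -ReceiveSegmentCoalescing Disabled

    foreach ($nic in $adapters) {
        # -NoRestart batches the changes; one restart per adapter at the end
        Disable-NetAdapterLso             -Name $nic.Name -IPv4 -IPv6 -NoRestart
        Disable-NetAdapterChecksumOffload -Name $nic.Name -NoRestart
        Disable-NetAdapterRsc             -Name $nic.Name -IPv4 -IPv6 -NoRestart
        Restart-NetAdapter -Name $nic.Name
    }

    # Re-read so the change is visible in the same run
    Get-NetOffloadGlobalSetting | Format-List Chimney, ReceiveSegmentCoalescing
    $adapters | Get-NetAdapterLso | Format-Table -AutoSize
}
```

Disable one feature at a time and re-time the logon after each change: that identifies which offload the driver mishandles, so the others can stay enabled on the sites that are not affected.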
 

Author Closing Comment

by:RowlandITD
ID: 40484444
I found the resolution myself without assistance from Experts Exchange.
0
