  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 729

Why is AD login slow over VPN?

We have installed a number of domain member computers running Server 2012 R2 into remote offices in third party locations. The majority of these installations have been fine without any issues, but with one particular network provider we are having issues with extremely slow login with AD user accounts. At present member systems take over two minutes to complete login to the system with RDP.

The remote offices in question are connected to our network using a VPN tunnel. I have completed the following tests to try and diagnose the issues.

[1] Confirmed that firewall rules at either end of our network do not have any restrictive rules.
[2] Confirmed that the third party firewall rules are not blocking any traffic between the domain controllers and the remote office.
[3] Confirmed that no NAT is in place between the remote office and head office.
[4] Used PortQry to run tests in either direction between DC and Client.
[5] The third party has lowered the encryption level on the VPN tunnel.
[6] The third party has configured the maximum segment size on the router LAN interface to 1360.
[7] Configured the AD member computer to use TCP for Kerberos.
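As an added example (not part of the original question or of any product's own tooling), the following PowerShell script performs the same kind of checks the list above describes from the slow member server: DC locator result, SRV lookups, per-port TCP connect latency to each DC, a don't-fragment ping sized to the 1360-byte MSS, and whether Kerberos has been forced onto TCP. The domain name, the DC list and the 1332-byte ping payload (1360 minus 28 bytes of IP and ICMP header) are assumptions, and the `Test-TcpLatency` helper is the author's own, not a built-in cmdlet.

```powershell
# Added example: logon-path diagnostics for a domain member behind a site-to-site VPN.
# Run elevated on the slow member server. Cmdlets used are inbox on Server 2012 R2+.
param(
    [string]$Domain = $env:USERDNSDOMAIN,   # assumption: the server is already domain-joined
    [int]$PayloadBytes = 1332               # assumption: 1360 MSS minus 28 bytes IP+ICMP header
)

# Hypothetical helper: time a raw TCP connect so the figure excludes ICMP and DNS.
function Test-TcpLatency {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        $ok = $ar.AsyncWaitHandle.WaitOne($TimeoutMs)
        if ($ok) { $client.EndConnect($ar) }    # throws if the port is closed/refused
        $sw.Stop()
        [pscustomobject]@{ DC = $Target; Port = $Port; Open = ($ok -and $client.Connected); ConnectMs = $sw.ElapsedMilliseconds }
    } catch {
        $sw.Stop()
        [pscustomobject]@{ DC = $Target; Port = $Port; Open = $false; ConnectMs = $sw.ElapsedMilliseconds }
    } finally {
        $client.Close()
    }
}

# 1. Which DC does this site actually locate? A DC in the wrong site adds WAN round trips to every logon step.
Write-Host "== DC locator =="
nltest /dsgetdc:$Domain

# 2. SRV records: slow or stale answers here delay Kerberos and LDAP before any traffic crosses the tunnel.
Write-Host "`n== Kerberos SRV records =="
$srv = Resolve-DnsName -Name "_kerberos._tcp.dc._msdcs.$Domain" -Type SRV
$dcs = $srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget -Unique
$dcs

# 3. Port-by-port reachability and connect latency to each DC.
#    DNS 53, Kerberos 88, RPC mapper 135, LDAP 389, SMB 445, kpasswd 464, LDAPS 636, Global Catalog 3268.
$ports = 53, 88, 135, 389, 445, 464, 636, 3268
Write-Host "`n== TCP connect tests =="
$results = foreach ($dc in $dcs) { foreach ($p in $ports) { Test-TcpLatency -Target $dc -Port $p } }
$results | Format-Table -AutoSize
# Open=False on any port, or ConnectMs well above the link RTT, is where to start a packet capture.

# 4. Path MTU: a DF-bit ping sized to the tunnel MSS should succeed; failure points at
#    fragmentation or a dropped ICMP "fragmentation needed" somewhere on the path.
Write-Host "`n== Path MTU check (DF set, $PayloadBytes-byte payload) =="
foreach ($dc in $dcs) { ping -n 2 -f -l $PayloadBytes $dc }

# 5. Kerberos transport: MaxPacketSize=1 is the registry setting that forces TCP instead of UDP.
Write-Host "`n== Kerberos transport =="
$kerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$mps = (Get-ItemProperty -Path $kerbKey -Name MaxPacketSize -ErrorAction SilentlyContinue).MaxPacketSize
if ($mps -eq 1) { 'Kerberos forced to TCP (MaxPacketSize=1)' } else { "Kerberos may still use UDP (MaxPacketSize=$mps)" }
```

Run it once from a site that logs on quickly and once from the slow site and diff the two outputs; identical port and MTU results with a large gap in logon time is what points away from the network path and towards the host's own TCP stack.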

So far nothing we have tried has had any effect on the speed of login using AD accounts.

Regards,

SWilson
Asked by: RowlandITD

1 Solution

rindi commented:
You need a fast internet connection with not only fast download, but also fast upload speeds on both sides of the tunnel. Probably the ISP of the slow office has a slow upload speed. Check their internet offers, and make sure you get one that has a fast upload speed. Often they offer fast downloads and slow uploads...
 
RowlandITD (Author) commented:
The network speed on circuits for the issue sites is comparable to that of the sites that do not have issues and better in some cases.
 
Akinsd (Network Administrator) commented:
What is the relative distance between the remote site with the problem and the main site, compared with other remote sites?
How many users are in the problematic site compared with others?

I noticed you mention that you have domain member servers. Are these servers just members, or are they secondary DCs? If they are DCs, enable Global Catalog on the one with issues or on all of them as desired. If they are not DCs, you may want to promote them and then enable GC.

I hope this helps
 
RowlandITD (Author) commented:
Each remote office location has a small number of users, generally less than ten, but the slow login is there on a server with no other users connected when it's located within the specific network provider's infrastructure.

The servers are domain member servers and not DCs or RODCs, and I would not want to manage one DC per remote office as there would be hundreds of them.
 
Akinsd (Network Administrator) commented:
The bottom line is that the DNS query for the authentication request or response is taking too long.

Most of the relevant items have been taken care of from your description above in terms of speed (MTU size, Authentication) etc.

I'm curious why the MTU (MSS) was reduced to 1360.

Other things I can think of: is your tunnel a GRE tunnel (for optimum routing through VPN)?

10 devices may not pose that much of a traffic issue unless heavy streaming or file transfer happens constantly.

These led me to suggesting GC. You have a server there anyway; it won't hurt to promote it to a DC, at least for the trouble site (maybe as a last resort).

Try flushing the DNS and see if that changes anything.
Just in case, is the DNS server setting pointing to the DC? Do an ipconfig /all to check.
 
RowlandITD (Author) commented:
The VPN is just a site to site VPN, not GRE.

The DNS all seems fine; I tried a DNS flush and it made no difference to the speed to connect.

In regards to the MSS value, it was a suggested number to improve VPN performance and reduce fragmentation.
 
Akinsd (Network Administrator) commented:
GRE enhances routing over VPN.

With all the information you provided, the only solution I can proffer at this point is a local DC with GC enabled.
You can always promote the DC and demote it if you don't want to keep it. Unless you have network lag issues, it will definitely speed up your login time.
 
RowlandITD (Author) commented:
The issue with this would be that in the long run we would end up with over 150 domain controllers.
 
RowlandITD (Author) commented:
The problems have now been resolved by disabling the TCP offload features on the NIC and within Windows.
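The author reports that disabling TCP offload on the NIC and within Windows resolved the slow logons. As an added example (written for this page, not taken from the thread or from Microsoft documentation), the following PowerShell script audits those offload features on a Windows Server 2012 R2 member server and, only when run with `-Apply`, disables them; without the switch it just reports. It assumes the inbox NetAdapter and NetTCPIP modules, reads adapter names at run time, and treats the `-AdapterName` default of all physical adapters as an assumption you may want to narrow.

```powershell
# Added example: audit, and optionally disable, TCP offload features at NIC and stack level.
# Run elevated. Without -Apply nothing is changed. Each change is reversible with the
# matching Enable-NetAdapter* cmdlet or Set-NetOffloadGlobalSetting ... Enabled.
param(
    [switch]$Apply,
    [string]$AdapterName = '*'   # assumption: every physical adapter that is up
)

$adapters = Get-NetAdapter -Name $AdapterName -Physical | Where-Object { $_.Status -eq 'Up' }

# Stack-level ("within Windows") settings: Chimney, RSC and task offload live here.
Write-Host "== Windows-wide TCP/IP offload settings =="
Get-NetOffloadGlobalSetting | Format-List ReceiveSideScaling, ReceiveSegmentCoalescing, Chimney, TaskOffload

# NIC-level settings: checksum offload, large send offload (LSO) and receive segment coalescing (RSC).
Write-Host "== Per-adapter offload features =="
foreach ($a in $adapters) {
    Write-Host "-- $($a.Name) ($($a.InterfaceDescription))"
    Get-NetAdapterChecksumOffload -Name $a.Name |
        Format-Table Name, IpIPv4Enabled, TcpIPv4Enabled, TcpIPv6Enabled, UdpIPv4Enabled, UdpIPv6Enabled -AutoSize
    Get-NetAdapterLso -Name $a.Name | Format-Table Name, IPv4Enabled, IPv6Enabled -AutoSize
    Get-NetAdapterRsc -Name $a.Name | Format-Table Name, IPv4Enabled, IPv6Enabled -AutoSize
}

if ($Apply) {
    Write-Host "== Disabling offloads =="
    foreach ($a in $adapters) {
        # -NoRestart batches the driver changes; the single Restart-NetAdapter afterwards
        # flaps the link once per NIC, so expect an RDP session over that NIC to drop.
        Disable-NetAdapterChecksumOffload -Name $a.Name -NoRestart
        Disable-NetAdapterLso             -Name $a.Name -NoRestart
        Disable-NetAdapterRsc             -Name $a.Name -NoRestart
        Restart-NetAdapter                -Name $a.Name
    }
    # Stack-level equivalent of the legacy commands
    #   netsh int tcp set global chimney=disabled rsc=disabled
    #   netsh int ip  set global taskoffload=disabled
    Set-NetOffloadGlobalSetting -Chimney Disabled -TaskOffload Disabled -ReceiveSegmentCoalescing Disabled

    Write-Host "== State after change =="
    Get-NetOffloadGlobalSetting | Format-List ReceiveSegmentCoalescing, Chimney, TaskOffload
    foreach ($a in $adapters) {
        Get-NetAdapterLso -Name $a.Name | Format-Table Name, IPv4Enabled, IPv6Enabled -AutoSize
    }
}
```

Run the audit first on a server that logs on normally and on the slow one; if the offload state is the same on both, the difference is in the NIC driver or the path rather than the setting itself. Disabling offloads moves checksum and segmentation work onto the CPU, which is negligible for a ten-user office server but should be noted in the build documentation so a later driver update does not silently re-enable the feature.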
 
RowlandITD (Author) commented:
I found the resolution myself without assistance from Experts Exchange.
