Solved

Why is AD login slow over VPN?

Posted on 2014-11-12
477 Views
Last Modified: 2014-12-06
We have installed a number of domain member computers running Server 2012 R2 into remote offices in third-party locations. The majority of these installations have been fine without any issues, but with one particular network provider we are having issues with extremely slow login with AD user accounts. At present member systems take over two minutes to complete login to the system with RDP.

The remote offices in question are connected to our network using a VPN tunnel. I have completed the following tests to try and diagnose the issue.

[1] Confirmed that firewall rules at either end of our network do not have any restrictive rules.
[2] Confirmed that the third-party firewall rules are not blocking any traffic between the domain controllers and the remote office.
[3] Confirmed that no NAT is in place between the remote office and head office.
[4] Used PortQry to run tests in either direction between DC and Client.
[5] The third party has lowered the encryption level on the VPN tunnel.
[6] The third party has configured the maximum segment size on the router LAN interface to 1360.
[7] Configured the AD member computer to use TCP for Kerberos.

So far nothing we have tried has had any effect on the speed of login using AD accounts.

Regards,

SWilson
Question by:RowlandITD
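The checks listed in steps [1] to [7] above can be gathered into a single script run on the affected member server, so that Kerberos transport, DC location through DNS, path MTU across the tunnel and per-port reachability are all measured in one pass. This is an added example and not the author's own script; the domain name, the DC host name and the port list are assumptions to be replaced with your own values.

```powershell
# Added diagnostic example (not from the original post). Run on the remote-office
# member server as an administrator. Domain and DC names below are placeholders.
$Domain = 'corp.example'          # assumption: your AD DNS domain
$DcHost = 'dc01.corp.example'     # assumption: a DC reachable over the tunnel

# 1. Is Kerberos forced onto TCP (step [7])? MaxPacketSize = 1 makes the Kerberos
#    client use TCP for every request; on Vista/2008 and later the OS default is
#    already TCP, so an unset value is not by itself a problem.
$kerb = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$mps  = (Get-ItemProperty -Path $kerb -Name MaxPacketSize -ErrorAction SilentlyContinue).MaxPacketSize
"Kerberos MaxPacketSize: $(if ($null -eq $mps) {'(not set, OS default applies)'} else {$mps})"

# 2. Does DNS hand back the DC SRV records you expect? A slow or wrong answer here
#    delays every logon before Kerberos is even contacted.
Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$Domain" |
    Where-Object QueryType -eq 'SRV' |
    Select-Object NameTarget, Port, Priority, Weight | Format-Table -AutoSize

# 3. Which DC does the locator actually pick, and how long does that take?
$sw = [System.Diagnostics.Stopwatch]::StartNew()
nltest /dsgetdc:$Domain /force
$sw.Stop()
"DC locator took $([int]$sw.Elapsed.TotalMilliseconds) ms"

# 4. Largest payload that crosses the tunnel unfragmented (relates to the MSS of
#    1360 in step [6]). -f sets Don't Fragment; the first size that fails is past
#    the path MTU. 28 = 20-byte IPv4 header + 8-byte ICMP header.
foreach ($size in 1472, 1400, 1360, 1332, 1300) {
    $ok = ping -f -l $size -n 1 $DcHost | Select-String -Quiet 'TTL='
    "payload $size bytes (frame $($size + 28)): $(if ($ok) {'OK'} else {'needs fragmentation / no reply'})"
}

# 5. Time the ports a domain logon depends on: Kerberos 88, LDAP 389, SMB 445,
#    RPC endpoint mapper 135 (assumed list; add your own if the DC uses more).
foreach ($port in 88, 389, 445, 135) {
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $r  = Test-NetConnection -ComputerName $DcHost -Port $port -WarningAction SilentlyContinue
    $sw.Stop()
    "TCP $port : $(if ($r.TcpTestSucceeded) {'open'} else {'CLOSED'}) in $([int]$sw.Elapsed.TotalMilliseconds) ms"
}
```

Run it once on a server behind the slow provider and once on a server that logs in normally, and compare the two outputs line by line; a difference in the fragmentation threshold or in the per-port connect times points at the tunnel, while identical results push the suspicion back onto the host stack itself.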
10 Comments
 

Expert Comment

by:rindi
ID: 40437167
You need a fast internet connection with not only fast download, but also fast upload speeds on both sides of the tunnel. Probably the ISP of the slow office has a slow upload speed. Check their internet offers, and make sure you get one that has a fast upload speed. Often they offer fast downloads and slow uploads...

Author Comment

by:RowlandITD
ID: 40437259
The network speed on circuits for the issue sites is comparable to that of the sites that do not have issues and better in some cases.

Expert Comment

by:Akinsd
ID: 40439307
What is the relative distance between the remote site with the problem and the main site compared with the other remote sites?
How many users are in the problematic site compared with the others?

I noticed you mention that you have domain member servers. Are these servers just members, or are they secondary DCs? If they are DCs, enable Global Catalog on the one with issues, or on all of them as desired. If they are not DCs, you may want to promote them and then enable GC.

I hope this helps.

Author Comment

by:RowlandITD
ID: 40439403
Each remote office location has a small number of users, generally less than ten, but the slow login is there on a server with no other users connected when it's located within the specific network provider's infrastructure.

The servers are domain member servers and not DCs or RODCs, and I would not want to manage one DC per remote office as there would be hundreds of them.

Expert Comment

by:Akinsd
ID: 40441659
The bottom line is that the DNS query for the authentication request or response is taking too long.

Most of the relevant items have been taken care of from your description above in terms of speed (MTU size, authentication), etc.

I'm curious why the MTU (MSS) was reduced to 1360.

Another thing I can think of is whether your tunnel is GRE (for optimum routing through VPN).

10 devices may not pose that much of a traffic issue unless heavy streaming or file transfer happens constantly.

This led me to suggest GC. You have a server there anyway; it won't hurt to promote it to a DC, at least for the trouble site (maybe as a last resort).

Try flushing the DNS and see if that changes anything.
Just in case, is the DNS server setting pointing to the DC? Do an ipconfig /all to check.

Author Comment

by:RowlandITD
ID: 40442354
The VPN is just a site-to-site VPN, not GRE.

The DNS all seems fine; I tried a DNS flush and it made no difference to the speed to connect.

In regards to the MSS value, it was a suggested number to improve VPN performance and reduce fragmentation.

Expert Comment

by:Akinsd
ID: 40451340
GRE enhances routing over VPN.

With all the information you provided, the only solution I can proffer at this point is a local DC with GC enabled.
You can always promote the DC and demote it if you don't want to keep it. Unless you have network lag issues, it will definitely speed up your login time.

Author Comment

by:RowlandITD
ID: 40462220
The issue with this would be that in the long run we would end up with over 150 domain controllers.

Accepted Solution

by:RowlandITD
ID: 40473414
The problems have now been resolved by disabling the TCP offload features on the NIC and within Windows.
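The fix the author reports, disabling TCP offload on the NIC and in the Windows TCP stack, can be inspected and applied from PowerShell with the NetAdapter module and netsh on Server 2012 R2. The script below is an added example and not the author's own procedure; the adapter name is an assumption, and the final timed ticket request is only a crude before/after measurement.

```powershell
# Added example (not from the original post): show, then disable, the TCP offload
# features on a Windows Server 2012 R2 member server. Run as administrator and
# try it on one affected box before rolling it out.
$Adapter = 'Ethernet'   # assumption: the NIC facing the VPN; Get-NetAdapter lists them

# 1. Current OS-level settings (chimney offload, receive side scaling, receive
#    segment coalescing).
netsh interface tcp show global

# 2. What the driver advertises for this adapter.
Get-NetAdapterAdvancedProperty -Name $Adapter |
    Where-Object { $_.DisplayName -match 'Offload|Large Send|Receive Side Scaling|Checksum' } |
    Select-Object DisplayName, DisplayValue | Format-Table -AutoSize

# 3. Disable offload in the Windows stack ...
netsh interface tcp set global chimney=disabled
netsh interface tcp set global rss=disabled
netsh interface tcp set global rsc=disabled

# 4. ... and on the adapter itself.
Disable-NetAdapterLso             -Name $Adapter   # large send offload, IPv4 and IPv6
Disable-NetAdapterChecksumOffload -Name $Adapter   # TCP/UDP/IP checksum offload
Disable-NetAdapterRss             -Name $Adapter
Disable-NetAdapterRsc             -Name $Adapter

# 5. Confirm the new state.
Get-NetAdapterLso             -Name $Adapter
Get-NetAdapterChecksumOffload -Name $Adapter

# 6. Rough before/after check: drop cached tickets and time a fresh TGT request,
#    which exercises the same DC path a logon does.
klist purge | Out-Null
$sw = [System.Diagnostics.Stopwatch]::StartNew()
klist get krbtgt | Out-Null
$sw.Stop()
"TGT request took $([int]$sw.Elapsed.TotalMilliseconds) ms"
```

Run the timing step once before step 3 and once after, on the same server, so that the numbers are comparable. To back the change out, the matching Enable-NetAdapterLso, Enable-NetAdapterChecksumOffload, Enable-NetAdapterRss and Enable-NetAdapterRsc cmdlets restore the adapter settings, and netsh interface tcp set global chimney=default (and rss=enabled, rsc=enabled) restores the stack defaults.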

Author Closing Comment

by:RowlandITD
ID: 40484444
I found the resolution myself without assistance from Experts Exchange.
