RowlandITD
asked on
Why is AD login slow over VPN?
We have installed a number of domain member computers running server 2012 R2 into remote offices in third party locations. The majority of these installations have been fine without any issues, but with one particular network provider we are having issues with extremely slow login with AD user accounts. At present member systems take over two minutes to complete login to the system with RDP.
The remote offices in question are connected to our network using a VPN tunnel. I have completed the following tests to try and diagnose the issues.
[1] Confirmed that firewall rules at either end of our network do not have any restrictive rules.
[2] Confirmed that the third party firewall rules are not blocking any traffic between the domain controllers and the remote office.
[3] Confirmed that no NAT is in place between the remote office and head office.
[4] Used PortQry to run tests in either direction between DC and Client.
[5] The third party has lowered the encryption level on the VPN tunnel.
[6] The third party has configured the maximum segment size on the router LAN interface to 1360.
[7] Configured the AD member computer to use TCP for Kerberos.
So far nothing we have tried has had any effect on the speed of login using AD accounts.
Regards,
SWilson
You need a fast internet connection with not only fast download, but also fast upload speeds on both sides of the tunnel. Probably the ISP of the slow office has a slow upload speed. Check their internet offers, and make sure you get one that has a fast upload speed. Often they offer fast downloads and slow uploads...
ASKER
The network speed on circuits for the issue sites is comparable to that of the sites that do not have issues and better in some cases.
What is the relative distance between the remote site with the problem and the main site compared with other remote sites?
How many users are in the problematic site compared with others?
I noticed you mention that you have domain member servers. Are these servers just members or are they secondary DCs? If they are DCs, enable Global Catalog on the one with issues or all of them as desired. If they are not DCs, you may want to promote them and then enable GC.
I hope this helps
ASKER
Each remote office location has a small number of users, generally less than ten, but the slow login is there on a server with no other users connected when it's located within the specific network provider's infrastructure.
The servers are domain member servers and not DCs or RODCs, and I would not want to manage one DC per remote office as there would be hundreds of them.
The bottom line is the DNS query for authentication request or response is taking too long.
Most of the relevant items have been taken care of from your description above in terms of speed (MTU size, Authentication) etc.
I'm curious why the MTU (MSS) was reduced to 1360.
Other things I can think of is if your tunnel is a GRE (for optimum routing through VPN)
10 devices may not pose that much of traffic issues unless heavy streaming or file transfer happens constantly.
These led me to suggesting GC. You have a server there anyways, it won't hurt to promote it to a DC at least for the trouble site (maybe as a last resort)
Try flushing the DNS and see if that changes.
Just in case, is the DNS server setting pointing to the DC? Do an ipconfig /all to check.
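As an added example (not code from this thread), the PowerShell below runs on the remote member server and times the pieces of a domain logon that the asker's PortQry tests and the DNS question above touch: the DC locator SRV lookup, which DC the locator picks, TCP connects to the logon ports, and the largest unfragmented packet across the tunnel. $Domain and the port list are assumptions; adjust them to your environment.

```powershell
# Added diagnostic script; run in an elevated PowerShell on the remote domain member
# (Windows Server 2012 R2 or later). Assumes the member's DNS points at internal DCs.
param([string]$Domain = $env:USERDNSDOMAIN)

# 1. Time the DC locator SRV lookup. A slow SRV answer delays logon before Kerberos starts.
$srvName = "_ldap._tcp.dc._msdcs.$Domain"
$sw = [Diagnostics.Stopwatch]::StartNew()
$srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop
$sw.Stop()
"SRV lookup for $srvName took $($sw.ElapsedMilliseconds) ms"
$dcs = $srv | Where-Object { $_.Type -eq 'SRV' } |
    Select-Object -ExpandProperty NameTarget -Unique

# 2. Which DC does the locator actually choose for this site? Over a VPN, a DC in
#    the wrong AD site (or with no site coverage) adds round trips to every logon.
nltest /dsgetdc:$Domain /force | Select-String 'DC:|Address:|Flags:'

# 3. Time a TCP connect to each logon-related port on each DC (what PortQry checks,
#    but with the connect latency, which is what matters over a tunnel).
$ports = [ordered]@{ Kerberos = 88; LDAP = 389; SMB = 445; GC = 3268 }
foreach ($dc in $dcs) {
    foreach ($p in $ports.GetEnumerator()) {
        $sw = [Diagnostics.Stopwatch]::StartNew()
        $ok = (Test-NetConnection -ComputerName $dc -Port $p.Value `
                  -WarningAction SilentlyContinue).TcpTestSucceeded
        $sw.Stop()
        '{0,-30} {1,-9} {2,5} {3,6} ms  {4}' -f $dc, $p.Key, $p.Value,
            $sw.ElapsedMilliseconds, $(if ($ok) { 'open' } else { 'BLOCKED' })
    }
}

# 4. Find the largest ICMP payload that crosses the tunnel with DF set. With MSS
#    clamped to 1360 on the router, expect a path MTU near 1400 (payload + 28 bytes
#    of IP/ICMP headers); a much smaller value points at fragmentation in the tunnel.
$dc = $dcs | Select-Object -First 1
$size = 1472
while ($size -gt 1200) {
    $out = & ping.exe -n 1 -f -l $size $dc
    if ($out -notmatch 'needs to be fragmented|100% loss') { break }
    $size -= 8
}
"Largest unfragmented ICMP payload to ${dc}: $size bytes (path MTU ~ $($size + 28))"
```

Compare the numbers from a healthy site against the slow site: a logon that takes two minutes will usually show up here as one step (SRV lookup, a single port, or the MTU probe) that is an order of magnitude slower or blocked.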
ASKER
The VPN is just a site to site VPN, not GRE.
The DNS all seems fine, I tried a flush DNS and it made no difference to the speed to connect.
In regards to the MSS value, it was a suggested number to improve VPN performance and reduce fragmentation.
GRE enhances route over VPN
With all the information you provided, the only solution I can proffer at this point is a local DC with GC enabled.
You can always promote the DC and demote it if you don't want to keep it. Unless you have network lag issues, it will definitely speed up your login time
ASKER
The issue with this would be that in the long run we would end up with over 150 domain controllers.
ASKER CERTIFIED SOLUTION
ASKER
I found the resolution myself without assistance from Experts Exchange.