Why is AD login slow over VPN?

Posted on 2014-11-12
682 Views
Last Modified: 2014-12-06
We have installed a number of domain member computers running Server 2012 R2 into remote offices in third-party locations. The majority of these installations have been fine without any issues, but with one particular network provider we are having issues with extremely slow login with AD user accounts. At present, member systems take over two minutes to complete login to the system with RDP.

The remote offices in question are connected to our network using a VPN tunnel. I have completed the following tests to try and diagnose the issues.

[1] Confirmed that firewall rules at either end of our network do not have any restrictive rules.
[2] Confirmed that the third-party firewall rules are not blocking any traffic between the domain controllers and the remote office.
[3] Confirmed that no NAT is in place between the remote office and head office.
[4] Used PortQry to run tests in either direction between DC and client.
[5] The third party has lowered the encryption level on the VPN tunnel.
[6] The third party has configured the maximum segment size on the router LAN interface to 1360.
[7] Configured the AD member computer to use TCP for Kerberos.

So far nothing we have tried has had any effect on the speed of login using AD accounts.

Regards,

SWilson
Question by:RowlandITD
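The question lists the checks that were run (PortQry in both directions, MSS set to 1360 on the router, Kerberos forced to TCP). The script below is an added example, not part of the original question or any reply, that verifies the same three things from the domain member's side in one run: it reads the Kerberos MaxPacketSize registry value, probes the usable path MTU towards the DC with Don't-Fragment pings so the 1360 MSS can be checked against reality, and tests the TCP ports a domain member needs on a DC. `$DcHost` is a placeholder, and `Find-PathMtu` only tests English-language ping output (it looks for `TTL=`). Test-NetConnection only checks TCP, so it does not replace the UDP side of a PortQry run.

```powershell
# Added example (not from the original thread): check the VPN-related settings
# the question lists, from the domain member. $DcHost is a placeholder.
param(
    [string]$DcHost = 'dc01.example.internal'   # placeholder, replace with a real DC
)

# 1. Kerberos over TCP. Microsoft KB 244474 documents MaxPacketSize=1 under
#    this key as the setting that forces Kerberos to use TCP instead of UDP.
function Get-KerberosTransport {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $val = (Get-ItemProperty -Path $key -Name MaxPacketSize -ErrorAction SilentlyContinue).MaxPacketSize
    if ($val -eq 1)         { 'TCP forced (MaxPacketSize=1)' }
    elseif ($null -eq $val) { 'default (UDP first, TCP only for oversized tickets)' }
    else                    { "MaxPacketSize=$val" }
}

# 2. Path MTU probe. Ping with the Don't Fragment bit set and binary-search the
#    largest payload that gets a reply. Payload + 28 bytes (IP + ICMP headers)
#    is the usable path MTU; a TCP MSS of 1360 corresponds to an MTU of 1400.
function Find-PathMtu {
    param([string]$Target, [int]$Max = 1472, [int]$Min = 1200)
    $lo = $Min; $hi = $Max
    while ($lo -lt $hi) {
        # Ceiling keeps $mid above $lo so the loop always makes progress.
        $mid = [int][math]::Ceiling(($lo + $hi) / 2)
        $out = ping.exe -n 1 -f -l $mid $Target 2>&1 | Out-String
        if ($out -match 'TTL=') { $lo = $mid } else { $hi = $mid - 1 }
    }
    [pscustomobject]@{
        Target        = $Target
        MaxPayload    = $lo
        PathMtu       = $lo + 28
        ImpliedTcpMss = $lo + 28 - 40   # MTU minus IPv4 and TCP headers
    }
}

# 3. TCP ports a domain member uses on a DC (the same idea as the PortQry test
#    in the question, using Test-NetConnection).
function Test-DcPorts {
    param([string]$Target)
    $ports = @{ 53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP';
                445 = 'SMB'; 464 = 'Kerberos password'; 636 = 'LDAPS'; 3268 = 'Global Catalog' }
    foreach ($p in ($ports.Keys | Sort-Object)) {
        $r = Test-NetConnection -ComputerName $Target -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $p; Service = $ports[$p]; TcpOpen = $r.TcpTestSucceeded }
    }
}

"Kerberos transport: $(Get-KerberosTransport)"
Find-PathMtu -Target $DcHost | Format-List
Test-DcPorts -Target $DcHost | Format-Table -AutoSize
```

If `Find-PathMtu` reports a path MTU below 1400, the router's MSS of 1360 is still too large for the tunnel and TCP segments are being fragmented or dropped in the VPN; if it reports 1400 or more, the MSS clamp is not the bottleneck and the problem lies elsewhere, as it did in this thread.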
10 Comments
 
LVL 88

Expert Comment

by:rindi
ID: 40437167
You need a fast internet connection with not only fast download, but also fast upload speeds on both sides of the tunnel. Probably the ISP of the slow office has a slow upload speed. Check their internet offers, and make sure you get one that has a fast upload speed. Often they offer fast downloads and slow uploads...
0
 

Author Comment

by:RowlandITD
ID: 40437259
The network speed on circuits for the issue sites is comparable to that of the sites that do not have issues and better in some cases.
0
 
LVL 18

Expert Comment

by:Akinsd
ID: 40439307
What is the relative distance between the remote site with the problem and the main site compared with other remote sites?
How many users are in the problematic site compared with others?

I noticed you mention that you have domain member servers. Are these servers just members or are they secondary DCs? If they are DCs, enable Global Catalog on the one with issues or all of them as desired. If they are not DCs, you may want to promote them and then enable GC.

I hope this helps
0
 

Author Comment

by:RowlandITD
ID: 40439403
Each remote office location has a small number of users, generally fewer than ten, but the slow login is there on a server with no other users connected when it's located within the specific network provider's infrastructure.

The servers are domain member servers and not DCs or RODCs, and I would not want to manage one DC per remote office as there would be hundreds of them.
0
 
LVL 18

Expert Comment

by:Akinsd
ID: 40441659
The bottom line is the DNS query for authentication request or response is taking too long.

Most of the relevant items have been taken care of from your description above in terms of speed (MTU size, Authentication) etc.

I'm curious why the MTU (MSS) was reduced to 1360.

Another thing I can think of is whether your tunnel is GRE (for optimum routing through VPN).

10 devices may not pose that much of traffic issues unless heavy streaming or file transfer happens constantly.

These led me to suggesting GC. You have a server there anyways, it won't hurt to promote it to a DC at least for the trouble site (maybe as a last resort)

Try flushing the DNS and see if that changes anything.
Just in case, is the DNS server setting pointing to the DC? Do an `ipconfig /all` to check.
0
 

Author Comment

by:RowlandITD
ID: 40442354
The VPN is just a site to site VPN, not GRE.

The DNS all seems fine. I tried a DNS flush and it made no difference to the speed to connect.

In regards to the MSS value, it was a suggested number to improve VPN performance and reduce fragmentation.
0
 
LVL 18

Expert Comment

by:Akinsd
ID: 40451340
GRE enhances routing over VPN.

With all the information you provided, the only solution I can proffer at this point is a local DC with GC enabled.
You can always promote the DC and demote it if you don't want to keep it. Unless you have network lag issues, it will definitely speed up your login time.
0
 

Author Comment

by:RowlandITD
ID: 40462220
The issue with this would be that in the long run we would end up with over 150 domain controllers.
0
 

Accepted Solution

by: RowlandITD (earned 0 total points)
ID: 40473414
The problems have now been resolved by disabling the TCP offload features on the NIC and within Windows.
0
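The accepted solution says only that TCP offload was disabled "on the NIC and within Windows". The script below is an added example, not the author's own steps, showing what that covers on Windows Server 2012 R2: the per-adapter offload features (checksum offload, large send offload, RSS and RSC) reported by the NetAdapter cmdlets, and the stack-level settings (TCP Chimney, RSC, RSS) from `Get-NetOffloadGlobalSetting`, the PowerShell equivalent of `netsh int tcp show global`. It only reports unless `-Disable` is passed, and must run in an elevated PowerShell. The `Disable-NetAdapter*` cmdlets reset the adapter, so expect the RDP or VPN session to drop for a moment when run remotely.

```powershell
# Added example (not from the original thread): report the TCP offload state of
# each active physical adapter and the global TCP offload settings, and disable
# them only when -Disable is given. Run elevated on Windows Server 2012 R2.
param([switch]$Disable)

function Get-ActiveNics {
    Get-NetAdapter -Physical | Where-Object Status -eq 'Up'
}

function Get-OffloadReport {
    foreach ($nic in Get-ActiveNics) {
        "=== $($nic.Name) ($($nic.InterfaceDescription)) ==="
        # Per-adapter features, as the NIC driver reports them.
        Get-NetAdapterChecksumOffload -Name $nic.Name | Format-Table -AutoSize
        Get-NetAdapterLso -Name $nic.Name | Format-Table -AutoSize                # large send offload
        Get-NetAdapterRss -Name $nic.Name | Format-List Name, Enabled              # receive side scaling
        Get-NetAdapterRsc -Name $nic.Name -ErrorAction SilentlyContinue |
            Format-Table -AutoSize                                               # receive segment coalescing
    }
    "=== Global TCP offload settings (netsh int tcp show global equivalent) ==="
    Get-NetOffloadGlobalSetting | Format-List
}

function Disable-TcpOffload {
    foreach ($nic in Get-ActiveNics) {
        "Disabling offload features on $($nic.Name)"
        Disable-NetAdapterChecksumOffload -Name $nic.Name
        Disable-NetAdapterLso -Name $nic.Name
        Disable-NetAdapterRss -Name $nic.Name
        Disable-NetAdapterRsc -Name $nic.Name -ErrorAction SilentlyContinue
    }
    # The Windows side: TCP Chimney, RSC and RSS at the stack level.
    Set-NetOffloadGlobalSetting -Chimney Disabled `
                                -ReceiveSegmentCoalescing Disabled `
                                -ReceiveSideScaling Disabled
}

Get-OffloadReport
if ($Disable) {
    Disable-TcpOffload
    "--- state after disabling ---"
    Get-OffloadReport
}
```

Run it once without arguments and keep the output as the baseline, so the change can be reverted with the matching `Enable-NetAdapterChecksumOffload`, `Enable-NetAdapterLso`, `Enable-NetAdapterRss`, `Enable-NetAdapterRsc` and `Set-NetOffloadGlobalSetting` calls if the login delay turns out to have another cause. Disabling offload moves checksum and segmentation work back onto the CPU, which is usually harmless on a lightly loaded branch server but worth watching on a busy one.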
 

Author Closing Comment

by:RowlandITD
ID: 40484444
I found the resolution myself without assistance from Experts Exchange.
0
