Andy Lee
asked on
Slow GPO when referencing DFS shares
Hi,
We're getting really slow log on performance with GPOs - 15 servers, 100+ users, each taking upwards of 3,500 seconds to process GPOs!
Testing I have done:
- Moved a user & a computer object to a test OU & no GPOs applied, works fine
- Added GPOs 1 by 1. Issues manifest when a GPO references our DFS Share
For example, we have a GPO to copy a .ico file (<1KB) from the DFS share to the users desktop, this causes "Applying Shortcut Policies" to hang for more than 500seconds every time. Changing the path of that file to point locally on the server means the entire log on process takes <8seconds.
DFS has no issues in event viewer, the BPA shows a couple of replication issues, but nothing major.
AD & DNS both pass their BPA
Premissions on user directories are all fine (i.e. recreated & inherited)
User roaming & local profiles have been completely blown away
AV disabled on DFS, DCs & these RDS servers
Really struggling where to turn to next at the minute, and this is totally killing us with users waiting 1hr + to get logged into our VDI (RDS) estate..
Anyone got any ideas :S
Thanks very much
Andy
We're getting really slow log on performance with GPOs - 15 servers, 100+ users, each taking upwards of 3,500 seconds to process GPOs!
Testing I have done:
- Moved a user & a computer object to a test OU & no GPOs applied, works fine
- Added GPOs 1 by 1. Issues manifest when a GPO references our DFS Share
For example, we have a GPO to copy a .ico file (<1KB) from the DFS share to the users desktop, this causes "Applying Shortcut Policies" to hang for more than 500seconds every time. Changing the path of that file to point locally on the server means the entire log on process takes <8seconds.
DFS has no issues in event viewer, the BPA shows a couple of replication issues, but nothing major.
AD & DNS both pass their BPA
Premissions on user directories are all fine (i.e. recreated & inherited)
User roaming & local profiles have been completely blown away
AV disabled on DFS, DCs & these RDS servers
Really struggling where to turn to next at the minute, and this is totally killing us with users waiting 1hr + to get logged into our VDI (RDS) estate..
Anyone got any ideas :S
Thanks very much
Andy
ASKER
Did you exclude all Active Directory files from your AntiVirus?
AV (Sophos) is completely disabled - all services stopped & disabled. This is true across Domain Controllers, DFS servers, RDS servers
Did you do some tests directly from SYSVOL/NETLOGON?
No... what do you mean? Anything in particular I should be doing?
Thanks
AV needs to exclude certain files on the clients too like GPT.ini
No... what do you mean? Anything in particular I should be doing?I mean like copying file from DC to workstation to test the connection speed
As mentioned in your previous question roaming folders without folder redirection is going to be slow since the entire profile is loaded to the pc on login and then saved back on logoff.
Again I suggest using procmon or windows performance toolkit and analyse your boot and log in to look for items that take a long time and then optimize the long time items.
Again I suggest using procmon or windows performance toolkit and analyse your boot and log in to look for items that take a long time and then optimize the long time items.
ASKER
Ok, this issue randomly "disappeared". We don't know why and have not been able to recreate it.
@David Johnson
If we strip out all GPOs, speed is fine. If we add a single GPO that copies a shortcut (.lnk) file from a DFS share to the C:\ of the RDS server, login hangs for over 17mins every time (sometimes up to 44mins, quickest was 17mins). Remove the GPO and login is less than 5 seconds.
All AV removed, firewalls off, wireshark running and seeing traffic stop for minutes on end, then start again, attempted out of hours with users forcibly blocked from the system. Very strange
@David Johnson
If we strip out all GPOs, speed is fine. If we add a single GPO that copies a shortcut (.lnk) file from a DFS share to the C:\ of the RDS server, login hangs for over 17mins every time (sometimes up to 44mins, quickest was 17mins). Remove the GPO and login is less than 5 seconds.
All AV removed, firewalls off, wireshark running and seeing traffic stop for minutes on end, then start again, attempted out of hours with users forcibly blocked from the system. Very strange
ok then maybe change that one gpo's script to
cmd /c copy \\server\share\abc.lnk c:\
cmd /c copy \\server\share\abc.lnk c:\
ASKER
Cheers David, it was all GPOs referencing a DFS share. We have maybe 20 GPOs that reference DFS shares, adding each had a cumulative effect - 1x GPO = c.20mins to log in, 10x GPOs = c. 2-3hrs to log in.
Many thanks for the continued replies; after that weekend login times dropped right down to >30seconds again (i.e. acceptable). Given we can not reproduce this, we have documented it as a Known Error along with all troubleshooting attempts and diagnostics collected. Hopefully I won't need to, but will resurrect this thread should we encounter issues again
Thanks very much :)
Many thanks for the continued replies; after that weekend login times dropped right down to >30seconds again (i.e. acceptable). Given we can not reproduce this, we have documented it as a Known Error along with all troubleshooting attempts and diagnostics collected. Hopefully I won't need to, but will resurrect this thread should we encounter issues again
Thanks very much :)
This question needs an answer!
Become an EE member today
7 DAY FREE TRIALMembers can start a 7-Day Free trial then enjoy unlimited access to the platform.
View membership options
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Did you do some tests directly from SYSVOL/NETLOGON?