Diagnosing slow active directory logins

login active-directory diagnostic

I'm having a hard time diagnosing intermittent slow logins on domain PCs.

A bit of information about the network that has this problem:

  • My domain spans 5 sites, all with VPN connections.
  • DCs are a mixture of 2003, 2008 and 2012. Domain functional level is 2003.
  • Clients are mostly Windows 7 x64.
  • We use group policies, including ones that use WMI, group preference item level targeting, and GPP printer deployment.
  • We do not use roaming profiles.

For the most part, logins work fine and quickly for people who have used the machine before. The first login to a new computer is always slow, but that's expected.

The problem seems to be mostly with laptops. If they are used at home with a non-domain network connection, or moved to a different location (still on a domain network, but different AD site, and doesn't seem to matter wired or wireless) logins can take as long as 3 minutes from the time the user enters their password, until the time it actually starts showing the desktop. Our terminal server also intermittently experiences slow logins.

Unfortunately, its an intermittent issue, and I haven't found any reliable way to reproduce it. My suspicion is that it has to do with the group policy preferences, but I don't really have any proof of that. I have seen a microsoft KB article blaming certain types of item level targeting for slow logins, but it doesn't give any guidance to determining if that is actually the cause.

What logs and tools can I use to figure out what is causing the slow logins?

What group policy settings should I use or avoid if possible to speed up logins?


Basically, I'm heading in the same direction as joeqwerty

I have experienced the symptoms you are describing at a few companies. In my experience, it usually happens when there is more than one site. One way to troubleshoot a potential issue with sites and services is the following. On a computer which just experienced a slow logon, go to command prompt, type echo %logonserver% If the response is not a server in the same site as the laptop or workstation, then my experience has been that subnets are not set up and assigned the correct site in active directory sites and services.

Another way to troubleshoot is to look at this log file on your domain controllers %SystemRoot%\debug\netlogon.log

If you see entries such as this, the specific subnet needs to be entered into sites and services and assigned a site.
05/16 22:57:31 [4068] AD: NO_CLIENT_SITE: specificserverhostname 172.16.10.104

Microsoft workstations and domain controllers have the ability to make certain that they go to the correct domain controllers for authentication and policies because of sites and services.

If this is the case and it leads to an adjustment of sites and services, please know that the replication of the changes to/from domain controllers can take some time. Also, it will take even more time for the endpoint workstations to see the new changes. The default replication time is set in sites and services for 1 hour between domain controllers. Depending on the distance in geography and size of your AD forest, I usually set it to 15 minutes or so.

Related

Nginx cache shared between multiple servers
How to investigate the cause of a 100% CPU event that lasted for hours?
Is there a way to get spamassassin to score the top lines of a message body more heavily?
Why is Windows 2012 R2 not trusting my self-signed certificate?
ESXcli command timeout at 30 minutes
What happens if I force ZFS to detach a hot spare with no valid replicas?
How does PHP5-FPM send errors to nginx?
HAProxy URL rewrite on 404 error
High load due to I/O wait in Ubuntu 12.04 on EC2 instance
Elasticsearch dies when Logstash attempts to write data
Samba: allow insecure wide links
Need to change system locale on Windows 2012 R2 from en-US to en-GB