This topic is resolved

Share
Viewing 8 reply threads
  • Author
    Posts
    • #1554002
      Steven
      Participant
      Post count: 21
      Member Points: 653
      Rank: Level 2

      Hello Folks,

      I am seeking some help from you and your experience. I need to point out that I haven’t done the configuration, I am just facing what’s been there fore years now.

      Issue: Computer is really slow to authenticate – could be up to 15 minutes before login.

      I know, it is really vague. So far, we’ve done some tweeking here and there, nothing works.

      I decided to look through DNS and Active Directory. The machine that is really slow to authenticate has a different Computer name than its DNS name on Active Directory Object. From there, I opened up DNS and I saw lots and lots of object with different names tag to the same IP Address – different time stamp.

      From my understanding, it should not affect the authentication since it is properly seen by the object. Am I wrong ?

      Cheers,
      Steven

      0
    • #1554005
      Michael Pietroforte
      Keymaster
      Post count: 1852
      Member Points: 23,714
      Author of the year 2018
      Rank: Level 4

      When you say computer authentication is slow,  what exactly do you experience? From your description it seems that it takes 15 minutes until the login prompt appears?

      DNS issues usually prevent authentication but rarely cause such long delays.

      What you could try is logon as local admin on that machine, remove the computer from AD, reboot and then add the machine again.

      If that doesn’t help I would search for error messages in the event log.

      1+

      Users who have liked this topic:

      • avatar
    • #1554006
      Leos Marek
      Moderator
      Post count: 133
      Member Points: 6,405
      Rank: Level 3

      Hi Steven,

      please provide more details. Do you mean it takes 15 minutes from entering your credentials till you get the desktop? What is shown on the screen in the meantime.

      L

      0
    • #1554023
      Steven
      Participant
      Post count: 21
      Member Points: 653
      Rank: Level 2

      Hello folks,

      Thanks for the answers.

      I will ask the users more detail today. It is something that has been reported to me yesterday with no much more info. From my understanding, it takes several minutes for the login to proceed when they have entered their credentials.

      I will also go through the event logs when they will attempt to login – to see from the AD perspective.

       

      My first thought was what you pointed Michael, I will give it a go too. Hence why I wanted to make sure that DNS name and Computer name could cause issue.

       

      Cheers,

      Steven

      0
    • #1554024
      Andres Corredor
      Participant
      Post count: 1
      Member Points: 25
      Rank: Level 1

      Hi Steven, when you say “The machine that is really slow to authenticate has a different Computer name than its DNS name on Active Directory Object” , what do you mean exactly ?

      Indeed DNS and AD , Specially Sites and Services will be 2 good places to start looking for. Please provide more details

      Also take a look at the DC you are authenticating with , if you have several sites you must review if you are pointing to a remote DC via Sites and Services.

      Best regards, Andres.

      0
    • #1554047
      Paolo Maffezzoli
      Participant
      Post count: 398
      Member Points: 38,045
      4sysops member of the year 2018Member of the Year 2019
      Rank: Level 4

      I had similar problems a while ago with some Windows 7 clients who were waiting to logon for a long time. The solution was change the registry entry “Set maximum network waiting time if a user has a roaming user profile or a remote home directory” to 0 seconds.

      I found a similar solution for Windows 10 and Windows Server 2016 :  Set maximum wait time for the network if a user has a roaming user profile or remote home directory

       

      2+

      Users who have liked this topic:

      • avatar
    • #1554073
      Steven
      Participant
      Post count: 21
      Member Points: 653
      Rank: Level 2

      Hello,

       

      Thanks Paolo for the suggestion. I think that the very next thing I will try.

       

      I prevent startup programs and small stuff here and there. We will see. Maybe the user is to sensitive to ‘slowness’.

       

      Cheers,

      Steven

      0
    • #1554155
      PowerMe!
      Participant
      Post count: 24
      Member Points: 1,157
      Rank: Level 3

      Some time back I was trying to understand AD logon with the help of Wireshark  packet captures. The way I did the lab was as follows.

      1. Run Wireshark

      The following course of events happen.

      1. Host reads the IPConfig and finds out the DNS suffix (e.g., MyDomain.local). It queries the DNS server for that domain.

      2. In particular, it searches for an SRV record in the DNS-query: _ldap._tcp.dc._msdcs.MyDomain.local

      3. The DNS server sends a list of DCs in the domain. In this lab, I have three AD sites, which are listed in the “Answers”.

      4. The host sends LDAP request to a DC from the list. The DC will determine which site the host is in based on the IP subnet. If the host is from a different site, it will advise the host about the nearest DC.

      Once the host in communication with the DC, actual authentication and Kerberos  ticket granting happens.

      Troubleshooting “Slowness” in Authentication:

      1. Process is happening to individuals:

      • 2. I would check the logonserver  (PowerShell $env:logonserver):
      • 3. I would Pathping/Traceroute the DNS and DC to see if there is a network issue.
      • 4. I would Clear the logon cache

      2. Process happening to all hosts in a domain:

      • echo %logonserver% to see if the hosts are authenticating to the DCs in the local network
      • I’d check the network connectivity
      • If multi site, I would check the subset definitions in the ADSites.
      1+

      Users who have liked this topic:

      • avatar
    • #1554169
      Steven
      Participant
      Post count: 21
      Member Points: 653
      Rank: Level 2

      Thanks a lot for sharing your train of thought on this issue and how you would tackle it. It does help to have other point of view.

      1+

      Users who have liked this topic:

      • avatar
Viewing 8 reply threads
  • You must be logged in to reply to this topic.
© 4sysops 2006 - 2020

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account