- Tue, Dec 10 2019 at 1:30 pm #1554002
I am seeking some help from you and your experience. I need to point out that I haven’t done the configuration, I am just facing what’s been there for years now.
Issue: Computer is really slow to authenticate – could be up to 15 minutes before login.
I know, it is really vague. So far, we’ve done some tweaking here and there, nothing works.
I decided to look through DNS and Active Directory. The machine that is really slow to authenticate has a different Computer name than its DNS name on Active Directory Object. From there, I opened up DNS and I saw lots and lots of objects with different names tagged to the same IP Address – different time stamps.
From my understanding, it should not affect the authentication since it is properly seen by the object. Am I wrong?
- Tue, Dec 10 2019 at 6:52 pm #1554005 Michael Pietroforte, Keymaster, Member Points: 32,919, Rank: 4
When you say computer authentication is slow, what exactly do you experience? From your description it seems that it takes 15 minutes until the login prompt appears?
DNS issues usually prevent authentication but rarely cause such long delays.
What you could try is logon as local admin on that machine, remove the computer from AD, reboot and then add the machine again.
If that doesn’t help I would search for error messages in the event log.
- Tue, Dec 10 2019 at 10:13 pm #1554006 Leos Marek, Moderator, Member Points: 23,212, Rank: 4
Please provide more details. Do you mean it takes 15 minutes from entering your credentials till you get the desktop? What is shown on the screen in the meantime?
- Wed, Dec 11 2019 at 4:37 am #1554023
Thanks for the answers.
I will ask the users for more detail today. It is something that was reported to me yesterday with not much more info. From my understanding, it takes several minutes for the login to proceed when they have entered their credentials.
I will also go through the event logs when they will attempt to login – to see from the AD perspective.
My first thought was what you pointed out, Michael; I will give it a go too. Hence why I wanted to make sure that DNS name and Computer name could cause an issue.
- Wed, Dec 11 2019 at 12:31 pm #1554024 Andres Corredor, Participant, Member Points: 27, Rank: 1
Hi Steven, when you say “The machine that is really slow to authenticate has a different Computer name than its DNS name on Active Directory Object”, what do you mean exactly?
Indeed, DNS and AD, especially Sites and Services, will be 2 good places to start looking. Please provide more details.
Also take a look at the DC you are authenticating with; if you have several sites you must review if you are pointing to a remote DC via Sites and Services.
Best regards, Andres.
- Thu, Dec 12 2019 at 4:48 am #1554047 Paolo Maffezzoli, Participant, Member Points: 66,245, Rank: 4
I had similar problems a while ago with some Windows 7 clients who were waiting to log on for a long time. The solution was to change the registry entry “Set maximum network waiting time if a user has a roaming user profile or a remote home directory” to 0 seconds.
I found a similar solution for Windows 10 and Windows Server 2016: Set maximum wait time for the network if a user has a roaming user profile or remote home directory
- Fri, Dec 13 2019 at 12:59 pm #1554073
Thanks Paolo for the suggestion. I think that’s the very next thing I will try.
I prevent startup programs and small stuff here and there. We will see. Maybe the user is too sensitive to ‘slowness’.
- Sun, Dec 22 2019 at 2:16 am #1554155 PowerMe!, Participant, Member Points: 1,217, Rank: 3
Some time back I was trying to understand AD logon with the help of Wireshark packet captures. The way I did the lab was as follows.
- net stop netlogon
- Run Wireshark
- net start netlogon
The following course of events happens.
1. Host reads the IPConfig and finds out the DNS suffix (e.g., MyDomain.local). It queries the DNS server for that domain.
2. In particular, it searches for an SRV record in the DNS-query: _ldap._tcp.dc._msdcs.MyDomain.local
3. The DNS server sends a list of DCs in the domain. In this lab, I have three AD sites, which are listed in the “Answers”.
4. The host sends LDAP request to a DC from the list. The DC will determine which site the host is in based on the IP subnet. If the host is from a different site, it will advise the host about the nearest DC.
Once the host is in communication with the DC, actual authentication and Kerberos ticket granting happens.
Troubleshooting “Slowness” in Authentication:
1. Process is happening to individuals:
- I would check the logonserver (PowerShell $env:logonserver)
- I would Pathping/Traceroute the DNS and DC to see if there is a network issue.
- I would clear the logon cache:
  net stop netlogon
  nltest /dsgetdc:MyDomain.local /force
  net start netlogon
2. Process happening to all hosts in a domain:
- echo %logonserver% to see if the hosts are authenticating to the DCs in the local network
- I’d check the network connectivity
- If multi-site, I would check the subnet definitions in the ADSites.
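The locator sequence and the per-host checks from the post above, as an added PowerShell example that is not part of the original thread. It times each stage on the slow client so the delay can be attributed to DNS, to an unreachable DC, or to site selection. Assumptions: the helper name Test-Port and the 3-second timeout are made up for this sketch, and a TCP connect to ports 389 and 88 stands in for the LDAP request and Kerberos exchange the post describes.

```powershell
# Added example: time each stage of the DC locator sequence on the slow client.
# Assumption: the client's AD DNS domain is what Win32_ComputerSystem reports.
$domain  = (Get-CimInstance Win32_ComputerSystem).Domain
$srvName = "_ldap._tcp.dc._msdcs.$domain"

# Stage 1: the SRV query. A slow or empty answer points at the client's DNS servers.
$sw  = [System.Diagnostics.Stopwatch]::StartNew()
$srv = @(Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'SRV' })
$sw.Stop()
"SRV lookup for {0}: {1} record(s) in {2} ms" -f $srvName, $srv.Count, $sw.ElapsedMilliseconds

# Stage 2: TCP reachability of LDAP (389) and Kerberos (88) on every DC returned.
# A DC that times out here costs the client time whenever the locator picks it.
# Test-Port is a hypothetical helper defined for this example only.
function Test-Port([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    $timer  = [System.Diagnostics.Stopwatch]::StartNew()
    try     { $open = $client.ConnectAsync($HostName, $Port).Wait($TimeoutMs) }
    catch   { $open = $false }   # refused, unreachable, or name not resolvable
    finally { $client.Close() }
    [pscustomobject]@{
        DC   = $HostName
        Port = $Port
        Open = $open
        Ms   = $timer.ElapsedMilliseconds
    }
}

$srv | ForEach-Object { $_.NameTarget } | Sort-Object -Unique | ForEach-Object {
    Test-Port $_ 389
    Test-Port $_ 88
} | Format-Table -AutoSize

# Stage 3: the site the client believes it is in, the DC the locator returns,
# and the DC that actually served the current session.
nltest /dsgetsite
nltest "/dsgetdc:$domain"
"LOGONSERVER for this session: $env:LOGONSERVER"
```

If the DC in LOGONSERVER sits in a different site than the one nltest /dsgetsite reports, the subnet-to-site mapping in AD Sites and Services is the next thing to check.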
- Mon, Dec 23 2019 at 8:57 am #1554169