Re: Slow AD logon from remote offices .......
- From: "Al Mulnick" <amulnick_No_SPAM@xxxxxxxxxxx>
- Date: Tue, 7 Mar 2006 22:11:46 -0500
Something else to check then is the site configurations. Make sure they are
correct and that nothing is being logged in the event logs. Also, a network
trace during the slow logon might now be warranted as it sounds like
something is going on that prevents the traffic from reaching the dc at some
times. That statement about a PIX concerns me and raises all kinds of
warning flags. The first thing that comes to mind is to find out if you
have tried the network latency during a slow logon episode? What were the
results?
Have you verified that the PIX and other routers don't have any errors going
on during that episode? Have you verified that during the problem episode,
that your network devices are not overloaded (should show up in the
increased latency during the episode as well)?
If your site configuration and DNS configuration are correct and you don't
have any problems with GPO's (remove all GPO's to ensure this is the case),
and no third party applications are causing this, that pretty much leaves
the network. Checking the network during non-episode times and getting 160ms
is expected. But getting it during the time the episode occurs, could be
totally different. A network trace would also be different and worth
getting.
My thoughts,
Al
"Mugen" <Mugen@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:20DC0821-FB5A-44B4-BDC0-BF5EA76C3E85@xxxxxxxxxxxxxxxx
I have already checked with the network guy and UK office has 2 T1 lines.
The latency ping response time is "160ms" to AD Domain and router interface
of US office side here. I think the latency is very reasonable for a WAN
link.
Also, I have the network to check that in the PIX/Router.... there is
nothing being blocked for netbios traffic or other traffic.
It does not look like network traffic causing the problem..............
"Al Mulnick" wrote:
You'll need to check with your network folks for more detailed information
regarding the latency and available bandwidth. In the meantime, some
rudimentary checks would be to ping the Ca server and see what the latency
is and how consistently you get information back. Same for the routers.
That may give you a good idea if it's a network issue or if it's a server
issue.
Check with your networking team though, and get that information as well as
error logs. You'll be glad you checked with them.
Al
"Mugen" <Mugen@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ABD42069-131C-41B2-9B11-91EBB9D4E810@xxxxxxxxxxxxxxxx
UK >>>>>> US here is 2 T1 Link and Canada >>>>>>> US here is Frame Relay
(768kbps). What can I do to get latency metrics for the long?
There is NO GPO setup in this Domain
The UK member server seems doing everything fine after slow login
successfully. Able to browse all the domain group/user and able to add to
local group.
But the Canada server always to be very slow because of a lot of download
and upload during office hour. Also, I just try do add a Domain group to
local group in Canada server but I got an error message "The RPC server is
unavailable", I was able to browse each Domain group and user but not able
to add them into local group.
Thanks.
"Al Mulnick" wrote:
Something you have yet to mention is what the links are and how saturated
they are?
Can you give us an idea of the available network bandwidth and the latency
metrics for those links at logon?
Slow logon? There are many things that can cause this and name resolution
is certainly at the top of the list. Lots of GPO's and GPO settings such as
"Wait for computer logon to network" (that type) can also impact perceived
performance. Based on what you've said so far, it's not possible to tell if
this is the case or not.
Do you need a server in each site? Can't tell from the information you've
posted. Maybe. But there are all kinds of considerations for that type of
DC placement decision. Let's see the answers to the network questions first
and bring up the DC placement after that.
Al
"Mugen" <Mugen@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:773B5E6D-9FAC-463F-809C-4B54A3823530@xxxxxxxxxxxxxxxx
We are running Unix for DNS server (For Internet and internal hosts
resolution). As I said in the beginning, I setup a Windows 2003 DNS for SRV
record only and every member servers has Unix DNS and Windows DNS in DNS
entries as well as WINS entries.
What do I need to do to filter on the domain name in WINS? I tried filter
the domain name (xxx.com) "xxx" in WINS server but it gave me a private
address "10.10.10.1" and I also tried filter the Netbios domain name and
returned with Type (1Bh) Domain Master Browser.
It is a Single Domain/Single Forest. The problem is domain logon delay from
remote offices (UK/Canada).
"Popeye32" wrote:
I may have mis-read your reply - but it appears you did a lookup on a
single box.
Just to confirm - you did a lookup of the domain name (FQDN) and you got a
full list of all the DC's IP's back? And in Wins, when you filter on the
domain name you see all the Wins records for that domain? (would look
different than a single server would in wins)
Also to clarify something - are these all in a single domain / single
forest? I see reference to UK/Canada but the concern was about the Domain
logon delay, not access to other member servers in either country.
"Mugen" wrote:
I did nslookup in the UK/Canada member server and resolved the name and ip
correctly. I checked the WINS database (located in US here) and found
UK/Canada member servers records.
Again, The DCs/DNS/WINS are located in US office. I was wondering is
UK/Canada member servers needs to cross the WAN link for Domain login every
time or it cached it in local server instead crossing WAN link every time?
Anyone else could help?
"Popeye32" wrote:
nslookup domain.whatever.com
Example nslookup us.microsoft.com if you were on a member machine of the
us.microsoft.com domain (not saying there is such a domain)
Look in your Wins Database and filter for WINS records for the domain
(again with us.microsoft.com example)
Should see several type of records in wins and see the same results in both
US and UK side assuming they are all using same wins and DNS servers and DNS
suffix list.
"Mugen" wrote:
Hi,
I will remove the hosts and lmhosts file to test.
How can I do FQDN lookup as you mentioned? Also, Is anything to do because
of no DC server place in remote offices?
"Popeye32" wrote:
Should be able to remove the hosts and lmhosts files if using same DNS and
wins servers, that may make matters worse and a best practice to not use
them anyway. (lends itself to typo's - but also if the FSMO roles are moved
around - you may have to change them on the machines you put local files
on.)
I would verify that both the US side machines and the UK machines get the
same list of server records when a lookup of the FQDN is done. I would also
verify that both see the same 3-4 wins records for the domain (1ch, 1bh,
etc...)
From there I would load something like Ethereal and monitor the traffic in
and out of a sample machine in the UK when the machine is attempting logon.
Should see it try and open the ports. Could there be firewall issues between
the two countries? Sniffer trace would see the denies if there was.
"Mugen" wrote:
Yes, They have the same DNS and WINS settings as other machines in US office
here. Machines in remote offices are Windows 2K, Windows 2K3 and XP.
Also, I manually entered domain name and IP address in Host and lmhosts
file.
"Popeye32" wrote:
Have you verified you have the correct DNS suffix and WINS settings on your
systems? It sounds like it is having problems finding the domain. If these
are win2k3 and XP machines and still having issues, I would focus on your
DNS settings to ensure they match the same used in the US side.
"Mugen" wrote:
Hi,
We have a single domain here running Windows 2K3 AD. The corporate office is
in US here running 2 DCs and also have Windows 2K3 Wins server setup for
Netbios resolution and Windows 2K3 DNS server for SRV record only (We are
not doing DNS Dynamic update). In our remote office in UK and Canada, I just
have some Windows 2000 and Windows 2003 server to join our single AD domain.
The remote offices (UK and Canada) don't have any DC, Wins or DNS server
setup. Here is the problem, when any one of these servers in remote offices
try to logon to the Domain, it takes from 55 seconds to 3 minutes to logon.
It stays in the screen of "Apply your personal settings....."
Can someone help me out what can we do to speed up the logon process.
Because everything is working fine after logon successfully. Do we need to
place a DC in each remote office to fix this problem? Or Wins and DNS Or
could be other problems? And also, if we need to do that. What kind of
setting we need to change in the server like Replication timing, router
setting for broadcast traffic etc?
Thanks.
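
An added example, not part of the original thread: a Python sketch of the check suggested in the replies above, timing TCP connects from a remote member server to the DC's logon ports so that a slow-logon episode can be compared with the 160 ms baseline. The host passed to `sample`, the `factor` threshold and the sample data are assumptions made for illustration.

```python
import socket
import statistics
import time

# Ports a member server must reach on a DC to log on (well-known assignments).
LOGON_PORTS = {88: "Kerberos", 135: "RPC endpoint mapper", 389: "LDAP", 445: "SMB"}

def probe(host, port, timeout=3.0):
    """Return the TCP connect time in ms, or None if the connect fails or times out."""
    start = time.perf_counter()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return (time.perf_counter() - start) * 1000.0
    except OSError:
        return None

def sample(host, rounds=10, pause=1.0):
    """Probe every logon port `rounds` times; returns {port: [ms or None, ...]}."""
    results = {port: [] for port in LOGON_PORTS}
    for _ in range(rounds):
        for port in LOGON_PORTS:
            results[port].append(probe(host, port))
        time.sleep(pause)
    return results

def findings(results, baseline_ms, factor=3.0):
    """Flag ports with failed connects or a median above factor x baseline."""
    out = []
    for port, times in sorted(results.items()):
        ok = [t for t in times if t is not None]
        failed = len(times) - len(ok)
        median = statistics.median(ok) if ok else None
        if failed or (median is not None and median > factor * baseline_ms):
            out.append((port, LOGON_PORTS.get(port, "?"), failed, median))
    return out

# Constructed sample data (not from the thread): an episode in which the RPC
# endpoint mapper is intermittently unreachable and LDAP is slow.
CONSTRUCTED_EPISODE = {
    88: [162.0, 158.0, 171.0],
    135: [165.0, None, None],
    389: [910.0, 1240.0, 880.0],
    445: [160.0, 166.0, 159.0],
}

if __name__ == "__main__":
    for port, name, failed, median in findings(CONSTRUCTED_EPISODE, baseline_ms=160.0):
        print(f"port {port} ({name}): {failed} failed, median {median} ms")
```

Run `sample` against a DC once outside an episode and once while a logon is hanging, then pass each result to `findings` with the quiet-time latency as `baseline_ms`.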