Re: Slow AD logon from remote offices .......


Sure, but did you do that during the trouble occurring?
2 minutes? Hmm... Is that outside the range you expected?

Have you had a look at GPO troubleshooting steps to ensure that you don't
have a GPO with a lot of data or something?

If the problem is not every time, I'd still want to look at it on the wire
AT THE TIME OF THE ISSUE. Not normal times.

So if you get long logon times once, then it runs a lot faster the next
logon (and does the same processing) then you'll want to have a look at the
wire during the trouble vs. any other time. You'll need to confirm that the
workstation is having the issue. You may want to capture network traffic
during that time for further analysis. You may also want to capture GPO
processing information during that time.

Al


"Mugen" <Mugen@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:085E574A-C50A-4AB9-B534-36B5DE7A2210@xxxxxxxxxxxxxxxx
Site configurations? Are you talking about Active Directory sites and
services? I did not change anything and just leave it as default. Since I
am running single domain and not placing any DCs in remote office.

I did tracert and ping test during business hour while users logging on to
AD domain. As you mentioned from previous post, if there are errors or
something prevents the traffic from reaching the DC Domain...... I should
not be able to logon to DC domain instead of just slow, but I am always
able to logon from remote office (UK and Canada) but just take 55 seconds
to 2 minutes to logon to DC Domain.

"Al Mulnick" wrote:

Something else to check then is the site configurations. Make sure they
are correct and that nothing is being logged in the event logs. Also, a
network trace during the slow logon might now be warranted as it sounds
like something is going on that prevents the traffic from reaching the dc
at some times. That statement about a PIX concerns me and raises all kinds
of warning flags. The first thing that comes to mind is to find out if you
have tried the network latency during a slow logon episode? What were the
results?
Have you verified that the PIX and other routers don't have any errors
going on during that episode? Have you verified that during the problem
episode, that your network devices are not overloaded (should show up in
the increased latency during the episode as well)?

If your site configuration and DNS configuration are correct and you
don't have any problems with GPO's (remove all GPO's to ensure this is the
case), and no third party applications are causing this, that pretty much
leaves the network. Checking the network during non-episode times and
getting 160ms is expected. But getting it during the time the episode
occurs, could be totally different. A network trace would also be
different and worth getting.

My thoughts,


Al


"Mugen" <Mugen@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:20DC0821-FB5A-44B4-BDC0-BF5EA76C3E85@xxxxxxxxxxxxxxxx
I have already checked with the network guy and UK office has 2 T1s line.
The latency ping response time is "160ms" to AD Domain and router
interface of US office side here. I think the latency is very reasonable
for a WAN link.
Also, I have the network to check that in the PIX/Router.... there is
nothing being blocked for netbios traffic or other traffic.

It does not look like network traffic causing the problem..............

"Al Mulnick" wrote:

You'll need to check with your network folks for more detailed information
regarding the latency and available bandwidth. In the meantime, some
rudimentary checks would be to ping the Ca server and see what the latency
is and how consistently you get information back. Same for the routers.
That may give you a good idea if it's a network issue or if it's a server
issue.

Check with your networking team though, and get that information as well
as error logs. You'll be glad you checked with them.

Al


"Mugen" <Mugen@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ABD42069-131C-41B2-9B11-91EBB9D4E810@xxxxxxxxxxxxxxxx
UK >>>>>> US here is 2 T1 Link and Canada >>>>>>> US here is Frame Relay
(768kbps). What can I do to get latency metrics for the long?

There is NO GPO setup in this Domain

The UK member server seems doing everything fine after slow login
successfully. Able to browse all the domain group/user and able to add to
local group.
But the Canada server always to be very slow because of a lot of download
and upload during office hour. Also, I just try do add a Domain group to
local group in Canada server but I got an error message "The RPC server is
unavailable", I was able to browse each Domain group and user but not able
to add them into local group.

Thanks.

"Al Mulnick" wrote:

Something you have yet to mention is what the links are and how saturated
they are?
Can you give us an idea of the available network bandwidth and the latency
metrics for those links at logon?

Slow logon? There are many things that can cause this and name resolution
is certainly at the top of the list. Lots of GPO's and GPO settings such
as "Wait for computer logon to network" (that type) can also impact
perceived performance. Based on what you've said so far, it's not possible
to tell if this is the case or not.

Do you need a server in each site? Can't tell from the information you've
posted. Maybe. But there are all kinds of considerations for that type of
DC placement decision. Let's see the answers to the network questions
first and bring up the DC placement after that.

Al



"Mugen" <Mugen@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:773B5E6D-9FAC-463F-809C-4B54A3823530@xxxxxxxxxxxxxxxx
We are running Unix for DNS server (For Internet and internal hosts
resolution). As I said in the beginning, I setup a Windows 2003 DNS for
SRV record only and every member servers has Unix DNS and Windows DNS in
DNS entries as well as WINS entries.

What do I need to do to filter on the domain name in WINS? I tried filter
the domain name (xxx.com) "xxx" in WINS server but it gave me a private
address "10.10.10.1" and I also tried filter the Netbios domain name and
returned with Type (1Bh) Domain Master Browser.

It is a Single Domain/Single Forest. The problem is domain logon delay
from remote offices (UK/Canada).

"Popeye32" wrote:

I may have mis-read your reply - but it appears you did a lookup on a
single box.

Just to confirm - you did a lookup of the domain name (FQDN) and you got a
full list of all the DC's IP's back? And in Wins, when you filter on the
domain name you see all the Wins records for that domain? (would look
different than a single server would in wins)

Also to clarify something - are these all in a single domain / single
forest? I see reference to UK/Canada but the concern was about the Domain
logon delay, not access to other member servers in either country.


"Mugen" wrote:

I did nslookup in the UK/Canada member server and resolved the name and ip
correctly. I checked the WINS database (located in US here) and found
UK/Canada member servers records.
Again, The DCs/DNS/WINS are located in US office. I was wondering is
UK/Canada member servers needs to cross the WAN link for Domain login
every time or it cached it in local server instead crossing WAN link
every time?

Anyone else could help?

"Popeye32" wrote:

nslookup domain.whatever.com
Example nslookup us.microsoft.com if you were on a member machine of the
us.microsoft.com domain (not saying there is such a domain ) )

Look in your Wins Database and filter for WINS records for the domain
(again with us.microsoft.com example)
Should see several type of records in wins and see the same results in
both US and UK side assuming they are all using same wins and DNS servers
and DNS suffix list.


"Mugen" wrote:

Hi,

I will remove the host and lmhosts file to test.
How can I do FQDN lookup as you mentioned? Also, Is anything to do because
of no DC server place in remote offices?


"Popeye32" wrote:

Should be able to remove the hosts and lmhosts files if using same DNS and
wins servers, that may make matters worse and a best practice to not use
them anyway. (lends itself to typo's - but also if the FSMO roles are
moved around - you may have to change them on the machines you put local
files on.)

I would verify that both the US side machines and the UK machines get the
same list of server records when a lookup of the FQDN is done. I would
also verify that both see the same 3-4 wins records for the domain (1ch,
1bh, etc...)

From there I would load something like Ethereal and monitor the traffic in
and out of a sample machine in the UK when the machine is attempting
logon. Should see it try and open the ports. Could there be firewall
issues between the two countries? Sniffer trace would see the denies if
there was.

"Mugen" wrote:

Yes, They have the same DNS and WINS settings as other machines in US
office here. Machines in remote offices are Windows 2K, Windows 2K3 and
XP.
Also, I manually entered domain name and IP address in Host and lmhosts
file.




"Popeye32" wrote:

Have you verified you have the correct DNS suffix and WINS settings on
your systems? It sounds like it is having problems finding the domain. If
these are win2k3 and XP machines and still having issues, I would focus on
your DNS settings to ensure they match the same used in the US side.

"Mugen" wrote:

Hi,

We have a single domain here running Windows 2K3 AD. The corporate office
is in US here running 2 DCs and also have Windows 2K3 Wins server setup
for Netbios resolution and Windows 2K3 DNS server for SRV record only (We
are
