AD - Slow Login Issues

    Question

  • Hi,

    We are facing slow login issues over Active Directory in one of the branch offices, as the users face delays of up to 30 minutes in logging in from the secondary DC.

    Topology as below

    Head Office (Primary DC) > MPLS > Branch Office (Secondary DC) > End User

    As soon as the user disconnects the wired/wireless connectivity of their machine, the user is logged in to the network, but is unable to log in using the connectivity options (wired/wireless).

    Is there any way to check the root cause of the issue?

    Thanks

    Tuesday, July 10, 2018 7:25 AM

All replies

  • Hello,

    What you can check first is AD subnet configuration.

    Is it possible for you to tell us which subnet configuration you have for the Branch Office in Active Directory Sites and Services?

    Which network address (DHCP) do you use in this Branch Office?

    Best Regards,

    Tuesday, July 10, 2018 8:40 AM
  • Validate all necessary events on your location DC. Once logged in to any client machine, check the logon server using "SET L"; if it is pointing to a different location's DC, then you need to check the AD subnet and topology. Sometimes this might be caused by a bad DNS configuration.

    And make sure the location DC is updated with the latest patches.

    Tuesday, July 10, 2018 9:31 AM
  • Hello,

    What you can check first is AD subnet configuration.

    Is it possible for you to tell us which subnet configuration you have for the Branch Office in Active Directory Sites and Services?

    Which network address (DHCP) do you use in this Branch Office?

    Best Regards,

    Hi Dokoh,

    AD Subnet configuration as below

    172.16.0.0/16 is used at Head Office

    Rest both are used at Branch Office

    AD 

    Tuesday, July 10, 2018 12:07 PM
  • OK, can you try nltest /dsgetdc:contoso.com on one of your slow computers in the Branch Office and send us the result?

    Best Regards,

    Tuesday, July 10, 2018 12:38 PM
  • Hi Dokoh,

           

       DC: \\ADC.domain.pk
          Address: \\172.17.10.2
         Dom Guid: 3a39b9bd-f037-463a-9993-81042ce33e37
         Dom Name: domain.pk
      Forest Name: domain.pk
     Dc Site Name: LHR
    Our Site Name: LHR
            Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL_SECRET WS
    The command completed successfully

    ----

    C:\Windows\system32>SET L
    LOCALAPPDATA=C:\Users\userID\AppData\Local
    LOGONSERVER=\\PDC

    PDC is located at Head Office

    ADC is located at Branch Office


    • Edited by srguy Wednesday, July 11, 2018 10:24 AM
    Wednesday, July 11, 2018 9:05 AM
  • // C:\Windows\system32>SET L
    LOCALAPPDATA=C:\Users\userID\AppData\Local
    LOGONSERVER=\\PDC

    PDC is located at Head Office

    ADC is located at Branch Office//

    So users are getting authenticated through the PDC; that is the reason it is taking a long time to log in each location user. What is the primary DNS of the branch user?

    Check whether you have configured the site and services and topology properly.


    • Edited by Partha1012 Wednesday, July 11, 2018 9:21 AM
    Wednesday, July 11, 2018 9:11 AM
  • Did you run the nltest command when you were connected to wired or wireless?

    If possible, run it on both and send us the output of ipconfig on both too.

    Best Regards,

    Wednesday, July 11, 2018 11:35 AM
  • Did you run the nltest command when you were connected to wired or wireless?

    If possible, run it on both and send us the output of ipconfig on both too.

    Best Regards,

    Wireless

               DC: \\ADC.domain.pk
          Address: \\172.17.10.2
         Dom Guid: 3a39b9bd-f037-463a-9993-81042ce33e37
         Dom Name: domain.pk
      Forest Name: domain.pk
     Dc Site Name: LHR
    Our Site Name: LHR
            Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL_SECRET WS
    The command completed successfully

    Wired

               DC: \\ADC.domain.pk
          Address: \\172.17.10.2
         Dom Guid: 3a39b9bd-f037-463a-9993-81042ce33e37
         Dom Name: domain.pk
      Forest Name: domain.pk
     Dc Site Name: LHR
    Our Site Name: LHR
            Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL_SECRET WS
    The command completed successfully

    IPConfig using Wireless

    C:\Users\ali.zeeshan>IPconfig /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : ALIZEESHAN
       Primary Dns Suffix  . . . . . . . : domain.pk
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : domain.pk

    Ethernet adapter Local Area Connection 10:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Fortinet SSL VPN Virtual Ethernet Adapter

       Physical Address. . . . . . . . . : 00-09-0F-AA-00-01
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Wireless LAN adapter Wireless Network Connection 8:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter #
    5
       Physical Address. . . . . . . . . : 00-21-6B-26-30-A5
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes

    Wireless LAN adapter Wireless Network Connection 7:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter #
    4
       Physical Address. . . . . . . . . : 00-21-6B-26-30-A5
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes

    Wireless LAN adapter Wireless Network Connection 6:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) WiFi Link 5100 AGN #2
       Physical Address. . . . . . . . . : 00-21-6B-26-30-A4
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 172.17.1.101(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 172.17.1.1
       DNS Servers . . . . . . . . . . . : 172.17.10.2
                                           172.16.0.2
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Ethernet adapter Local Area Connection 6:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethernet #2

       Physical Address. . . . . . . . . : 00-22-64-72-01-05
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Teredo Tunneling Pseudo-Interface:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter isatap.{3D532F34-B264-41F8-ACE4-C4AE5A1EC083}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes


    IPConfig from Wired

    C:\Users\ali.zeeshan>IPconfig /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : ALIZEESHAN
       Primary Dns Suffix  . . . . . . . : domain.pk
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : domain.pk

    Ethernet adapter Local Area Connection 10:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Fortinet SSL VPN Virtual Ethernet Adapter

       Physical Address. . . . . . . . . : 00-09-0F-AA-00-01
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Wireless LAN adapter Wireless Network Connection 8:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter #
    5
       Physical Address. . . . . . . . . : 00-21-6B-26-30-A5
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes

    Wireless LAN adapter Wireless Network Connection 7:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter #
    4
       Physical Address. . . . . . . . . : 00-21-6B-26-30-A5
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes

    Wireless LAN adapter Wireless Network Connection 6:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) WiFi Link 5100 AGN #2
       Physical Address. . . . . . . . . : 00-21-6B-26-30-A4
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Ethernet adapter Local Area Connection 6:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethernet #2

       Physical Address. . . . . . . . . : 00-22-64-72-01-05
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 172.17.1.211(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 172.17.1.1
       DNS Servers . . . . . . . . . . . : 172.17.10.2
                                           172.16.0.2
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter isatap.{50296FDF-8A7C-4ECD-89BB-9D00CF0B6412}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Teredo Tunneling Pseudo-Interface:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter isatap.{3D532F34-B264-41F8-ACE4-C4AE5A1EC083}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    C:\Users\ali.zeeshan>

    • Edited by srguy Wednesday, July 11, 2018 12:30 PM
    Wednesday, July 11, 2018 12:18 PM
  • Hi, Primary DNS is the secondary DC
    Wednesday, July 11, 2018 12:32 PM
  • Regarding the configuration everything seems to be OK.

    Can you run this command : nltest /dsgetsite

    Correct me if I'm wrong, but your users experience the issue when they disconnect from the wireless/wired network and not during the first logon?

    Best Regards,

    Wednesday, July 11, 2018 1:20 PM
  • No, the user is facing issues at the time of first logon, mostly during the start of the day.

    After that it is resolved by disconnecting Wireless/Wired.

    nltest /dsgetsite

    LHR
    The command completed successfully

    which is showing the correct output

    • Edited by srguy Wednesday, July 11, 2018 1:31 PM
    Wednesday, July 11, 2018 1:24 PM
  • Hello,

    Can you check which values you have in these 2 registry entries:

    • DynamicSiteName
    • SiteName

    https://blogs.technet.microsoft.com/arnaud_jumelet/2010/07/11/domain-controller-locator-in-depth/

    Best Regards,

    Thursday, July 12, 2018 7:46 AM
  • Hi,

    SiteName entry is not available in registry

    Thursday, July 12, 2018 10:32 AM
  • OK, so the last point we can check is what you have on the DNS servers. Can you try this on one of your faulty clients:

    • Nslookup
    • Set type=srv
    • _ldap._tcp.lhr._sites.contoso.com

    Send us an output

    Best Regards,

    Thursday, July 12, 2018 11:49 AM
  • Hi,

    >nslookup
    Default Server:  UnKnown
    Address:  172.17.10.2

    > Set type=srv
    *** Can't find address for server type=srv: Non-existent domain
    > _ldap._tcp.lhr._sites.domain.pk
    Server:  UnKnown
    Address:  172.17.10.2

    Name:    _ldap._tcp.lhr._sites.domain.pk

    Thursday, July 12, 2018 12:38 PM
  • As I mentioned in the very first message, it seems to be a DNS issue from the location DC.

     - Make sure a PTR record has been created for the location DC

     - Validate all the DNS servers listed in NS

     - Check for any DNS port blocking or routing issue

    Thursday, July 12, 2018 1:15 PM
  • Type set type=srv instead of Set type=srv

    And retry the rest

    Best Regards,

    Thursday, July 12, 2018 1:23 PM
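
The client-side checks requested in the replies above (SET L, nltest /dsgetdc, nltest /dsgetsite, the DynamicSiteName and SiteName registry values, and the site SRV lookup) collected into one script. This is an added example, not part of any reply in the thread; the report property names are made up for the example, and it assumes a domain-joined client with a domain user logged on.

```powershell
# Added example, not from the thread. Run on an affected domain-joined client.
$domain      = $env:USERDNSDOMAIN                      # domain.pk in this thread
$logonServer = $env:LOGONSERVER -replace '^\\\\', ''    # the value "SET L" shows

# DC and site names reported by the DC locator ("nltest /dsgetdc:<domain>").
$located = @{}
foreach ($line in (nltest "/dsgetdc:$domain" 2>&1)) {
    if ("$line" -match '^\s*(DC|Dc Site Name|Our Site Name):\s*(\S+)') {
        $located[$Matches[1]] = $Matches[2] -replace '^\\\\', ''
    }
}

# Site the client places itself in ("nltest /dsgetsite"); the first output line is the site.
$site = "$(nltest /dsgetsite 2>&1 | Select-Object -First 1)".Trim()

# Netlogon registry values: DynamicSiteName is discovered by the client,
# SiteName is a manual override and is normally absent.
$nl = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Site-specific LDAP SRV records. The record type is passed as an nslookup option,
# so it cannot be misread as a host name to resolve.
$srvName    = '_ldap._tcp.{0}._sites.{1}' -f $site, $domain
$srvTargets = @()
foreach ($line in (nslookup '-type=srv' $srvName 2>&1)) {
    if ("$line" -match 'svr hostname\s*=\s*(\S+)') { $srvTargets += $Matches[1] }
}

# LOGONSERVER is set at logon and holds a short name, so compare it with the
# first label of the DC the locator returns now.
$locatedShort = ($located['DC'] -split '\.')[0]

New-Object PSObject -Property @{
    LogonServer        = $logonServer
    LocatedDC          = $located['DC']
    DcSite             = $located['Dc Site Name']
    ClientSite         = $located['Our Site Name']
    DsGetSite          = $site
    DynamicSiteName    = $nl.DynamicSiteName
    SiteName           = $nl.SiteName
    SrvQuery           = $srvName
    SrvTargets         = ($srvTargets -join ', ')
    LogonServerDiffers = ($locatedShort -ne $logonServer)
} | Format-List LogonServer, LocatedDC, DcSite, ClientSite, DsGetSite,
                DynamicSiteName, SiteName, SrvQuery, SrvTargets, LogonServerDiffers
```

With the values posted earlier in the thread, LogonServer would be PDC and LocatedDC would be ADC.domain.pk, so LogonServerDiffers would be True.
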
  • Hi Dokoh,

    It's giving the same output on nslookup

    Friday, July 13, 2018 6:11 AM
  • Hello,

    Are you sure about that? Because in the first one it is trying to resolve type=srv.

    Have a look below :

    Best Regards,

    Friday, July 13, 2018 8:59 AM
  • Hi,

    Thrice attempted around 10 mins for getting Login after restart & 5 to 8 mins after logoff and then login

    Friday, July 13, 2018 1:22 PM
  • OK, so your DNS server and SRV configuration seem to be OK.

    Our last hope is to use a network trace using netsh; below is an article on how to do it:

    https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/

    Note: If possible, send the output using OneDrive.

    Best Regards,

    Friday, July 13, 2018 3:03 PM
  • Hi,

    Please find below link

    https://1drv.ms/f/s!AmfFZ6z8rN2ogRB6MrHXzVyJd5Z-

    Tuesday, July 17, 2018 7:23 AM