none
GPO network issue

    Question

  • I have an issue where Citrix servers will take 30 mins to process GPOs and login if the 2008 domain controller that holds the PDC role is inaccessible. I've identified that its a particular GPO that is being applied to the Citrix servers that causes this issue. If that GPO is removed the servers login fine even when the PDC is inaccessible.

    The domain controller in question holds all the FSMO roles and all our site configurations are correct, with correct subnets, etc

    What I can't figure out is why this would be the case. Can anyone give me a clue as to why a particular GPO is being accessed or is depending the PDC and not the local site DC?


    Wednesday, July 27, 2016 5:32 PM

Answers

  • The issue ended up requiring a hotfix, for reference here is the KB article

    https://support.microsoft.com/en-us/kb/2937429

    • Marked as answer by bradley4681 Tuesday, August 16, 2016 3:16 PM
    Tuesday, August 16, 2016 3:16 PM

All replies

  • Hi,

    Thanks for your post.

    Did you configure the Allow processing across a slow network connection for GPO?

    Group Policy is implemented almost entirely as a series of client-side extensions, such as security, administrative templates, and folder redirection. There is a computer policy that allows configuring slow-link behavior for each client-side extension. You can use these policy settings to specify the behavior of client-side extensions when processing Group Policy. There is a maximum of three options for each policy setting. The Allow processing across a slow network connection policy option controls processing policy settings across slow links. The other two options can be used to specify that policy should not be processed in the background, or that policy be updated and reapplied even if policy settings have not changed. For more information about policy for client-side extensions, see "Specifying Group Policy for Slow Link Detection" earlier in this chapter.

    Some extensions move large amounts of data, so processing across a slow link can affect performance. By default, only the administrative templates and security-related settings are processed over a slow link.

    For more information, you could refer to the article below.

    Specifying Group Policy for Slow Link Detection

    https://technet.microsoft.com/en-us/library/cc781031(v=ws.10).aspx

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, July 28, 2016 6:58 AM
    Moderator
  • I understand that but there are domain controllers local to the site that the Citrix servers are in and the DC in question is in a different site both physically and in AD. I'm trying to figure out why this one particular GPO will cause the servers to take 30 mins or more when a certain domain controller is unreachable.

    Why is this GPO depending on a particular domain controller? If a site has local domain controllers and they are up, shouldn't servers still process policies without issues? The policies exist on the local sysvol and are in sync and replication is working correctly.

    There is nothing in the GPO that points directly to the domain controller in question either.

    Just to add more info, we discovered that is we remove the drive mappings under the user prefs from the GPO, the citrix servers will login normally even when the domain controller in question is down. I still don't understand what the drive mappings have to do with the domain controller holding the FSMO and PDC roles. Its not mapping drives to the DC.
    • Edited by bradley4681 Thursday, July 28, 2016 1:39 PM
    Thursday, July 28, 2016 12:52 PM
  • Hi,

    The article below may be helpful to you to find the problem.

    Root Causes for Slow Boots and Logons

    http://social.technet.microsoft.com/wiki/contents/articles/10130.root-causes-for-slow-boots-and-logons-sbsl.aspx

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Jay GuModerator Sunday, August 07, 2016 11:12 AM
    • Marked as answer by Jay GuModerator Monday, August 08, 2016 9:27 AM
    • Unmarked as answer by bradley4681 Monday, August 08, 2016 12:15 PM
    Friday, July 29, 2016 8:00 AM
    Moderator
  • > me a clue as to why a particular GPO is being accessed or is depending
    > the PDC and not the local site DC?
     
    Check for startup scripts in this particular GPO...
     
    • Proposed as answer by Jay GuModerator Sunday, August 07, 2016 11:12 AM
    • Marked as answer by Jay GuModerator Monday, August 08, 2016 9:27 AM
    • Unmarked as answer by bradley4681 Monday, August 08, 2016 12:15 PM
    Monday, August 01, 2016 2:21 PM
  • There are no startup scripts and after further testing its not the drive mapping portion of the GPO.

    We determined something else very weird. If you disable the computer portion of the GPO and then make the domain controller in question unavailable, the Citrix machines will still login normally. So for testing we enabled the user portion and disabled the computer portion, this also allows the citrix servers to login normally when the domain controller is unavailable. We split the computer and user portions into 2 separate GPOs to test and when they are both enabled and the domain controller is unavailable, the citrix servers hang on login for several minutes as originally described.

    This makes absolutely no sense...

     

    Monday, August 08, 2016 12:19 PM
  • > controller is unavailable, the citrix servers hang on login for several
    > minutes as originally described.
     
    will tell you which part of GPO processing takes what amount of time.
    Best "quick analysis" tool for GPO timing issues I've ever seen :)
     
    Monday, August 08, 2016 2:37 PM
  • The issue ended up requiring a hotfix, for reference here is the KB article

    https://support.microsoft.com/en-us/kb/2937429

    • Marked as answer by bradley4681 Tuesday, August 16, 2016 3:16 PM
    Tuesday, August 16, 2016 3:16 PM