Slow Network Logon

  • Thread starter Thread starter Anthony
  • Start date Start date
A

Anthony

Hello. I hope someone can help with the issues I have.
Im having problems with machines taking up to 20 minutes to logon to the
network, this does not affect all machines just random ones.(most machines)
We have used a network sniffer to look at the traffic from the client
machines and for some reason the client authenticates fine with the local
domain controller, and know which site it is in, but then goes off talking
to
other domain controllers around the world in other sites. Im not sure if
this
is when it is trying to pull down the group policy, does anyone know why
this
would happen?
Also if I ping my domain name the reply changes every so often, and its
always from a DC in another country site, if we add a host entry for the
local DC to the domain name it fixes the issues on some machines.
Also on almost all machine I get the error in the event log "The Security
System could not establish a secured connection with the server
DNS/blah.blah.blah.com. No authentication protocol was available."
What does this mean?

I know that's all a bit random so any help would be appreciated.

Thanks
 
Anthony said:
Hello. I hope someone can help with the issues I have.
Im having problems with machines taking up to 20 minutes to logon to the
network, this does not affect all machines just random ones.(most
machines)
Click to expand...

Usually such problems are DNS related but taking "20 minutes" they would
usually just fail to authenticate (and logon) completely.
We have used a network sniffer to look at the traffic from the client
machines and for some reason the client authenticates fine with the local
domain controller, and know which site it is in, but then goes off talking
to
other domain controllers around the world in other sites. Im not sure if
this
is when it is trying to pull down the group policy, does anyone know why
this
would happen?
Click to expand...

Are you Sites specifically defined in AD Sites and Services? Are all DCs
located in the correct Site (in Sites and Services)?

Does every DC pass a full "dcdiag" with NO "FAIL" or "WARN" messages?

Do both the clients and servers (esp. DCs) use ONLY the INTERNAL
DNS which can resolve the DCs etc?
Also if I ping my domain name the reply changes every so often, and its
always from a DC in another country site, if we add a host entry for the
local DC to the domain name it fixes the issues on some machines.
Click to expand...

It sounds likely that you have not correctly defined your Sites, Subnets,
and/or located the DCs in the correct Sites.
 
Hi, thanks for the quick response.
In response to your comments:

1)Usually such problems are DNS related but taking "20 minutes" they would
usually just fail to authenticate (and logon) completely.

The machines always authenticate with the correct DC.

2)Are you Sites specifically defined in AD Sites and Services? Are all DCs
located in the correct Site (in Sites and Services)?

Yes, all UK DCs are listed in the UK sites and services

3)Does every DC pass a full "dcdiag" with NO "FAIL" or "WARN" messages?

BTINET Fails, im not sure what this is? that is the only test that does not
pass.

4)Do both the clients and servers (esp. DCs) use ONLY the INTERNAL
DNS which can resolve the DCs etc?

Yes confirmed, the clients pick up the DNS from DHCP.

5)It sounds likely that you have not correctly defined your Sites, Subnets,
and/or located the DCs in the correct Sites.
Point noted, the problem I have is a lot of this is managed in india, and
the staff dont really have a clue, im looking to give them some pointers to
check. I also suspect there is an issue with sites&subnets. But the local
client seems to pick all the correct info. Maybe something else is going on
in the backround? Could it be down to the group policy not coming from the
local site DC perhaps?


thanks again for your reply
 
The last time we saw this the poster had added the country extension to the
domain controller name as in:

myserver.com.au

instead of myserver.local or myserver.lan

Made quite a mess, and only one of our AU MVP's could figure it out.

Please post the results of the following command:

ipconfig /all > c:\iptest.txt

from both the server and a workstation. Please tell us which is which, and
there is no need to change anything if you really want assistance with this,
but you could add some random characters to the server/domain name if you
are worried about bots or zombies picking it up.

as in M*I*C*R*0*S*TdotC*O*M
 
I will check that tomorrow

One other thing I should point out is once I enter the login details the
machine usually sits at "applying computer settings" or "Applying network
settings" for ages (thats where the delay is)

thanks
 
Was I 'the AU MVP' that picked up on that error?

The basic premise is that the OP did a silly thing, named his AD in relation
to his public DNS name space. There is no reason, and some good reasons not,
to do so. If the installation is new and not yet fully committed to I'd
start with 'format C:' and rectify the error by putting the server into its
own namespace. If the install has been committed to I would discuss the pros
and cons with the owner and _most probably_ 'format C:' but maybe 'work
around' the problem.

BTW: This is not an 'SBS' thing, it is 'pure AD + DNS'. There is _no reason_
for your AD DNS name to reflect public records and anyone who wants to argue
this point should 1st consider that I have had this argument with the
highest levels of MS AD design. The argument was not 'conclusive' in that
'we agreed to disagree' on a couple of things which can be done under either
model, naturally working in one and easily worked around in the other.

The problem occurs because people approach it a$$backwards. They ask
themselves 'Why should I create a new DNS domain when I have one which
already exists publicly', the question they should be asking is 'I am
implementing a DNS zone for my own personal use, is there any reason why
this should in any way relate to public records'. The answer is almost
always 'NO'.

The problem won't exist in Cougar. SBS Dev have recognised the need to
address this and without special effort it will be impossible to name your
AD in relation to public DNS. People wishing to do so will _have to_ edit a
file in order to allow it. SBS Dev are smarter than MS Dev.
 
That be you.

I remember because I was floundering not knowing what the strange looking
domain name meant

Don't think I remember the resolution though. FandR (Flatten and Reinstall)
comes to mind.

--
Larry

Please post the resolution to
your issue so that all can benefit.
 
FandR should only happen if it's convenient to fix this _basic error_.
Workarounds work (umm, around the issue).
 
Read inline please.

In
Anthony said:
Hello. I hope someone can help with the issues I have.
Im having problems with machines taking up to 20 minutes to logon to
the network, this does not affect all machines just random ones.(most
machines) We have used a network sniffer to look at the traffic from
the client machines and for some reason the client authenticates fine
with the local domain controller, and know which site it is in, but
then goes off talking to
other domain controllers around the world in other sites. Im not sure
if this
is when it is trying to pull down the group policy, does anyone know
why this
would happen?
Also if I ping my domain name the reply changes every so often, and
its always from a DC in another country site, if we add a host entry
for the local DC to the domain name it fixes the issues on some
machines.
Also on almost all machine I get the error in the event log "The
Security System could not establish a secured connection with the
server DNS/blah.blah.blah.com. No authentication protocol was
available."
What does this mean?
Click to expand...

Is blah.blah.blah.com your internal domain name?
If not, it probably means you are using some external DNS in TCP/IP
properties and the machine is trying to register its addresses in it.
It could also mean that the time is out of sync with the server.





--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps

===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
 
Do you have correct subnet associated with each site in dssite.msc?
On a problematic client machine, run "set l" after it took 20 mins plus time
to logon, and post the result back. Thanks
 
Back
Top