So we have a branch office that is connected via 10Mb fiber to the main office. Logging on to a Windows 7 (Pro, 32-bit) domain PC is very slow. The first time it takes up to 7 minutes. After that, it takes ~2 minutes to log in and ~3-5 minutes to log out.
I checked everything I could and saw nothing special:
- DNS settings
- Tracert to domain
- There are no extreme loads on the server during log in/out
- Downloading a file from the server to the local computer does not show low speeds (1.2MB/s) (or is that too slow?)
- Updated network driver
- GPO settings such as:
  - wait for network at startup and logon
  - use a clean GPO (with no roaming profiles options set)
  - set max wait time
  - only allow local user profiles
- disabled Offline files on the roaming profile share
- disabled IPv6 on local PC
- disabled firewall on local PC
- disabled indexing services on local PC
- the computer does have a wallpaper (see http://support.microsoft.com/kb/977346)
The event log shows warnings with event ID 6005 and 6006:
The winlogon notification subscriber took 284 second(s) to handle the notification event (Logon)
So I did a boot logging as mentioned here and it showed a lot of NotifyChangeDirectory operations that took a long time.
I've run out of options. Is there anything else that might fix this?
Update
I think the problem is more bandwidth related. Copying a 100MB file from the server to the client takes about 3 minutes. Copying from a Win 7 client in the main office to the client in the branch office takes 1.5 minutes. So there are most likely some performance issues with the Win2003 server.
Update 1 year later
I've now disabled roaming profiles for these users. This has given a huge speed boost. This works for us since users have their own workstation.
Assuming that you don't have the branch office subnet associated with the main office "site" in Active Directory Sites & Services....
If the above statement is true, your problem is that your branch office PCs are on a different subnet than the DC you are expecting them to authenticate to. Your branch office PCs are going to spend time looking for a DC in their own subnet before failing and using the one in the Main office subnet.
To resolve this, you could associate the branch office subnet with the main office "site" that contains the DC you expect them to authenticate to.
Or you could add a DC at the branch office (on the branch office subnet). If not already set up, add a new site in ADS&S for the branch office and associate the branch office subnet with this site.
Create a subnet:
- Open Active Directory Sites and Services.
- In the console tree, right-click Subnets, and then click New Subnet.
- In Address, type the subnet address.
- In Mask, type the subnet mask that describes the range of addresses included in this subnet.
- Under Select a site object for this subnet, click the site to associate with this subnet (main site), and then click OK.
You must be in the domain admin group to do this.
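A way to audit the subnet-to-site association this answer relies on, as an added example that is not part of the original answer. The subnet definitions, site names, client names and addresses are constructed, and the script assumes the most specific matching subnet decides the site.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: subnet objects as they might be defined in
# Active Directory Sites and Services (CIDR -> site name).
SUBNETS = {
    "10.0.0.0/16": "MainOffice",
    "10.0.20.0/24": "MainOffice-Servers",
}

# Constructed sample clients (name -> IPv4 address).
CLIENTS = {
    "HQ-PC01": "10.0.5.17",
    "HQ-SRV01": "10.0.20.10",
    "BR-PC01": "192.168.50.21",
    "BR-PC02": "192.168.50.22",
}


def site_for(address, subnets):
    """Return the site of the most specific subnet containing address, or None."""
    ip = ipaddress.ip_address(address)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)  # rejects CIDRs with host bits set
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def audit(clients, subnets, suggest_prefix=24):
    """Map each client to a site; group unmapped clients by a candidate subnet."""
    mapped, missing = {}, defaultdict(list)
    for name, address in sorted(clients.items()):
        site = site_for(address, subnets)
        if site is not None:
            mapped[name] = site
        else:
            # No subnet object covers this client: propose one to create.
            net = ipaddress.ip_network(f"{address}/{suggest_prefix}", strict=False)
            missing[str(net)].append(name)
    return mapped, dict(missing)


if __name__ == "__main__":
    for result in audit(CLIENTS, SUBNETS):
        print(result)
```

Every key in the second dictionary is a subnet that would need a subnet object associated with a site before those clients resolve to one.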
A network packet capture at the client would probably help here. It would show you the total amount of data transferred during logon, and for sysvol/gpo operations, you could determine if the client is spending an unusual amount of time on a specific gpo(s).
After installing Microsoft Network Monitor 3.4, save the following to a cmd file, and run it as a scheduled task at system startup. That will create a capture file that you can analyze after the logon has completed.
Here are some registry settings that you can test on the client workstation to determine if they help:
More information:
319440 - Logon delays occur over a slow connection if opportunistic locking is not granted for the policy file in Windows
http://support.microsoft.com/kb/319440
http://blogs.technet.com/b/mrsnrub/archive/2009/09/03/windows-server-2003-x86-tuning-for-performance-based-on-role.aspx
Microsoft Network Monitor 3.4 Open Source Windows Parsers 3.4.2654
http://nmparsers.codeplex.com/
After downloading and installing the Windows Parsers, in Network Monitor, under Tools > Options > Parser Profiles, select Windows, and click Set As Active.
When viewing the capture, in the Frame Summary window, the SMB/SMB2 protocol packets will display the UNC path to the location where the Group Policies are being read. You can further refine the display by applying a filter such as
SMB2 && tcp.DstPort == 445
(or SMB if SMB2 is not being used). This should provide a fairly concise display of the GPO processing.
Take a look at this blog from Sysinternals: http://blogs.technet.com/b/markrussinovich/archive/2012/07/02/3506849.aspx It has detailed info on how to debug slow logons.