I've been trying to diagnose slow logins to my domain. One of my first stops was Domain login very slow 10+ minutes.
So far I've been able to tell it has to do with my policy that applies folder redirection and administratively assigns offline files. Enabling this policy reliably adds from 30 - 90 seconds to the login.
This happens even on profiles that only have 20 megabytes in the redirected folders.
I went through a number of articles including suggestions of using procmon to see if a hangup is occurring. I did find and fix a few second hangup on an old scheduled task, but nothing near explaining this long of a lag.
I also looked at a couple of the active installer suggestions - such as the mail app.
What else can / should I check out before I break out Wireshark?
Edit for the questions:
- This is occurring every log on. Software settings / etc persist as they should. There are no temporary, mandatory, etc profiles in the mix.
- I see activity via procmon, but nothing that indicates a gap. No gaps event times, no processes with extended duration.
- I previously turned up the verbosity on the file redirection logs. Based on the folder redirection operational logs it takes under 1 second for the policy to process (event 1000 to event 1001)
- The group policy operational log shows a couple of my more complex policies clocking in at about 1 second each.
I tracked down the culprit. The same group policy that applied the folder redirection / offline files also took care of drive mappings.
We had set up a mapped drive that only was supposed to map to certain people, and then only from specific workstations. The server in question started using IPsec a while ago. Instead of the mapping failing silently it was taking 30 seconds to time out each time someone tried to map it, longer if the user had recently tried accessing a resource on that server.
Adding a improved conditional logic to my gpp targeting fixed it - 3 seconds to log in instead of 90.
Hopefully this will help someone else in the same boat.