Slow login with Active Directory
Posted: 3/24/2004 11:04:41 AM
By: Comfortably Anonymous
Times Read: 3,811
0 Dislikes: 0
Topic: Windows Administration
Finally converted the network here to Active Directory. Have been running an NT4 domain here since the last millennium. :)

Ran into an issue after the conversion: logging into every machine, even the Active Directory server, was taking a lot longer than it used to with the NT4 domain logins. I did some searching, and found a solution that required changes on all the client (server or workstation) machines logging into AD.

Do the following steps on each machine with a slow login problem, starting with the AD server:

1. Open Control Panel|Administrative Tools|Services
2. Stop the Windows Management Instrumentation (WMI) service. (It needs to be stopped to allow deleting the files in the following steps)
3. Open the directory C:\Windows\System32\wbem\repository
4. Delete all files in this directory. (Make a backup if you're worried about this step)
5. Reboot the machine.

When the machine comes back up, logins should be much quicker!

Enjoy!
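The five steps above as one script (an added example, not from the post), including the backup the post suggests before the repository is wiped. It assumes it is run from an elevated PowerShell session on the affected machine; the backup folder name is my own choice.

```powershell
# Added example: automates the WMI repository reset described in the post.
# Run as Administrator; the machine is rebooted at the end (with a prompt).
$repo   = Join-Path $env:SystemRoot 'System32\wbem\repository'
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $env:SystemRoot "System32\wbem\repository.bak-$stamp"   # assumed name

if (-not (Test-Path $repo)) { throw "WMI repository not found at $repo" }

# Step 2: WMI must be stopped before its files can be deleted. -Force also
# stops the services that depend on winmgmt and would otherwise hold the files open.
Stop-Service -Name winmgmt -Force
(Get-Service -Name winmgmt).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

# Step 4 (backup): keep a full copy so the repository can be restored if needed.
Copy-Item -Path $repo -Destination $backup -Recurse
Write-Host "Repository backed up to $backup"

# Step 4: delete everything under the repository directory; WMI rebuilds it on next start.
Get-ChildItem -Path $repo -Force | Remove-Item -Recurse -Force

# Step 5: reboot so WMI and its dependent services come back with a fresh repository.
Restart-Computer -Confirm
```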

Slow login with Active Directory
I had a domain controller go down, thought everything would be handled by the other domain controller, but logins became very slow again. From doing more research, I found that there are these things called Operations Master Roles on both Win2K and Win2K3 servers.

There are five roles that can be distributed among multiple domain controllers, but the role stays assigned to a single machine and is NOT automatically moved to another machine when the machine with the role assignment goes offline (Either from being shut down, or from a crash).

The five roles are:

1) Infrastructure Owner: The infrastructure master for a given domain maintains a list of the security principals for any linked-value attributes.

2) PDC Owner: Emulates an NT4-style Primary Domain Controller

3) RID Owner: The RID master allocates RID pools to all domain controllers to ensure that new security principals can be created with a unique identifier.

4) Domain Owner: Adds and removes domains and application partitions to and from the forest. (There is one Domain Owner for each 'Forest' in an Active Directory structure, so if you have more than one forest, you will have more than one of these, but only one for each forest.)

5) Schema Owner: Governs all changes to the schema. (The Schema Owner role is another 'one per forest' role, so the same concept applies as for a Domain Owner, as far as how many Schema Owner roles you will have.)

Note that the ONLY time these roles are automatically moved to another server is when you demote a domain controller. So, if you plan to take a domain controller offline permanently, and the machine is in a working state, then just demote it before shutting it off. This will avoid any problems with Operations Master Roles.

However, in the case that you lose a server and cannot properly demote it ahead of time, you can do something called "seizing" the Operations Master Role. Note that once you do this, very bad things will happen if you ever somehow return the lost server to the network with its roles in place: a major battle will occur between the new Operations Master server and the old one that insists that it is the Operations Master.

For info on actually doing the 'seizing', check out the following TechNet article:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/8a378df1-50b5-4a79-986c-364ce6e0cb07.mspx

Another thing that comes in very handy (and what I used to determine that all my Operations Master Roles were still assigned to the downed server) is a tool from NetIQ called ADCheck.
One of the functions of ADCheck is "Show Ops Masters", which will return the machine name assigned for each of the five roles. This comes in very handy in determining which machine each of these roles is assigned to. Definitely run this first to see if there is a problem with your role assignments; it also comes in very handy for gathering information before toying with the role assignments. On mine (since I have a small network with only two domain controllers), it showed that all five roles were assigned to the downed server. Moving the roles to the functional server made logins nice and snappy again. Before then, there was apparently some timeout waiting for the down server to respond before trying some backup login method. (Sorry, no info on how the backup method works.)

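An added example (not the ADCheck tool the post describes, and not part of the post) that does the same "Show Ops Masters" check with built-in cmdlets and also reports whether each role holder still answers, so a role stranded on a downed domain controller is visible before it slows logins. It assumes the ActiveDirectory PowerShell module (RSAT or a Windows Server 2008 R2 or later DC), which did not exist for the Win2K/Win2K3 servers in the post; the function name is my own.

```powershell
# Added example: list the five Operations Master (FSMO) role holders and check
# each holder with an ICMP ping and an LDAP query. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-FsmoRoleStatus {
    $domain = Get-ADDomain
    $forest = Get-ADForest

    # Three roles are per domain, two are per forest (the post's "one per forest" roles).
    $roles = [ordered]@{
        'Infrastructure Master' = $domain.InfrastructureMaster
        'PDC Emulator'          = $domain.PDCEmulator
        'RID Master'            = $domain.RIDMaster
        'Domain Naming Master'  = $forest.DomainNamingMaster
        'Schema Master'         = $forest.SchemaMaster
    }

    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]

        # Roles do not fail over, so a holder that no longer answers means the
        # role must be transferred (if the DC can still be demoted) or seized.
        $pingOk = Test-Connection -ComputerName $holder -Count 1 -Quiet
        try {
            $null = Get-ADDomainController -Server $holder -ErrorAction Stop
            $ldapOk = $true
        } catch {
            $ldapOk = $false
        }

        [pscustomobject]@{
            Role      = $role
            Holder    = $holder
            PingOk    = $pingOk
            LdapOk    = $ldapOk
        }
    }
}

# Any row with LdapOk = False is a role assignment that needs attention.
Get-FsmoRoleStatus | Format-Table -AutoSize
```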

Slow login with Active Directory
We just installed Active Directory in our small business office and we have a couple of problems. First, login was painfully slow; this problem seems to be fixed now that I have followed Klom Dark's suggestion. The other problem is that AD seems to drop users' credentials once they have been logged on for a prolonged period. After an hour or more of use, if a user tries to access other directories or printers on the network, they get a message asking for username and password, but upon entering them an error message appears saying the user is already logged in (or something to that effect). Has anyone encountered this problem and know of a solution?

Slow login with Active Directory
OK, after three years I finally found the 'missing piece' to this puzzle!

Even after doing the above things, my logins were still slower than I had wished. There were delays at the 'Applying your personal settings' part of the login.

Turned out I was running into something that only smaller setups like my home network (Or small business networks) would encounter: Although in the old Windows NT days you could do everything with only one primary domain controller, in the modern Active Directory days you MUST have two domain controllers. Turns out that you can run everything but one piece, the Group Policy Object role, on a single server. The Group Policy management role HAS to be on a second domain controller. Not sure why, but after doing three years of research, I found that out.

Add a second Active Directory domain controller, assign it the GPO role, and your logins will be snappy.