http://blogs.technet.com/guarddog/archive/2006/06/08/434188.aspx
Nothing beats coming into the office on a Monday morning and finding out
that one of your VPs is complaining about how long it takes to get
logged into his desktop. They usually won’t even give you a chance to
grab some coffee. Let’s talk about how we can get this resolved as
quickly as possible.
The first thing to find out is… what is slow? 30 seconds? 30 minutes?
How fast was it before? A lot of this is perception, but for the
purposes of our discussion we’ll say it’s 15 minutes.
The next thing to find out is if the same user can log on fast on
another machine – this immediately narrows down whether we need to be
concerned about this computer or the user’s account. If the user has a
Roaming Profile configured it may simply be slow due to an enormous
amount of ‘My Documents’ data moving down from a file server (especially
if you have a Group Policy configured to delete local profiles at logoff).
If it’s only slow on this machine, take a look at the machine’s network
settings using IPCONFIG /ALL. Is he pointed to your local DNS servers
<http://support.microsoft.com/kb/304285/en-us>, or has he been pointed
to an ISP (don’t laugh, this happens all the time!)? When the client
cannot reach your domain’s DNS SRV records, Kerberos is going to spend a
lot of time trying to work before it gives up and uses NTLM
authentication to get logged in.
If DNS looks good, it gets more complicated. At that point you are going
to want to take a look at some of the built-in logs, as well as
configure some additional data collection mechanisms:
* Check the System event log – seeing a lot of W32Time errors? If
  time is out of sync by more than 5 minutes Kerberos will be
  failing
  <http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx>.
  Correcting the computer’s time to match the DC’s may fix it. Then
  you’d want to figure out what went wrong with time that kept it
  from staying in sync.
* Additionally in the System event log, you may see NETLOGON errors
  regarding RPC timed out, failed, was cancelled, or could not
  connect. Make sure the client is patched with KB913446
  <http://www.microsoft.com/downloads/details.aspx?familyid=7BB21D74-C37B-472B-BB10-71D4680680A7&displaylang=en>
  (the DCs too!).
* Enable UserEnv Debug Logging
  <http://support.microsoft.com/kb/221833/en-us>, then have the user
  attempt to log on again. There is more information on understanding
  its output here
  <http://technet2.microsoft.com/WindowsServer/en/Library/ccd7b430-99a5-40fd-b68a-6c1979e565a21033.mspx?mfr=true>.
  The most important parts here to be aware of are:
    o Is it slow at applying group policy and fast everywhere
      else? It could be a network problem between client and DC
      that makes SMB traffic very pokey. There should be
      indicators here, such as very slow gaps between each policy
      processing line. It could also be that an errant filter
      driver from your antivirus software is slowing things down
      (although that is very likely to be affecting more than one
      user).
    o Is everything fast, then when you see USERINIT.EXE loading
      nothing happens for a very long time before EXPLORER starts?
      It’s likely to be a slow logon script – you can enable
      GPTEXT logging
      <http://support.microsoft.com/kb/812535/en-us> as well as
      examine what scripts this user has been assigned to see if
      there’s an issue there.
    o Is all of the above fast, then EXPLORER is just very slow to
      start? Try booting the machine into Safe Mode with
      networking – if it logs right in, there’s some application
      or service set to start automatically which is interfering
      with the shell starting up. Booting back into normal mode
      and using MSCONFIG <http://support.microsoft.com/kb/310560/>
      to examine those apps/services and narrow it down should
      give you your answer.
* Finally, getting a network trace (if you are comfortable with
  reading them) can yield a lot of interesting data, especially if
  you’re now sure it’s not an application slowing the logon. Netmon
  Lite is included with the OS, but many people find that there are
  excellent free versions on the internet.
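
The gap check described in the UserEnv bullet above, as an added example
that is not part of the original post: it scans userenv.log text for long
pauses between consecutive lines. The line layout in the regex, the
30-second threshold and the sample log are assumptions constructed for
illustration.

```python
import re
from datetime import timedelta

# Assumed line layout: USERENV(pid.tid) HH:MM:SS:mmm Function: message
LINE_RE = re.compile(
    r"^USERENV\([0-9a-fA-F]+\.[0-9a-fA-F]+\)\s+"
    r"(\d{2}):(\d{2}):(\d{2}):(\d{3})\s+(.*)$"
)

# Constructed sample (not from a real machine); it crosses midnight on purpose.
SAMPLE_LOG = """\
USERENV(2a4.2a8) 23:58:50:120 LoadUserProfile: Entering
USERENV(2a4.2a8) 23:58:51:300 LoadUserProfile: Leaving with a value of 1
USERENV(2a4.2d0) 23:58:51:450 ProcessGPOs: Starting user Group Policy processing
USERENV(2a4.2d0) 23:58:52:010 ProcessGPO: Searching for policy objects
USERENV(2a4.2d0) 00:05:40:010 ProcessGPO: Found policy object
USERENV(2a4.2d0) 00:05:40:500 ProcessGPOs: User Group Policy has been applied
USERENV(2a4.2a8) 00:06:25:500 LoadUserProfile: Starting the shell
"""

def find_gaps(log_text, threshold=timedelta(seconds=30)):
    """Return (gap, line_before, line_after) tuples, largest gap first."""
    gaps, prev = [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # continuation text or a line from another component
        h, mi, s, ms = (int(m.group(i)) for i in range(1, 5))
        now = timedelta(hours=h, minutes=mi, seconds=s, milliseconds=ms)
        if prev is not None:
            delta = now - prev[0]
            if delta < timedelta(0):
                delta += timedelta(days=1)  # no date in the log: assume midnight rollover
            if delta >= threshold:
                gaps.append((delta, prev[1], m.group(5)))
        prev = (now, m.group(5))
    return sorted(gaps, key=lambda g: g[0], reverse=True)

if __name__ == "__main__":
    for gap, before, after in find_gaps(SAMPLE_LOG):
        print(f"{gap} stalled after: {before}\n        resumed at: {after}")
```

The line printed before each gap is the step that stalled, which tells
you whether to look at policy processing, the logon script or the shell.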
Those are the basics. Feel free to share your own scenarios you’ve run
into here and other things you’ve done to troubleshoot the infamous slow
logon.
Ned Pyle