When we see this issue (or slow logon) it is usually one of the following:

1. Subnet information not defined properly
2. Improperly configured clients
3. DNS snookered up and not returning the proper records, or not having them
4. DC not in the logical site people think

I almost never get past 1 or 2. 3 happens occasionally, especially since we
use QIP and don't have scavenging. 4 has happened once or twice in a few
years.

Those are all things that are fairly quickly checked. After that you jump
into Netmon and start watching packets flying around and see which ones
don't look right. Actually, I have a fun one right now where the network trace
is showing UDP packets being tossed out once they exceed size x, where x
is a number I don't remember over the weekend because I don't want to think
about it. :oP  This is a site in, I think, India, and I have tossed it to their
local network guys to figure out why the DC is sending out UDP packets of
size x and they aren't getting to the client (I traced both sides). The
initial response I received was that UDP is bad for this and shouldn't be
used. I sent that back saying I have some 200,000 users working fine with it
and it is just this site, try again. It is in the network hardware
somewhere; we had the same issue with a Cisco CSM tossing out larger UDP
packets that were fragmented previously, and that required firmware updates
on the device.

But I digress... (as usual). Basic troubleshooting: check configs; if
correct, then pull out the network trace software and look to see what is
happening that way. Much easier than theorizing most of the time.

  joe

 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Tuesday, February 03, 2004 1:33 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] logon server discovery

Thanks all for the excellent discussion of this. All of this was born out of
clients at a remote site not finding the local DC, which I assume was under
some sort of load causing it not to respond in a timely manner.

GT

----- Original Message -----
From: "GRILLENMEIER,GUIDO (HP-Germany,ex1)" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, February 03, 2004 8:33 AM
Subject: RE: [ActiveDir] logon server discovery


> Bob pointed out all there was to say to the original post, but some useful
> information to add in the whole DC-failover scenario is: how long does a DC
> itself wait before calculating additional connection objects, in case the
> original replication partner doesn't react and it needs to look for another
> partner?
>
> There are various settings that can be configured to adapt appropriately to a
> company's infrastructure, configured in the Registry of each DC:
>
> KCC site generator fail-over (minutes) => how long after the last ISTG update
> a DC will wait before nominating a new ISTG
>
> KCC site generator renewal interval (minutes) => how often the ISTG updates
> its role information (not used in W2K3 forest mode with the new ISTG algorithm)
>
> CriticalLinkFailuresAllowed => number of critical link failures the KCC will
> tolerate before recomputing the topology
>
> MaxFailureTimeForCriticalLink (sec) => time a critical link may be down
> before the KCC will recompute the topology
>
> NonCriticalLinkFailuresAllowed => number of non-critical link failures the
> KCC will tolerate before recomputing the topology
>
> MaxFailureTimeForNonCriticalLink (sec) => time a non-critical link may be
> down before the KCC will recompute the topology
>
> IntersiteFailuresAllowed => number of intersite link failures before the
> ISTG will recompute the intersite topology
>
> MaxFailureTimeForIntersiteLink (sec) => time an intersite link may be down
> before the ISTG will recompute the intersite topology
>
>
> I'm actually not sure which key these have to be configured in (I believe
> it's HKLM\Sys\CCS\Services\Netlogon\Parameters).
>
>
> /Guido
>
> -----Original Message-----
> From: Free, Bob [mailto:[EMAIL PROTECTED]
> Sent: Dienstag, 3. Februar 2004 08:36
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] logon server discovery
>
> joe <mailto:[EMAIL PROTECTED]> wrote:
> > No one seems to be jumping on this with any authoritative answers, I 
> > was hoping Guido or Dean would nail it as I was looking to learn 
> > something. :o)
>
> I'm hardly authoritative but what I've picked up on the subject :-)
>
> Blatantly plagiarized from Gil's awesome March 2003 Authentication 
> Topology paper-
> http://www.winnetmag.com/Articles/Index.cfm?ArticleID=37935 or 
> http://www.netpro.com/forum/files/Authentication_Topology.pdf
>
> The DNS service responds with a list of SRV records that correspond to 
> all the DCs in the client's domain. The client takes the records with 
> the lowest-priority value and issues an AD ping (which is actually an 
> LDAP-over-UDP query) to each DC in turn. If a DC doesn't respond 
> within a tenth of a second, the client tries the next DC, and so on, 
> until a DC responds.
>
> When a DC receives an AD ping from a client, the DC calculates two 
> crucial pieces of information before sending a response. First, the DC 
> determines the site closest to the client; to do so, the DC compares 
> the IP address in the request packet with an in-memory data structure 
> that contains the site and subnet associations defined in AD's site objects.
> The DC also determines whether it's in the site closest (from an IP 
> topology point of view) to the client's site. The DC sends this 
> information and the name of the responding DC's site in a UDP response 
> to the client.
>
> When the client receives this response, it determines whether the 
> responding DC is in the site closest to its site. If so, the client 
> saves the returned client site name in the 
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
> registry subkey's DynamicSiteName entry and uses that DC for
> further domain-authentication requests. If the DC response indicates 
> that the DC isn't in the site closest to the client's site, the client 
> returns to DNS to find a DC in the closest site. This time, because 
> the client knows its site name, it queries DNS for _ldap SRV records 
> in the _tcp.sitename.sites.dc._msdcs.domainname domain. DNS responds 
> with a list of SRV records for DCs in the specified site. The client 
> again selects those SRV records with the lowest priority and issues AD 
> pings to each in turn until one responds within a tenth of a second.
>
>
> Sean Deuby had a related article in the December 2003 issue I've been 
> reading over the weekend-
>
> Designing for DC Failover - How to create the best AD site topology possible
> http://www.winnetmag.com/Windows/Article/ArticleID/40718/40718.html
>
> As far as the timeout value, he repeats the 100ms value for W2K and
> goes on to say that in 2003 the client waits 400ms between queries for
> the first 5 DCs, then 200ms between the next 5, then 100ms for the
> remaining DCs in the list.
> He further explains the various site coverage scenarios quite well in 
> the article.
>
> Between the two articles the subjects are covered very handsomely...
>
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Graham 
> > Turner
> > Sent: Monday, February 02, 2004 8:33 AM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] logon server discovery
> >
> > As we all know to death by now, local logon server discovery is by
> > determination of the DNS RRs for a DC in a computer's own site.
> >
> > Q: how does the client resolve the scenario of a response not being
> > received in a timely fashion?
> >
> > What is the timeout value for a client not to receive a response
> > from a local DC before it then goes "elsewhere"?
> >
> > Have read about the concept of an AD "ping" - does this use ICMP?
> >
> > GT
> >
> >
> >
> >
> > List info   : http://www.activedir.org/mail_list.htm
> > List FAQ    : http://www.activedir.org/list_faq.htm
> > List archive:
> > http://www.mail-archive.com/activedir%40mail.activedir.org/
> >
>
>

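A model of the locator sequence Bob quotes above (domain-wide SRV lookup, lowest-priority records first, AD ping with the W2K/W2K3 wait schedule, then the site-specific lookup once the DC has reported the client's site), with Joe's four failure causes and Graham's slow-local-DC scenario expressed as inputs. This is an added example written for this page, not code from the thread, from the cited articles or from Microsoft. The domain, subnets, DCs, SRV record sets and per-DC response times are constructed; the DC's closest-site test is simplified to "is the DC in the client's own site" (site coverage and site-link costs are ignored); and the site-specific record name is written in the `_ldap._tcp.<site>._sites.dc._msdcs.<domain>` form.

```python
import ipaddress
import random
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    target: str


# Constructed sample environment (an assumption for the example, not data from the thread).
DOMAIN = "corp.example"
# Subnet -> site associations as defined in AD Sites and Services.
SUBNETS = {"10.1.0.0/16": "HQ", "10.1.5.0/24": "HQ-Lab", "10.2.0.0/16": "Bangalore"}
# The site each DC really sits in (Joe's item 4 is when this differs from belief).
DC_SITES = {"dc1.corp.example": "HQ", "dc2.corp.example": "HQ",
            "dc3.corp.example": "Bangalore", "dc4.corp.example": "HQ"}
# SRV answers keyed by queried name: the domain-wide set and the per-site _sites
# sets (a missing or wrong site record set is Joe's item 3).
DNS: Dict[str, List[SrvRecord]] = {
    f"_ldap._tcp.dc._msdcs.{DOMAIN}": [
        SrvRecord(0, 100, "dc1.corp.example"), SrvRecord(0, 100, "dc2.corp.example"),
        SrvRecord(0, 100, "dc3.corp.example"),
        SrvRecord(10, 100, "dc4.corp.example"),  # higher priority value: tried last
    ],
    f"_ldap._tcp.Bangalore._sites.dc._msdcs.{DOMAIN}": [SrvRecord(0, 100, "dc3.corp.example")],
    f"_ldap._tcp.HQ._sites.dc._msdcs.{DOMAIN}": [
        SrvRecord(0, 100, "dc1.corp.example"), SrvRecord(0, 100, "dc2.corp.example")],
}


def site_for_ip(ip: str, subnets: Dict[str, str] = SUBNETS) -> Optional[str]:
    """Longest-prefix match of the client address against the subnet table (the
    lookup a DC does on an AD ping). None = subnet not defined, Joe's item 1."""
    addr = ipaddress.ip_address(ip)
    best_len, best_site = -1, None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and net.prefixlen > best_len:
            best_len, best_site = net.prefixlen, site
    return best_site


def order_by_priority_and_weight(records: List[SrvRecord],
                                 rng: Optional[random.Random] = None) -> List[SrvRecord]:
    """RFC 2782 ordering: lowest priority value first, weighted-random within a priority."""
    rng = rng or random.Random(0)  # fixed seed keeps the example reproducible
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            weights = [r.weight for r in group]
            if sum(weights) == 0:  # all-zero weights: pick uniformly instead
                weights = [1] * len(group)
            pick = rng.choices(group, weights=weights)[0]
            ordered.append(pick)
            group.remove(pick)
    return ordered


def ping_wait_ms(index: int, w2k3: bool = True) -> int:
    """Wait for the AD ping to the index-th DC: 100 ms flat on W2K; on W2K3
    400 ms for the first five, 200 ms for the next five, then 100 ms."""
    if not w2k3:
        return 100
    return 400 if index < 5 else 200 if index < 10 else 100


def first_responder(records: List[SrvRecord], latency_ms: Dict[str, float],
                    w2k3: bool) -> Optional[str]:
    """AD-ping the DCs in order and return the first that answers inside its wait.
    latency_ms models each DC's response time; a loaded DC answers late or never."""
    for i, rec in enumerate(order_by_priority_and_weight(records)):
        if latency_ms.get(rec.target, float("inf")) <= ping_wait_ms(i, w2k3):
            return rec.target
    return None


def locate_dc(client_ip: str, domain: str = DOMAIN, dns: Dict[str, List[SrvRecord]] = DNS,
              latency_ms: Optional[Dict[str, float]] = None, w2k3: bool = True):
    """Return (dc, client_site, reason). Simplification: 'closest site' is taken
    to be the client's own site; site coverage and site-link costs are ignored."""
    latency_ms = latency_ms or {}
    dc = first_responder(dns.get(f"_ldap._tcp.dc._msdcs.{domain}", []), latency_ms, w2k3)
    if dc is None:
        return None, None, "no DC answered the AD ping"
    client_site = site_for_ip(client_ip)  # what the responding DC reports back
    if client_site is None:
        return dc, None, "client subnet not defined in AD; keeping first responder"
    if DC_SITES.get(dc) == client_site:
        return dc, client_site, "first responder is already in the client's site"
    site_dc = first_responder(
        dns.get(f"_ldap._tcp.{client_site}._sites.dc._msdcs.{domain}", []), latency_ms, w2k3)
    if site_dc is None:
        return dc, client_site, "no site DC answered in time; falling back to remote DC"
    return site_dc, client_site, "switched to a DC in the client's site"
```

Calling `locate_dc("10.2.3.4", latency_ms=...)` with dc3's latency raised above 400 ms reproduces Graham's case: the local DC misses its AD-ping window in both the domain-wide pass and the site pass, and the client ends up on a remote DC. A client address outside every defined subnet shows Joe's item 1: no site comes back, so the client keeps whichever DC answered first and never re-queries for a site-local one.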