I believe this is required to be done from the client side.
I seem to recall a bunch of hoo-ha about it.
You generally don't want to force all of this traffic to
TCP because it is considerably more traffic than UDP. You might use it, say, at a
site level that has an older router or is behind some device that has issues
with fragmented UDP - I seem to recall the Cisco CSM having an issue with this
several years back too.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Saturday, January 28, 2006 7:49 AM
To: [email protected]
Subject: RE: [ActiveDir] Logon issue

I’ve read this KB a few times and wonder if it is enough to apply this registry change on the authentication servers? If that were done, wouldn’t a client (say XP) be forced to communicate via TCP with a DC during the logon process? Thoughts/comments?
Mike Thommes
-----Original Message-----
Funny… I just (5 minutes ago) sent an FYI to our End User Support team regarding this issue.
Here’s the KB: http://support.microsoft.com/?id=244474
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

I have seen that several times and it always tied back to some network device dropping Kerberos UDP packets because they got too large and they started fragmenting. You see lots of kerb traffic going on, it is just some key critical packets aren't making it through. There is a KB that allows you to force all kerb traffic to be through TCP instead of UDP. Next time you encounter that I would slap the reg hack into place and see if it clears it up. The best way would be to do network traces from the client and the DC being used but that can be a bit of a trick especially if you have to call in others to do the tracing.
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark

We have an unusual situation I can’t find a solution for and I wanted to see if others had experienced it. A few of our remote locations connect to corporate via DSL and VPN. We normally have a logon script engine (ScriptLogic) that runs for each logon. PCs run Windows XP, and get DHCP and logon services from the corporate location.

In several cases, when a specific user (and there are more than one) logs on to a PC with the problem, the logon takes up to 20 minutes to log on. When another user logs on to the same PC in the same location, the logon is instantaneous. The same symptoms are happening in several locations, involving different users, but in each case, a different user can log on fine on the affected PC.

Our networks folks watched the traffic in Compuware and determined that in the logons that are a problem, there is significant Kerberos traffic, back and forth, back and forth. My first thought was corrupt or excessively large profile, but we don’t use roaming profiles, and the PC has been re-imaged. We also recreated accounts for a couple of users. The problem goes away for a couple of weeks, and then it’s back. I’m just now getting involved because the network team initially thought it was their issue. Is there anything you can suggest I can look at?

Thanks,
Systems Engineer
Cintas Corporation | 6800 Cintas Boulevard | Mason, OH 45040
Email: [EMAIL PROTECTED] | http://www.cintas.com
Title: Logon issue
