First published on TechNet on Sep 23, 2009
here again after a short blogging hiatus. I have put this two-part blog post together with hope that it will save you countless hours and a few aspirin when troubleshooting a slow logon. I have had the luxury of working many different slow logon cases and I have to say that these can be the most grueling to handle, depending on how they are approached and what information you have. There are multiple reasons why slow logons can occur and sometimes they are a result of multiple issues masked as one.
For this first part in the series I want to cover some well-known causes of slow logons, show how to optimize logon for your environment, and help you document your baseline so you can identify when you really have a slow logon issue. But before I do, we need to set some expectations.
The “logon process” (I use this term to encompass both the boot up of the workstation and the user login that is completed with a functioning desktop) has a lot of moving parts. The most important question to address is: “What is an acceptable logon time to you?”
If you have expectations that your logon should only take 3-5 minutes from the time you turn your computer on to the point you get your desktop, you will have a brief window to perform all tasks. Your business requirements will dictate what you will be able to accomplish during the logon, so a thorough understanding of your goals is needed before moving forward.
Once you have your logon task list, then you can start testing the logon time frame. If all is configured and you are over your accepted limit, then an adjustment will need to be made by either limiting your tasks or accepting the lengthier time. There is a saturation point that will be reached when you try to accomplish too much in too little time.
So you want to know what the top items are that will definitely slow your logon process? Here’s a list of configurations that will have an impact on your logon time:
: Your network interface card (NIC) should have the latest drivers installed.
Outdated operating system (OS) patch level: Your operating system should have the latest service pack installed from
Roaming user profiles change the way group policy processing is performed. When roaming profiles are configured the processing is changed from “asynchronous” (background processing or multiple at a time) to “synchronous” (foreground processing or one at a time). This disables “Fast logon Optimization”, which delays the user getting the desktop by waiting for the network to initialize first.
It is really important to understand that when roaming profiles are implemented, group policy software installations and folder redirection require that the user is NOT logged on before the network is initialized, and policy is processed synchronously: ONE AT A TIME. This is the default behavior and changing it could cause inconsistencies with your logon.
: This could impact your logon times because instead of looking at a local location for system DLLs, the client machine will look for them in the home folder instead. If that mapped network share is across a slow wide area network (WAN) link, you can bet that your logon time is going to suffer even more.
If home folders are needed with roaming profiles there is a registry key (SafeDllSearchMode) that can be added that will change the behavior. If you’re not sure that this is an issue in your environment, take a network trace at logon and see if DLLs are being queried across the network to the home folder. There is also another tweak on the same page (StartRunNoHOMEPATH) that will help with applications that show this behavior.
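The trace check described above, as an added example that is not part of the original post: it reads a logon-time trace exported to CSV and lists the DLL requests that went across the network to one user's home folder. The CSV column layout, the server, share and user names, and the function names are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample of a logon-time trace exported to CSV. The column layout
# (time offset in seconds, client, server, SMB path requested) is an assumption.
SAMPLE_TRACE = r"""
time,client,server,path
2.10,10.0.0.25,10.1.0.5,\\FS01\home$\jdoe\Desktop\notes.txt
2.31,10.0.0.25,10.1.0.5,\\FS01\home$\jdoe\version.dll
2.95,10.0.0.25,10.1.0.5,\\FS01\home$\jdoe\VERSION.DLL
3.40,10.0.0.25,10.1.0.5,\\FS01\home$\jdoe\uxtheme.dll
3.62,10.0.0.25,10.1.0.9,\\APPS01\tools\plugin.dll
4.05,10.0.0.25,10.1.0.5,\\FS01\home$\asmith\uxtheme.dll
""".strip()


def home_folder_dll_lookups(trace_csv, home_folder):
    """Map each DLL name requested under home_folder to its request times."""
    home = PureWindowsPath(home_folder)
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(trace_csv)):
        path = PureWindowsPath(row["path"])
        # PureWindowsPath compares case-insensitively, as Windows does, so
        # version.dll and VERSION.DLL are counted as the same lookup.
        if path.suffix.lower() == ".dll" and home in path.parents:
            hits[path.name.lower()].append(float(row["time"]))
    return dict(hits)


def summarize(hits):
    """Return (total requests, seconds between first and last request)."""
    times = sorted(t for ts in hits.values() for t in ts)
    if not times:
        return 0, 0.0
    return len(times), round(times[-1] - times[0], 2)


if __name__ == "__main__":
    found = home_folder_dll_lookups(SAMPLE_TRACE, r"\\FS01\home$\jdoe")
    for name, times in sorted(found.items()):
        print(f"{name}: {len(times)} request(s), first at {times[0]:.2f}s")
    print("total requests, span in seconds:", summarize(found))
```

Requests for DLLs on other shares or in other users' folders are left out, so a non-empty result points specifically at the home folder lookups.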
Start up applications: Applications that are configured to automatically run during startup will slow the logon down.
Many antivirus applications will scan profiles at login, and at their home location if the profiles are roaming. This is not limited to antivirus software; other applications will do this as well. (In the troubleshooting section we will review how to discover if this is happening.)
Excessive group policies: Having a ton of group policies that perform extensive tasks or configurations (like software restrictions) will increase your logon time. A few policies that accomplish everything are better than many policies that do a handful of things each. If possible consolidate your group policies.
Excessive startup/logon scripts: Scripts that run at logon or start up can delay the process significantly if they perform a lot of tasks or use inefficient code.
Excessive WMI filters: Having excessive WMI filters can slow group policy processing.
No local domain controllers: Not having local domain controllers (users authenticating across a wide area network, or WAN) will cause a logon delay.
Before we get into troubleshooting a slow login we need to first identify what a slow login is. To be able to say a logon or boot up is slow you must know what a normal logon or boot time looks like in your environment. With the above expectations the next step is to document the time a logon takes under normal conditions and under load (morning and afternoon rush hours). This should be done with all the different operating system builds in your environment (desktops, laptops, servers, XP, Vista, Win 7, 2003, 2008, 2008 R2) to have a standard baseline to work with.
Here is a short starter list of things to include in your baseline documentation:
Active Directory Topology
User and computer group membership
Operating system and service pack level
Network bandwidth and latency
NIC driver information
“UserEnv” log (from several users who are members of different security groups) from XP or 2003, and ETL logs from Vista, 2008 and Win7
Group Policy information (both computer and user)
Once you have a solid baseline of average times, then you will know right away when logon times increase and where to narrow your search for the culprit. With the above documentation in hand the issue will be resolved much quicker. Without the documentation you’re setting yourself up for hours of agony and a costly resolution.
Be sure to check out the next part in the series on slow logon where we actually get into the troubleshooting steps.