Question : Domain authentication extremely slow

I should start off by saying we have a very large network, where one side of the company has probably made changes to the AD without my knowledge that is causing these issues.

We have a branch office connected to our network through a site-to-site VPN, on 192.168.9.0/24, to our main datacenter at 192.168.200.0/24, which hosts our primary DC and primary Exchange server. A few months ago the site started to experience issues with logging on and opening Outlook, where it would take 1-5 minutes for a user to log in, or for Outlook to actually connect to Exchange.

Our domain users are set up with local administrator accounts on their computers, and any user that has cached credentials can log in in less than 2 minutes. When I was at the site, I tried logging in to a PC using my domain admin credentials, and it took about 6-7 minutes to actually log me in for the first time.

With Outlook, the first time Outlook is opened on a PC it will almost always fail to connect and pop up saying a connection couldn't be established, where you can choose to retry or work offline. It's about a 50/50 chance that Outlook will connect the second time if we retry; the third try almost always works.

This isn't specific to the computers at the site, as my laptop, which works perfectly fine at every other location, has the same problems when I'm on their network.

This part of our network is configured and run by an outside company, who says everything is working 100% and they can't find a problem.

I've tried:

Changing the DHCP subnet from 192.168.9.0 to 10.80.9.0
Changing DHCP to point all clients to a different set of DCs at a different datacenter, and AD Sites and Services to point to those DCs
Uninstalling our antivirus, Symantec Endpoint, as it has a network access control feature
Using Wireshark to watch what happens when Outlook is opened; nothing stood out to me, but I'm not a networking guy (I can post a Wireshark capture if someone wants)


Based on a Microsoft KB article I found, I checked and confirmed that the Web Client network provider is at the bottom of the list; I have not tried disabling it completely. There is no service running on port 80 on the DCs.

Anyone have any suggestions for things I can try? I pretty much have free access to change anything for the site to try and fix this problem.


Edit: Also, once a user has successfully connected to the Exchange server, the user can open/close Outlook as much as they want and the problem will not happen again until after a reboot.

Answer : Domain authentication extremely slow

When applying any PPP protocol, it adds overhead to the packets. The MTU setting for standard Windows is 1500 bytes. If the site-to-site connection adds to those packets, they can be too big to go through your VPN pipe. This is called Maximum Segment Size Exceeded.

It's like trying to shove a golf ball through a garden hose.

With MSS exceeded, you must have ICMP to renegotiate the packet size and split these packets up into smaller chunks. This is called PMTUD (Packet Maximum Transmission Unit Discovery). If ICMP for segment size is disabled, you will end up with a packet that will NOT reach its destination. So, TCP will ask for those packets again and again and again. The problem is that you are flooding the VPN connection with repetitive sending of packets, as well as having to resize the packets.

Also, think of a VPN connection as adding overhead to the packet for 1) routing the packet 2) encrypting the packet.

An article you should look at is this one from Cisco:
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml

The answer can come in two forms:
Allow ICMP to renegotiate the packets
and/or allow your tunneling adapters to route larger packet sizes

Please NOTE: You can seriously hose up network performance by messing with these. In a large business like this, with 120 sites, it is worthwhile to hire a consulting network engineer for this project.
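As an added illustration of the mechanism the answer describes (this is example code written for this page, not something from the original question or answer), the Python below models a site-to-site tunnel whose inside MTU is smaller than the 1500-byte Ethernet MTU the clients assume. It does three things: binary-searches the path MTU with DF-bit probes the way you would by hand with `ping -f -l <payload>` on Windows or `ping -M do -s <payload>` on Linux; shows how filtering the ICMP "fragmentation needed" reply turns an oversized segment into a silent drop that TCP retransmits until it gives up; and computes the MSS to clamp on the tunnel so that never happens. The tunnel MTU of 1400, the 3000-byte transfer and the retry budget are constructed values for the simulation, not measurements from the poster's network.

```python
"""Path MTU probing, ICMP black holes and MSS clamping over a VPN tunnel.

Added example for this page; the tunnel model and all sizes are constructed.
"""
from dataclasses import dataclass, field

IPV4_HEADER = 20
TCP_HEADER = 20
ETHERNET_MTU = 1500


@dataclass
class TunnelPath:
    """Constructed model of a site-to-site VPN hop with an MTU below 1500."""
    tunnel_mtu: int
    icmp_blocked: bool = False
    sent: list = field(default_factory=list)

    def send(self, size, df=True):
        """Send one IP packet of `size` bytes.

        Returns ("delivered", size), ("frag-needed", tunnel_mtu) when the
        router answers with ICMP type 3 code 4, or ("dropped", None) when
        that ICMP is filtered: the packet simply vanishes (a black hole).
        """
        self.sent.append(size)
        if size <= self.tunnel_mtu or not df:
            return ("delivered", size)
        if self.icmp_blocked:
            return ("dropped", None)
        return ("frag-needed", self.tunnel_mtu)


def probe_path_mtu(path, lo=576, hi=ETHERNET_MTU):
    """Binary-search the largest DF packet that gets through the tunnel.

    By hand this is:  Windows  ping -f -l <payload> <host>
                      Linux    ping -M do -s <payload> <host>
    where payload = packet size - 28 (20 IP + 8 ICMP header bytes).
    Returns (path_mtu, black_hole); black_hole is True when oversized probes
    were silently dropped instead of answered, i.e. ICMP is filtered somewhere.
    """
    best, black_hole = 0, False
    while lo <= hi:
        mid = (lo + hi) // 2
        status, _ = path.send(mid)
        if status == "delivered":
            best, lo = mid, mid + 1
        else:
            black_hole = black_hole or status == "dropped"
            hi = mid - 1
    return best, black_hole


def clamp_mss(path_mtu):
    """Largest TCP payload per segment that fits the path MTU unfragmented."""
    return path_mtu - IPV4_HEADER - TCP_HEADER


def simulate_tcp_transfer(path, mss, total_bytes, max_retries=3):
    """Push `total_bytes` through the tunnel in MSS-sized segments with DF set.

    With ICMP allowed, the sender learns the real MTU from the first
    frag-needed reply and shrinks its segments (PMTUD). With ICMP blocked,
    every full-size segment is retransmitted until the retry budget runs out
    and the transfer fails: the "again and again" the answer describes.
    """
    stats = {"segments": 0, "retransmits": 0, "timeouts": 0, "ok": True}
    remaining = total_bytes
    while remaining > 0:
        payload = min(mss, remaining)
        retries = 0
        while True:
            status, info = path.send(payload + IPV4_HEADER + TCP_HEADER)
            stats["segments"] += 1
            if status == "delivered":
                remaining -= payload
                break
            stats["retransmits"] += 1
            if status == "frag-needed":
                mss = clamp_mss(info)            # PMTUD: resize and resend
                payload = min(mss, remaining)
                continue
            stats["timeouts"] += 1               # black hole: no feedback at all
            retries += 1
            if retries >= max_retries:
                stats["ok"] = False
                return stats
    return stats


if __name__ == "__main__":
    for blocked in (False, True):
        path = TunnelPath(tunnel_mtu=1400, icmp_blocked=blocked)
        mtu, hole = probe_path_mtu(path)
        print(f"icmp_blocked={blocked}: path MTU {mtu}, black hole seen={hole}, "
              f"clamp MSS to {clamp_mss(mtu)}")
        print("  default MSS 1460:", simulate_tcp_transfer(path, 1460, 3000))
        print("  clamped MSS 1360:", simulate_tcp_transfer(path, 1360, 3000))
```

The useful diagnostic is the second return value of `probe_path_mtu`: if oversized pings time out rather than coming back with "Packet needs to be fragmented but DF set", ICMP is being filtered on the path and PMTUD cannot work, which matches the symptom of small exchanges (the first few Outlook/Kerberos round trips) succeeding while anything that fills a segment stalls. The usual fix on the tunnel endpoints is the second form the answer mentions: lower the tunnel MTU and clamp MSS to match (the linked Cisco document's common recommendation for GRE/IPsec is `ip mtu 1400` with `ip tcp adjust-mss 1360`, the same 1400/1360 pair this simulation arrives at).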
