AD authentication and authorisation

Discussion in 'Active Directory' started by Gonzo, Sep 11, 2009.

  1. Gonzo

    Gonzo Guest

    Hi,

    Is there a tool where I can test the speed of our AD authenticating and
    authorising?

    We have a 3rd party app that the vendors say our AD is slow and causing
    their app to slow down. All our other apps are fine, but I do need to check
    this as it does point to AD.
     
    Gonzo, Sep 11, 2009
    #1

  2. Howdie!
    Get a network trace of the machine with the app installed and the DC.
    Dissect the trace so that you can see the initial auth request from the
    app and get the time that it's taking to proceed. That's the most
    reliable thing.

    There are a few performance counters for AD, too - you may also check
    those.

    Cheers,
    Florian
     
    Florian Frommherz [MVP], Sep 11, 2009
    #2

  3. And...

    Make sure DNS isn't the reason. Check whether clients can reliably
    resolve DNS queries.

    Cheers,
    Florian
     
    Florian Frommherz [MVP], Sep 11, 2009
    #3

  4. I was going to add this, but you beat me to it!

    For Gonzo:
    If the DCs and clients are using an ISP's DNS as an address in their
    ipconfigs, or using the router as a DNS address, or using some other
    external address. If they are, as Florian said, nothing can resolve the
    internal domain resources reliably. That can be a *major* cause of slowness.
    Same if any of the DCs are multihomed (more than one NIC, more than one IP
    address or RRAS is installed for VPN, etc). Also another cause could be if
    the AD DNS domain name is single label ('domain' vs domain.something).

    If you can provide an ipconfig /all of your DCs and from a sample
    workstation, possibly where the app is running, we can evaluate and offer
    recommendations.

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Please reply back to the newsgroup or forum for collaboration benefit among
    responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
    Microsoft Certified Trainer

    For urgent issues, please contact Microsoft PSS directly. Please check
    http://support.microsoft.com for regional support phone numbers.
     
    Ace Fekay [MCT], Sep 11, 2009
    #4
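
Added example, not part of Ace Fekay's post or any other reply in this thread: a Python check that parses saved `ipconfig /all` output and flags the three conditions post #4 names (DNS servers that are not the internal ones, a multihomed host, a single-label domain name). The function names, the `internal_dns` set and the sample values are assumptions made for illustration; the field labels assume English-language ipconfig output.

```python
import re
FIELD = re.compile(r"^\s+(.+?)(?:\s*\.)+\s*:\s*(.*)$")  # "Label . . . : value"

def parse_ipconfig(text):
    """Return (primary DNS suffix, {adapter: {"ips": [...], "dns": [...]}})."""
    suffix, adapters, cur, last = "", {}, None, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            cur = adapters.setdefault(line.rstrip()[:-1], {"ips": [], "dns": []})
            last = None
        elif m := FIELD.match(line):
            last, value = m.group(1), m.group(2).split("(")[0].strip()
            if last == "Primary Dns Suffix":
                suffix = value
            elif cur and last in ("IP Address", "IPv4 Address") and value:
                cur["ips"].append(value)
            elif cur and last == "DNS Servers" and value:
                cur["dns"].append(value)
        elif cur and last == "DNS Servers" and line.strip():
            cur["dns"].append(line.strip())  # extra servers sit on unlabeled lines
    return suffix, adapters

def findings(text, internal_dns):
    """Flag the conditions from post #4; internal_dns is the set of DC/DNS IPs."""
    suffix, adapters = parse_ipconfig(text)
    out = []
    if suffix and "." not in suffix:
        out.append(f"single-label domain name: {suffix}")
    addressed = [n for n, a in adapters.items() if a["ips"]]
    if len(addressed) > 1:  # only a concern when the host is a DC
        out.append("multihomed: " + ", ".join(addressed))
    for name, a in adapters.items():
        out += [f"{name}: DNS server {s} is not an internal DNS server"
                for s in a["dns"] if s not in internal_dns]
    return out

# Constructed ipconfig /all excerpt for a DC (all values hypothetical).
SAMPLE_DC = """\
Windows IP Configuration
   Primary Dns Suffix  . . . . . . . : corp
Ethernet adapter LAN:
   IP Address. . . . . . . . . . . . : 10.0.0.10
   DNS Servers . . . . . . . . . . . : 10.0.0.10
                                       203.0.113.53
Ethernet adapter Backup:
   IP Address. . . . . . . . . . . . : 192.168.50.10
"""
if __name__ == "__main__":
    print("\n".join(findings(SAMPLE_DC, {"10.0.0.10", "10.0.0.11"})))
```

Passing the DCs' own addresses as `internal_dns` means a router address used as a DNS server is flagged as well, even though it is a private address.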
  5. Hello Gonzo,

    I agree with the others about DNS as a source problem. Some more info as
    requested will be helpful.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Sep 11, 2009
    #5
  6. Gonzo

    Gonzo Guest

    Users point to 2 internal DNS server which are our DC's. The DC's do have
    forwards to our IPS if the names can't be resolved, is this a good method?
     
    Gonzo, Sep 12, 2009
    #6
  7. Yes, that's the recommended method.

    What operating systems are the DCs, and service pack levels?

    Getting back to your app issue, what type of app is it, and what method does
    it use to authenticate, NTLM or Kerberos?

    If NTLM, which version? The app's docs or support can tell you that. If
    version 1, it may possibly need disabling SMB signing on the DCs.

    Any errors in either DC's event logs?

    Ace
     
    Ace Fekay [MCT], Sep 12, 2009
    #7
