Active Directory running slow (When browsing the directory)


Okay, I am having a problem with our domain controllers and it's driving me insane.

It is very periodic (for example within an hour). When browsing down through the AD in OUs it can load an OU either very quickly or it can take like up to 10 seconds. When it takes a long time, if trying to go to another OU it goes into "Not responding"-mode.

It is 2 domain controllers. Both DCs are GC (Is that a problem?).
I have run dcdiag and no critical errors show (only that the DHCP scope is almost full and an RDS licensing error that it cannot update a licensing attribute for a single computer) on both DCs.

I have cleaned up a large bunch of old computers, OUs, users etc.

I believe that synchronization between the servers is okay. By using repadmin /syncall I get success with no errors.

Network on the server seems to be configured correctly. DNS is pointing to the DC itself and the other DC (is this the correct method?). I do not believe I have other network issues.

When testing DNS queries there seems to be no problems. They reply instantly.
I have been testing using dcdiag /test:dns.

                                       Auth Basc Forw Del  Dyn  RReg Ext
        Domain: domain.tld
           DC1                          PASS PASS PASS PASS WARN PASS n/a  
           DC2                          PASS PASS PASS PASS WARN PASS n/a

The warning in Dyn is:

           TEST: Dynamic update (Dyn)
              Test record dcdiag-test-record added successfully in zone domain.tld
              Warning: Failed to delete the test record dcdiag-test-record in zone domain.tld
              [Error details: 9505 (Type: Win32 - Description: Unsecured DNS packet.)]

Guess that's not a problem (or the problem)?

It is only when using the Active Directory tools. There are no problems for user login, Exchange etc. (I guess, no complaints). But when for example using Exchange Management Console, the same thing can happen – when opening an object it can take up to 10 seconds or longer.

We have a two-way-trust to another domain. It is located on the same network – can this have anything to do with it? On the other domain (which is in another forest), there are no performance issues.

What is going on? Right now, I was just testing – I could browse around in OUs, open objects, browse further down and so on… Then, suddenly an object "hangs" and takes about 10 seconds to open.

Need help! What can I do to test further?

Best Answer

Well, there's a lot more to do, since you really haven't done much. The tests you ran don't test performance, and as far as I can tell, you've only tested from one client, so we can't even rule out that it's a client issue.

In order, I would:

  1. Try to replicate the symptoms from other clients to determine if it's a client-side issue or not.

  2. Do a high-level check of network utilization when the issue occurs, to make sure there isn't a correlation to a spike in traffic.

  3. Set up performance monitoring on the server(s) in question.

    • It could be that the domain controller you're connected to is running at a high utilization of some resource (bandwidth, concurrent connections, CPU, disk queue, etc.) and the delay is a result of your request being queued.

    • In fact, I had the same issue with the main DC in our organization because the CPU was getting tapped out periodically during the work day, so before setting up a full battery of perfmon monitors, I'd RDP into the server, open up task manager and see if RAM, CPU, network or disk I/O are maxing out when this problem surfaces.

If none of that discovers your problem, I'd be surprised, but you'll at least have a better basis for advanced troubleshooting and looking into potential bugs with ADDS and your DC OS versions, scanning through MS hotfixes and looking for KBs that might relate to your situation.
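
One way to carry out the checks in the answer from any client, as an added example that is not part of the original answer: it times a one-level LDAP search against each DC (roughly what expanding an OU does) and logs resource counters from that DC alongside the timing, so slow browses can be correlated with CPU, disk, network or LDAP load. The DC names, the 2000 ms threshold, the 15-second interval and the log path are assumptions; it assumes Windows PowerShell 3.0 or later and an account allowed to read performance counters remotely.

```powershell
# Added example. DC1/DC2 are placeholder names taken from the dcdiag output above.
$dcs      = 'DC1', 'DC2'
$slowMs   = 2000                                   # assumed threshold for a "slow" browse
$logPath  = Join-Path $env:TEMP 'dc-browse-latency.csv'
$counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available MBytes',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Network Interface(*)\Bytes Total/sec',
    '\NTDS\LDAP Searches/sec',
    '\NTDS\LDAP Client Sessions'
)

while ($true) {                                    # stop with Ctrl+C
    foreach ($dc in $dcs) {
        # Bind to this specific DC so the timing is not hidden by DC locator choice.
        $searcher             = [adsisearcher]'(objectClass=*)'
        $searcher.SearchRoot  = [adsi]"LDAP://$dc"
        $searcher.SearchScope = 'OneLevel'
        $searcher.PageSize    = 500

        $sw      = [System.Diagnostics.Stopwatch]::StartNew()
        $results = $searcher.FindAll()
        $count   = $results.Count                  # forces the full result set to be fetched
        $sw.Stop()
        $results.Dispose()

        # One sample of each counter, taken from the DC right after the timed query.
        $samples = (Get-Counter -ComputerName $dc -Counter $counters `
                        -ErrorAction SilentlyContinue).CounterSamples

        foreach ($s in $samples) {
            [pscustomobject]@{
                Time    = Get-Date -Format o
                DC      = $dc
                QueryMs = [int]$sw.ElapsedMilliseconds
                Slow    = $sw.ElapsedMilliseconds -ge $slowMs
                Objects = $count
                Counter = $s.Path
                Value   = [math]::Round($s.CookedValue, 2)
            } | Export-Csv -Path $logPath -Append -NoTypeInformation
        }
    }
    Start-Sleep -Seconds 15
}
```

Running the same script from a second client at the same time shows whether the slow rows line up across clients or appear on only one of them.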