active-directorywindows-server-2008windows-server-2008-r2
I have setup users to log in through active directory setup on windows server 2008. When they try to login in to their machines it takes two minutes just to log on. What could be the problem?
The machine only runs active directory no other network services.
Edit:
I see from your comments that you aren't doing the "poor man's trust relationship" with local accounts, but rather are pre-caching credentials on the client computers before shipping them off-site.
With that in mind, you still really, really want a site-to-site VPN solution, rather than running VPN clients on each client computer. That will make the question you're asking be a moot point. Your client computers won't "know" that there's a VPN present, and things like domain logons and group policy, as well as password changes will "just work".
My eyes are nearly bleeding even thinking about having to deal with no site-to-site VPN and cached credentials on client computers in such an environment.
If you want "the easy way" I had some good experiences with system-config-authentication and Winbind doing it the GUI way. Obviously, this is not expressly Kerberos, so downvote me appropriately if you feel inclined. You can do Winbind, but it also expressly allows LDAP if that fits your requirements better. I get an ominous red error about NSS-LDAP libraries,
The /lib64/libnss_ldap.so.2 file was not found, but it is required for LDAP support to work properly. Install the nss-pam-ldapd package, which provides this file.
but I am sure you can install that with yum with a minimal amount of effort. You say you want Kerberos, but than say only NIS/LDAP is allowed. So why not just access AD as if it were LDAP. That is definitely possible in my experience. It also gives you the option of configuring Kerberos. See the screenshot.
Hint, hint, it is Fedora 15, not Fedora Core, and has not been "Core" for quite a while. I will not make jokes about the bloat in relation to the name change (as a pretty dedicated Fedora user myself).
Best Answer
Usually "slow logon" problems are DNS resolution problems at the client's side. Check if the clients are using AD DNS servers (AD DNS servers only, not your provider's DNS servers, not your router's DNS service - really just the ones of your AD).
Also check if the name registrations for your DC(s) are correct - use the
dcdiagtest utility for this.dcdiagis already preinstalled on all Windows Server 2008 DCs.From the Microsoft documentation about dcdiag: