Another Slow Login Issue

[Chris]

We've run into a problem where remote users are taking 15-
20 minutes to login. We've gone through the configuration
and opened a call with MS. Everything looks to be fine in
the config of our environment, but the one thing we
noticed is that the users having the issue are either on
the other side of a router, or firewall, which has ICMP
disabled. We've enabled ICMP temporarily and the login
process works just fine.

So my question is, are PINGs really necessary for the AD
login process, or is there a way around this issue?

Any assistance would be greatly appreciated.

 

[Simon Geary]

When a client logs in one of the things it does is to ping the
authenticating DC to determine round trip time. This round trip time value
is in turn used to determine the 'detect slow link' value for applying group
policies. This is used typically for dial up clients so you don't try to
push out huge software updates via GPO on a slow link.

For more information:
http://support.microsoft.com/?id=227260
http://support.microsoft.com/?id=227369

Some common solutions:
Put a DC in every subnet so you don't have authentication traffic crossing
routers.
Use a VPN to authenticate through a firewall. Less ports will be opened and
the pings can travel quite happily through the tunnel.

 

[Chris]

I understand why they're trying to do it, but I don't
think it should take 20 min. to timeout this whole
process. We're not even trying to use GPO's at this time,
we just want the users to get logged in at this time.

Is there anything on the client side (registry) that can
be modified to have this timeout period occur sooner? In
other words assume it's a slow link if pings are being
dropped instead of retrying pings for the next 20 min.