Richard Parmiter

Virtualisation blog and Knowledge Base

  • You are here: 
  • Home
  • Slow logons at ‘applying registry policy’ stage on a Windows 2003 Citrix Server

Slow logons at ‘applying registry policy’ stage on a Windows 2003 Citrix Server

Posted on September 24th, 2008

Problem

When a user logs onto a Citrix server, it can take up to 10 minutes at ‘applying registry policy’ during the logon process.

Background

The server specification was as follows:

  • Windows 2003 R2 x64 Standard Edition
  • Citrix Presentation Server 4.5 HFRP02.

The server was member of an Windows 2003 Active Directory domain with many DC’s spread amongst different sites. It was in an Active Directory ‘sites and services’ site group along with many other Citrix servers and configured for 3 DC’s split over 2 physical locations.

Troubleshooting

Initially I thought that the specific group policies were causing a problem, so the server was moved to other OU’s to therefore pick up other GP’s, but the same thing happened. Other servers in the same OU were fine.

I also used HP iLo/RiB to connect to the server to remove any dependance on Citrix and got the same results.

User Environment Debug Logging

I enabled User Environment Debug Logging (see here for details on how to enable this) with full debug logs. I spotted the following in these logs:

On the server with the slow logons

USERENV(1d9c.1ce0) 14:15:26:796 SetRegistryValue: NoComponents => 1  [OK]
USERENV(1d9c.1ce0) 14:15:27:218 SetRegistryValue: NoManageMyComputerVerb => 1  [OK]
USERENV(1d9c.1ce0) 14:15:27:656 SetRegistryValue: LinkResolveIgnoreLinkInfo => 1  [OK]
USERENV(1d9c.1ce0) 14:15:28:046 SetRegistryValue: NoHardwareTab => 1  [OK]
USERENV(1d9c.1ce0) 14:15:28:390 SetRegistryValue: NoDFSTab => 1  [OK]
USERENV(1d9c.1ce0) 14:15:28:765 SetRegistryValue: NoSecurityTab => 1  [OK]
USERENV(1d9c.1ce0) 14:15:29:171 SetRegistryValue: NoComputersNearMe => 1  [OK]
USERENV(1d9c.1ce0) 14:15:29:593 SetRegistryValue: RecycleBinSize => 1  [OK]
USERENV(1d9c.1ce0) 14:15:29:984 SetRegistryValue: NoWindowsUpdate => 1  [OK]
USERENV(1d9c.1ce0) 14:15:30:343 SetRegistryValue: NoSMHelp => 1  [OK]
USERENV(1d9c.1ce0) 14:15:30:781 SetRegistryValue: ForceStartMenuLogOff => 1  [OK]
USERENV(1d9c.1ce0) 14:15:31:140 SetRegistryValue: NoClose => 1  [OK]

On another server with normal logons

USERENV(1a1c.12cc) 10:04:14:015 SetRegistryValue: NoComponents => 1  [OK]
USERENV(1a1c.12cc) 10:04:14:062 SetRegistryValue: NoManageMyComputerVerb => 1  [OK]
USERENV(1a1c.12cc) 10:04:14:109 SetRegistryValue: LinkResolveIgnoreLinkInfo => 1  [OK]
USERENV(1a1c.12cc) 10:04:14:156 SetRegistryValue: NoHardwareTab => 1  [OK]
USERENV(1a1c.12cc) 10:04:14:203 SetRegistryValue: NoDFSTab => 1  [OK]
USERENV(1a1c.12cc) 10:04:14:234 SetRegistryValue: NoSecurityTab => 1  [OK]
USERENV(1a1c.12cc) 10:04:14:281 SetRegistryValue: NoComputersNearMe => 1  [OK]
USERENV(1a1c.12cc) 10:04:14:328 SetRegistryValue: RecycleBinSize => 1  [OK]
USERENV(1a1c.12cc) 10:04:14:390 SetRegistryValue: NoWindowsUpdate => 1  [OK]
USERENV(1a1c.12cc) 10:04:14:421 SetRegistryValue: NoSMHelp => 1  [OK]
USERENV(1a1c.12cc) 10:04:14:468 SetRegistryValue: ForceStartMenuLogOff => 1  [OK]
USERENV(1a1c.12cc) 10:04:14:515 SetRegistryValue: NoClose => 1  [OK]

The server that was working normally was processing upto 25 ‘SetRegistryValue’ settings per second but the server with slow logons was only processing 2 or 3 a second.

AD Site configuration

My attention turned towards the AD site configuration. The problematic server was in Site 2 but picking up the logon server (%logonserver%) in site 1.

The working server was in site 1 and picking up the logon server in the same Site 1.

The AD site configuration meant that only the DC’s in Site 1 were acting as logonservers for these server. However, as there were several hundred other servers using the same configuration, this was unlikely to be the issue.

I changed the lmhosts file to force my problematic server to use it’s local DC for the logon server, but this made no difference.

Sysvol configuration

When Group Policies are applied, they are read and applied from the sysvol share on the DC’s. This is referenced by:

  • \\domainname.fdqn\sysvol

This is essentially a DFS share, hosted on all DC’s.

DNS initially does a look up on this address and resolves to one of the DC’s. The first to respond becomes the server hosting this share. Due to the AD Site configuration, the 2 DC’s in Site 1 service this request.

To check which server is hosting the sysvol share do the following:

Start | Run

\\domainname.fqdn\sysvol

Right click on the blank space and select properties

DFS tab

A list of all servers are listed and the active is shown.

The active server can be changed from this screen if required.

I Changed the Active server for the sysvol share to a server in the same physical location as my problematic server (Site 2).

and SUCCESS!!!  The logons were now back to normal time. However, after each reboot the server re-selected a server in the other location and the logons were slow again.

Network troubleshooting

I did lots of testing by copying files (1 large and many small files) from server to DC to try and spot a network problem, but there was no issue. I pretty much already knew this as no other Citrix server in this AD site had any problems.

I also thought that it was being detected as a ‘slow link’ but Ping tests were showing a great resonse time (4ms or less). UserEnvDebug log shows the link speed as fast.

USERENV(220.1ffc) 14:15:25:093 PingComputer: PingBufferSize set as 2048
USERENV(220.1ffc) 14:15:25:093 PingComputer: Adapter speed 10000000 bps
USERENV(220.1ffc) 14:15:25:093 PingComputer:  First time:  0
USERENV(220.1ffc) 14:15:25:093 PingComputer:  Fast link. Exiting.

Server build troubleshooting

I had come to the conclusion that something in this particular server build was causing the problem.

Resolution

Looking into the server build a bunch of settings were applied which generally improve performance on a Citrix server. One of these settings was the following:

HKLM\SYSTEM\CurrentControlSet\Services\MRXSmb\Parameters\OplocksDisabled, 1
“REG_DWORD”

This setting is generally set to improve network performance on terminal servers, however in this case the reverse was hapenning. I will write another article about opotunistic locking at a later date.

Removal of this registry entry resolved the problem. (i.e. the enabling of oportunistic locking)

The server can now use a server in the other location to service the sysvol share and does not present any slow logons.

Conclusion

Why the OpLocks settings affected group policy processing from a server in a differnet location I don’t know.

If I find out, i’ll update this post.

Useful Links

Configuring opportunistic locking in Windows
How a slow link is detected for processing user profiles and Group Policy
Default Behavior for Group Policy Extensions with Slow Link

  • Digg
  • StumbleUpon
  • del.icio.us
  • Facebook
  • Yahoo! Buzz
  • Twitter
  • Google Bookmarks
  • Add to favorites
  • FriendFeed
  • Google Buzz
  • LinkedIn
  • Live
  • MySpace
  • Reddit
  • RSS

Tags: , , , , , , , , , , , , , ,
Filed under Windows 2003 |

3 Responses to “Slow logons at ‘applying registry policy’ stage on a Windows 2003 Citrix Server”

  1. Dimitri Says:
    January 27th, 2009 at 12:25 pm

    Am havind EXACT the same problem, but the specified HKLM\SYSTEM\CurrentControlSet\Services\MRXSmb\Parameters\OplocksDisabled setting is not to be found on the server! Will do some more internet searchesif I find a solution I will post it here.

  2. RP Says:
    July 6th, 2009 at 6:13 pm

    Another fix for this problem according to Microsoft. I haven’t tried this though.

    http://support.microsoft.com/kb/319440

  3. Arnout Says:
    August 14th, 2009 at 10:29 am

    Cool, I had the same problem. I’m in a migration stage where some DC’s are behind a firewall which caused the troubles.

    Thx.

Leave a Reply

*