-
Title
Joining client to Active Directory takes a long time -
Description
In an environment with many Domain Controllers (DCs) behind firewalls, the vastool join command might take a very long time to complete.
The join may appear to hang with the following, misleading, message:
Applying VAS Related Group Policy Settings ... -
Cause
During a vastool join, Authentication Services will attempt to contact 2 in-site DCs and 2 out-of-site DCs. If these DCs cannot be contacted it might take a long time for Authentication Services to enumerate the DCs it requires for a solid/stable configuration.
-
Resolution
WORKAROUND 1:
Join to a specific domain controller by adding the DC name at the end of the join line, e.g.:
/opt/quest/bin/vastool -u <adadmin> join <yourdomain.com> <dc1.yourdomain.com>WORKAROUND 2:
Configure the site-only-usn parameter in vas.conf. This will tell Authentication Services to only contact DCs that are within the same Active Directory site.
# /opt/quest.bin/vastool configure vas vasd site-only-usn trueWORKAROUND 3:
Caching a large amount of users and group can make the join time slower. To not cache the users and groups at join time use workstation-mode flag on the join statement:
/opt/quest/bin/vastool -u <adadmin> join -w <yourdomain.com>