Citrix Session Start-up Details Test

Figure 1 depicts a typical user logon process to Citrix Virtual Apps.

Figure 1 : Citrix user logon process

The process depicted by Figure 1 above has been described below:

  1. User provides his/her credentials to the web interface.
  2. Web interface forwards the credentials to controller for verification process.
  3. Delivery controller transfers these credentials to the domain controller to check if the user is present in the active directory.
  4. Once it gets the successful confirmation from AD then controller communicates with site database to check what type of application is available for current user.
  5. Controller then interacts with Citrix Virtual Apps server to gather information about the availability of application.
  6. Controller then passes the ICA file for user and all the connection information is present inside ICA file so that client can establish the connection.
  7. After all the process is complete, the user is assigned the application.
  8. Once the application is assigned, the user establishes connection with that application.
  9. The Citrix Virtual Apps server again communicates with controller for verification of licensing.
  10. Controller checks for license from license server about what type of license is available for user in this current session. License server then communicates back with controller providing the licensing information.
  11. Information obtained from license server is then passed to the Citrix Virtual Apps server.

From the discussion above, it can be inferred that login processing happens at two different places - at the delivery controller, and inside the Citrix Virtual Apps server. While login, authentication, and application brokering happen on the delivery controller, session creation and setup happens inside the Virtual Apps server. A problem in any of these places can result in a poor user experience. Inevitably, these issues result in service desk calls and complaints that “Citrix is slow”. Diagnosing login problems has traditionally been a difficult, time-consuming, manual process due to the large number of steps involved. The key to resolving user experience issues therefore, lies in tracking each user’s sessions end-to-end, ascertaining the time spent by the session at each step of the logon process - be it on the delivery controller or on the Virtual Apps server - and accurately identifying where and at what step of the logon process, the slowdown occurred.

To determine the time taken by the entire logon process of a user, isolate logon slowness, and understand where the process was bottlenecked – whether on the delivery controller or on the Virtual Apps server – use the User Logon Performance test mapped to the Citrix Virtual App/Desktop Site component. If the User Logon Performance test reveals a problem in session start-up on the Virtual Apps server, then use the Citrix Session Start-up Details test.

With the Citrix Session Start-up Details test, administrators can receive deep visibility into the Virtual Apps end of the Citrix logon process. This test takes an administrator into the Virtual Apps server, reveals the users who are currently logged on to the server, and accurately reports the average time it took for the sessions of each user to start inside the server. This way, administrators can rapidly identify which user’s sessions are experiencing undue start-up delays.

In addition, the test also provides a break-up of the session start-up duration. This way, the test precisely pinpoints where the delay occurred - when user credentials were obtained? when credentials were validated? during profile loading? during login script execution? when mapping drives or creating printers?

For this purpose, the test categorizes its metrics into client start-up metrics and server start-up metrics.

The client start-up metrics are concerned with timing the operations that occur from the point when the user requests an application, e.g., by clicking an icon, to the point at which an instance of the ICA client has finished opening a connection to Presentation Server. While connection-brokering mechanisms, such as Web Interface for Citrix Virtual Apps server or Program Neighborhood Agent, involve components that are not on the physical client device, the tasks these systems perform have a direct impact on the performance of the connection start-up and are recorded as part of the client-side process.

The server start-up metrics are concerned with timing the operations that occur when creating a new session on the Virtual Apps server. This includes user authentication, client device mapping, profile loading, login scripts execution, and finally, starting the user’s application (in the case of a desktop this will be explorer.exe). If a session already exists and a new application is being started through session sharing, only the application start stage will be considered as part of server start-up.

Target of the test : A Citrix Virtual Apps

Agent deploying the test : An internal agent

Outputs of the test : One set of results for each user who is currently logged on to the Citrix Virtual Apps server that is being monitored.

Configurable parameters for the test
  1. Test period - How often should the test be executed
  2. Host - The host for which the test is to be configured.
  3. port The port number at which the specified HOST listens to. By default, this is 1494.
  4. REPORT USING MANAGERTIME – By default, this flag is set to Yes. This indicates that the user login time displayed in the detailed diagnosis page for this test and in the Thin Client reports will be based on the eG manager's time zone by default. Set this flag to No if you want the login times displayed in the  detailed diagnosis page for this test and in the Thin Client reports to be based on the Citrix server’s local time.
  5. REPORT BY DOMAIN NAME - By default, this flag is set to Yes. This implies that by default, the detailed diagnosis of this test will display the domainname\username of each user session that logged out. This default setting ensures that administrators are able to quickly determine the domains to which the users who logged out belonged. You can set this flag to No if you want detailed diagnosis to display only the username of the users who logged out.
  6. Report Summary - By default, this flag is set to Yes indicating that this test will report metrics for the Summary descriptor, by default. However, if you do not want this test report the metrics for the Summary descriptor, then st this flag to No.
  7. DD FREQUENCY - Refers to the frequency with which detailed diagnosis measures are to be generated for this test. The default is 1:1. This indicates that, by default, detailed measures will be generated every time this test runs, and also every time the test detects a problem. You can modify this frequency, if you so desire. Also, if you intend to disable the detailed diagnosis capability for this test, you can do so by specifying none against dd frequency.

  8. DETAILED DIAGNOSIS – To make diagnosis more efficient and accurate, the eG Enterprise embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, click on the Off option.

    The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled:

    • The eG manager license should allow the detailed diagnosis capability
    • Both the normal and abnormal frequencies configured for the detailed diagnosis measures should not be 0.
Measurements made by the test
Measurement Description Measurement Unit Interpretation

New sessions

Indicates the number of sessions currently open for this user on the Virtual Apps server.

Number

Compare the value of this measure across users to know which user has the maximum number of open sessions. In the event of an overload, this will point you to that user who is contributing the most to the workload of the Virtual Apps server.

Use the detailed diagnosis of this measure to view the complete details of each user session. Such details includes the name and IP address of the client from which every session was launched, when session creation started, and when it ended. With the help of this information, administrators can quickly pinpoint those sessions that may have taken too long to be created.

Session start-up duration

Indicates the average time taken by the sessions of this user to complete start-up activities.

Seconds

Compare the value of this measure across users to know which user’s sessions took the longest to start-up. To know what is causing this slowness, compare the values reported by all the other ‘duration’ measures of this test for that user. This will quickly lead you to where that user’s session start-up process is spending the maximum time.

Profile processing duration

Indicates the time taken to process this user's profile.

Seconds

 

Group policy processing duration

Indicates the time taken by this user’s session to process group policies.

Seconds

Compare the value of this measure across users to know which user’s sessions took the longest time to process group policies. If that user’s Session start-up duration is high, you may want to compare the value of this measure with that of the other ‘duration’ measures reported for this user to figure out if a delay in group policy processing is what is really ailing that user’s logon experience. In such a case, you can also use the detailed diagnosis of this measure to figure out the names of the group policy client-side extensions (CSE), the time each CSE took to run, the status of every CSE, and errors (if any) encountered by each CSE. Using these in-depth metrics, Citrix administrators can accurately pinpoint which CSE is impeding speedy group policy processing.

Logon performance improves when fewer Group Policies are applied. Merge GPOs when possible instead of having multiple GPOs.

Logon script execution duration

Indicates the time taken for the login script to execute for this user.

Seconds

Compare the value of this measure across users to know for which user the login script took the longest time to execute.

If this user complains of slowness, then, you can compare the value of this measure with that of the other ‘duration’ measures of that user to figure out what could have really caused the slowness.

Client side session start-up processing duration

This is the high-level client-side connection start-up metric. It starts at the time of the request (mouse click) and ends when the ICA connection between this user’s client device and Virtual Apps server has been established.

Seconds

In the case of a shared session, this duration will normally be much shorter, as many of the set-up costs associated with the creation of a new connection to the server are not incurred.

Backup URL count

When any user complains of slowness, you may want to compare the value of this measure with that of the Server side session start-up processing duration measure of that user to know whether a client-side issue or a server-side issue is responsible for the slowness.

If this comparison reveals that the Client side session start-up processing duration of the user is high, it indicates a client-side issue that is causing long start times. In this case therefore, compare the value of the client start-up metrics such as the Application enumeration duration, Configuration file download duration, User credential obtention by client duration, ICA file download duration, Launch page web server duration, Name resolution duration, Name resolution web server duration, Session lookup duration, Session creation at client duration, Ticket response web server duration, Reconnect enumeration duration, and Reconnect enumeration web server duration to know what client-side issue is causing the Client side session start-up processing duration to be high.

Backup URL count

This measure is relevant when the Virtual Apps plugin is the application launch mechanism. It records the number of back-up URL retries before a successful launch. Note that this is the only start-up metric that is a measure of attempts, rather than time duration.

Number

If this metric has a value higher than 1, it indicates that the Web Interface server is unavailable and the Virtual Apps Plugin (formerly known as Program Neighborhood Agent) is attempting to connect to back-up Web Interface servers to launch the application.

A value of 2 means that the main Web Interface server was unavailable, but the Virtual Apps Plugin managed to the launch the application successfully using the first back-up server that it tried.

A value higher than 2 means that multiple Web Interface servers are unavailable. Probable reasons for the non-availability of the Web Interface servers include (in order of likelihood):

  • Network issues between the client and the server. So the administrator should make sure that the Web Interface server is on the network and accessible to the clients.
  • An overloaded Web Interface server that is not responding (or has crashed for another reason). Try to log on to the server and check the Windows Performance Monitor/Task Manager to see how much memory is in use and so on. Also, review the Event Logs to see if Windows logged any serious errors.

Application enumeration duration

This measure is relevant when the Virtual Apps plugin is the application launch mechanism. It measures the time needed by this user’s sessions to retrieve the list of applications from the Web Interface service.

Seconds

If the Client side session start-up processing duration measure reports a high value for a user, then compare the value of this measure with that of the other client-side metrics such as Configuration file download duration, User credential obtention by client duration, ICA file download duration, Launch page web server duration, Name resolution duration, Name resolution web server duration, Session lookup duration, Session creation at client duration, Ticket response web server duration, Reconnect enumeration duration, and Reconnect enumeration web server duration to know whether/not slowness in application enumeration is the precise reason why it took the user a long time to establish an ICA session with the Virtual Apps server.

Configuration file download duration

This measure is relevant when the Virtual Apps plugin is the application launch mechanism. It measures the time this user’s sessions took to retrieve the configuration file from the XML server.

Seconds

If the Client side session start-up processing duration measure reports a high value for a user, then compare the value of this measure with that of the other client-side metrics such as Application enumeration duration, User credential obtention by client duration, ICA file download duration, Launch page web server duration, Name resolution duration, Name resolution web server duration, Session lookup duration, Session creation at client duration, Ticket response web server duration, Reconnect enumeration duration, and Reconnect enumeration web server duration to know whether/not slowness in retrieving the configuration file from the XML server is the precise reason why it took the user a long time an ICA session with the Virtual Apps server.

User credential obtention by client duration

This measure is relevant when the Virtual Apps plugin is the application launch mechanism. It measures the time required by this user’s sessions to obtain the user credentials.

Seconds

Note that this is only measured when the credentials are entered manually by the user. Because this metric may be artificially inflated if a user fails to provide credentials in a timely manner, it is subtracted from the Start-up client duration.

However, in the event that the user manually inputs the credentials, and the value of this measure is higher than that of all the other client start-up metrics that this test reports, it is a clear indicator that any connection delay that the user may have experienced is owing to slowness in obtaining user credentials.

ICA file download duration

This measure is relevant when the Virtual Apps plugin or Web Interface is the application launch mechanism. This is the time it takes for this user’s client to download the ICA file from the web server.

Seconds

The overall process here is:

  1. The user clicks on application icon.
  1. The user's browser requests the Web Interface launch page.
  2. The Web Interface launch page receives the request and starts to process the launch, communicating with Virtual Apps server and potentially other components such as Secure Ticket Authority (STA).
  3. The Web Interface generates ICA file data.
  4. The Web Interface sends the ICA file data back to the user's browser.
  5. The browser passes ICA file data to the plugin (client).

This measure represents the time it takes for the complete process (step 1 to 6). The measure stops counting time when the client receives the ICA file data.

The Launch page web server duration measure on the other hand, covers the Web server portion of the process (that is, steps 3 and 4).

If the ICA file download duration is high, but the Launch page web server duration is normal, it implies that the server-side processing of the launch was successful, but there were communication issues between the client device and the Web server. Often, this results from network trouble between the two machines, so investigate potential network issues first.

Launch page web server duration

This measure is relevant when the Web Interface is the application launch mechanism. It measures the time needed by this user’s sessions to process the launch page (launch.aspx) on the Web Interface server.

Seconds

If the value of this measure is high, it indicates at a bottleneck on the Web Interface server. Possible causes include:

  • High load on the Web Interface server. Try to identify the cause of the slow down by checking the Internet Information Services (IIS) logs and monitoring tools, Task Manager, Performance Monitor and so on.
  • Web Interface is having issues communicating with the other components, such as the Virtual Apps server. Check to see if the network connection between Web Interface and Virtual Apps is slow or some Virtual Apps servers are down or overloaded. If the Web server seems okay, consider reviewing the Virtual Apps farm for problems.

Name resolution duration

This is the time it takes the XML service to resolve the name of a published application to an IP address.

Seconds

This metric is collected when a client device directly queries the XML Broker to retrieve published application information stored in IMA (for example, when using the Virtual Apps Plugin or a Custom ICA Connection). This measure is only gathered for new sessions since session sharing occurs during startup if a session already exists.

When this metric is high, it indicates the XML Broker is taking a lot of time to resolve the name of a published application to an IP address. Possible causes include a problem on the client, issues with the XML Broker, such as the XML Broker being overloaded, a problem with the network link between the two, or a problem in IMA. Begin by evaluating traffic on the network and the XML Broker.

Name resolution web server duration

This measure is relevant when the Virtual Apps plugin or Web Interface is the application launch mechanism. It is the time it takes the XML service to resolve the name of a published application to a Virtual Apps Server address.

Seconds

When this metric is high, there could be an issue with the Web Interface server or the Virtual Apps plugin site (formerly known as the Neighborhood Agent site), the XML Service, the network link between the two, or a problem in IMA.

Like the Name resolution client duration measure, this metric indicates how long it takes the XML service to resolve the name of a published application to a Virtual Apps IP address. However, this metric is collected when a Web Interface site is performing this process on behalf of a launch request it has received from either the Virtual Apps plugin (previously known as Program Neighborhood Agent) or from a user clicking a Web Interface page icon. This metric applies to all sessions launched through the Web Interface or the Virtual Apps plugin (formerly, the Program Neighborhood Agent).

Session lookup duration

Indicates the time this user’s sessions take to query every ICA session to host the requested published application.

Seconds

The check is performed on the client to determine whether the application launch request can be handled by an existing session. A different method is used depending on whether the session is new or shared.

Session creation at client duration

Indicates the new session creation time, from the moment wfica32.exe is launched to the establishment of the connection.

Seconds

In the event of slowness, if the Client side session start-up processing duration of a user session is found to be higher than the Server side session start-up processing duration, you may want to compare the value of this measure with all other client start-up measures to determine whether/not session creation is the process that is slowing down the application launch.

Ticket response web server duration

This measure is relevant when the Virtual Apps plugin or Web Interface is the application launch mechanism. This is the time this user’s sessions take to get a ticket (if required) from the STA server or XML service.

Seconds

When this metric is high, it can indicate that the Secure Ticket Authority (STA) server or the XML Broker are overloaded.

Reconnect enumeration duration

This measure is relevant when the Virtual Apps plugin is the application launch mechanism. This is the time it takes this user’s client to get a list of reconnections.

Seconds

Compare the value of this measure with that of other client start-up metrics for a user to know what is the actual cause for the client start-up delay.

Reconnect enumeration web server duration

This measure is relevant when the Virtual Apps plugin or Web Interface is the application launch mechanism. This is the time it takes the Web Interface to get the list of reconnections for this user from the XML service.

Seconds

Compare the value of this measure with that of other client start-up metrics for a user to know what is the actual cause for the client start-up delay.

Server side session start-up processing duration

This is the high-level server-side connection start-up metric. It includes the time spent on the Virtual Apps server to perform the entire start-up operation.

Seconds

In the event of an application starting in a shared session, this metric is normally much smaller than when starting a completely new session, which involves potentially high- cost tasks such as profile loading and login script execution.

When this metric is high, it indicates that there is a server-side issue increasing session start times. To zero-in on this issue, compare the values of the server start-up metrics such as Session creation server duration, User credential obtention by server duration, Program neighbourhood credentials obtention server duration, Pass-through credentials duration, Credential authentication duration, Profile load server duration, Session creation processing duration, Endpoint resources mapping duration, Endpoint printers mapping duration.

Session creation server duration

Indicates the time spent by the server in creating the session for this user.

Seconds

This duration starts when the ICA client connection has been opened and ends when authentication begins. This should not be confused with ‘Server side session start-up processing duration.

Note:

When monitoring Citrix Virtual Apps servers below v7.6, this measure may sometimes report abnormally high values. If you want to disregard such values, then do the following:

  • Edit the eg_tests.ini file (in the <EG_INSTALL_DIR>\manager\config directory).
  • Look for the CitrixEuemMaxSCSD parameter in the file.
  • By default, this parameter is set to 600 (seconds). This means that, if the Session creation server duration measure reports a value that is higher than 600 seconds (by default), then eG Enterprise will hide this measure from the UI. You can change the value of the CitrixEuemMaxSCSD parameter to suit your needs.
  • Finally, save the eg_tests.ini file.

When monitoring Citrix Virtual Apps servers above v7.6 however, this test will not report such abnormal values for the Session creation server duration measure. So, the CitrixEuemMaxSCSD parameter is not applicable in this case.

User credential obtention by server duration

Indicates the time taken by the server to obtain the credentials of this user.

Seconds

This time is only likely to be a significant if manual login is being used and the server-side credentials dialog is displayed (or if a legal notice is displayed before login commences). Because this metric may be artificially inflated if a user fails to provide credentials in a timely manner, it is not included in the Server side session start-up processing duration.

However, in the event that the user manually inputs the credentials, and the value of this measure is higher than that of all the other client start-up metrics that this test reports, it is a clear indicator that any connection delay that the user may have experienced is owing to slowness in obtaining user credentials.

 

Pass-through credentials duration

Indicates the time spent by the server performing network operations to obtain credentials for this user.

Seconds

This only applies to a Security Support Provider Interface login (a form of pass-through authentication where the client device is a member of the same domain as the server and Kerberos tickets are passed in place of manually entered credentials).

Program neighbourhood credentials obtention server duration

Indicates the time needed for the server to cause the Program Neighborhood instance running on the client (“Program Neighborhood Classic”) to obtain this user’s credentials.

Seconds

As in the case of the User credential obtention by server duration metric, because this metric may be artificially inflated if a user fails to provide credentials in a timely manner, it is not included in the Server side session start-up processing duration.

Credential authentication duration

Indicates the time spent by the server when authenticating the user’s credentials against the authentication provider, which may be Kerberos, Active Directory or a Security Support Provider Interface (SSPI).

Seconds

Where server-side issues are causing user experience to deteriorate, you can compare the value of this measure with that of all the other server start-up metrics that this test reports – i.e., Session creation server duration, User credential obtention by server duration, Program neighbourhood credentials obtention server duration, Pass-through credentials duration, Profile load server duration, Session creation processing duration, Endpoint resources mapping duration, and Endpoint printers mapping duration – to know what is the root-cause of delays in server start-up.

Profile content processing duration

Indicates the time required by the server to load this user’s profile.

Seconds

If this metric is high, consider your Terminal Services profile configuration. Citrix Consulting has found that when customers have logon times greater than 20 seconds, in most cases, this can be attributed to poor profile and policy design. Roaming profile size and location contribute to slow session starts. When a user logs onto a session where Terminal Services roaming profiles and home folders are enabled, the roaming profile contents and access to that folder are mapped during logon, which takes additional resources. In some cases, this can consume significant amounts of the CPU usage.

Consider using the Terminal Services home folders with redirected personal folders to mitigate this problem. In general, consider using Citrix Profile management to manage user profiles in Citrix environments. This tool also provides logging capabilities to help isolate profile issues.

If you are using Citrix profile management and have slow logon times, check to see if your antivirus software is blocking the Citrix profile management tool.

Session creation processing duration

Indicates the time needed by the server to run this user’s login script(s).

Seconds

If the value of this measure is abnormally high for any user, consider if you can streamline this user or group's login scripts. Also, consider if you can optimize any application compatibility scripts or use environment variables instead.

Endpoint resources mapping duration

Indicates the time needed for the server to map this user’s client drives, devices and ports.

Seconds

Make sure that, when possible, your base policies include settings to disable unused virtual channels, such as audio or COM port mapping, to optimize the ICA protocol and improve overall session performance.

Endpoint printers mapping duration

Indicates the time required for the server to synchronously map this user’s client printers.

Seconds

If the configuration is set such that printer creation is performed asynchronously, no value is recorded for this measure as it is does not impact completion of the session start-up.

On the other hand, if excessive time is spent mapping printers, it is often the result of the printer autocreation policy settings. The number of printers added locally on the users' client devices and your printing configuration can directly affect your session start times. When a session starts, Virtual Apps has to create every locally mapped printer on the client device. Consider reconfiguring your printing policies to reduce the number of printers that get created - especially if users have a lot of local printers.

Has user's session been reconnected?

Indicates whether/not this user session reconnected.

 

The values that this measure can report and their corresponding numeric values are discussed in the table above:

Measure Value Numeric Value
Yes 1
No 0

Note:

By default, this measure reports the Measure Values listed in the table above. In the graph of this measure however, the value of this measure is represented using their numeric equivalents only.

Profile provider

Indicates the provider who handles this user's profile.

 

The values reported by this measure and their corresponding numeric equivalents are described in the table below:

Measure Values Numeric Values
Citrix Profile management 0
Microsoft Roaming profile 1
Others 2

Note:

By default, this measure reports the above-mentioned Measure Values while indicating the provider who handles this user's profile. However, in the graph of this measure, the values will be represented using the corresponding numeric equivalents i.e., 0 to 2.

Profile type

Indicates the type of this user's profile.

 

The values reported by this measure and their corresponding numeric equivalents are described in the table below:

Measure Values Numeric Values
Managed profile 0
Temporary profile 1
Mandatory profile 2
Roaming profile 3
Unknown type 4

Note:

By default, this measure reports the above-mentioned Measure Values while indicating the profile type of this users. However, in the graph of this measure, the values will be represented using the corresponding numeric equivalents i.e., 0 to 4.

Group Policy processing status

Indicates the current status of the Group policy that is applied for this user.

 

The values reported by this measure and their corresponding numeric equivalents are described in the table below:

Measure Values Numeric Values
Success 1
Warning 2
Error 3

Note:

By default, this measure reports the above-mentioned Measure Values while indicating the current status of the Group policy. However, in the graph of this measure, the values will be represented using the corresponding numeric equivalents i.e., 1 to 3.

User account discovery

Indicates the amount of time taken by the LDAP call for this user to connect and bind to Active Directory during the last measurement period.

Secs

Compare the value of this measure across users to know which user’s logon process spent maximum time in retrieving account information.

To know which domain controller and DNS is being used, use the detailed diagnosis of this measure.

LDAP bind time to active directory

Indicates the amount of time taken by the LDAP call for this user to connect and bind to Active Directory during the last measurement period.

Secs

Compare the value of this measure across users to know which user’s logon process spent maximum time in connecting to Active Directory. Besides impacting authentication time, high LDAP bind time may also affect group policy processing.

Domain Controller discovery time

Indicates the time taken to discover the domain controller to be used for processing group policies for this user during the last measurement period.

Secs

Compare the value of this measure across users to know which user’s logon process spent maximum time in domain controller discovery.

Total Group Policy Object file access time

Indicates the amount of time the logon process took to access group policy object files for this user during the last measurement period.

Secs

Compare the value of this measure across users to know which user’s logon process spent maximum time in accessing the group policy object file.

To know which files were accessed and the time taken to access each file, use the detailed diagnosis of this measure. With the help of the detailed diagnostics, you can identify the Group Policy that is associated with the user, accurately isolate the object file that took the longest to access, and thus delayed the logon process.

Total Client-side extensions applied

Indicates the total number of client side extensions used for processing group policies for this user during the last measurement period.

Number

 

Client-side extensions with success state

Indicates the number of client side extensions that were successfully used for processing group policies for this user during the last measurement period.

Number

Use the detailed diagnosis of this measure to know which were the successful client side extensions for a user, and which group policy was processed by each extension.

Client-side extensions with warning state

Indicates the number of warnings received when client side extensions were used for processing group policies for this user during the last measurement period.

Number

Use the detailed diagnosis of this measure to know which were the client side extensions that resulted in the generation of warning events at the time of processing. You will also know which group policies were processed by each extension.

Client-side extensions with error state

Indicates the number of errors registered when client side extensions were used for processing group policies for this user during the last measurement period.

Number

Ideally, the value of this measure should be zero. A sudden/gradual increase in the value of this measure is a cause of concern.

If a non-zero value is reported for this measure, then use the detailed diagnosis of this measure to know which client side extensions resulted in processing errors. You will also know which group policies were processed by each such extension. Moreover, the error code will also be displayed as part of detailed diagnostics, so that you can figure out what type of error occurred when processing the client side extensions.

Total Client-side extension processed time

Indicates the amount of time that client side extensions took for processing group policies for this user during the last measurement period.

Secs

Compare the value of this measure across users to know which user's logon process spent maximum time in client side extension processing.

If this measure reports an unusually high value for any user, then, you may want to check the value of the LDAP bind time to active directory measure for that user to figure out if a delay in connecting to AD is affecting group policy processing. This is because, group policies are built on top of AD, and hence rely on the directory service's infrastructure for their operation. As a consequence, DNS and AD issues may affect Group Policies severely. One could say that if an AD issue does not interfere with authentication, at the very least it will hamper group policy processing.

You can also use the detailed diagnosis of this measure to know which client side extension was used to process which group policy for a particular user. Detailed diagnostics also reveal the processing time for each client side extension. This way, you can quickly identify the client side extension that took too long to be processed and thus delayed the user logon.

Estimated network bandwidth between VM and Domain Controller

Indicates the estimated network bandwidth between the VM and domain controller for this user during the last measurement period.

Kbps

 

Is link between VM and Domain Controller slow?

Indicates whether/not the network connection between the VM and domain controller is currently slow for this user.

 

Several components of Group Policy rely on a fast network connection. If a fast connection is unavailable between a VM and the DOC, group policy processing can be delayed. This is why, if the Group Policy processing duration measure reports an abnormally high value, you may want to check the value of the Is link between VM and domain controller slow? measure to determine whether the network connection between the VM and domain controller is slow.

If the network connection between the VM and domain controller is slow for a user, then this measure will report the value Yes. If it is fast, then this measure will report the value No (connection is fast).

The numeric values that correspond to the above-mentioned measure values are as follows:

Measure Value Numeric Value
Yes 1
No (connection is fast) 2

Note:

  • By default, this test reports the Measure Values listed in the table above to indicate the quality of the network link between the VM and the domain controller. In the graph of this measure however, the same is indicated using the numeric equivalents only.
  • To determine whether the network link is slow or fast, the Group Policy service compares the result of the estimated bandwidth to the slow link threshold (configured by Group Policy). A value below the threshold results in the Group Policy service flagging the network connection as a slow link. This measure reports the status of this flag only. To know the slow link threshold that the Group Policy has configured for this link, use the detailed diagnosis of this measure.

Is the user's profile size large?

Indicates whether the profile size of this user exceeds the default profile quota size of 100MB.

Boolean

If this measure shows 0, it indicates that the current profile size has not exceeded the quota size. The value 1 indicates that the current profile size has exceeded the quota size.

Current profile size

Indicates the current profile size of this user.

MB

 

Number of files in user’s profile

Indicates the number of files available in this user profile.

Number

 

Large files in user’s profile

The number of files in this user profile, which exceed the default file size limit of 100 MB.

Number

The detailed diagnosis of this measure, if enabled, lists all the files that have exceeded the default file size limit of 100 MB.

Group Policy applied on

Indicates whether the group policy for this user is applied during foreground processing or background processing.

 

Foreground and background processing are key concepts in Group Policy. Foreground processing only occurs when the machine starts up or when the user logs on. Some policy areas (also called Client Side Extensions (CSEs)) can only run during foreground processing. Examples of these include Folder Redirection, Software Installation and Group Policy Preferences Drive Mapping. In contrast, background processing is that thing that occurs every 90 or so minutes on Windows workstations, where GP refreshes itself periodically. Background processing happens in the background, while the user is working and they generally never notice it. While background processing does not impact performance, foreground processing can extend start and login times.

The values that this measure can report and their corresponding numeric values are listed in the table below:

Measure Value Numeric Value
Background 1
Foreground 2

Note:

By default, this test reports the Measure Values listed in the table above to indicate when the group policy of a user was applied. In the graph of this measure however, the same is indicated using the numeric equivalents only.

Group Policy processing mode

Indicates whether the group policies of this user are processed in the synchronous or asynchronous mode.

 

Foreground processing can operate under two different modes - synchronously or asynchronously. Asynchronous GP processing does not prevent the user from using their desktop while GP processing completes. For example, when the computer is starting up, GP asynchronous processing starts to occur for the computer, and in the meantime, the user is presented the Windows logon prompt. Likewise, for asynchronous user processing, the user logs on and is presented with their desktop while GP finishes processing. The user is not delayed getting either their logon prompt or their desktop during asynchronous GP processing. When foreground processing is synchronous, the user is not presented with the logon prompt until computer GP processing has completed after a system boot. Likewise the user will not see their desktop at logon until user GP processing completes. This can have the effect of making the user feel like the system is running slow. In short, synchronous processing can impact startup time, where asynchronous does not. Foreground processing will run synchronously for two reasons:

  • The administrator forces synchronous processing through a policy setting. This can be done by enabling the Computer ConfigurationPoliciesAdministrative TemplatesSystemLogonAlways wait for the network at computer startup and logon policy setting. Enabling this setting will make all foreground processing synchronous. This is commonly used for troubleshooting problems with Group Policy processing, but does not always get turned back off again.
  • A particular CSE requires synchronous foreground processing. There are four CSEs provided by Microsoft that currently require synchronous foreground processing: Software Installation, Folder Redirection, Microsoft Disk Quota and GP Preferences Drive Mapping. If any of these are enabled within one or more GPOs, they will trigger the next foreground processing cycle to run synchronously when they are changed.

It is therefore best to avoid synchronous CSEs and to not force synchronous policy. If usage of synchronous CSEs is necessary, minimize changes to these policy settings.

The values that this measure can report and their corresponding numeric values are listed in the table below:

Measure Value Numeric Value
Synchronous 1
Asynchronous 2

Note:

By default, this test reports the Measure Values listed in the table above to indicate when the group policy of a user was applied. In the graph of this measure however, the same is indicated using the numeric equivalents only.