A recent experience at a client and a subsequent call from Microsoft PSS highlighted a possible cause for:
“Slow Log off from Windows 7 and Windows Vista of between 5-10 minutes”
Early Active Directory designs often included an empty root domain for a multitude of reasons, primarily to separate Forest and Domain administration (another topic, for another day).
Certain secure Active Directory installations, such as those deployed by banks, military and government institutions, utilise firewalls to segregate and isolate environments. Whilst Domain Controllers can replicate unrestricted between environments, not all Windows clients can communicate with all Domains or Domain Controllers.
One issue that this can cause on Windows Vista and Windows 7 clients is slow log off. This is because, one time and one time only, the Windows client needs to contact the root domain controller to set a registry key detailing the DNS name of the root domain.
To resolve this issue you need to either:
1. Open port 389 between the affected clients and the root domain.
2. Set the registry key manually, via a Group Policy Preference or an ADM Template, or set the key within your deployment image or scripted build.
For newly built machines
Set the DNS name of the forest root domain on
If the machine has contacted the root domain and had the key populated but then was rebuilt – then the settings should be obtained from a client that is functioning correctly, by exporting
Then reimporting them to the rebuilt machine ensuring the root domain is still set correctly.
Reboot and the issue should now be resolved.
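
To confirm from an affected client whether the port 389 path in option 1 is actually open, the following added example (not part of the original post) resolves the root domain name and attempts a connection to each address returned. It assumes TCP, that the root domain's DNS name resolves to its Domain Controllers (the default Netlogon registration), and uses `root.example.com` as a placeholder for your forest root domain.

```powershell
# Added example, not from the original post. 'root.example.com' is a placeholder.
param(
    [string]$RootDomain = 'root.example.com',
    [int]$Port = 389,
    [int]$TimeoutMs = 3000
)

function Test-TcpPort {
    param([System.Net.IPAddress]$Address, [int]$Port, [int]$TimeoutMs)
    # Match the socket family to the address so IPv6 records also work.
    $client = New-Object System.Net.Sockets.TcpClient -ArgumentList $Address.AddressFamily
    try {
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'TIMEOUT'   # no answer at all: typical of a firewall dropping packets
        }
        $client.EndConnect($async)   # throws if the connection did not complete
        return 'OPEN'
    } catch {
        return 'FAILED'        # refused or unreachable
    } finally {
        $client.Close()
    }
}

try {
    # The domain name itself normally resolves to the domain's controllers.
    $addresses = [System.Net.Dns]::GetHostAddresses($RootDomain)
} catch {
    Write-Output "DNS lookup for $RootDomain failed: $($_.Exception.Message)"
    exit 2
}

$open = 0
foreach ($ip in $addresses) {
    $state = Test-TcpPort -Address $ip -Port $Port -TimeoutMs $TimeoutMs
    Write-Output ("{0,-40} port {1}: {2}" -f $ip, $Port, $state)
    if ($state -eq 'OPEN') { $open++ }
}

if ($open -eq 0) {
    Write-Output "No root domain controller reachable on port $Port from this client."
    exit 1
}
Write-Output "$open of $($addresses.Count) addresses reachable on port $Port."
```

A result of `TIMEOUT` on every address is consistent with the firewall segregation described above; it uses only .NET classes available to the PowerShell version shipped with Windows 7.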