The domain controller is probably the bottleneck, every time a new file is opened it will request AD authentication, and with a lot of files and a lot of users or a complicated AD structure I can see the domain controller being easily bogged down.
The "Failed to authenticate" errors sound like maybe the externally authenticated filemaker accounts are above the native filemaker accounts in the authentication order and the AD auth is failing, but the pass-through is hitting a filemaker account and logging them in to that. If that's the case, changing the order of the accounts in the Manage -> Security so that the native filemaker accounts are above the externally authenticated accounts would increase performance. Keep in mind that changing the order could potentially cause users to be logged in with a different privilege set under certain circumstances (user belongs to multiple AD groups etc). Also, it would take quite a while to re-order the accounts in 100+ files.
Thanks, that raises several interesting possibilities. I've already figured that a log of these files, as they are never opened directly by the user, don't need to be externally authenticated at all as the FileMaker credentials from the file that referenced it are all that are needed to open the file.
As far as changing the account order in Manage | Security, that seems problematic and for more reasons than just the sheer number of files. As I understand it, each AD group maps to a specific account in manage security and thus all members of the same group get the same privilege set. I'm not sure that there are any accounts that don't have a corresponding AD group.
That is definitely it. I moved my FMP account to the head of the authentication order for the "Menu" file and the basic set that opens with it and the coffee cups (and delays) all disappeared.
Oh yeah, and now to use an AD account to open the system to see whether there are any delays happening there when files open...
There is a program called FM Robot that might help, I've never used it myself but it exists to try to automate things like this.
Keep in mind that a user account can be assigned to multiple groups in active directory, so the order of your accounts (at least the externally authenticated ones) does matter. For example if a user is assigned to both the Admin and Data Entry AD groups, if the Data Entry account is above the Admin account in Filemaker it will assign that person the Data Entry account's privilege set.
I would recommend trying to put the native filemaker accounts at the top, then externally authenticated accounts below ordered by descending level of access.