Solved

Slow login

Posted on 2003-12-07
6
546 Views
Last Modified: 2007-12-19
Hi everyone. I have this small problem during LOGIN.
Windows 2000 Server with Service Pack 4 as Domain Controller
Windows 2000 Professional with Service Pack 4

During the GUI startup process, after 'Applying Computer Settings', there is a delay at either at 'Seeting up Network Connections' or at 'Applying Security Settings'. This delay takes approximately 20 seconds before the CTRL-ALT-DEL login screen appear.
This delay has never occured before as the CTRL-ALT-DEL login screen will immediately appear. The delay happens after I update my server to SP4.
Please don't tell me to restore back to SP3.
0
Comment
Question by:shaharidzal
  • 2
6 Comments
 
LVL 41

Expert Comment

by:stevenlewis
ID: 9893822
Roaming profiles?
exclude items from the roaming profile

----------------

y default, the History, Local Settings, Temp, and Temporary Internet Files folders are excluded from a user's profile. This means that these folders are not stored on the network and do not follow the user from PC to PC.

You can exclude addition folders by ADDing the Default Domain Policy to the MMC and setting Exclude

directories in roaming profile, by navigating through User Configuration\Administrative

Templates\System\Logon/Logoff.

There is no way to use this policy to include the folders that are excluded by default.

The results of the GPO are stored in the registry at:

HKEY_CURRENT_UsER\Software\Policies\Microsoft\Windows\System\ExcludeProfileDirs. The

ExcludeProfileDirs value name is a REG_SZ data type, that stores the additional excluded folders in

Folder-name[;Folder-name...] format.

If you subsequently disable the policy, or set it to Not configured, Group Policy deletes the ExcludeProfileDirs

value name.

NOTE: If you add ExcludeProfileDirs, you must also add it at:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy

Objects\LocalUser\Software\Policies\Microsoft\Windows\System

---------------------

excluding folders from roaming profiles.

In Windows 2000, the default value of ExcludeProfileDirs at

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon is Local

Settings;Temporary Internet Files;History;Temp;Local Settings\Application Data\Microsoft\Outlook.

The Exclude directories in roaming profile Group Policy at User Configuration\Administrative

Templates\System\Logon/Logoff lets you add to the list of folders which are excluded from your roaming profile.

The additional folders that you configure are stored in the ExcludeProfileDirs value name, as a string variable

(REG_SZ), at HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System.

NOTE: You could reduce the number of Days to keep pages in history on the General tab of Internet Options,

and check the Empty temporary Internet Files when browser is closed box on the Advanced tab.

3712 » Excluded profile folders are being uploaded to your Windows 2000 profile?

Even though you have excluded some directories from your profile (tips 3868 and 3543), these excluded folders are

uploaded to your profile when you log off?

When Windows 2000 retrieves the ExcludeProfileDirs value, it writes the data to Ntuser.ini. If the data exceeds 260

characters, a buffer overflow occurs and the entire string is considered to be NULL.

To resolve the issue, limit the total length of the exclusion list to 260 characters.

--------------------------------

http://www.jsiinc.com/subg/tip3400/rh3496.htm

496 » You MUST disable the cache option for Offline Files on a roaming profile share?

If you do not disable the cache option for Offline Files on a user profile share, the profile will become unstable, as

both the Offline Files and roaming profile attempt to synchronize the files in the profile.

The cache option is SMB share based. If you enable the cache option on a share, and roaming profiles are below that

share, Offline Files caches files in the profile.

NOTE: Whenever possible, store roaming profiles and offline-enabled shares on different servers.

To resolve the problem:

Create a separate share for user profiles and disable the cache option on the new share by opening a CMD prompt and

typing:

net share \\Server\Sharename /cache:no

You can use Windows Explorer to disable the cache by right-clicking the shared folder and press Properties. On the

Sharing tab, press the Caching button and clear the Allow caching of files in this folder box


0
 
LVL 4

Author Comment

by:shaharidzal
ID: 9925449
Wow, that is a very conprehensive help you give stevenlewis. Thanks...
Anyway, I don't use Roaming Profiles for all of my users (2000 of them).
GPO is applied and LOGIN scripts are witten just to map network drive. Everyone is using the LOGIN script globally from the DC server. Even with a freshly installed PC, the delay is still there. My network administrator says that it might be due to the NIC drivers. How can I rectify that. I am not a DC or server administrator but a workstation and helpdesk administrator.
0
 
LVL 41

Accepted Solution

by:
stevenlewis earned 350 total points
ID: 9925607
Well the first thing would be to install updated drivers on one or two of the machines to check and see if it speeds up logon
I assume you are using dhcp for all your tcp settings?
try on one or two setting static ip's to see if the delay is with the dhcp server
the other thing I can think of is they are checking for scheduled tasks when they map

http://cyberwizardpit.net/article2.htm
Here's a great tip to speed up your browsing of Windows 2000 & XP machines. Its actually a fix to a bug that by default of a normal Windows 2000 setup that scans shared files for Scheduled Tasks. And its turns out that you can experience a delay as long as 30 seconds when you try to view shared files across a network as Windows 2000 is using the extra time to search the Remote Computer for any Scheduled Tasks. Note that though the fix is originally intended for only those affected, Windows 2000 & XP users will experience that actual browsing speed of both the Internet & Windows Explorers improving significantly after applying it since it doesnt search for Scheduled Tasks anymore. Here's how :

Open up the Registry and go to :

HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/Current Version/Explorer/RemoteComputer/NameSpace

Under that branch, select the key :

{D6277990-4C6A-11CF-8D87-00AA0060F5BF}

Right click it and select "Delete".







This is key that instructs Windows to search for Scheduled Tasks. If you like you may want to export the exact branch so that you can restore the key if necessary. This fix is so effective that it doesn't require a reboot and you can almost immediately determine yourself how much it speeds up your browsing processes.

Important

Note : This branch also exists in both Win98 & ME and Ive got so many mails asking me whether it's safe to apply the fix on it. However, I would like to warn users that the fix is intended only for Windows 2000 and XP. If you decide to try it for your Win98/ME system, pls make sure that you back up or export the exact branch so that you can restore the key if something should go wrong. Currently there are more than 20 users that have tried the fix in Win98/ME. Out of this 20, there are 4 users who reported that problems arises after removing the branch while the balance 16 reported great success.




don't know if this would apply, but it's possible after applying sp4
After installing Service Pack 1 on several of my Windows XP workstations, I noticed a dramatic reduction in network performance when communicating with my Windows 2000 servers. Although everything worked fine with small files, when I tried to access, create, or modify a file over 70 KB, I would get a file creation error, a delayed write failure, or some other odd error. After a little digging, I discovered that my Windows 2000 servers were holding the files open even after I had closed them, thus making it impossible to modify the file. Unfortunately, these file lock problems often occurred while the file was open, resulting in a corrupt file.

I first suspected faulty hardware—a bad network cable or hard disk ribbon. Yet after months of experimenting, I determined that my hardware was working perfectly. Since I have almost 20 computers and only PCs running Windows XP with SP1 were experiencing these communication errors, I decided that SP1 must be the culprit. I began researching the problem and after months of searching I found three potential solutions.



Word of warning

The following article suggests ways to edit your system registry. Using the Windows Registry Editor incorrectly can cause serious problems that could require you to reinstall your operating system and you could possibly lose data. TechRepublic does not and will not support problems that arise from your editing the registry. Use the Registry Editor and the following directions at your own risk.





XP has trouble writing to 2000 domain controllers

Unfortunately Microsoft's support Web site doesn’t list Windows XP SP1 problems in a single location so I dug through its knowledge base until I found article 321169, "Slow SMB Performance When You Copy Files from Windows XP to a Windows 2000 Domain Controller."





According to the article, Windows sometimes has problems writing to domain controllers, but should have no trouble reading from domain controllers. Alas, I was having trouble reading and writing to Windows 2000. Sometimes it would take a full 60 seconds for Windows XP to open a 50-KB file that was stored on a Windows 2000 domain controller. Other times though, the same file would open instantly. Although this knowledge base article didn't address my exact problem, I decided to follow the instructions and see what happened.

The article suggests that the slow performance results from a delayed TCP/IP acknowledgement occurring in an SMB: C NT Transact-Notify Change packet. To put it simply, Windows 2000 uses what are known as SMB security signatures. If security signatures are enabled, the redirector is forced to wait until the current SMB command has completed before processing the next one. This means waiting for an SMB acknowledgement from the server. The easiest way to implement a workaround to the problem is simply to disable SMB security signatures on the domain controller by editing the registry.

To do this, open the Registry Editor and navigate to HKEY_LOCAL_MACHINE\System\

CurrentControlSet\Services\LanmanServer\Parameters. Double click on the RequireSecuritySignature value and enter 0 in the Value Data dialog box. Next, double-click on the EnableSecuritySignature value and enter 0 in the Value Data dialog box. However, this registry modification didn’t correct my particular problem.

Possible task scheduling bug

I decided to turn my attention to the Web and see if anyone else was having the same problem. A quick search revealed dozens of Web pages where people discussed similar problems. One of the suggested fixes involved a bug that exists in both Windows XP and in Windows 2000. The bug causes Windows to check for any scheduled tasks that might exist on a remote machine before displaying the browse contents.

This particular bug is also controlled by the registry. To solve the problem, just remove the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\

Explorer\RemoteComputer\NameSpace\{D6277990-4C6A-11CF-8D87-00AA0060F5BF}. This registry fix did speed things up somewhat for me, but didn’t completely correct the problem.

A solution at long last: SMB signing incompatibility

Finally, after another month of digging, I discovered MSKB article 331519, "Network File Errors Occur After You Install Windows XP SP1," in which Microsoft acknowledges the problem. According to Microsoft, the problem is related to an incompatibility in SMB signing between Windows 2000 and Windows XP SP1. It appears several group policy settings are to blame.

To fix the problem, go to a domain controller and open the Active Directory Users And Computers console. Then, right-click on the Domain Controller organizational unit (OU) and select the Properties command from the shortcut menu. Doing so will display the Domain Controllers Properties sheet. Select the Group Policy tab. Select the Default Domain Controller Policy (or what ever group policy applies to the domain) and click the Edit button. Navigate through the policy to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options. Then, locate the following four policy settings and change them to Disabled:

Digitally Sign Client Communications (Always)

Digitally Sign Client Communication (When Possible)

Digitally Sign Server Communication (Always)

Digitally Sign Server Communication (When Possible)



Close the Group Policy Editor, click OK, and close Active Directory Users And Computers. After you apply the settings, wait for the next replication cycle to complete and the settings should take effect. Once the settings took effect on my system the communication problems disappeared. Rumor has it that Microsoft intends to correct this issue in the next Windows XP Service pack.






0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

A brief overview to explain gateways, default gateways and static routes OR NO - you CANNOT have two default gateways on the same server, PC or other Windows-based network device. In simple terms a gateway is formed when a computer such as a serv…
I'm a big fan of Windows' offline folder caching and have used it on my laptops for over a decade.  One thing I don't like about it, however, is how difficult Microsoft has made it for the cache to be moved out of the Windows folder.  Here's how to …
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now