Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Windows XP computers incredibly slow to loging; userenv and auto enrollment errors

Posted on 2004-08-04
Last Modified: 2008-01-09
Having some problems with two Windows XP computers on a Windows 2003 SBS domain.  They do not seem to be authenticating with the domain controller properly.  It take about 3 - 5 minutes for them to log in.  Once they do, everything works fine, even software that is hosted on our server.  DNS settings and such are the same as our 2000 boxes which are not having problems.  I tried removing computer account from domain to workgroup, deleteing the computer account from the server, rebooting it, and rejoining the computer account and the problem is persisting.  I turned off auto enrollment and those errors have stopped.  This is the userenv error:

Windows cannot determine the user or computer name. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Question by:Mach70803

Expert Comment

ID: 11716553
Are you using Internet Connection Firewall on XP?  

It sounds like a DNS issue to me... do you have any special GPOs assigned to these XP computers that you can temporarily disable?

Author Comment

ID: 11716570
I would like to add that I cannot view any of the shared items on the network.  Also, the certificate services manager on the server gives the following error when opened:

Cannot manage Certificate Services.

The specified service does not exist as an installed service, 0x424 (WIN32: 1060)

Author Comment

ID: 11716623
Only GPO is one that sets Windows Updates for all computers on the network.  Nothing else.  
NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud


Author Comment

ID: 11716692
Only one firewall which is on cable modem from ISP.  I have the primary DNS set to the modem and the secondary set to the router.


Server IP:
LVL 84

Accepted Solution

oBdA earned 500 total points
ID: 11719565
That's your problem:
Server IP:

On your DC/DNS, and on all of your domain members, make sure the DC's address *only* is listed in the TCP/IP properties (be that via DHCP or static; do NOT use on the DC/DNS itself!). That makes sure your internal lookups work correctly.
For internet access, delete the root zone (if present; it's the single dot: ".") on your DNS in your forward lookup zones. Then open the properties page of your DNS server and configure forwarders to point to your ISP's DNS (or the cable modem/router; whatever gives you the quickest internet addresses). The forwarders section is the *only* entry in your network where non-AD-DNS server should be listed.

Frequently Asked Questions About Windows 2000 DNS and Windows Server 2003 DNS

Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003

How Domain Controllers Are Located in Windows

How Domain Controllers Are Located in Windows XP

HOW TO: Configure DNS for Internet Access in Windows Server 2003

HOW TO: Troubleshoot DNS Name Resolution on the Internet in Windows Server 2003

Expert Comment

ID: 11725405
just put server's IP to be your alternative DNS on XP boxes. that should speed up things

Author Comment

ID: 11725456

I will give your advise a whirl.  I did change the order of the DNS servers and now the computers are logging in fine, but about 50% of website are loading very slowly.  I am going to award you the points, but I might need a bit more assistance.
LVL 84

Expert Comment

ID: 11726008
Don't just only change the order. Follow the described settings in the KB articles. It is imperative that *only* your internal AD DNS server are listed in the TCP/IP properties of your clients. The AD DNS server will then forward requests for internet domains for the clients.
The same is valid for the AD DNS server itself: The *only* DNS server listed in the TCP/IP properties is the own address; no other address!

Author Comment

ID: 11747577
I went ahead and setup DHCP on the DC and configured the forwarders and zones.   The clients are logging in fine now, but they cannot reach any webpags.  If I ping a website (google, yahoo, others) the address is resolved, but times out.  Same with tracert.  Doesn't get past the first hop.  Everything is working fine on the server. I opened up ports 53 and 135 on the cable modem as suggested by Microsoft.

IP's DNS 1
IP's DNS 2
Cable Modem

Any ideas?

Author Comment

ID: 11747595
Nevermind, I figured it out.  I had the scope options router set to the wrong IP address.  Thanks again for all your help!

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Moving SQl Server SBS 2003 to SQL Server 2014 27 137
What is the difference between basic disks? Dynamic Disks? and volumes? 4 107
Backup DHCP Server 8 115
ticket bloat 3 51
by Batuhan Cetin Within the dynamic life of an IT administrator, we hold many information in our minds like user names, passwords, IDs, phone numbers, incomes, service tags, bills and the order from our wives to buy milk when coming back to home.…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

837 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question