Slow/No Logins after Domain Migration

Posted on 2004-08-05
Last Modified: 2008-01-09
Greetings folks - first, please note: this question has been posted to a newsgroup as well.  Will be happy to award the points here if someone here answers correctly first.

We have an existing SBS 4.5 install (lets call it NYC domain) that I'm trying to migrate to an SBS 2K3 system on a new server (lets call the new one NYCCORP domain) .

All 14 clients are running either Windows XP SP1 or Win2K SP4.

As members of the SBS 4.5 (NYC) domain, all users can log in to the clients quickly reach a desktop with start menu.

(Please note: my efforts below focused on one XP machine in particular, but identical problems (for as long as I allowed the system to keep trying) were seen on the other XP clients).

Upon creating new user accounts in the NYCCORP domain and removing the computers from NYC domain, placing them into NYCCORP, no users (even the domain admins of NYCCORP) are able to fully log in to the XP clients.  Basically, the login window appears, the username and password is entered, a message that settings are being applied comes up.  After a few seconds the only thing on the screen is a mouse pointer and nice desktop wallpaper.  After a few minutes like this, I press CTRL-ALT-DEL.  I am able to bring up task manager and view processes and resource utilization.  Task manager reports System Idle process using ~98/99% of the CPU.  So basically, the CPU isn't
pegged.  I review the process list - Explorer is running but set to High priority and using ~6MB of physical memory?  No start menu appears.  Then suddenly, the system process jumps to attention and pegs the CPU for ~2 minutes.  Then stops.  This repeats about 6-9 minutes later.  After 20+ minutes of waiting, I rebooted the client and began putting them back in the NYC (SBS 4.5)
domain.  Everything resumes running normally.

On the system focused on, the following were recorded in the userenv.log file during the tries to log in as a user in the NYCCORP domain:

USERENV(1c8.740) 08:22:41:543 GetGPOInfo:  Local GPO's gpt.ini is not accessible, assuming default state.
USERENV(1c8.370) 09:13:08:406 GetGPOInfo:  Local GPO's gpt.ini is not accessible, assuming default state.
USERENV( 09:26:07:676 GetGPOInfo:  Local GPO's gpt.ini is not accessible, assuming default state.
USERENV(1c8.470) 09:26:10:821 PolicyChangedThread: UpdateUser failed with 1008.
USERENV(1c8.1cc) 09:29:00:377 CUserProfile::CleanupUserProfile: Ref Count is not 0USERENV(1c8.1cc) 09:29:00:387 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(1c8.1cc) 09:29:00:387 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(1c8.510) 09:29:09:390 GetGPOInfo:  Local GPO's gpt.ini is not accessible, assuming default state.
USERENV(1c8.744) 09:29:29:118 GetGPOInfo:  Local GPO's gpt.ini is not accessible, assuming default state.
USERENV(1c8.754) 09:29:30:520 PolicyChangedThread: UpdateUser failed with 6.
USERENV(1cc.1d0) 09:58:22:256 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(1cc.1d0) 09:58:22:256 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(1cc.1d0) 09:58:22:256 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(1cc.528) 09:58:30:669 GetGPOInfo:  Local GPO's gpt.ini is not accessible, assuming default state.
USERENV(1cc.758) 09:58:45:199 GetGPOInfo:  Local GPO's gpt.ini is not accessible, assuming default state.
USERENV(1c8.1cc) 10:00:33:357 CUserProfile::CleanupUserProfile: Ref Count is not 0

The Windows 2000 machines seem to eventually log in but take ~5 minutes.  Maybe longer.  There are no unusual messages in the event log.  


(sorry - didn't mean to yell, just wanted to emphasize the ultimate problem and what I need working).

Thanks for your time folks
Question by:Lee W, MVP

Expert Comment

ID: 11728607
Did you use the SBS Migrate Computer setup feature that exists? On the existing computer, you should be able to open up Internet Explore and go to http://<sbsservername>/connectcomputer. Only do that after you have created the accounts using the SBS Add User wizard - this allows you to configure a computer name, etc., for the user. When you connect to the web connectcomputer site, it will prompt you for the username and allow you to migrate the profile. It should help address your problem.

I know that wizards are scary - I don't usually use them, either, but on SBS 2k3, it works well and is the safest way to migrate a computer. Obviously, the user that you are logged in as on the existing computer has to be a local admin to make all the changes.
LVL 95

Author Comment

by:Lee W, MVP
ID: 11728736
Thanks for the suggestion - so far no newsgroup suggestions have been offered, so if this should work, the points are yours.

That aside, some comments regarding your suggestion:
All computers were removed from the old domain through the system control panel and then manually configured to join the new domain.  MOST have likewise been moved back to the old domain to allow the users to work again.  But I still have a couple machines I can test with.
LVL 83

Expert Comment

ID: 11728794
My guess is that the DNS settings on the clients (and maybe on the server itself) are incorrect.
On your DC/DNS, and on all of your domain members, make sure the DC's address *only* is listed in the TCP/IP properties (be that via DHCP or static; do NOT use on the DC/DNS itself!). That makes sure your internal lookups work correctly.
For internet access, delete the root zone (if present; it's the single dot: ".") on your DNS in your forward lookup zones. Then open the properties page of your DNS server and configure forwarders to point to your ISP's DNS. The forwarders section is the *only* entry in your network where non-AD-DNS server should be listed.

Frequently Asked Questions About Windows 2000 DNS and Windows Server 2003 DNS

Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003

How Domain Controllers Are Located in Windows

How Domain Controllers Are Located in Windows XP

HOW TO: Configure DNS for Internet Access in Windows Server 2003

HOW TO: Troubleshoot DNS Name Resolution on the Internet in Windows Server 2003
NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

LVL 95

Author Comment

by:Lee W, MVP
ID: 12036826
Turns out the problem was that I renamed the default Active Directory groups - not DNS related.  The ones starting with and contained in "MyBusiness".  A call to Microsoft revealed this (though they had no documentation concerning it).  Upon renaming them back, everything worked correctly.

Thanks for the efforts folks, but I'll be requesting this be PAQed.

Of course, please speak up if there are any objections.
LVL 95

Author Comment

by:Lee W, MVP
ID: 12576478
Sure, close it and refund.

I'd also like to point out this:

I recently had another experience virtually identical to this one and I discovered a few things:

userinit.exe never completes - that's probably what holds up the login.  I had disabled offline files using the account in question.  When I reenabled them, things worked as before.  Similarly, in the above question, I had disabled offline files, but doing so through AD GPO seemed to work.  It may have been a coincidence timing thing, but just for people to keep in mind, Offline Files might be a reason for this as well.

Accepted Solution

modulo earned 0 total points
ID: 12612569
PAQed with points refunded (400)

Community Support Moderator

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Domain Share problems 5 49
How to customise Office 2016 font settings with a GPO 3 83
Moving RDP Server to New Server. 3 48
Can’t delete a file 14 143
Preface Having the need * to contact many different companies with different infrastructures * do remote maintenance in their network required us to implement a more flexible routing solution. As RAS, PPTP, L2TP and VPN Client connections are no…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
Video by: Mark
This lesson goes over how to construct ordered and unordered lists and how to create hyperlinks.

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now