Slow/No Logins after Domain Migration

Posted on 2004-08-05
Last Modified: 2008-01-09
Greetings folks - first, please note: this question has been posted to a newsgroup as well.  Will be happy to award the points here if someone here answers correctly first.

We have an existing SBS 4.5 install (lets call it NYC domain) that I'm trying to migrate to an SBS 2K3 system on a new server (lets call the new one NYCCORP domain) .

All 14 clients are running either Windows XP SP1 or Win2K SP4.

As members of the SBS 4.5 (NYC) domain, all users can log in to the clients quickly reach a desktop with start menu.

(Please note: my efforts below focused on one XP machine in particular, but identical problems (for as long as I allowed the system to keep trying) were seen on the other XP clients).

Upon creating new user accounts in the NYCCORP domain and removing the computers from NYC domain, placing them into NYCCORP, no users (even the domain admins of NYCCORP) are able to fully log in to the XP clients.  Basically, the login window appears, the username and password is entered, a message that settings are being applied comes up.  After a few seconds the only thing on the screen is a mouse pointer and nice desktop wallpaper.  After a few minutes like this, I press CTRL-ALT-DEL.  I am able to bring up task manager and view processes and resource utilization.  Task manager reports System Idle process using ~98/99% of the CPU.  So basically, the CPU isn't
pegged.  I review the process list - Explorer is running but set to High priority and using ~6MB of physical memory?  No start menu appears.  Then suddenly, the system process jumps to attention and pegs the CPU for ~2 minutes.  Then stops.  This repeats about 6-9 minutes later.  After 20+ minutes of waiting, I rebooted the client and began putting them back in the NYC (SBS 4.5)
domain.  Everything resumes running normally.

On the system focused on, the following were recorded in the userenv.log file during the tries to log in as a user in the NYCCORP domain:

USERENV(1c8.740) 08:22:41:543 GetGPOInfo:  Local GPO's gpt.ini is not accessible, assuming default state.
USERENV(1c8.370) 09:13:08:406 GetGPOInfo:  Local GPO's gpt.ini is not accessible, assuming default state.
USERENV( 09:26:07:676 GetGPOInfo:  Local GPO's gpt.ini is not accessible, assuming default state.
USERENV(1c8.470) 09:26:10:821 PolicyChangedThread: UpdateUser failed with 1008.
USERENV(1c8.1cc) 09:29:00:377 CUserProfile::CleanupUserProfile: Ref Count is not 0USERENV(1c8.1cc) 09:29:00:387 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(1c8.1cc) 09:29:00:387 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(1c8.510) 09:29:09:390 GetGPOInfo:  Local GPO's gpt.ini is not accessible, assuming default state.
USERENV(1c8.744) 09:29:29:118 GetGPOInfo:  Local GPO's gpt.ini is not accessible, assuming default state.
USERENV(1c8.754) 09:29:30:520 PolicyChangedThread: UpdateUser failed with 6.
USERENV(1cc.1d0) 09:58:22:256 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(1cc.1d0) 09:58:22:256 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(1cc.1d0) 09:58:22:256 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(1cc.528) 09:58:30:669 GetGPOInfo:  Local GPO's gpt.ini is not accessible, assuming default state.
USERENV(1cc.758) 09:58:45:199 GetGPOInfo:  Local GPO's gpt.ini is not accessible, assuming default state.
USERENV(1c8.1cc) 10:00:33:357 CUserProfile::CleanupUserProfile: Ref Count is not 0

The Windows 2000 machines seem to eventually log in but take ~5 minutes.  Maybe longer.  There are no unusual messages in the event log.  


(sorry - didn't mean to yell, just wanted to emphasize the ultimate problem and what I need working).

Thanks for your time folks
Question by:Lee W, MVP

Expert Comment

ID: 11728607
Did you use the SBS Migrate Computer setup feature that exists? On the existing computer, you should be able to open up Internet Explore and go to http://<sbsservername>/connectcomputer. Only do that after you have created the accounts using the SBS Add User wizard - this allows you to configure a computer name, etc., for the user. When you connect to the web connectcomputer site, it will prompt you for the username and allow you to migrate the profile. It should help address your problem.

I know that wizards are scary - I don't usually use them, either, but on SBS 2k3, it works well and is the safest way to migrate a computer. Obviously, the user that you are logged in as on the existing computer has to be a local admin to make all the changes.
LVL 95

Author Comment

by:Lee W, MVP
ID: 11728736
Thanks for the suggestion - so far no newsgroup suggestions have been offered, so if this should work, the points are yours.

That aside, some comments regarding your suggestion:
All computers were removed from the old domain through the system control panel and then manually configured to join the new domain.  MOST have likewise been moved back to the old domain to allow the users to work again.  But I still have a couple machines I can test with.
LVL 84

Expert Comment

ID: 11728794
My guess is that the DNS settings on the clients (and maybe on the server itself) are incorrect.
On your DC/DNS, and on all of your domain members, make sure the DC's address *only* is listed in the TCP/IP properties (be that via DHCP or static; do NOT use on the DC/DNS itself!). That makes sure your internal lookups work correctly.
For internet access, delete the root zone (if present; it's the single dot: ".") on your DNS in your forward lookup zones. Then open the properties page of your DNS server and configure forwarders to point to your ISP's DNS. The forwarders section is the *only* entry in your network where non-AD-DNS server should be listed.

Frequently Asked Questions About Windows 2000 DNS and Windows Server 2003 DNS

Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003

How Domain Controllers Are Located in Windows

How Domain Controllers Are Located in Windows XP

HOW TO: Configure DNS for Internet Access in Windows Server 2003

HOW TO: Troubleshoot DNS Name Resolution on the Internet in Windows Server 2003
VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

LVL 95

Author Comment

by:Lee W, MVP
ID: 12036826
Turns out the problem was that I renamed the default Active Directory groups - not DNS related.  The ones starting with and contained in "MyBusiness".  A call to Microsoft revealed this (though they had no documentation concerning it).  Upon renaming them back, everything worked correctly.

Thanks for the efforts folks, but I'll be requesting this be PAQed.

Of course, please speak up if there are any objections.
LVL 95

Author Comment

by:Lee W, MVP
ID: 12576478
Sure, close it and refund.

I'd also like to point out this:

I recently had another experience virtually identical to this one and I discovered a few things:

userinit.exe never completes - that's probably what holds up the login.  I had disabled offline files using the account in question.  When I reenabled them, things worked as before.  Similarly, in the above question, I had disabled offline files, but doing so through AD GPO seemed to work.  It may have been a coincidence timing thing, but just for people to keep in mind, Offline Files might be a reason for this as well.

Accepted Solution

modulo earned 0 total points
ID: 12612569
PAQed with points refunded (400)

Community Support Moderator

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A quick step-by-step overview of installing and configuring Carbonite Server Backup.
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question