Solved

Slow/No Logins after Domain Migration

Posted on 2004-08-05
Last Modified: 2008-01-09
Greetings folks - first, please note: this question has been posted to a newsgroup as well.  Will be happy to award the points here if someone here answers correctly first.

We have an existing SBS 4.5 install (let's call it NYC domain) that I'm trying to migrate to an SBS 2K3 system on a new server (let's call the new one NYCCORP domain).

All 14 clients are running either Windows XP SP1 or Win2K SP4.

As members of the SBS 4.5 (NYC) domain, all users can log in to the clients and quickly reach a desktop with start menu.

(Please note: my efforts below focused on one XP machine in particular, but identical problems (for as long as I allowed the system to keep trying) were seen on the other XP clients).

Upon creating new user accounts in the NYCCORP domain and removing the computers from NYC domain, placing them into NYCCORP, no users (even the domain admins of NYCCORP) are able to fully log in to the XP clients.  Basically, the login window appears, the username and password are entered, a message that settings are being applied comes up.  After a few seconds the only thing on the screen is a mouse pointer and nice desktop wallpaper.  After a few minutes like this, I press CTRL-ALT-DEL.  I am able to bring up task manager and view processes and resource utilization.  Task manager reports System Idle process using ~98/99% of the CPU.  So basically, the CPU isn't pegged.  I review the process list - Explorer is running but set to High priority and using ~6MB of physical memory?  No start menu appears.  Then suddenly, the system process jumps to attention and pegs the CPU for ~2 minutes.  Then stops.  This repeats about 6-9 minutes later.  After 20+ minutes of waiting, I rebooted the client and began putting them back in the NYC (SBS 4.5) domain.  Everything resumes running normally.

On the system focused on, the following were recorded in the userenv.log file during the tries to log in as a user in the NYCCORP domain:

USERENV(1c8.740) 08:22:41:543 GetGPOInfo:  Local GPO's gpt.ini is not accessible, assuming default state.
USERENV(1c8.370) 09:13:08:406 GetGPOInfo:  Local GPO's gpt.ini is not accessible, assuming default state.
USERENV(1c8.ec) 09:26:07:676 GetGPOInfo:  Local GPO's gpt.ini is not accessible, assuming default state.
USERENV(1c8.470) 09:26:10:821 PolicyChangedThread: UpdateUser failed with 1008.
USERENV(1c8.1cc) 09:29:00:377 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(1c8.1cc) 09:29:00:387 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(1c8.1cc) 09:29:00:387 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(1c8.510) 09:29:09:390 GetGPOInfo:  Local GPO's gpt.ini is not accessible, assuming default state.
USERENV(1c8.744) 09:29:29:118 GetGPOInfo:  Local GPO's gpt.ini is not accessible, assuming default state.
USERENV(1c8.754) 09:29:30:520 PolicyChangedThread: UpdateUser failed with 6.
USERENV(1cc.1d0) 09:58:22:256 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(1cc.1d0) 09:58:22:256 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(1cc.1d0) 09:58:22:256 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(1cc.528) 09:58:30:669 GetGPOInfo:  Local GPO's gpt.ini is not accessible, assuming default state.
USERENV(1cc.758) 09:58:45:199 GetGPOInfo:  Local GPO's gpt.ini is not accessible, assuming default state.
USERENV(1c8.1cc) 10:00:33:357 CUserProfile::CleanupUserProfile: Ref Count is not 0

The Windows 2000 machines seem to eventually log in but take ~5 minutes.  Maybe longer.  There are no unusual messages in the event log.  

WHY ARE MY CLIENTS UNABLE TO LOG IN WHEN I JOIN THE EXISTING WORKSTATIONS TO THE NEW DOMAIN?

(sorry - didn't mean to yell, just wanted to emphasize the ultimate problem and what I need working).

Thanks for your time folks
Question by:Lee W, MVP
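
Added example, not part of the original post: a small Python parser for the userenv.log excerpt in the question that splits entries run together on one line, counts entries per function, and names the Win32 error codes behind the two "UpdateUser failed with" entries. The sample lines are copied from that excerpt; the helper names and the pid.tid reading of the prefix are assumptions of this example.

```python
import re
from collections import Counter

# Standard Win32 system error codes for the two values in the excerpt.
WIN32_ERRORS = {6: "ERROR_INVALID_HANDLE", 1008: "ERROR_NO_TOKEN"}

# USERENV(<pid>.<tid>) HH:MM:SS:mmm <function>: <message>  (pid.tid is assumed)
# The lookahead ends a message at the next "USERENV(" so entries written onto
# one line without a newline between them are still split apart.
ENTRY = re.compile(
    r"USERENV\((?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+)\)\s+"
    r"(?P<time>\d\d:\d\d:\d\d:\d{3})\s+"
    r"(?P<func>[\w:]+):\s+(?P<msg>.*?)(?=USERENV\(|$)",
    re.MULTILINE,
)
FAILED = re.compile(r"failed with (\d+)")

# Lines copied from the excerpt in the question (a subset).
SAMPLE = """\
USERENV(1c8.ec) 09:26:07:676 GetGPOInfo:  Local GPO's gpt.ini is not accessible, assuming default state.
USERENV(1c8.470) 09:26:10:821 PolicyChangedThread: UpdateUser failed with 1008.
USERENV(1c8.1cc) 09:29:00:377 CUserProfile::CleanupUserProfile: Ref Count is not 0USERENV(1c8.1cc) 09:29:00:387 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(1c8.1cc) 09:29:00:387 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(1c8.754) 09:29:30:520 PolicyChangedThread: UpdateUser failed with 6.
"""

def parse_userenv(text):
    """Return one dict per log entry, with any 'failed with N' code as an int."""
    entries = []
    for m in ENTRY.finditer(text):
        entry = m.groupdict()
        entry["msg"] = entry["msg"].strip()
        code = FAILED.search(entry["msg"])
        entry["error"] = int(code.group(1)) if code else None
        entries.append(entry)
    return entries

def summarize(entries):
    """Count entries per function and list failures with their Win32 names."""
    by_func = Counter(e["func"] for e in entries)
    failures = [
        (e["time"], e["func"], e["error"], WIN32_ERRORS.get(e["error"], "unknown"))
        for e in entries if e["error"] is not None
    ]
    return by_func, failures

if __name__ == "__main__":
    for part in summarize(parse_userenv(SAMPLE)):
        print(part)
```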

Expert Comment

by:JamieJamison
ID: 11728607
Did you use the SBS Migrate Computer setup feature that exists? On the existing computer, you should be able to open up Internet Explorer and go to http://<sbsservername>/connectcomputer. Only do that after you have created the accounts using the SBS Add User wizard - this allows you to configure a computer name, etc., for the user. When you connect to the web connectcomputer site, it will prompt you for the username and allow you to migrate the profile. It should help address your problem.

I know that wizards are scary - I don't usually use them, either, but on SBS 2k3, it works well and is the safest way to migrate a computer. Obviously, the user that you are logged in as on the existing computer has to be a local admin to make all the changes.

Author Comment

by:Lee W, MVP
ID: 11728736
Thanks for the suggestion - so far no newsgroup suggestions have been offered, so if this should work, the points are yours.

That aside, some comments regarding your suggestion:
All computers were removed from the old domain through the system control panel and then manually configured to join the new domain.  MOST have likewise been moved back to the old domain to allow the users to work again.  But I still have a couple machines I can test with.

Expert Comment

by:oBdA
ID: 11728794
My guess is that the DNS settings on the clients (and maybe on the server itself) are incorrect.
On your DC/DNS, and on all of your domain members, make sure the DC's address *only* is listed in the TCP/IP properties (be that via DHCP or static; do NOT use 127.0.0.1 on the DC/DNS itself!). That makes sure your internal lookups work correctly.
For internet access, delete the root zone (if present; it's the single dot: ".") on your DNS in your forward lookup zones. Then open the properties page of your DNS server and configure forwarders to point to your ISP's DNS. The forwarders section is the *only* entry in your network where non-AD-DNS servers should be listed.

Frequently Asked Questions About Windows 2000 DNS and Windows Server 2003 DNS
http://support.microsoft.com/?kbid=291382

Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003
http://support.microsoft.com/?kbid=825036

How Domain Controllers Are Located in Windows
http://support.microsoft.com/?kbid=247811

How Domain Controllers Are Located in Windows XP
http://support.microsoft.com/?kbid=314861

HOW TO: Configure DNS for Internet Access in Windows Server 2003
http://support.microsoft.com/?kbid=323380

HOW TO: Troubleshoot DNS Name Resolution on the Internet in Windows Server 2003
http://support.microsoft.com/?kbid=816567

Author Comment

by:Lee W, MVP
ID: 12036826
Turns out the problem was that I renamed the default Active Directory groups - not DNS related.  The ones starting with and contained in "MyBusiness".  A call to Microsoft revealed this (though they had no documentation concerning it).  Upon renaming them back, everything worked correctly.

Thanks for the efforts folks, but I'll be requesting this be PAQed.

Of course, please speak up if there are any objections.

Author Comment

by:Lee W, MVP
ID: 12576478
Sure, close it and refund.

I'd also like to point out this:

I recently had another experience virtually identical to this one and I discovered a few things:

userinit.exe never completes - that's probably what holds up the login.  I had disabled offline files using the account in question.  When I reenabled them, things worked as before.  Similarly, in the above question, I had disabled offline files, but doing so through AD GPO seemed to work.  It may have been a coincidence timing thing, but just for people to keep in mind, Offline Files might be a reason for this as well.

Accepted Solution

by:
modulo earned 0 total points
ID: 12612569
PAQed with points refunded (400)

modulo
Community Support Moderator