Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 153
  • Last Modified:

Login fails every other time

This is weird.

I have a W2K AD w/ 2 DC's.  Clients are W2KPro and WXPPro primarily.  Yesterday a strange phenomenom started....

Some clients still login normally all the time, but others fail every other login attempt-
IE, first time you try to log in, it works fine, but the next time it just hangs on an hourglass with a blank blue background (not BSOD).  When it fails, you can three-finger it, go to task manager, log out, then try again and it logs right in.  The problem seems to be at certain PC's, and happens regardless of what userid is attempting to authenticate.

Every place we have experienced this, we can go to task manager/log out/log in again, and it works.  The problem has even occurred on one of the DC's!  We can't isolate any part of configuration specific to the failing PC's.

Anybody ever heard of anything like this?  I'm not even sure I believe it, and I'm looking right at it!

Any ideas will be greatly appreciated..

jb
0
johndeerb
Asked:
johndeerb
  • 5
  • 2
  • 2
  • +2
1 Solution
 
tebacherCommented:
I have not heard of this problem.  But, acording to what you've stated, it sounds to me like some of the users are having the problem because they are authenticating off the DC that has the issue.

One thing I'm confused about is where you actually get to when your login fails?  You say that you can ctrl+alt+del it to log out. Is it just that you are getting to the blue background without explorer starting, or what?

It just seems like its the 1 DC that had the symptoms is the one causeing the issue.  

Using roaming or local profiles?
0
 
johndeerbAuthor Commented:
It gets so far along the login process.  Task manager shows explorer.exe running, along with a few other processes.  This happens even when only one DC is up and running, so scratch the notion of problems only happening when authenticating against one of the DC's.  Profiles are local.
0
 
tebacherCommented:
Hmmm...  Ok.  Your right about that.  It's a very odd problem indeed.  I'm sorry, but I've run out of ideas!  Anyone else have any suggestions?
0
Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

 
tanelornCommented:
Hi
anything in the event viewer of the pc's?  I'm thinking something like the user's hive not unloading, or failing to load...  not sure though.

have you ever let it finish logging in?(I've seen it take 20 minutes one time I was troubleshooting something)  or will it hang there forever?  also you say you can see the process list... is there anything that is hogging the processor?  or the ram?  or look out of whack?

that's all I got for ya so far...

Tanelorn
0
 
tanelornCommented:
Hi,

also... anything in the event viewer of the DC..  if there was an issue with the server,  I'd hope there would be something in there..

T
0
 
johndeerbAuthor Commented:
Nothing good in event viewer of the DC, I'm still trying to get a decent event log from a failing client.  As for the processes, nothing hogging CPU/RAM, and all processes are recognized.  I'll update once I have a good log from a failing client.
0
 
robrandonCommented:
If you can CTRL-ALT-DELETE when the logon is hanging, can you start Task Manager and see if a particular process is using most of the CPU time?  

What about using a local account to logon to the computer?  Does it still happen every other time?  Wondering if it is just domain accounts.

0
 
jdeclueCommented:
Sounds like a failed DC. Even if you shut it off, the client will get the name and address from DNS or Wins, and can still have issues. How many Domain Controllers do you have, How many Global Catalogs are there? Go to a DC, and run "DCDIAG" at the command prompt and paste the contents here please. We can try to go down some multiple paths on this one.


J
0
 
johndeerbAuthor Commented:
The weird gets weirder...

After Symantec posted their virus definitions last night for yesterday (09/08), I updated a client and started detecting a virus..

w32.spybot.worm was infecting a file called spoolsvc.exe, which I later found was getting called out by the registry from several keys.  The spoolsvc.exe was showing up in the process list in Task Manager while a failing PC was "stuck", but was not (usually) using any CPU.  I had overlooked it, because it looks so much like the legitimate spoolsv.exe.  After more investigation, I began to notice that spoolsvc.exe did in fact use up some CPU sometimes, but usually it did not.  Once this virus was detected, the client started logging on each time, but was still very slow.  A manual extraction of the virus by deleting the keys from the registry and deleting the infected file brought the client back to a seemingly normal state.

WinXP PC's were infected, but had shown no noticable symptoms, while Win2K PC's that had been turned on the previous day were infected and had the crazy 'every other login' thing going on.  Last night and today, we have repeated the extraction process on several clients, and it seems to be curing all of them.  So, it appears that the problem was no more than a new virus that we didn't have a definition for, right?

Wrong!

That virus was first detected April 16, 2003 and there have been no know updates since July, 2004.  We were current on virus definitions up to the previous Wednesday, September 1, 2004.  So why did we get infected without detecting the virus before we updated defintions?  Could our AV be detecting some other (brand new) virus and just calling it by the wrong name?  Has anyone even ever heard of a virus doing something every other login attempt?

I'm still confused, and certainly not convinced that all is well, but at least for now we are logging on every time and are able to work.  We continue to manually remove the virus from client PC's, and I'll post again after I'm sure whether or not this worm was the whole problem.  
0
 
robrandonCommented:
Good find.  Good to know.  Are you sure the NAV was doing active scanning?  Or maybe the folder was exempt from the scanning.  
0
 
johndeerbAuthor Commented:
Yup, real-time protection was enabled on all clients.  It's the strangest thing I've seen here...
0
 
johndeerbAuthor Commented:
I will accept robrandon's answer, since I should have noticed the rogue process in task manager.

Thanks to everyone for trying to help.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 5
  • 2
  • 2
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now