Solved

Login fails every other time

Posted on 2004-09-08
Last Modified: 2010-04-14
This is weird.

I have a W2K AD w/ 2 DC's.  Clients are W2KPro and WXPPro primarily.  Yesterday a strange phenomenon started....

Some clients still log in normally all the time, but others fail every other login attempt,
i.e., first time you try to log in, it works fine, but the next time it just hangs on an hourglass with a blank blue background (not BSOD).  When it fails, you can three-finger it, go to task manager, log out, then try again and it logs right in.  The problem seems to be at certain PC's, and happens regardless of what userid is attempting to authenticate.

Every place we have experienced this, we can go to task manager/log out/log in again, and it works.  The problem has even occurred on one of the DC's!  We can't isolate any part of configuration specific to the failing PC's.

Anybody ever heard of anything like this?  I'm not even sure I believe it, and I'm looking right at it!

Any ideas will be greatly appreciated..

jb
Question by:johndeerb
12 Comments
 
LVL 5

Expert Comment

by:tebacher
ID: 12009883
I have not heard of this problem.  But, according to what you've stated, it sounds to me like some of the users are having the problem because they are authenticating off the DC that has the issue.

One thing I'm confused about is where you actually get to when your login fails?  You say that you can ctrl+alt+del it to log out. Is it just that you are getting to the blue background without explorer starting, or what?

It just seems like it's the 1 DC that had the symptoms is the one causing the issue.

Using roaming or local profiles?
0
 
LVL 4

Author Comment

by:johndeerb
ID: 12010024
It gets so far along the login process.  Task manager shows explorer.exe running, along with a few other processes.  This happens even when only one DC is up and running, so scratch the notion of problems only happening when authenticating against one of the DC's.  Profiles are local.
0
 
LVL 5

Expert Comment

by:tebacher
ID: 12010601
Hmmm...  Ok.  You're right about that.  It's a very odd problem indeed.  I'm sorry, but I've run out of ideas!  Anyone else have any suggestions?
0
 
LVL 6

Expert Comment

by:tanelorn
ID: 12010766
Hi
anything in the event viewer of the pc's?  I'm thinking something like the user's hive not unloading, or failing to load...  not sure though.

have you ever let it finish logging in?(I've seen it take 20 minutes one time I was troubleshooting something)  or will it hang there forever?  also you say you can see the process list... is there anything that is hogging the processor?  or the ram?  or look out of whack?

that's all I got for ya so far...

Tanelorn
0
 
LVL 6

Expert Comment

by:tanelorn
ID: 12010773
Hi,

also... anything in the event viewer of the DC..  if there was an issue with the server,  I'd hope there would be something in there..

T
0
 
LVL 4

Author Comment

by:johndeerb
ID: 12010910
Nothing good in event viewer of the DC, I'm still trying to get a decent event log from a failing client.  As for the processes, nothing hogging CPU/RAM, and all processes are recognized.  I'll update once I have a good log from a failing client.
0
 
LVL 16

Accepted Solution

by:
robrandon earned 2000 total points
ID: 12011574
If you can CTRL-ALT-DELETE when the logon is hanging, can you start Task Manager and see if a particular process is using most of the CPU time?  

What about using a local account to logon to the computer?  Does it still happen every other time?  Wondering if it is just domain accounts.

0
 
LVL 9

Expert Comment

by:jdeclue
ID: 12016457
Sounds like a failed DC. Even if you shut it off, the client will get the name and address from DNS or Wins, and can still have issues. How many Domain Controllers do you have, How many Global Catalogs are there? Go to a DC, and run "DCDIAG" at the command prompt and paste the contents here please. We can try to go down some multiple paths on this one.


J
0
 
LVL 4

Author Comment

by:johndeerb
ID: 12021477
The weird gets weirder...

After Symantec posted their virus definitions last night for yesterday (09/08), I updated a client and started detecting a virus..

w32.spybot.worm was infecting a file called spoolsvc.exe, which I later found was getting called out by the registry from several keys.  The spoolsvc.exe was showing up in the process list in Task Manager while a failing PC was "stuck", but was not (usually) using any CPU.  I had overlooked it, because it looks so much like the legitimate spoolsv.exe.  After more investigation, I began to notice that spoolsvc.exe did in fact use up some CPU sometimes, but usually it did not.  Once this virus was detected, the client started logging on each time, but was still very slow.  A manual extraction of the virus by deleting the keys from the registry and deleting the infected file brought the client back to a seemingly normal state.

WinXP PC's were infected, but had shown no noticeable symptoms, while Win2K PC's that had been turned on the previous day were infected and had the crazy 'every other login' thing going on.  Last night and today, we have repeated the extraction process on several clients, and it seems to be curing all of them.  So, it appears that the problem was no more than a new virus that we didn't have a definition for, right?

Wrong!

That virus was first detected April 16, 2003 and there have been no known updates since July, 2004.  We were current on virus definitions up to the previous Wednesday, September 1, 2004.  So why did we get infected without detecting the virus before we updated definitions?  Could our AV be detecting some other (brand new) virus and just calling it by the wrong name?  Has anyone even ever heard of a virus doing something every other login attempt?

I'm still confused, and certainly not convinced that all is well, but at least for now we are logging on every time and are able to work.  We continue to manually remove the virus from client PC's, and I'll post again after I'm sure whether or not this worm was the whole problem.  
0
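The comment above describes a rogue spoolsvc.exe being overlooked in Task Manager because it looks so much like the legitimate spoolsv.exe. As an added example (not part of the original thread), this sketch flags process names that are a near miss of a known system binary; the allowlist and the sample process list are constructed for illustration, and the threshold of 2 edits is an assumption.

```python
# Known-good Windows image names to compare against (constructed short
# baseline; extend it from a clean reference machine).
KNOWN_GOOD = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe",
}

def edit_distance(a, b):
    """Levenshtein distance between two strings, using a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def find_lookalikes(process_names, known_good=KNOWN_GOOD, max_distance=2):
    """Return (name, closest_known_good, distance) for names that are
    not on the allowlist but sit within max_distance edits of an entry."""
    findings = []
    for name in process_names:
        lowered = name.lower()  # Windows image names are case-insensitive
        if lowered in known_good:
            continue
        closest = min(known_good,
                      key=lambda good: (edit_distance(lowered, good), good))
        distance = edit_distance(lowered, closest)
        if distance <= max_distance:
            findings.append((name, closest, distance))
    return findings

# Constructed process list resembling what Task Manager showed on a
# "stuck" client; only spoolsvc.exe comes from the thread.
SAMPLE_PROCESSES = [
    "System", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe", "spoolsvc.exe",
    "explorer.exe", "taskmgr.exe", "rtvscan.exe",
]

if __name__ == "__main__":
    for name, closest, distance in find_lookalikes(SAMPLE_PROCESSES):
        print(f"{name}: {distance} edit(s) from {closest}")
```

A hit is a triage flag only: confirm it by checking the image path and the registry entries that launch the file, as was done in the comment above.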
 
LVL 16

Expert Comment

by:robrandon
ID: 12026066
Good find.  Good to know.  Are you sure the NAV was doing active scanning?  Or maybe the folder was exempt from the scanning.  
0
 
LVL 4

Author Comment

by:johndeerb
ID: 12027867
Yup, real-time protection was enabled on all clients.  It's the strangest thing I've seen here...
0
 
LVL 4

Author Comment

by:johndeerb
ID: 12179965
I will accept robrandon's answer, since I should have noticed the rogue process in task manager.

Thanks to everyone for trying to help.
0
