Solved

Login fails every other time

Posted on 2004-09-08
Last Modified: 2010-04-14
This is weird.

I have a W2K AD w/ 2 DC's.  Clients are W2KPro and WXPPro primarily.  Yesterday a strange phenomenon started....

Some clients still log in normally all the time, but others fail every other login attempt,
i.e., first time you try to log in, it works fine, but the next time it just hangs on an hourglass with a blank blue background (not BSOD).  When it fails, you can three-finger it, go to task manager, log out, then try again and it logs right in.  The problem seems to be at certain PC's, and happens regardless of what userid is attempting to authenticate.

Every place we have experienced this, we can go to task manager/log out/log in again, and it works.  The problem has even occurred on one of the DC's!  We can't isolate any part of configuration specific to the failing PC's.

Anybody ever heard of anything like this?  I'm not even sure I believe it, and I'm looking right at it!

Any ideas will be greatly appreciated..

jb
Question by:johndeerb
12 Comments
 
LVL 5

Expert Comment

by:tebacher
ID: 12009883
I have not heard of this problem.  But, according to what you've stated, it sounds to me like some of the users are having the problem because they are authenticating off the DC that has the issue.

One thing I'm confused about is where you actually get to when your login fails?  You say that you can ctrl+alt+del it to log out. Is it just that you are getting to the blue background without explorer starting, or what?

It just seems like it's the 1 DC that had the symptoms is the one causing the issue.  

Using roaming or local profiles?
0
 
LVL 4

Author Comment

by:johndeerb
ID: 12010024
It gets so far along the login process.  Task manager shows explorer.exe running, along with a few other processes.  This happens even when only one DC is up and running, so scratch the notion of problems only happening when authenticating against one of the DC's.  Profiles are local.
0
 
LVL 5

Expert Comment

by:tebacher
ID: 12010601
Hmmm...  Ok.  You're right about that.  It's a very odd problem indeed.  I'm sorry, but I've run out of ideas!  Anyone else have any suggestions?
0
 
LVL 6

Expert Comment

by:tanelorn
ID: 12010766
Hi
anything in the event viewer of the pc's?  I'm thinking something like the user's hive not unloading, or failing to load...  not sure though.

have you ever let it finish logging in?(I've seen it take 20 minutes one time I was troubleshooting something)  or will it hang there forever?  also you say you can see the process list... is there anything that is hogging the processor?  or the ram?  or look out of whack?

that's all I got for ya so far...

Tanelorn
0
 
LVL 6

Expert Comment

by:tanelorn
ID: 12010773
Hi,

also... anything in the event viewer of the DC..  if there was an issue with the server,  I'd hope there would be something in there..

T
0
 
LVL 4

Author Comment

by:johndeerb
ID: 12010910
Nothing good in event viewer of the DC, I'm still trying to get a decent event log from a failing client.  As for the processes, nothing hogging CPU/RAM, and all processes are recognized.  I'll update once I have a good log from a failing client.
0
 
LVL 16

Accepted Solution

by:robrandon earned 500 total points
ID: 12011574
If you can CTRL-ALT-DELETE when the logon is hanging, can you start Task Manager and see if a particular process is using most of the CPU time?  

What about using a local account to logon to the computer?  Does it still happen every other time?  Wondering if it is just domain accounts.

0
 
LVL 9

Expert Comment

by:jdeclue
ID: 12016457
Sounds like a failed DC. Even if you shut it off, the client will get the name and address from DNS or WINS, and can still have issues. How many Domain Controllers do you have? How many Global Catalogs are there? Go to a DC, and run "DCDIAG" at the command prompt and paste the contents here please. We can try to go down some multiple paths on this one.


J
0
 
LVL 4

Author Comment

by:johndeerb
ID: 12021477
The weird gets weirder...

After Symantec posted their virus definitions last night for yesterday (09/08), I updated a client and started detecting a virus..

w32.spybot.worm was infecting a file called spoolsvc.exe, which I later found was getting called out by the registry from several keys.  The spoolsvc.exe was showing up in the process list in Task Manager while a failing PC was "stuck", but was not (usually) using any CPU.  I had overlooked it, because it looks so much like the legitimate spoolsv.exe.  After more investigation, I began to notice that spoolsvc.exe did in fact use up some CPU sometimes, but usually it did not.  Once this virus was detected, the client started logging on each time, but was still very slow.  A manual extraction of the virus by deleting the keys from the registry and deleting the infected file brought the client back to a seemingly normal state.

WinXP PC's were infected, but had shown no noticeable symptoms, while Win2K PC's that had been turned on the previous day were infected and had the crazy 'every other login' thing going on.  Last night and today, we have repeated the extraction process on several clients, and it seems to be curing all of them.  So, it appears that the problem was no more than a new virus that we didn't have a definition for, right?

Wrong!

That virus was first detected April 16, 2003 and there have been no known updates since July, 2004.  We were current on virus definitions up to the previous Wednesday, September 1, 2004.  So why did we get infected without detecting the virus before we updated definitions?  Could our AV be detecting some other (brand new) virus and just calling it by the wrong name?  Has anyone even ever heard of a virus doing something every other login attempt?

I'm still confused, and certainly not convinced that all is well, but at least for now we are logging on every time and are able to work.  We continue to manually remove the virus from client PC's, and I'll post again after I'm sure whether or not this worm was the whole problem.  
0
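The comment above describes a rogue spoolsvc.exe that was overlooked in Task Manager because it resembles the legitimate spoolsv.exe, and that was launched from registry keys. As an added example (not part of the original thread), this Python sketch flags image names within a small edit distance of a known system binary, in both a process list and autostart command lines. The list of system names, the distance threshold of 2, and all sample paths and registry value names are assumptions constructed for illustration; the thread does not say which keys were involved.

```python
import ntpath

# Real Windows system image names that malware commonly imitates.
SYSTEM_BINARIES = {"spoolsv.exe", "svchost.exe", "lsass.exe", "services.exe",
                   "winlogon.exe", "csrss.exe", "smss.exe", "explorer.exe"}

def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(image_name, max_distance=2):
    """Return the system binary that image_name imitates, else None."""
    name = image_name.lower()
    if name in SYSTEM_BINARIES:
        return None  # exact name; this says nothing about its path or signature
    closest = min(SYSTEM_BINARIES, key=lambda s: (edit_distance(name, s), s))
    return closest if edit_distance(name, closest) <= max_distance else None

def image_from_command(command):
    """Pull the executable's file name out of an autostart command line."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]   # quoted path, may contain spaces
    else:
        path = command.split(" ", 1)[0]       # unquoted: up to the first space
    return ntpath.basename(path)

def scan(process_names, autostart_values):
    """Return sorted (source, image, imitated_binary) findings."""
    findings = set()
    for name in process_names:
        if lookalike_of(name):
            findings.add(("process", name, lookalike_of(name)))
    for value_name, command in autostart_values.items():
        image = image_from_command(command)
        if lookalike_of(image):
            findings.add(("autostart:" + value_name, image, lookalike_of(image)))
    return sorted(findings)

# Constructed sample data: a Task Manager image list and autostart registry values.
SAMPLE_PROCESSES = ["System", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                    "lsass.exe", "svchost.exe", "spoolsv.exe", "spoolsvc.exe",
                    "explorer.exe", "taskmgr.exe"]
SAMPLE_AUTOSTART = {"PrintSpoolHelper": r"C:\WINNT\system32\spoolsvc.exe",
                    "ExampleAV": r'"C:\Program Files\ExampleAV\avtray.exe" /startup'}
```

On the sample data, `scan(SAMPLE_PROCESSES, SAMPLE_AUTOSTART)` reports spoolsvc.exe twice, once as a running process and once as an autostart entry, while the genuine spoolsv.exe passes.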
 
LVL 16

Expert Comment

by:robrandon
ID: 12026066
Good find.  Good to know.  Are you sure the NAV was doing active scanning?  Or maybe the folder was exempt from the scanning.  
0
 
LVL 4

Author Comment

by:johndeerb
ID: 12027867
Yup, real-time protection was enabled on all clients.  It's the strangest thing I've seen here...
0
 
LVL 4

Author Comment

by:johndeerb
ID: 12179965
I will accept robrandon's answer, since I should have noticed the rogue process in task manager.

Thanks to everyone for trying to help.
0

Question has a verified solution.
