Solved

Login fails every other time

Posted on 2004-09-08
Last Modified: 2010-04-14
This is weird.

I have a W2K AD w/ 2 DC's.  Clients are W2KPro and WXPPro primarily.  Yesterday a strange phenomenon started....

Some clients still login normally all the time, but others fail every other login attempt-
IE, first time you try to log in, it works fine, but the next time it just hangs on an hourglass with a blank blue background (not BSOD).  When it fails, you can three-finger it, go to task manager, log out, then try again and it logs right in.  The problem seems to be at certain PC's, and happens regardless of what userid is attempting to authenticate.

Every place we have experienced this, we can go to task manager/log out/log in again, and it works.  The problem has even occurred on one of the DC's!  We can't isolate any part of configuration specific to the failing PC's.

Anybody ever heard of anything like this?  I'm not even sure I believe it, and I'm looking right at it!

Any ideas will be greatly appreciated..

jb
Question by:johndeerb
12 Comments
 
LVL 5

Expert Comment

by:tebacher
ID: 12009883
I have not heard of this problem.  But, according to what you've stated, it sounds to me like some of the users are having the problem because they are authenticating off the DC that has the issue.

One thing I'm confused about is where you actually get to when your login fails?  You say that you can ctrl+alt+del it to log out. Is it just that you are getting to the blue background without explorer starting, or what?

It just seems like it's the 1 DC that had the symptoms that is the one causing the issue.

Using roaming or local profiles?
0
 
LVL 4

Author Comment

by:johndeerb
ID: 12010024
It gets so far along the login process.  Task manager shows explorer.exe running, along with a few other processes.  This happens even when only one DC is up and running, so scratch the notion of problems only happening when authenticating against one of the DC's.  Profiles are local.
0
 
LVL 5

Expert Comment

by:tebacher
ID: 12010601
Hmmm...  Ok.  You're right about that.  It's a very odd problem indeed.  I'm sorry, but I've run out of ideas!  Anyone else have any suggestions?
0
 
LVL 6

Expert Comment

by:tanelorn
ID: 12010766
Hi
anything in the event viewer of the pc's?  I'm thinking something like the user's hive not unloading, or failing to load...  not sure though.

have you ever let it finish logging in?(I've seen it take 20 minutes one time I was troubleshooting something)  or will it hang there forever?  also you say you can see the process list... is there anything that is hogging the processor?  or the ram?  or look out of whack?

that's all I got for ya so far...

Tanelorn
0
 
LVL 6

Expert Comment

by:tanelorn
ID: 12010773
Hi,

also... anything in the event viewer of the DC..  if there was an issue with the server,  I'd hope there would be something in there..

T
0
 
LVL 4

Author Comment

by:johndeerb
ID: 12010910
Nothing good in event viewer of the DC, I'm still trying to get a decent event log from a failing client.  As for the processes, nothing hogging CPU/RAM, and all processes are recognized.  I'll update once I have a good log from a failing client.
0
 
LVL 16

Accepted Solution

by:
robrandon earned 500 total points
ID: 12011574
If you can CTRL-ALT-DELETE when the logon is hanging, can you start Task Manager and see if a particular process is using most of the CPU time?  

What about using a local account to logon to the computer?  Does it still happen every other time?  Wondering if it is just domain accounts.

0
 
LVL 9

Expert Comment

by:jdeclue
ID: 12016457
Sounds like a failed DC. Even if you shut it off, the client will get the name and address from DNS or Wins, and can still have issues. How many Domain Controllers do you have, How many Global Catalogs are there? Go to a DC, and run "DCDIAG" at the command prompt and paste the contents here please. We can try to go down some multiple paths on this one.


J
0
 
LVL 4

Author Comment

by:johndeerb
ID: 12021477
The weird gets weirder...

After Symantec posted their virus definitions last night for yesterday (09/08), I updated a client and started detecting a virus..

w32.spybot.worm was infecting a file called spoolsvc.exe, which I later found was getting called out by the registry from several keys.  The spoolsvc.exe was showing up in the process list in Task Manager while a failing PC was "stuck", but was not (usually) using any CPU.  I had overlooked it, because it looks so much like the legitimate spoolsv.exe.  After more investigation, I began to notice that spoolsvc.exe did in fact use up some CPU sometimes, but usually it did not.  Once this virus was detected, the client started logging on each time, but was still very slow.  A manual extraction of the virus by deleting the keys from the registry and deleting the infected file brought the client back to a seemingly normal state.

WinXP PC's were infected, but had shown no noticeable symptoms, while Win2K PC's that had been turned on the previous day were infected and had the crazy 'every other login' thing going on.  Last night and today, we have repeated the extraction process on several clients, and it seems to be curing all of them.  So, it appears that the problem was no more than a new virus that we didn't have a definition for, right?

Wrong!

That virus was first detected April 16, 2003 and there have been no known updates since July, 2004.  We were current on virus definitions up to the previous Wednesday, September 1, 2004.  So why did we get infected without detecting the virus before we updated definitions?  Could our AV be detecting some other (brand new) virus and just calling it by the wrong name?  Has anyone even ever heard of a virus doing something every other login attempt?

I'm still confused, and certainly not convinced that all is well, but at least for now we are logging on every time and are able to work.  We continue to manually remove the virus from client PC's, and I'll post again after I'm sure whether or not this worm was the whole problem.  
0
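The rogue spoolsvc.exe in the post above went unnoticed in Task Manager because its name is one character away from the legitimate spoolsv.exe. As an added example (not from the thread), this Python script flags such near-miss names in a process list by edit distance; the list of system binary names and the sample process snapshot are constructed for illustration.

```python
# Added example: flag process names that imitate Windows system binaries.
# The name list and the sample snapshot are constructed for illustration.

KNOWN_SYSTEM_BINARIES = {
    "spoolsv.exe", "svchost.exe", "lsass.exe", "services.exe",
    "winlogon.exe", "csrss.exe", "smss.exe", "explorer.exe",
}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]

def find_lookalikes(process_names, max_distance=2):
    """Return sorted (suspect, imitated_name, distance) for near-miss names."""
    hits = []
    for name in process_names:
        lowered = name.lower()
        if lowered in KNOWN_SYSTEM_BINARIES:
            continue  # exact name match; its file path still needs a separate check
        for legit in KNOWN_SYSTEM_BINARIES:
            d = edit_distance(lowered, legit)
            if 0 < d <= max_distance:
                hits.append((name, legit, d))
    return sorted(hits)

# Constructed snapshot of image names, as Task Manager would list them.
SAMPLE_PROCESSES = [
    "System", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe", "spoolsvc.exe",
    "explorer.exe", "taskmgr.exe",
]

if __name__ == "__main__":
    for suspect, legit, d in find_lookalikes(SAMPLE_PROCESSES):
        print(f"{suspect!r} resembles {legit!r} (edit distance {d})")
```

A name that matches a system binary exactly is skipped here, so a copy with the genuine name running from an unexpected folder needs a path check in addition to this one.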
 
LVL 16

Expert Comment

by:robrandon
ID: 12026066
Good find.  Good to know.  Are you sure the NAV was doing active scanning?  Or maybe the folder was exempt from the scanning.  
0
 
LVL 4

Author Comment

by:johndeerb
ID: 12027867
Yup, real-time protection was enabled on all clients.  It's the strangest thing I've seen here...
0
 
LVL 4

Author Comment

by:johndeerb
ID: 12179965
I will accept robrandon's answer, since I should have noticed the rogue process in task manager.

Thanks to everyone for trying to help.
0
