johndeerb
asked on
Login fails every other time
This is weird.
I have a W2K AD w/ 2 DC's. Clients are W2KPro and WXPPro primarily. Yesterday a strange phenomenom started....
Some clients still login normally all the time, but others fail every other login attempt-
IE, first time you try to log in, it works fine, but the next time it just hangs on an hourglass with a blank blue background (not BSOD). When it fails, you can three-finger it, go to task manager, log out, then try again and it logs right in. The problem seems to be at certain PC's, and happens regardless of what userid is attempting to authenticate.
Every place we have experienced this, we can go to task manager/log out/log in again, and it works. The problem has even occurred on one of the DC's! We can't isolate any part of configuration specific to the failing PC's.
Anybody ever heard of anything like this? I'm not even sure I believe it, and I'm looking right at it!
Any ideas will be greatly appreciated..
jb
I have a W2K AD w/ 2 DC's. Clients are W2KPro and WXPPro primarily. Yesterday a strange phenomenom started....
Some clients still login normally all the time, but others fail every other login attempt-
IE, first time you try to log in, it works fine, but the next time it just hangs on an hourglass with a blank blue background (not BSOD). When it fails, you can three-finger it, go to task manager, log out, then try again and it logs right in. The problem seems to be at certain PC's, and happens regardless of what userid is attempting to authenticate.
Every place we have experienced this, we can go to task manager/log out/log in again, and it works. The problem has even occurred on one of the DC's! We can't isolate any part of configuration specific to the failing PC's.
Anybody ever heard of anything like this? I'm not even sure I believe it, and I'm looking right at it!
Any ideas will be greatly appreciated..
jb
ASKER
It gets so far along the login process. Task manager shows explorer.exe running, along with a few other processes. This happens even when only one DC is up and running, so scratch the notion of problems only happening when authenticating against one of the DC's. Profiles are local.
Hmmm... Ok. Your right about that. It's a very odd problem indeed. I'm sorry, but I've run out of ideas! Anyone else have any suggestions?
Hi
anything in the event viewer of the pc's? I'm thinking something like the user's hive not unloading, or failing to load... not sure though.
have you ever let it finish logging in?(I've seen it take 20 minutes one time I was troubleshooting something) or will it hang there forever? also you say you can see the process list... is there anything that is hogging the processor? or the ram? or look out of whack?
that's all I got for ya so far...
Tanelorn
anything in the event viewer of the pc's? I'm thinking something like the user's hive not unloading, or failing to load... not sure though.
have you ever let it finish logging in?(I've seen it take 20 minutes one time I was troubleshooting something) or will it hang there forever? also you say you can see the process list... is there anything that is hogging the processor? or the ram? or look out of whack?
that's all I got for ya so far...
Tanelorn
Hi,
also... anything in the event viewer of the DC.. if there was an issue with the server, I'd hope there would be something in there..
T
also... anything in the event viewer of the DC.. if there was an issue with the server, I'd hope there would be something in there..
T
ASKER
Nothing good in event viewer of the DC, I'm still trying to get a decent event log from a failing client. As for the processes, nothing hogging CPU/RAM, and all processes are recognized. I'll update once I have a good log from a failing client.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Sounds like a failed DC. Even if you shut it off, the client will get the name and address from DNS or Wins, and can still have issues. How many Domain Controllers do you have, How many Global Catalogs are there? Go to a DC, and run "DCDIAG" at the command prompt and paste the contents here please. We can try to go down some multiple paths on this one.
J
J
ASKER
The weird gets weirder...
After Symantec posted their virus definitions last night for yesterday (09/08), I updated a client and started detecting a virus..
w32.spybot.worm was infecting a file called spoolsvc.exe, which I later found was getting called out by the registry from several keys. The spoolsvc.exe was showing up in the process list in Task Manager while a failing PC was "stuck", but was not (usually) using any CPU. I had overlooked it, because it looks so much like the legitimate spoolsv.exe. After more investigation, I began to notice that spoolsvc.exe did in fact use up some CPU sometimes, but usually it did not. Once this virus was detected, the client started logging on each time, but was still very slow. A manual extraction of the virus by deleting the keys from the registry and deleting the infected file brought the client back to a seemingly normal state.
WinXP PC's were infected, but had shown no noticable symptoms, while Win2K PC's that had been turned on the previous day were infected and had the crazy 'every other login' thing going on. Last night and today, we have repeated the extraction process on several clients, and it seems to be curing all of them. So, it appears that the problem was no more than a new virus that we didn't have a definition for, right?
Wrong!
That virus was first detected April 16, 2003 and there have been no know updates since July, 2004. We were current on virus definitions up to the previous Wednesday, September 1, 2004. So why did we get infected without detecting the virus before we updated defintions? Could our AV be detecting some other (brand new) virus and just calling it by the wrong name? Has anyone even ever heard of a virus doing something every other login attempt?
I'm still confused, and certainly not convinced that all is well, but at least for now we are logging on every time and are able to work. We continue to manually remove the virus from client PC's, and I'll post again after I'm sure whether or not this worm was the whole problem.
After Symantec posted their virus definitions last night for yesterday (09/08), I updated a client and started detecting a virus..
w32.spybot.worm was infecting a file called spoolsvc.exe, which I later found was getting called out by the registry from several keys. The spoolsvc.exe was showing up in the process list in Task Manager while a failing PC was "stuck", but was not (usually) using any CPU. I had overlooked it, because it looks so much like the legitimate spoolsv.exe. After more investigation, I began to notice that spoolsvc.exe did in fact use up some CPU sometimes, but usually it did not. Once this virus was detected, the client started logging on each time, but was still very slow. A manual extraction of the virus by deleting the keys from the registry and deleting the infected file brought the client back to a seemingly normal state.
WinXP PC's were infected, but had shown no noticable symptoms, while Win2K PC's that had been turned on the previous day were infected and had the crazy 'every other login' thing going on. Last night and today, we have repeated the extraction process on several clients, and it seems to be curing all of them. So, it appears that the problem was no more than a new virus that we didn't have a definition for, right?
Wrong!
That virus was first detected April 16, 2003 and there have been no know updates since July, 2004. We were current on virus definitions up to the previous Wednesday, September 1, 2004. So why did we get infected without detecting the virus before we updated defintions? Could our AV be detecting some other (brand new) virus and just calling it by the wrong name? Has anyone even ever heard of a virus doing something every other login attempt?
I'm still confused, and certainly not convinced that all is well, but at least for now we are logging on every time and are able to work. We continue to manually remove the virus from client PC's, and I'll post again after I'm sure whether or not this worm was the whole problem.
Good find. Good to know. Are you sure the NAV was doing active scanning? Or maybe the folder was exempt from the scanning.
ASKER
Yup, real-time protection was enabled on all clients. It's the strangest thing I've seen here...
ASKER
I will accept robrandon's answer, since I should have noticed the rogue process in task manager.
Thanks to everyone for trying to help.
Thanks to everyone for trying to help.
One thing I'm confused about is where you actually get to when your login fails? You say that you can ctrl+alt+del it to log out. Is it just that you are getting to the blue background without explorer starting, or what?
It just seems like its the 1 DC that had the symptoms is the one causeing the issue.
Using roaming or local profiles?