ITKnightMare

Long wait on User Auth. via Domain

Hi All:

I have an AD set-up via 2 DCs with Win2K Server as their OS. I have about 150 PCs with Win XP on them that log-on through verification of the domain.

For some reason, it takes FOREVER for some accounts (so far I have seen no pattern as to why a few log-on IMMEDIATELY... they have no addtl. privileges and are governed by the same policies as the others) to log on. It literally hangs at "Applying Computer Settings" for 10 minutes... It finally does log on however when it does...

Any reason and possible solution as to WHY this is happening?

Thanks!
Pete Long

logon scripts?
XP clients set to synchronise at login?
roaming profiles?
client DNS settings incorrect?
Debsyl99

Hi

As Pete had stated there could be a number of reasons - For troubleshooting purposes I'd maybe start with dns - First make sure that your client pc's have the IP address of your main dc dns server as their preferred dns server only in tcp/ip settings - don't have any isp nameservers in there at all as preferred or alternate. Also make sure that your dc's dns zone for the domain is ad integrated and set to accept dynamic updates. How are the pc's receiving ip's? static or dhcp? Maybe post the results of an ipconfig /all from the server and a client pc with the slow login,

Deb :))
do they have very large profiles?
ITKnightMare

ASKER

@Debsyl99: The clients are receiving their IPs via DHCP. And how would I make sure that your dc's dns zone for the domain is ad integrated and set to accept dynamic updates?

@taveirne: Nope... Some don't have anything at all.

@PeteLong: It doesn't matter... The hang-up is totally at random stages! Sometimes it hangs right after the pass is entered... Sometimes it hangs while "Applying Computer Settings", sometimes while "Applying Personal Settings" and so on.

Russ,
Hi there Mr. nightMare!

I have seen this hangup occur even on a much smaller network, usually this happens when the DC is a windows 2000 and the clients are XP.

Try setting the DNS manually on the XP workstations: click on the network connection -> tcp/ip properties -> advanced -> dns, and add the DC to the top of the list of DNS servers. If one of your DCs is a DNS server then it should resolve lookups for the clients as well.

If your DHCP server is a separate server from the DC or is a gateway to another network, you might have some conflicts with your DCs.

Here are a few microsoft KB's that might also help you out (in descending order of relevance to your situation, in my opinion):

http://support.microsoft.com/default.aspx?scid=kb;en-us;832161
http://support.microsoft.com/default.aspx?kbid=829909
http://support.microsoft.com/default.aspx?kbid=812924
http://support.microsoft.com/default.aspx?kbid=171386


Hope this helps you out!

Tiran Dagan,
Mr Dagan,

>> If your DHCP server is a separate server from the DC or is a gateway to another network, you might have some conflicts with your DCs.

this is EXACTLY the case!!! My DHCP Server is an Apple Macintosh G3 that is running DHCPD via Webmin.

So what is it that I need to adjust or re-do? I mean, if I am going to have to enter the DNS info on all of my PCs then what's the friggin point of having a DHCPD?

PLEASE HELP ME!! WHOEVER IT IS! Mr. Dagan seems to be the closest!
I agree - it doesn't make sense. But there is a problem with Windows XP on a mixed network, caused by the fact you are hooking it up to a win2K DC. Don't forget that your first line of defense is manually entering the DNS, not assigning the IP. If you want a more seamless operation with separate DHCP server, you might want to consider upgrading your DC to XP or 2003.

I strongly suggest you check the DC's event log, after a "long" login from a client station. That may reveal the issue as well.

I would go about it selectively - only on the stations where you are seeing slow performance - go for the tweaks listed above.

Here's another thread that may help you:
http://www.tek-tips.com/viewthread.cfm?qid=912421

Tiran/6footmedia
Hi
I think that maybe this is the problem - "My DHCP Server is a Apple Macintosh G3 that is running DHCPD via Webmin". Windows 2000 server networks generally function better when using the domain controller as the DHCP server. That way the server can keep track of the allocated leases and update its databases accordingly. It shouldn't really be necessary to use static IP's. Is there any reason why you're using a MAC as a dhcp server? There are major compatibility problems on mixed networks of this kind. Windows XP should work absolutely fine on a 2000 server based network (ours do and so do many, many others) so long as you don't go near XP SP2 just yet until MS have fixed it. There should be no reason to upgrade your dc to 2003 server just to rectify this, and it's not possible to upgrade your DC to Windows XP so I'm not sure why Tiran suggested that - there is no server version of XP - XP is purely a client based OS - XP Home for home networks, XP Pro for server based networks where you need the client to be a member of a domain. Your solution here would be to discontinue using DHCP on a mac, and instead use DHCP from one of the 2k servers. You'll also need to ensure that DNS on the network is AD integrated and set to accept dynamic updates (if it can't update the client ip's then it's going to end with duplications on the network which could well cause your problems).

To check on DNS, logon to the DNS server and open up DNS from Administrative Tools in the Control Panel, or from the Start - Admin Tools menu. Expand dns, and you should see your server object in there. Expand the zones under this and right click on the forward look-up zone called "yourdomain.com" where that is the name of your domain. Select properties and you can check in this panel that it's ad-integrated and allows dynamic updates.

It would also be useful to check and post any errors in the event logs of a client that is taking a long time to logon (Control Panel - Administrative Tools - Event Viewer) and on the server, and to run this from a command prompt on the same client - ipconfig /all - Note the allocated IP address and check for any duplicates or name mismatches listed on the DNS server host records - again listed under the forward lookup zone,

Deb :))




@tirandagan:
Interesting...

@Debsyl99:
The only reason I AM using a Mac for DHCP server, is... well... b/c that's the only one I KNEW how to set-up :/ I don't know how to set-up the Win2K DC for DHCP server. If you can offer a few links or "go here, click this" kind of tutorials, I WOULD BE MOST GRATEFUL!

In the meantime, right now... For test purposes I'm going to enter EACH PC manually. UGH! But hey, if it works it works!

I'll let you all know of the results.
Honestly - setting up a dhcp server on windows 2000 is easier and will be much quicker than manually entering ip's on 150 workstations! I'll hunt for some step-by-steps for you now...........

Deb :))
Ok here's some -
Configure IT Quick: Setting up and managing a DHCP server in Windows 2000
http://techrepublic.com.com/5100-6268-1041798.html
And this is a nice simple example
Windows 2000 Server:Install DHCP server
http://www.lpt.com/windowsnetworking/regusers/w2kdhcpi.htm

Some key points are:
1) Work out what IP range you need and make sure you exclude any fixed ip addresses - ie your server's static ip's and any network printers, routers etc
2) Don't get too overwhelmed by the scope options - your main ones are the address of the dns server, wins server if used and router etc. It's ok to leave other scope options not configured.
3) Don't forget to disable your mac dhcp server first before enabling this one - or you'll get duplicate ip's everywhere - DHCP servers aren't bright enough to talk to each other about who's dished out which IP.
4) Don't forget to activate the scope - and authorise the server or it won't work,
5) Take the steps I posted to make sure your dns server is set as ad-integrated and accepts dynamic updates,
6) Don't use XP SP2 yet, and make sure that the Internet Connection Firewall is disabled in XP,

Deb :))

@All:

OK This is what I did:

1) I entered all PCs TCP/IP settings MANUALLY!
2) On the DCs I saw that the TCP/IP's Adv tab had "Dynamic DNS update" checked so I unchecked that (my search on the 1M engine said that some1 solved their problem that way).
3) I TOOK DOWN MY DHCP SERVER! Entered all that were on it MANUALLY!

Result: ZILCH! NADDA! ZIP! NO CHANGE! Still hangs on "Loading Personal Settings" for approx. 3 to 4 min.

Weird thing: Those that are hanging CANNOT CREATE LOCAL PROFILES! Yet, the few that AREN'T HANGING, have created profiles?!?

Weird Thing #2: I found out that the "PCs" that are "logging on quicker" are all Win2K. It's my new Win XP SP1s that are doing this.

Weird Thing #3: Every1 keeps telling me that the Event Viewer of the DC should have DNS errors. THERE ARE NONE! None relating to this issue at least.

@Deb: Thanks for your AWESOME help! I will get to that ONCE I solve this issue!

P.S. Just raised this question to 500 points! Making it more and more appetizing!
Ok - What ARE your ip addresses on the clients? (In my experience dynamic dns is ALWAYS a good thing) particularly the preferred dns server?

Could you post the results of an ipconfig /all from both the dns server and from an xpclient?
First, the win2k server needs a static address (which I expect it does have), and should also point to itself for name resolution ie

Server TCP/IP
ie  IP - 192.168.0.1
Subnet Mask - 255.255.255.0
Default Gateway - your router ip address if you have one
Preferred DNS Server : 192.168.0.1 ( <- note it's the same ip address of the dns server)

Client TCP/IP
ie  IP - 192.168.0.x (where x is not the same as any other assigned ip)
Subnet Mask - 255.255.255.0
Default Gateway - your router ip address if you have one
Preferred DNS Server : 192.168.0.1 ( <- note it's also the same ip address of the dns server)

Make sure your dns server is AD-integrated and will accept dynamic updates (I keep bleating about this but I still don't know if you've done it) - If a machine receives a different ip address, the server needs to be able to update the address in the dns zone.

Don't put any isp's nameserver ip addresses anywhere in tcp/ip - they should be configured as forwarders in dns, which is possible in Windows 2000 after deletion of "." zone in dns on the server.

From a client can you ping the server? ie command prompt, type ping serveripaddress (where server ip address is the actual static ip address of the server ie 192.168.0.1 or whatever it is)

Can you also ping the server by name ie from a command prompt type ping servername - where server name is the name of your dns server,

Please follow these suggestions through carefully and let us know what you have and haven't done - it's impossible to troubleshoot this otherwise,

Deb :))



Going back to basics, I know, but have you looked at where the stored profiles are (if any)?
We have the same trouble occasionally and it's down to the time (and load) on the servers when a number of people log in, trying to retrieve their stored profile (as opposed to locally stored). This is especially true if someone has been out of the office on a laptop and then reconnects after some days.

Paul.
ok, I've been scanning this, I have some questions...
your computer(s) are ceasing their connections to your network at random times, at least once per day?
has anything else gone missing, for example, CD-ROM drives disappearing from the hardware profiles while being accessed?
are you running a firewall, and has it been acting strange?
the hanging up, they just freeze? but eventually find their way to operating mode?
Alright... I guess there is no solution to this question. Debsyl99 you have done a terrific job in trying to help me. I only wish your efforts weren't in vain. I would truly appreciate it if you could contact me via knightmare@mse.vt.edu (admin Im aware we shouldnt post emails but I need to contact her directly if u don't mind)

Other than that Shattuc... it has indeed to do with the local stored profiles.
ASKER CERTIFIED SOLUTION
Debsyl99
Hi just spotted this rather important point- (and I'll bet this can be solved - just needs a step by step approach)

"Those that are hanging CANNOT CREATE LOCAL PROFILES!"

1) Are you certain that these pc's are properly joined to the domain? - check and post the event logs (ie errors) on the server and the problem pc's.. seriously I have no problem with xp sp1 clients logging on.....
I have a suggestion... Try cleaning the systems of spyware. look specifically for an attempt on an LSP chain, a lop infection, or A:B infection.
Hey All!

Although this question has already been PAQ'd I wanted to inform you that I indeed solved it :)

It turns out that Windows 2000 members of the domain never cared about the reverse lookup of the DNS servers... That's why they always logged on (cached even for that matter! If the member is taken offline, the password would still log on?!?! O_o)

Anyways... XP systems as domain members won't allow that by default! So, it depended on reverse lookup to get to the server! And guess what? My reverse lookup table was pointing wrong all over the place! So once I corrected those, and provided a backup DNS server as "forwarding" WALLA!

Now all is back to normal!

Sincerely,
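
An added example, not part of the original thread: a Python check for the condition described in the resolution above, comparing each host's A record with the PTR records held for the same address. The zone contents, the `corp.example` names and the simplified `owner TYPE data` line format are constructed for illustration and are not a real DNS export format.

```python
import ipaddress

# Constructed sample records (assumption, not data from the thread).
FORWARD_ZONE = """\
dc1.corp.example.      A 192.168.0.1
dc2.corp.example.      A 192.168.0.2
xp-lab01.corp.example. A 192.168.0.50
xp-lab02.corp.example. A 192.168.0.51
"""
REVERSE_ZONE = """\
1.0.168.192.in-addr.arpa.  PTR dc1.corp.example.
2.0.168.192.in-addr.arpa.  PTR oldserver.corp.example.
50.0.168.192.in-addr.arpa. PTR xp-lab01.corp.example.
50.0.168.192.in-addr.arpa. PTR xp-lab09.corp.example.
"""

def parse(zone_text, rtype):
    """Return (owner, data) pairs for one record type, lower-cased."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[1].upper() == rtype:
            records.append((fields[0].lower(), fields[2].lower()))
    return records

def audit(forward_text, reverse_text):
    """Compare every A record with the PTR records for the same address."""
    ptrs = {}
    for owner, target in parse(reverse_text, "PTR"):
        ptrs.setdefault(owner, set()).add(target)
    findings = []
    for host, ip in parse(forward_text, "A"):
        # 192.168.0.1 -> 1.0.168.192.in-addr.arpa. (fully qualified)
        rev_name = ipaddress.ip_address(ip).reverse_pointer + "."
        targets = ptrs.get(rev_name, set())
        if not targets:
            findings.append((host, ip, "missing PTR"))
        elif host not in targets:
            findings.append((host, ip, "PTR points to " + ", ".join(sorted(targets))))
        elif len(targets) > 1:
            stale = ", ".join(sorted(targets - {host}))
            findings.append((host, ip, "extra PTR " + stale))
    return findings

if __name__ == "__main__":
    for host, ip, problem in audit(FORWARD_ZONE, REVERSE_ZONE):
        print(f"{host:24} {ip:14} {problem}")
```
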