Solved

Long wait on User Auth. via Domain

Posted on 2004-09-13
21
491 Views
Last Modified: 2013-12-04
Hi All:

I have a AD set-up via 2 DCs with Win2K Server as their OSs. I have about 150 PCs with Win XP on them that log-on through verification of the domain.

For some reason, it takes FOREVER for some accounts (so far I have seen no pattern as to why a few log-on IMMEDIATELY... they have no addtl. privileges and are governed by the same policies as the others) to log on. It literally hangs at "Applying Computer Settings" for 10 minutes... It finally does log on however when it does...

Any reason and possible solution as to WHY this is happening?

Thanks!
0
Comment
Question by:ITKnightMare
  • 7
  • 6
  • 3
  • +4
21 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 12049086
logon scripts?
XP clients set to syncronise at login?
roaming profiles?
client DNS settings incorrect?
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 12050250
Hi

As Pete had stated there could be a number of reasons - For troubleshooting purposes I'd maybe start with dns - First make sure that your client pc's have the IP address of your main dc dns server as their preferred dns server only int tcp/ip settings - don't have any isp nameservers in there at all as preferred or alternate. Also make sure that your dc's dns zone for the domain is ad integrated and set to accept dynamic updates. How are the pc's recieving ip's? static or dhcp? Maybe post the results of an ipconfig /all from the server and a client pc with the slow login,

Deb :))
0
 
LVL 2

Expert Comment

by:taveirne
ID: 12055642
do they have very large profiles?
0
 
LVL 1

Author Comment

by:ITKnightMare
ID: 12061358
@debyl99: They clients are recieving their IPs via DHCP. And how would I make sure that your dc's dns zone for the domain is ad integrated and set to accept dynamic updates?

@taveirne: Nope... Some don't have anything at all.

@PeteLong: It doesn't matter... The hang-up is totally at random stages! Sometime it hangs right after the pass is entered... Sometimes it hangs while "Applying Computer Settings" sometimes while "Applying Personal Settings" and so on.

Russ,
0
 
LVL 3

Expert Comment

by:tirandagan
ID: 12091344
Hi there Mr. nightMare!

I have seen this hangup occur even on much smaller network, usually this happens when the DC is a windows 2000 and the clients are XP.

Try setting the DNS manually on the XP workstations: click on the network connection -> tcp/ip properties -> advanced -> dns, and add the DC to the top of the list of DNS servers. If one of your DCs is a DNS server then it should resolve lookups for the clients as welll.

If your DHCP server is a separate server from the DC or is a gateway to another network, you might have some conflicts with your DCs.

Here are a few microsoft KB's that might also help you out (in decending order of relevance to your situation, in my opinion):

http://support.microsoft.com/default.aspx?scid=kb;en-us;832161
http://support.microsoft.com/default.aspx?kbid=829909
http://support.microsoft.com/default.aspx?kbid=812924
http://support.microsoft.com/default.aspx?kbid=171386


Hope this helps you out!

Tiran Dagan,
<advertizing removed by CetusMOD per http:help.jsp#hi106>
0
 
LVL 1

Author Comment

by:ITKnightMare
ID: 12099619
Mr Dagan,

>> If your DHCP server is a separate server from the DC or is a gateway to another network, you might have some conflicts with your DCs.

this is EXACTLY the case!!! My DHCP Server is a Apple Macintosh G3 that is running DHCPD via Webmin.

So what is it that I need to adjust or re-do? I mean, if I am going to have to enter the DNS info on all of my PCs then what's the friggin point of having a DHCPD?

PLEASE HELP ME!! WHOEVER IT IS! Mr. Dagan seems to be the closest!
0
 
LVL 3

Expert Comment

by:tirandagan
ID: 12101935
I agree - it doesn't make sense. But there is a problem with Windows XP on a mixed network, caused by the fact you are hooking it up to a win2K DC. Don't forget that your first line of defense is manuallyg entering the DNS, not assigning the IP. If you want a more seamless operation with separate DHCP server, you might want to consider upgrading your DC to XP or 2003.

I strongly suggest you check the DC's event log, after a "long" login from a client station. That may reveal the issue as well.

I would go about it selectively - only on the stations where you are seeing slow performance - go for the tweaks listed above.

Here's another thread that may help you:
http://www.tek-tips.com/viewthread.cfm?qid=912421

Tiran/6footmedia
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 12102156
Hi
I think that maybe this is the problem - "My DHCP Server is a Apple Macintosh G3 that is running DHCPD via Webmin". Windows 2000 server networks generally function better when using the domain controller as the DHCP server. That way the server can keep track of the allocated leases and update it's databases accordingly. It shouldn't really be necessary to use static IP's. Is there any reason why you're using a MAC as a dhcp server? There are major compatibility problems on mixed networks of this kind. Windows XP should work absolutely fine on a 2000 server based network (ours do and so do many, many others) so long as you don't go near XP SP2 just yet until MS have fixed it. There should be no reason to upgrade your dc to 2003 server just to rectify this, and it's not possible to upgrade your DC to Windows XP so I'm not sure why Tiran suggested that - there is no server version of XP - XP is purely a client based OS - XP Home for home networks, XP Pro for server based networks where you need the client to be a member of a domain. Your solution here would be to discontinue using DHCP on a mac, and instead use DHCP from one of the 2k servers. You'll also need to ensure that DNS on the network is AD integrated and set to accept dynamic up dates (if it can't update the client ip's then it's going to end with duplications on the network which could well cause your problems).

To check on DNS, logon to the DNS server and open up DNS from Administrative Tools in the Control Panel, or from the Start _ Admin Tools menu. Expand dns, and you should see your server object in there. Expand the zones under this and right click on the foward look-up zone called "yourdomain.com" where that is the name of your domain. Select properties and you can check in this panel that it's ad-integrated and allows dynamic updates.

It would also be useful to check and post any errors in the event logs of a client that is taking a long time to logon(Control Panel - Administrative  Tools - Event Viewer) and on the server, and to run this from a command prompt on the same client - ipconfig /all - Note the allocated IP address and check for any duplicates or name mismatches listed on the DNS server host records - again listed under the forward lookup zone,

Deb :))




0
 
LVL 1

Author Comment

by:ITKnightMare
ID: 12102539
@tirandagan:
Interesting...

@Debsyl99:
The onyl reason I AM using a Mac for DHCP server, is... well... b/c that's the only one I KNEW how to set-up :/ I don't know how to set-up the Win2K DC for DHCP server. If you can offer a few links or "go here, click this" kind of tutorials, I WOULD BE MOST GRATEFUL!

In the meantime, right now... For test purposes I'm going to enter EACH PC manually. UGH! But hey, if it works it works!

I'll let you all know of the results.
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 12102566
Honestly - setting up a dhcp server on windows 2000 is easier and will be much quicker than manually entering ip's on 150 workstations! I'll hunt for some step-by-steps for you now...........

Deb :))
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 20

Expert Comment

by:Debsyl99
ID: 12102729
Ok here's some -
Configure IT Quick: Setting up and managing a DHCP server in Windows 2000
http://techrepublic.com.com/5100-6268-1041798.html
And this is a nice simple example
Windows 2000 Server:Install DHCP server
http://www.lpt.com/windowsnetworking/regusers/w2kdhcpi.htm

Some key points are:
1) Work out what IP range you need and make sure you exclude any fixed ip addresses -ie your server's static ip's and any network printers, routers etc
2) Don't get too overwhelmed by the scope options - your main one's are the address of the dns server, wins server if used and router etc. It's ok to leave other scope options not configured.
3) Don't forget to disable your mac dhcp server first before enabling this one - or you'll get duplicate ip's everywhere - DHCP servers aren't bright enough to talk to each other about who's dished out which IP.
4)Don't forget to activate the scope - and authorise the server or it won't work,
5) Take the steps I posted to make sure your dns server is set as ad-integrated and accepts dynamic updates,
6) Don't use XP SP2 yet, and make sure that the Internet Connection Firewall is disabled in XP,

Deb :))

0
 
LVL 1

Author Comment

by:ITKnightMare
ID: 12104258
@All:

OK This is what I did:

1) I entered all PCs TCP/IP settings MANUALLY!
2) On the DCs I saw that the TCP/IP's ADv tab, had "Dynamic DNS update" checked so I unchecked that ( my search on the 1M engine said that some1 solved their problem that way.
3) I TOOK DOWN MY DHCP SERVER! Entered all that were on it MANUALLY!

Result: ZILCH! NADDA! ZIP! NO CHANGE! Still hangs on "Loading Personal Settings" for approx. 3 to 4 min.

Weird thing: Those that are hanging CANNOT CREATE LOCAL PROFILES! Yet, the few that AREN'T HANGING, have created profiles?!?

Weird Thing #2: I found out that the "PCs" that are "logging on quicker" are all Win2K. It's my new Win XP SP1s that are doing this.

Weird Thing #3: Every1 keeps telling me that the Event Viewer of the DC should have DNS errors. THERE ARE NONE! None relating to this issue at least.

@Deb: Thanks for your AWESOME help! I will get to that ONCE I solve this issue!

P.S. Just raised this question to 500 points! Making it more and more appetizing!
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 12104750
Ok - What ARE your ip adresses on the clients? (In my experience dynamic dns is ALWAYS a good thing) particularly the preffered dns server?

Could you post the results of an ipconfig /all from both the dns server and from an xpclient?
Fist win2k server needs a static address (which I expect it does have), and should also point to itself for name resolution ie

Server TCP/IP
ie  IP - 192.168.0.1
Subnet Mask - 255.255.255.0
Default Gateway - your router ip address if you have one
Preferred DNS Server : 192.168.0.1 ( <- note it's the same ip address of the dns server)

Client TCP/IP
ie  IP - 192.168.0.x (where x is not the same as any other assigned ip)
Subnet Mask - 255.255.255.0
Default Gateway - your router ip address if you have one
Preferred DNS Server : 192.168.0.1 ( <- note it's the also same ip address of the dns server)

Make sure your dns server is AD-integrated and will accept dynamic updates (I keep bleating about this but I still don't know if you've done it) - If a machine receives a different ip address, the server needs to be able to update the address in the dns zone.

Don't put any ips's nameserver ip addresses anywhere in tcp/ip - they should be configured as forwarders in dns, which is possible in Windows 2000 after deletion of "." zone in dns on the server.

From a client can you ping the server? ie command prompt, type ping serveripaddress (where server ip address is the actual static ip address of the server ie 192.168.0.1 or whatever it is)

Can you also ping the server by name ie from a command prompt type ping servername - where server name is the name of your dns server,

Please follow these suggestions through carefully and let us know what you have and haven't done - it's impossible to troubleshoot this otherwise,

Deb :))



0
 

Expert Comment

by:pkwatson
ID: 12131862
Going back to basics, I know, but have you looked at where the stored profiles are (if any)?
We have the same trouble occasionally and it's down to the time (and load) on the servers when a number of people log in, trying to retrieve their stored profile (as opposed to locally stored). This is especially true if someone has been out of the office on a laptop and then reconnects after some days.

Paul.
0
 
LVL 2

Expert Comment

by:Shattuc
ID: 12150032
ok, I've been scanning this, I have some questions...
your computer(s) are ceasing their connections to your network at random times, at least once per day?
has anything else gone missing, for example, CD-ROM drives. dissapearing from the hardware profiles while being accessed.?
are you running a firewall, and has it been acting strange?
0
 
LVL 2

Expert Comment

by:Shattuc
ID: 12150043
the hanging up, theyjust freeze? but eventually find thier way to operating mode?
0
 
LVL 1

Author Comment

by:ITKnightMare
ID: 12396133
Alright... I guess there is no solution to this question. Debsyl99 you have done a terrific job in tryign to help me. I only wish your efforts weren't in vain. I would truly appreciate it if you could contact me via knightmare@mse.vt.edu (admin Im aware we shouldnt post emails but I need to contact her directly if u don't mind)

Other than that Shattuc... it has indeed to do with the local stored profiles.
0
 
LVL 20

Accepted Solution

by:
Debsyl99 earned 500 total points
ID: 12398455
Sorry we didn't help, most frustrating! Any idea what it is, and what have you ruled out?

Deb :))
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 12401309
Hi just spotted this rather important point- (and I'll bet this can be solved - just needs a step by step approach)

"Those that are hanging CANNOT CREATE LOCAL PROFILES!"

1) Are you certain that these pc's are properly joined to the domain? - check and post the event logs (ie errors) on the server and the problem pc's.. seriously I have no problem with xp sp1 clients logging on.....
0
 
LVL 2

Expert Comment

by:Shattuc
ID: 12402061
I have a suggestion... Try cleaning the systems of spyware. look specifically for an attempt on an LSP chain, a lop infection, or A:B infection.
0
 
LVL 1

Author Comment

by:ITKnightMare
ID: 13625313
Hey All!

Although this question has already been PAQ'd I wanted to inform you that I indeed solved it :)

It turns out that Windows 2000 members of the domain never cared about the reverse lookup of the DNS servers... That's why they always logged on (cached even for that matter! If the member is taken offline, the password would still log on?!?! O_o)

Anyways... XP systems as domain members won't allow that by default! So, it depended on reverse lookup to get to the server! And guess what? My reverse lookup table was pointing wrong all over the place! So once I corrected those, and provided a backup DNS server as "forwarding" WALLA!

Now all is back to normal!

Sincerely,
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Many people tend to confuse the function of a virus with the one of adware, this misunderstanding of the basic of what each software is and how it operates causes users and organizations to take the wrong security measures that would protect them ag…
OfficeMate Freezes on login or does not load after login credentials are input.
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now