Solved

Event ID 1054 and 15 at remote site, no errors at local site.

Posted on 2006-06-14
Last Modified: 2012-05-05
First, a little bit of background.  We have a single location where our servers are housed and most of our clients work from.  We recently opened a new location which we are directly connected to via a T1 line.  ALL of the users at the new location are running XP SP2 and connect to the domain controller (Win 2003 server) via the T1.
We are currently experiencing two problems.  First, when a user without a roaming profile cold boots their machine in the morning and opens Outlook, they are prompted in Outlook for their username and password.  No matter what they put in, Outlook will not take it and they have to log out, log back in, and everything is fine.  If they log in, log out, and then log back in before opening Outlook, everything works fine.  Second, users with roaming profiles receive the error "Windows did not load your roaming profile...etc" when they log on from a cold boot.  Their cached profile is loaded, but if they log off and back on everything loads up fine.
In the application log of ALL computers at the remote site we have the following event IDs.  These errors do not occur on ANY of the machines at the local site.

Event 1054:  Can not obtain DC computer name...etc.
Event 15:  Failed to contact AD....etc.

There are other errors in the application log sporadically, but these are the only consistent errors.  These errors only appear at the first logon after a cold boot, and do not reappear until the machine is shut down and cold booted again.  I can provide more details if needed; I appreciate any help with this matter.  I believe it is an error relating to the remote location PCs not being able to contact the DNS server (primary on DC, secondary on Exchange) quickly enough on a cold boot.
Question by:tcbgeeks
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 16903314
Are the devices having issues plugged into a switch, a hub, or what? Also try this as a test: power on a PC but don't log in for a good 2 or 3 minutes. Does this fix the problems?

If this solves the problem and you are connected to a switch, spanning tree may be getting you.

Please fill in the details.

Thanks
Scott
0
 

Author Comment

by:tcbgeeks
ID: 16903487
@scott

All devices are plugged into a single Cisco POE switch.

As for your test, I shutdown the computer.  Booted and waited three minutes to logon.  When I got in I had the Event ID 15 at 11:08 a.m. (as soon as the computer got to the logon screen), and the Event ID 1054 at 11:11 a.m. (after I logged in).
0
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 16903627
OK, on the PoE switch, is MAC security set in the switch?

show port-security?

If so what is it set to and are you exceeding any of these?

Thanks
Scott
0
 
LVL 4

Expert Comment

by:tomerlei
ID: 16903669
From the sound of it, the first logon is not a real logon, but it logs you on anyway because your username and password are stored in the cache. For some reason your computers could not contact the DC to give them real credentials in the first logon.
I'm almost sure that this is a DNS problem. Do the clients in the other site use a local DNS server, or do they use the DNS server at your location?
Anyhow, I recommend you install a new DC in the other site, configure AD sites and make them replicate. It will solve your problem for sure and will be more efficient in the long run.

Also try checking the DNS configuration on the workstations there.
0
 

Author Comment

by:tcbgeeks
ID: 16903693
Total addresses in system (excluding one mac per port):  0
Maximum address limit in system (excluding one mac per port):  6272

The table above these lines was empty.
0
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 16903723
So there is a possibility... a very likely one, that you are not getting the domain login to the server. Check the previous comment about DNS, etc. You may even want to put the static mapping in a hosts file to help out.

It looks like port security is turned off.

Thanks
scott
0
 

Author Comment

by:tcbgeeks
ID: 16903750
@tomerlei

Both sites use the same two internal DNS servers.  Primary DNS is on the domain controller, and secondary DNS is on our Exchange server.  I can contact the DNS server from either site and have no other DNS related issues.  My solution to this problem before I posted the question was to set up a second DC at the remote site, but management prefers free solutions over paid solutions.  I will revisit this option once all other possibilities are exhausted.
0
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 16903787
Like I have mentioned, you may want to include your DC's IP address in a hosts file on all the machines at the remote site to help them find the DC. What type of traffic is being forwarded between the routers in the way of MS protocols?

Thanks
Scott
0
 

Author Comment

by:tcbgeeks
ID: 16903792
@scotty

You think I need to make a static mapping in the hosts file for the DC?  We are unable to use DHCP on our network for other reasons irrelevant to this discussion, so all IP and DNS addresses are hard coded individually.  Help me understand what exactly a hosts entry would accomplish.
0
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 16903828
A lot of your MS protocol for domain login is done via non-routable protocols and then will default to TCP when all else fails... the static entry should have resolved this but I guess not. What are you routing between the 2 locations? Your routers could be killing directed broadcasts. You also could forward DHCP with helper addresses and whatnot across the T1.

Just some thoughts

Thanks
Scott
0
 

Author Comment

by:tcbgeeks
ID: 16903929
@scotty

I have made the change to the hosts file.  Basically these computers run Windows XP on the domain, they run Outlook which connects to our Exchange server, and a very small handful of other apps.  Most users are using web based applications the majority of the time.  If this is not what you are looking for let me know.
0
 
LVL 4

Expert Comment

by:tomerlei
ID: 16903940
You don't have to install a new DC first, but you could install a secondary DNS server there.
Using the hosts file to make it resolve the domain name into an IP address manually will eliminate the option that there is something wrong with contacting the DNS server, because for now it looks like the problem IS contacting the DNS server.

Try the following on a remote workstation: go to the c:\winnt\system32\drivers\etc\hosts file
and add this line:
192.168.1.1 MyDomain.Com

where 192.168.1.1 is your DC IP address, and MyDomain.Com is your domain name.

Now try to cold boot and log in and see if this problem happens again.
0
 
LVL 4

Expert Comment

by:tomerlei
ID: 16903944
More information about using the hosts file:

http://www.accs-net.com/hosts/how_to_use_hosts.html
0
 

Author Comment

by:tcbgeeks
ID: 16903963
@tomerlei

Should the host configuration line have mydomain.com or mydomaincontroller.mydomain.com?
0
 

Author Comment

by:tcbgeeks
ID: 16903984
@scotty

I made this entry in the hosts file:  xxx.xxx.xxx.xxx              mydomaincontroller.mydomain.com

The errors were still present after a reboot.
0
 
LVL 7

Expert Comment

by:Kumar_Jayant123
ID: 16904021
Hi,

What about the firewall on the XP box? Is it turned on?

If you do NSLOOKUP, does it resolve to the correct IP of your server?



0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 16904023
1054 errors and some of the problems you are experiencing can be due to a slow connection to the DC. A race condition can be created between accessing the domain controller and the physical network connection. This is much more prevalent with a cold start. Sometimes you can resolve this by enabling the Group Policy item below. You will have to have a "successful" logon to have the policy applied, but once accepted by the workstation it may help:
Computer configuration | administrative templates | system | logon | always wait for the network at startup and logon
0
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 16904026
In your router configuration on both sides, do you have no IP directed broadcast? Or what do the interfaces look like? Anything that is blocking or doing something weird?

Thanks
scott
0
 

Author Comment

by:tcbgeeks
ID: 16904037
@kumar

Firewall is turned off on all of the XP boxes.  I will try NSLOOKUP and post back.
0
 

Author Comment

by:tcbgeeks
ID: 16904073
@robwill I enabled that policy yesterday along with the following policies:

Comp Config -> System -> Group Policy -> Slow Link Detection Enabled and set to zero.
Comp Config -> System -> User Profiles -> Do not detect slow network connections enabled.
0
 

Author Comment

by:tcbgeeks
ID: 16904204
@kumar

nslookup returns

default server:  mydc.mydomain.com
address:  xxx.xxx.xxx.xxx

system name and ip are correct.
0
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 16904217
OK, I think we have ruled out DNS then... or am I missing something? What type of ACLs and such are in the router that may prevent the connection or cause issues with it?

Thanks
scott
0
 

Author Comment

by:tcbgeeks
ID: 16904396
@scotty

show access-lists in both routers returned a blank line.  I am going to lunch, and possibly to hang myself :), if not I will check back in an hour.
0
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 16904612
In the interfaces, both ethernet and serial, what commands are there? Possibly no ip directed broadcasts?

Thanks
scott
0
 

Author Comment

by:tcbgeeks
ID: 16904994
@scott

I couldn't find anything about ip directed broadcasts on any of the interfaces.
0
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 16905131
You can share drives and do everything else, it just prompts to be authenticated?  Guess I am wondering if the trust between the DC and the client is never made, and if so, why?

Thanks
Scott
0
 

Author Comment

by:tcbgeeks
ID: 16905192
@scott

Disregard the event ID number 15; I have just verified that this error is also occurring on the machines at the local site.  The event 1054 is the one causing all of the problems.  Shared drives work, www works, everything works except the authentication to the Exchange server, but as soon as the user logs off and logs back on the trust relationship seems to work fine.  I am 100 percent sure this has to do with cached logins being used on the first login but I cannot figure out why.  I work at the local site and I found some 1054s on my laptop, but they were from taking the machine home and logging on.  I have also verified that our T is not saturated.  When I ping the local site from the remote site I get a response of ~8ms on average.  This isn't too high, is it?
0
 
LVL 7

Accepted Solution

by:
Kumar_Jayant123 earned 500 total points
ID: 16905220

Hi,

I would suggest forcing Kerberos to use TCP instead of UDP because authentication is not working properly over the network.

Kerberos works on UDP and since we are talking about different sites the UDP is not a reliable protocol.

http://support.microsoft.com/?kbid=244474

By changing this Windows will first use the general UDP and if it fails it will switch to the TCP mode.

Kumar

0
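The registry change from KB244474 that this answer links to, as an added example that is not part of the original post: the script reports the current Kerberos MaxPacketSize value, sets it to 1 (which makes the client send Kerberos traffic over TCP), and lists recent Event ID 1054 entries from the Application log so the effect can be checked after a cold boot. It assumes PowerShell 2.0 or later in an elevated session; the function names are hypothetical.

```powershell
# Added example: audit and set the Kerberos client transport (KB244474).
# Assumes PowerShell 2.0+ run as administrator; function names are hypothetical.
$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-KerberosTransport {
    # Read MaxPacketSize and describe which transport the client will use.
    $value = $null
    if (Test-Path $KerbParams) {
        $prop = Get-ItemProperty -Path $KerbParams -Name MaxPacketSize -ErrorAction SilentlyContinue
        if ($prop) { $value = $prop.MaxPacketSize }
    }
    if ($null -eq $value) { $mode = 'OS default (MaxPacketSize not set)' }
    elseif ($value -eq 1) { $mode = 'TCP forced' }
    else                  { $mode = "UDP allowed for messages up to $value bytes" }
    New-Object PSObject -Property @{ MaxPacketSize = $value; Transport = $mode }
}

function Set-KerberosTcpOnly {
    # Write MaxPacketSize = 1 (REG_DWORD); the change applies after a restart.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if (-not (Test-Path $KerbParams)) {
        if ($PSCmdlet.ShouldProcess($KerbParams, 'Create registry key')) {
            New-Item -Path $KerbParams -Force | Out-Null
        }
    }
    if ($PSCmdlet.ShouldProcess("$KerbParams\MaxPacketSize", 'Set DWORD to 1')) {
        New-ItemProperty -Path $KerbParams -Name MaxPacketSize `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Get-Recent1054 {
    # List Event ID 1054 entries from the Application log for the last $Days days.
    param([int]$Days = 7)
    Get-EventLog -LogName Application -After (Get-Date).AddDays(-$Days) |
        Where-Object { $_.EventID -eq 1054 } |
        Select-Object TimeGenerated, Source, Message
}

Get-KerberosTransport                      # state before the change
Set-KerberosTcpOnly -WhatIf                # drop -WhatIf to apply, then restart
Get-Recent1054 | Format-Table -AutoSize    # rerun after the next cold boot
```

Comparing the Get-Recent1054 output before and after a cold boot shows whether the 1054 entries stop once the setting is in place.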
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 16905374
Saturation and response time are different, but I would assume if you are getting an 8ms response that the line is not saturated at all. So what if you add a host entry for the Exchange server at the remote site, does that fix it?  If that is the only one with a problem.

Thanks
scott
0
 

Author Comment

by:tcbgeeks
ID: 16905473
@kumar

I have applied the registry modification and cold booted to the same result.

@scott

I have made a host entry for the DC and exchange server with no luck.
0
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 16905557
We've got to be missing a piece of information or something here...
0
 

Author Comment

by:tcbgeeks
ID: 16905579
@kumar

After upgrading NIC drivers, applying the registry entry, and removing entries I placed in the hosts file it appears the problem may be resolved.  I need to find out which change actually fixed the problem.  If it was the registry entry you suggested I will award you all points.  If it was any of the other fixes I will split points.  If I am speaking too soon and it is not fixed I will leave question open.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 16905638
>>" I am 100 percent sure this has to do with cached logins being used on the first login but I can not figure out why."
For one reason or another the physical network connection has not yet been established. Perhaps it was the drivers you replaced.
Also make sure power management is disabled on the network adapters: "Allow the computer to turn off this device to save power" under NIC properties/power management in Device Manager.
0
 

Author Comment

by:tcbgeeks
ID: 16905889
@kumar

It appears to be fixed.  Enjoy the points.
0
