Cloned Laptops - LONG domain login

We have 15 identical Dell laptops running Windows XP Pro SP2 with all the updates.  I set up the first one exactly the way we want it and then cloned that laptop's hard drive image to all the others.

I joined 5 of the laptops to our Windows Server 2003 domain and found that it takes 10-15 minutes to log in when using a domain user account, but logins are fast when logging in locally.

I did some research and learned that identical SIDs on each laptop might be the issue, so I found a utility called NewSID at:
http://technet.microsoft.com/en-us/sysinternals/bb897418.aspx

I removed one laptop from the domain and used NewSID to give it a new random SID.  I then rejoined it to the domain, rebooted, and it logged in fast!

I thought for sure that I had found the fix, so I removed all the laptops from the domain (including the fixed one for some ridiculous reason), gave them all new random SIDs, and rejoined them to the domain.  Much to my dismay, they were all back to the old problem of taking 10-15 minutes to log in on any domain user account (even a domain admin).

Any suggestions?
Thanks in advance!
WP
WhitePhantom (IT Professional) asked:

Lee W, MVP (Technology and Business Process Advisor) commented:
With that many laptops, I would suggest you do it through a supported Microsoft method - reinstall ONE system, then run Sysprep when you're ready to image them.  This will reset all security information and allow you to properly reconnect them to the domain with no SID issues.
0
ChiefIT commented:
Imaged or cloned computers may take a long time to boot up because it may duplicate the SID of an old computer and put it in Active Directory. The metadata of a cloned computer may remain in AD and cause authentication problems.

I believe removal of that metadata from Active Directory is much like removing an improperly demoted AD domain controller. The difference is, you can get a list of clients and make sure the SID didn't duplicate.

Let me see if I can find the errors associated with this and put you on track to resolving this issue:

Here is an example of the problems cloned computers can cause:
http://www.wsus.info/forums/index.php?showtopic=9312&pid=34802&mode=threaded&start=
0
ChiefIT commented:
LeeW snuck one in there. Sounds like Lee has been there before and has you covered.
0
Lee W, MVP (Technology and Business Process Advisor) commented:
Funny thing, I've actually JUST got 5 new IBM PCs to install at a client (new to us, used with preinstalled copies of XP - all imaged).  So this was essentially my plan.  Install one, sysprep it, image it, be done with it.
0
ChiefIT commented:
Within the article provided above: (Identifying and resolving similar AD SIDs)
http://www.wsus.info/forums/index.php?showtopic=9312&pid=34802&mode=threaded&start=

"Want to figure out which computers have duplicate SIDs?
Use psGetSID from Sysinternals: http://www.microsoft.com/technet/sysintern...s/psgetsid.mspx - You can run this against all computers in your domain to discover who has a duplicate SID.

You should really then run NewSID from Sysinternals on any of the duplicate computers to resolve any potential issues in the future (not to mention the security issues involved with having duplicate SIDs on the network): http://www.microsoft.com/technet/sysintern...ies/newsid.mspx"

Note: if you have problems with clients not showing up or periodically disappearing in WSUS, you should also refer back to this article.
0
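The duplicate check described in the quoted article, as an added example that is not part of the original thread: it parses saved psgetsid output and groups hosts by machine SID. The `SID for \\NAME:` layout, the host names, the SID values and the error line are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: psgetsid results for several hosts saved to one text file.
# The "SID for \\NAME:" header followed by the SID on the next line is the
# assumed layout; host names, SIDs and the error line are made up.
SAMPLE_OUTPUT = r"""
SID for \\LAPTOP01:
S-1-5-21-1111111111-2222222222-3333333333
SID for \\LAPTOP02:
S-1-5-21-1111111111-2222222222-3333333333
SID for \\LAPTOP03:
S-1-5-21-1234567890-2345678901-3456789012
Couldn't access LAPTOP04: The network path was not found.
SID for \\laptop05:
S-1-5-21-1111111111-2222222222-3333333333
"""

HEADER = re.compile(r"^SID for \\\\(?P<host>[^:\\]+):\s*$", re.IGNORECASE)
# A machine SID is S-1-5-21 plus three sub-authorities (no trailing RID).
MACHINE_SID = re.compile(r"^S-1-5-21(?:-\d{1,10}){3}$")

def parse_machine_sids(text):
    """Return {HOST: sid} for each header that is followed by a valid machine SID."""
    sids, pending = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER.match(line)
        if m:
            pending = m.group("host").upper()  # host names are case-insensitive
        elif pending and MACHINE_SID.match(line):
            sids[pending] = line
            pending = None
        elif line:
            pending = None  # error text or banner: drop any half-read record
    return sids

def find_duplicates(sids):
    """Return {sid: sorted hosts} for SIDs reported by more than one host."""
    by_sid = defaultdict(list)
    for host, sid in sids.items():
        by_sid[sid].append(host)
    return {sid: sorted(hosts) for sid, hosts in by_sid.items() if len(hosts) > 1}

if __name__ == "__main__":
    for sid, hosts in find_duplicates(parse_machine_sids(SAMPLE_OUTPUT)).items():
        print(f"{sid} shared by: {', '.join(hosts)}")
```

Hosts that could not be queried are skipped rather than reported as unique, so they still need to be checked separately.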
WhitePhantom (IT Professional, author) commented:
Lots of good comments here so far.  I'm most attracted to ChiefIT's suggestion because it's the simplest and I'm burnt out at the moment.

One question I have though... Is it definitely safe to run NewSID on a computer that is a member of the domain without also removing it and rejoining it to the domain?  Without fully understanding it, I just wonder if it could cause a synchronization issue between Active Directory and the computer that had its SID changed.

My concern may be silly, but I figured it's worth asking.

Thanks,
WP
0
steezy commented:
You should remove it from the domain, run NewSID, then rejoin it.
0
Lee W, MVP (Technology and Business Process Advisor) commented:
It's important to note that NewSID is not a supported method.
0
ChiefIT commented:
You have me scratching my head on that one: (GOOD question)

It is a good question how the client syncs to the server. I would imagine requesting a new SID would also reflect the change on the DC.
0
ChiefIT commented:
Oh, thanks Lee and Steezy: (Guess they answered that question)
0
smckellar83 commented:
Silly one... but double check that the DNS server of the PCs is the DC running DNS, and not external web DNS.
0
moneywell commented:
Is Sysprep a better method than NewSID?
Tks
0
h11 commented:
What software did you use to image the computers with?  If you used Ghost you can use their GhWalk.exe that comes with it.  First remove the PCs from the domain, then reboot the PC and run ghwalk.exe from a DOS boot disk and follow the instructions.
0
ChiefIT commented:
I see in the original request for comments that you demoted the laptops to a workgroup, requested a new SID, and joined the domain again. So, the SIDS may be in order on the machines.

If the program NewSID doesn't synch with the DC, I would think the SIDs may have metadata on the DC.  So, instead of having a single, unique, SID per device, you may now have two SIDs per machine.

LeeW pointed out that "NewSID" is not a supported application. Maybe Lee has some good advice on straightening out the SID problem.

Also, since you already requested a new SID and rejoined the domain, maybe the scope of our troubleshooting isn't broad enough. Maybe it is a DNS problem as smckellar83 pointed out. Since these laptops are having the problems, maybe flushing and reregistering their DNS will bring them back.

In either case, it looks like you might have metadata on the DC that needs to be discarded.
0
WhitePhantom (IT Professional, author) commented:
Thanks for all the comments!

I tried flushing and re-registering the DNS on one of the laptops, but the problem is still present.

I am now proceeding to try out psGetSID to search for duplicate SIDs in the domain, as well as looking into cleaning out bad metadata.  I will post back later with the results.

Thanks,
WP
0
ChiefIT commented:
Just to clarify:

Metadata, meaning old DNS records and duplicate GUIDs in AD. Since you have created a new SID and rejoined the domain, you might have two GUIDs in AD.
0
WhitePhantom (IT Professional, author) commented:
Well everybody, I greatly appreciate all the comments and participation.  After endlessly trying to track this problem down (always in the wrong place), I decided to reload everything fresh on one of the laptops over the weekend.  When I was done, to my astonishment, the problem was still there!

This led me to broaden my perspective for possible causes.  It turns out that an Internet filtering application I installed was blocking far more than its fair share of network communications during the login process.  ContentProtect Professional from ContentWatch was the culprit.
http://www.contentwatch.com/products/contentprotect_pro

Once I uninstalled it, everything cleared up and logins are as fast as they should be.  I will be contacting ContentWatch to either get the issue resolved or try for a refund.

I apologize that I was unable to provide the appropriate information in my question and followup comments to potentially lead us to the solution.

Thanks again everybody!
WP
0
Computer101 commented:
PAQed with points refunded (500)

Computer101
EE Admin
0
