Hurel

asked on

Slow Logon after reboot

Hi
I have a strange problem with one laptop running XP SP2. The laptop is a member of a W2k3 AD domain.

When the user logs on to the laptop after a reboot, it takes several minutes for him to log in. If he then logs out and back in again, the logon process is fast. This happens with any user. It only happens after the PC has been switched off or rebooted. It also happened to the local admin account, domain admin etc.
I removed the laptop from the domain, logged on as local admin and the logon was fast again even after a reboot.

When I added the laptop back to the domain the problem returned.

There is nothing in the event log, the network has been ruled out, I have run chkdsk, and once logged on the laptop works fine.

At a guess it looks like the laptop is having some sort of problem applying computer settings but I'm not sure where to go from here.

I have had a search on here but one question which sounded like mine had a dead link.

Any ideas??

Thanks
darenceang

You might want to give this a try:
Change dhcp on the client desktops to only use the AD 2003's dns ip.
ASKER

They already do. I have 350 PCs on the network, all configured the same, and this is only affecting one laptop.

thanks
After the computer boots up go to a command prompt and type "set l" for "set logonserver", this will show you what server authenticated the logon.  After logging in again, do the same thing to see if it has a different server.

Are roaming profiles involved?
ASKER

We do use roaming profiles and this was my first thought. I recreated the user's profile but it made no difference. I am a domain admin and I do not have a roaming profile and I still have this problem on this laptop.
Do you have different sites and subnets?

ASKER

yes we do

ASKER

We do but not in this child domain only in the AD forest
You might want to download a copy of these support tools. Install the full set on this laptop.

WindowsXP-KB838079-SupportTools-ENU

http://www.microsoft.com/downloads/details.aspx?familyid=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en

It looks like your laptop loses its netbios connection. So, it goes to another source. If it goes to another source that can't perform netbios translation, then it will keep trying for a little while and revert back to an alternative location. So, you are in effect swapping netbios connections. What you will want to do is download these tools and run Nbtstat. That will tell you what netbios connections you have. Then, you want to prevent any netbios connection from doing netbios unless it can provide a DNS or WINS record to your laptop. Going to a netbios connection that doesn't exist will slow down the machine.

ASKER


I have had a look at this and this is the result

       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
XPL001985      <00>  UNIQUE      Registered
XPL001985      <20>  UNIQUE      Registered
UK             <00>  GROUP       Registered
UK             <1E>  GROUP       Registered

MAC Address = 00-15-C5-43-F7-A2

This looks normal to me

"Then, you want to prevent any netbios connection from doing netbios unless it can provide a DNS or WINS record to your laptop. "

How do I do this?

When adding the laptop back to the domain, did you use the same ID?
Those do look good. I don't think I would mess with them.

Is your time synchronization between client and server off?
ASKER

I added the laptop back into the domain with the same computer name.

We use a separate NTP time sync program with a separate time server.

I have just disabled antivirus to rule this out.

Any more thoughts?

Would, as a last resort, a reinstall solve this problem?

Thanks
What happens if you change the laptop computer name?
Can we see an IPconfig /all on the client?

ASKER

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

Y:\n317118>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : XPL001985
        Primary Dns Suffix  . . . . . . . : uk.ad.xxxxxx
        Node Type . . . . . . . . . . . . : Peer-Peer
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : uk.ad.xxxxxx
                                            ad.xxxxxx
                                            hhuk.hurel-hispano.snecma
                                            corp.ad.xxxxxx

Ethernet adapter Wireless Network Connection:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Dell Wireless 1390 WLAN Mini-Card
        Physical Address. . . . . . . . . : 00-18-F3-00-7B-B2

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : uk.ad.xxxxxx
        Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Cont
roller
        Physical Address. . . . . . . . . : 00-15-C5-43-F7-A2
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 128.1.140.87
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . : 128.1.1.1
        DHCP Server . . . . . . . . . . . : 128.1.3.101
        DNS Servers . . . . . . . . . . . : 128.1.3.101
                                            128.1.3.102
        Primary WINS Server . . . . . . . : 128.1.3.102
        Secondary WINS Server . . . . . . : 128.1.3.101
        Lease Obtained. . . . . . . . . . : 11 March 2008 08:58:07
        Lease Expires . . . . . . . . . . : 19 March 2008 08:58:07

I have not tried renaming the client but have removed it from the domain, deleted it from DHCP, DNS and WINS and then re-joined it.
I read that you can try to add the DNS/PDC's IP (have you got more than one DNS IP?) to the list of DNS servers passed down by the DHCP server.

Hope it helps.

ASKER

The DNS is currently running on our Domain controllers.
128.1.3.101 is Domain Controller 1
128.1.3.102 is Domain Controller 2
So, which one is elected as global catalog server in AD ? Usually when there are more DCs only one server will be elected as the global catalog server, try to add, in AD site and services, the second server as well.
Here is your problem: Please read the article that follows.

Node Type . . . . . . . . . . . . : Peer-Peer

http://support.microsoft.com/kb/903267
From Wikipedia:

http://en.wikipedia.org/wiki/Node_type_(NetBIOS)

"The node type of a networked computer relates to the way it resolves NetBIOS names to IP addresses. There are four node types.

B-node: 0x01 Broadcast
P-node: 0x02 Peer (WINS only)
M-node: 0x04 Mixed (broadcast, then WINS)
H-node: 0x08 Hybrid (WINS, then broadcast)
The node type in use is displayed by opening a command line and typing ipconfig /all. A Windows computer registry may also be configured in such a way as to display "unknown" for the node type."


ASKER

While I can see where you are coming from, this info is for a workgroup PC. We do have a WINS server and all other PCs are Peer to Peer node.
"When I added the laptop back to the doamin the problem returned."

So, you are in a workgroup now and working well in the Peer-to-Peer Node type. When rejoining the domain, what is the node type? It should default to Hybrid.

Hybrid is WINS first, then broadcasts.

ASKER

When I removed the laptop from the domain and logged on locally the logon was normal. There are no other PCs in a workgroup. All the other PCs in the domain default to peer to peer mode. I'll give what you recommend a go and let you know.
Do you see any particular notification in the events?

ASKER

There is nothing in the event log
As this article says:
http://support.microsoft.com/kb/903267
"In p-node mode, the computer uses only point-to-point name queries to a Windows Internet Name Service (WINS) server. However, the WINS server is not available for NetBIOS name resolution on a peer-to-peer network."

Netbios broadcasts are used for multiple things. This includes DNS, WINS, and the Domain Master Browser Service.

Broadcasts for netbios are on port 137.
The master browser service is on ports 137 and UDP port 138.
The WINS server uses port 137
DNS uses port 53 but relies upon these netbios broadcasts to communicate.

This is why, even though some don't have a WINS server (like my domain), we have the hybrid node active.

When you select p-node mode for peer2peer operations, you take away netbios broadcasts.

As the article suggests WINS is unavailable for peer to peer node type. However, there are passive alternatives to changing from peer to peer mode. I don't recommend deleting the registry keys as the article suggests, just edit them to change to hybrid mode. To do this follow these instructions:

1. Click Start/Run regedit ENTER

2. Navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters

3. Left click on 'Parameters' to highlight it. At the top of the window
click on Registry and select Export ... - give the file a name and save to a
place where it can be easily found.

4. Right click on Parameters and highlight New - select DWORD value - name
the value NodeType (one word) ENTER.

5. Double click on NodeType - select Decimal and enter a value of 8 for h-node. Click OK, close registry editor, and reboot.


The reason you were having problems with logging onto the domain is because the netbios broadcasts were needed for DNS. Since they were unavailable, it took a long time to propagate the DNS record to log onto the domain. Once you change the node type, try logging back into the domain and see if this was the answer to your problem.

Also be careful of conflicting registry keys. If you see a node type of 1 on this same registry key, then edit it to 8, don't recreate the key and have two keys for the same parameter.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
Have you got a wireless card on this laptop? If so try to either set the Windows Wireless Zero Configuration Service from Manual to Automatic  or disable the Wireless card.

You can also try this:

You may experience extremely long delays (up to 5 minutes) when logging into domains using Windows XP Pro. This is caused by the asynchronous loading of networking during the boot up process. This speeds up the login process in a stand-alone workstation by allowing the user to log in with cached logon credentials before the network is fully ready. To disable this "feature" and restore your domain logons to their normal speed, open the MMC and add the group policy snap-in. Under Computer Configuration-->Administrative Templates-->System-->Logon, change "Always wait for the network at computer startup and logon" to ENABLED.

ASKER

HDA the wireless card is disabled

CheifIT
Sounds like a plan. :-)
The user is off site with the laptop until Monday so I'll try it then first thing and let you know what happens.

It is strange that it is only on one PC out of 350

Thanks for your help so far
Also check if Net Logon in services is set to manual; if so, change it to automatic.

cheers
Hurel:
One other thing. Slow logons usually mean that the clients are trying to do a DNS resolution to a server that no longer exists or to a server that can't make the resolution to any Host A records. One thing I would also check is the router's list of DNS servers. The router is the middle man between servers and clients. If the router's list of DNS servers has an outside server, or a server that no longer exists, then the client will have to go through the whole DNS query process, and try to use the alternative DNS. If neither exists on the router's list of DNS servers, you may time out or go to an outside DNS server to try and resolve the DNS query.

Check the router's list of preferred DNS servers. It should only be your active, local DNS servers.

ASKER

I have tried the regedit but still have the same problem.

I have checked to make sure the Net Logon is enabled
The only DNS we use is local DNS.

Any more Ideas?
Have you tried to change the computer name?
SOLUTION
H_D_A
ASKER CERTIFIED SOLUTION
you can locate host files in C:\windows\system32\drivers\etc
http://accs-net.com/hosts/how_to_use_hosts.html

ASKER

Hi

Sorry for the delay in replying but just had a few days' holiday.
I have checked the hosts file and this is empty
Don't you see "127.0.0.1       localhost"?
Have you tried to change the computer name?

White paper: How the logon process works:
http://www.sanx.org/tipShow.asp?index=176

Enable user environment debug logging:
http://support.microsoft.com/kb/221833/en-us
I didn't see firewall mentioned:

DNS port 53
WINS port 137
Netbios translation port 137
Master browser port 137 and UDP port 138.

Do you have client firewalls blocking port 137 or 53?

ASKER

Hi, sorry for the delay.

The user and this laptop are off site most of the time.

The firewall is turned off.
I have renamed the laptop but still get a slow logon

I've read all the links but nothing jumps out at me.

I've just enabled user logging and rebooted and have attached the log file

It gets a bit over my head at this point!!
userenv.log
Are you using a docking station?

ASKER

Have tried with and without a docking station. Doesn't seem to make a difference
USERENV(2fc.300) 12:05:20:468 GetUserDNSDomainName:  Domain name is NT Authority.  No DNS domain name available.

check this forum
http://forums.msrportal.com/archive/index.php?t-672.html

hope it helps,
cheers
USERENV(2fc.300) 12:05:20:468 GetUserDNSDomainName:  Domain name is NT Authority.  No DNS domain name available.

This error usually indicates you have no server DNS records. Your authentication server has to register both SRV and Host A records with your DNS server, even if they are the same entity.

To do this, go to the server's command prompt and type:

IPconfig /flushDNS
IPconfig /registerDNS
Net stop Netlogon
Net start Netlogon

Now force replicate that server's DNS records to all DNS servers on the LAN. IPconfig /registerDNS will register the HOST A record. Restarting Netlogon service will register the SRV record in DNS.

You will also be able to see this DCgetname error on your server when running DCdiag. I think an alternative fix to these is to run DCDiag /fix:DNS.
ASKER

Thanks for the replies.

I've read the pages at the links and done the 'flushdns'

Just waiting for the user to get back to me as to whether it has solved the problem.

If this doesn't fix it, am I as well just reinstalling the OS?
Reinstalling the OS is too much like work. We will be able to pinpoint the problem pretty quickly. DNS is pretty solid as soon as it communicates with other nodes on the network.

A network topology would help.

The best DNS troubleshooting tool is IPconfig /all. If you look at the IP configuration of the problem child computer and your DNS server, you will be able to see discrepancies.
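
The comparison suggested above, as an added example (not code from the thread or from any poster): a Python parser for `ipconfig /all` text that reports the node type with the NodeType values quoted earlier in the thread, flags a P-node host with no WINS server, and flags DNS servers outside an expected list. The host name, addresses, `SAMPLE` text and `expected_dns` set are constructed sample values, and the parser assumes XP-era IPv4 output.

```python
import re

# ipconfig label -> NetBT NodeType value, from the node-type table quoted in the thread
NODE_TYPES = {"Broadcast": 0x01, "Peer-Peer": 0x02, "Mixed": 0x04, "Hybrid": 0x08}
# Label lines always carry dot leaders before the colon; requiring at least one
# keeps continuation values from being mistaken for labels.
FIELD = re.compile(r"^\s+([^.:]+?)(?:\s*\.)+\s*:\s*(.*)$")

def parse_ipconfig(text):
    """Parse `ipconfig /all` text into {section: {field: [values]}}."""
    sections, current, last = {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line[0].isspace():
            if line.endswith(":") or line.startswith("Windows IP"):
                current, last = sections.setdefault(line.rstrip(":"), {}), None
            elif current is not None and last and current[last]:
                current[last][-1] += line       # console-wrapped value ("Cont" + "roller")
            continue
        if current is None:
            continue
        m = FIELD.match(line)
        if m:
            last = m.group(1)
            current[last] = [m.group(2)] if m.group(2) else []
        elif last:
            current[last].append(line.strip())  # extra value of a list field
    return sections

def review(text, expected_dns):
    """Return (node type label, NodeType value, findings) for one host."""
    cfg = parse_ipconfig(text)
    node = (cfg.get("Windows IP Configuration", {}).get("Node Type") or ["Unknown"])[0]
    value = NODE_TYPES.get(node)
    findings = []
    for name, fields in cfg.items():
        if "IP Address" not in fields:          # global section or disconnected adapter
            continue
        wins = fields.get("Primary WINS Server", []) + fields.get("Secondary WINS Server", [])
        if value == 0x02 and not wins:
            findings.append(f"{name}: P-node (WINS only) but no WINS server configured")
        for dns in fields.get("DNS Servers", []):
            if dns not in expected_dns:
                findings.append(f"{name}: DNS server {dns} is not an expected domain DNS server")
    return node, value, findings

# Constructed sample output (documentation addresses, hypothetical host name)
SAMPLE = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : LAPTOP01
        Node Type . . . . . . . . . . . . : Peer-Peer
        DNS Suffix Search List. . . . . . : corp.example
                                            example

Ethernet adapter Wireless Network Connection:

        Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Example Gigabit Cont
roller
        IP Address. . . . . . . . . . . . : 192.0.2.87
        DNS Servers . . . . . . . . . . . : 192.0.2.101
                                            198.51.100.53
        Lease Obtained. . . . . . . . . . : 11 March 2008 08:58:07
"""

if __name__ == "__main__":
    node, value, findings = review(SAMPLE, {"192.0.2.101", "192.0.2.102"})
    print(f"Node type: {node} (NodeType={value})")
    for finding in findings:
        print(" -", finding)
```
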

ASKER

Here's the ipconfig /all from the domain controller 1

Windows IP Configuration

   Host Name . . . . . . . . . . . . : dc1-bly
   Primary Dns Suffix  . . . . . . . : uk.ad.aircelle
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No

From DC 2
Windows IP Configuration

   Host Name . . . . . . . . . . . . : DC2-BLY
   Primary Dns Suffix  . . . . . . . : uk.ad.aircelle
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : uk.ad.aircelle
                                       ad.aircelle

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5708
 VBD Client)
   Physical Address. . . . . . . . . : 00-18-8B-7B-09-D
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 128.1.3.102
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 128.1.1.1
   DNS Servers . . . . . . . . . . . : 128.1.3.101
                                       128.38.11.119
   Primary WINS Server . . . . . . . : 128.1.3.102
   Secondary WINS Server . . . . . . : 128.1.3.101

And from problem laptop


Windows IP Configuration

        Host Name . . . . . . . . . . . . : XPL001985
        Primary Dns Suffix  . . . . . . . : uk.ad.aircelle
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : uk.ad.aircelle
                                            ad.aircelle
                                            hhuk.hurel-hispano.snecm
                                            corp.ad.aircelle

Ethernet adapter Wireless Network Connection:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Dell Wireless 1390 WLAN
        Physical Address. . . . . . . . . : 00-18-F3-00-7B-B2

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : uk.ad.aircelle
        Description . . . . . . . . . . . : Broadcom NetXtreme 57xx
roller
        Physical Address. . . . . . . . . : 00-15-C5-43-F7-A2
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 128.1.140.22
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . : 128.1.1.1
        DHCP Server . . . . . . . . . . . : 128.1.3.101
        DNS Servers . . . . . . . . . . . : 128.1.3.101
                                            128.1.3.102
        Primary WINS Server . . . . . . . : 128.1.3.102
        Secondary WINS Server . . . . . . : 128.1.3.101
        Lease Obtained. . . . . . . . . . : 16 April 2008 07:30:36
        Lease Expires . . . . . . . . . . : 24 April 2008 07:30:36

Everything look good to me.

We are a child domain, UK.AD.AIRCELLE and have two DC's both running DNS and WINS, DC1 is the DHCP server
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : uk.ad.aircelle
                                       ad.aircelle

Ethernet adapter UK Domain:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5708C NetXtre
 VBD Client) #2
   Physical Address. . . . . . . . . : 00-18-8B-7A-CA-A7
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 128.1.3.101
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 128.1.1.1
   DNS Servers . . . . . . . . . . . : 128.1.3.102
                                       128.1.3.101
   Primary WINS Server . . . . . . . : 128.1.3.102
   Secondary WINS Server . . . . . . : 128.1.3.101
Hello, I am back from vacation. Sorry about the delayed response. I went to a place with no electronics. (I want to call it heaven on earth.)

After looking at the information you provided, I think I have an idea of what's going on. Your networking (to include Netbios and DNS connections) appears good. I am sure you can ping by computer name to and from the laptop. This means DNS works for this laptop. One more networking thing to check out is something that H_D_A was alluding to.

Check 1) Make sure your laptop is not a multi homed computer. Multi homed is defined as a computer with two NIC cards or one NIC card and one wireless card. It is also defined as a computer with multiple IP addresses. Your IPconfig says that neither of these scenarios is the case. But, try to disable the wireless NIC connection and make sure your wired NIC is selected. Laptops nowadays have a little button that slides to change NIC cards from wireless to wired or vice versa.

Can you also look into a couple things?

I am beginning to believe your laptop is trying to use HASH to authenticate with your domain controller. HASH authentication is a legacy method to authenticate and a 2003 server will not grant an access token to a computer that uses HASH instead of Kerberos. After being denied, your computer seems to use cached logons as a means to be granted access to roaming profiles and domain files.

The reason I believe this is because of some entries in your Usernv.log file. There are a couple of entries that say something like, "authenticating with SID S-1-2-8". This short SID is a HASH, not a kerberos authentication. There is a registry edit to disable HASH on the client computer and only allow Kerberos to authenticate. The following post explains the differences between Hash, LMHash, and Kerberos.

https://www.experts-exchange.com/questions/23132123/Computer-failed-to-join-or-logon-to-domain-days-later-after-reboot.html

Check 2) Look at the server's security event log. See if there are any failed logons. It appears like your computer is being denied a kerberos access token. If this is Active Directory integrated DNS, then I believe the same computer will be also denied DNS resolution and access to active directory secured folders.

Check 2) Also check your Active Directory server logs (DNS logs and system logs) to see if there are any errors associated with this computer. You should see denial of service if you are having HASH problems.

Check 3) Get that laptop and thoroughly check it for trojans and key loggers. Using HASH to authenticate is not only a vulnerability, it is a common method to be granted access by a Hacker. The reason is a HASH hack is simple. A kerberos hack is very difficult. The fact that you are using a legacy SID as a means to authenticate in any manner is telling me you may have an infected client computer.

I am going to review this UserNV log further this weekend and tell you what I see as potential problems.

ASKER

Thanks for all your help. I just gave up in the end and re-installed the OS.
Laptop now works fine

cheers