slow domain logon issue

This is caused by the asyncronous loading of networking during the boot up process.  This speeds up the login process in a stand-alone workstation by allowing the user to log in with cached logon credentials before the network is fully ready.

To disable this "feature" and restore your domain logons to their normal speed, open the MMC and add the group policy snap-in.  Under Computer Configuration-->Administrative Templates-->System-->Logon, change "Always wait for the network at computer startup and logon" to ENABLED.

This can be fed to clients via a group policy from a Windows 2000 server by upgrading the standard policy template with the XP policy template.  Since this is an XP only command, non-XP systems will ignore it in a domain distributed group policy.

Already enabled.  I already posted that in my original post. I should have been more detailed in describing what i already tried.  Sorry

Any other ideas?

The 'Default Domain Policy' needs to have 'Domain Computers' added to the Security Filtering under the Scope.

I'll try and let you know.  Thanks!

Have you checked DNS. If the DNS is not straight there can be delays in logging in. Do the workstations ONLY have internal DNS servers or is there an external address in there as well?

We only have internal DNS servers.  No external.  I double-checked DNS to the bets of my ability and everything looks good as far as I can tell.  Any specific settings I should be checking?

On your DNS server, it should have its NIC settings static IP with the first DNS pointing to itself and second to your next internal. THen in your DHCP settings, the server config should have internal servers set for DNS. That way it will had out the internal servers.

Also, I know your running xp sp2, but have you reviewed the following EE solution. There is alot of good info in there.
https://www.experts-exchange.com/questions/21093961/Windows-Xp-slow-login-on-win2k-server.html

Ok.. I"ll check those network settings.  One question, what static IP DNS settings should i set for the second dns server?  Should it point to itself , or to first DNS server.

cracksalsa,
I checked all of the DNS settings as you suggested and they were all correct.  Even the DHCP settings.  Also, I looked into that other EE solution you mentioned.  Most of the links in there were broken, but managed to find more information about some from google.  Going to see if I can find that bootvis.exe tool.  One other thing suggested in that EE solution is to disable BITS, but I'm a little concerned this will break our WSUS updating.

dfke,
I checked what you suggested, about adding domain computers to the default domain GPO and sure enough it wasn't there (only authenticated users was there).  I added it but it's going to take a little time to determine if that fixes anything.  Not sure who setup the Group Policy's before I was hired but it looks like i'll be checking all off the GPOs to make sure the security rights are correct.

I'll let you know how everything turns out, if you have any more suggestions in the mean time, please post them.

Thanks!

use Netlogon debug (http://support.microsoft.com/kb/109626) to help you troubleshoot.

http://support.microsoft.com/default.aspx?scid=kb;en-us;318266 <-- I have just found this, hope it helps.

After a murphy's law type of IT morning, I got to checking usrenv logs and it seems more people are having the slowness issue this morning.  I pulled open that usrenv log on several machines and noticed a lot of this entry that i havent seen much of:

GetGPOInfo:  Local GPO's gpt.ini is not accessible, assuming default state.

dfke,
It seems these computers are hanging longer at the applying comptuer settings now.  It sounds like adding domain computers to our Group Policy Objects is affecting this somehow.  Not sure though. Any ideas?

maze-uk,
I went to turn the netlogon debug on but it seems that the registry key that microsoft says to delete isn't even there in the registry.  In fact the DBFlag path doesnt even exist (the Parameters path does, just no DBFlag folder underneath).  Any ideas?

VCBooth,
I looked into that microsoft link.  Unless you know of someone that turned that setting to disabled and it fixed a slow logon, I don't think i want to change it.  It's in a not configured state right now and I havent seen anything on our end that points to the symptoms that microsoft describes for it.

Thanks!

Have you tried adding the domain controllers NetBIOS name and IP address in the HOSTS and LMHOSTS located in C:\windows\system32\drivers\etc ?

Possibly worth a shot

This should also be of some help
 
http://www.smart-x.com/?CategoryID=171&ArticleID=208 

I'll definitely be looking more closely into those links dstewartjr.  Thanks for the posts.  This definitely feels like a game of whack-a-mole.

Installed Windows XP SP3 on a few on the machine and haven't heard anything about a slow logon yet.  Will let it go for awhile longer before saying that's a solution.

WIndows XP SP3 seemed to do the trick, but I think some DNS and other issues may have affected it as well.  But as far as I can tell, SP3 made it go away completely.  

Thanks Everyone!