Solved

Long delay during XP reboot after install of Windows Server 2008 R2 as DC

Posted on 2010-09-23
Last Modified: 2012-06-21
I recently installed, under VMware, a new Windows Server Standard 2008 R2 domain controller and joined it to my existing 2003 domain (the 2 existing domain controllers are on real hardware).  One of the existing DCs and the new DC are on the same subnet at the moment.  The new DC is fully patched and the 2003 servers were patched about a month ago.  The install and promotion of the new DC went smoothly and after the install, knowing that it was required for Exchange 2010, I promoted the forest to 2003 (the domain was at that functional level already).  The next day, random PCs (all running XP SP3) around my network started experiencing long delays when booting and arriving at the Applying Computer Settings.   Granted, this new DC install and long delay could be a coincidence but I don’t think so.

I checked event logs on all DCs and the affected PCs and there’s nothing reporting any related issue.  I ran an extensive, verbose DCDIAG on all the DCs and that’s attached for review.  I’ve searched the Internet for other similar tales but have found nothing.  My next resort, I suspect, is to use a sniffer to find out what traffic is going in/out of the PCs at this critical junction.

Has anyone heard of this issue or have any suggestions on where to start to isolate the problem?  The problem is not confined to any one PC (happens across different offices) and I’ve rebooted and tried recreating it at an affected PC without luck.  Is there a simple way (other than shutting down the DCs) to force PCs to go to a specific DC to try and isolate the problem.  

Thank you!!!!

Attachment: dcdiag.txt
Question by:ejefferson213
17 Comments
 
LVL 5

Expert Comment

by:allan_jardine
ID: 33752483
I would start by ensuring that the DNS settings you give to the XP machines through DHCP are correct.
0
 

Author Comment

by:ejefferson213
ID: 33753126
As suggested, I checked the PCs and the IP settings they're getting from the DHCP server are correct.  That part hasn't changed and has consistently worked.

The users, when faced with this situation, simply powered off and on their PC and it worked.  Almost as if the choice chosen for their DC was now different and working again.  I'm half tempted to shut down the new DC to see if the problem disappears but assuming it does, I'm still faced with trying to determine why this is happening when all appears well (event logs, etc.).
0
 
LVL 5

Expert Comment

by:allan_jardine
ID: 33754984
Is there anything in the event logs on the client or server that may point to the cause of the problem?
Also, can you run the following command on a workstation that experienced the slow logon (replacing yourdomain.com with the correct domain of course):

nslookup -type=srv _ldap._tcp.dc._msdcs.yourdomain.com

and check that it returns all of your domain controllers and the correct IP addresses for them.
0
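The check suggested in the comment above (does the SRV lookup return every domain controller, each with the right address?) can be made repeatable across workstations. The following is an added example, not part of the original thread: it parses saved nslookup output and compares it with an expected DC inventory. The sample output, host names, addresses and the `EXPECTED` inventory are constructed for illustration.

```python
import re

# Constructed sample of Windows nslookup output for
#   nslookup -type=srv _ldap._tcp.dc._msdcs.example.test
SAMPLE = """\
Server:  dc1.example.test
Address:  10.0.0.10

_ldap._tcp.dc._msdcs.example.test\tSRV service location:
\t  port           = 389
\t  svr hostname   = dc1.example.test
_ldap._tcp.dc._msdcs.example.test\tSRV service location:
\t  port           = 389
\t  svr hostname   = DC3.example.test
_ldap._tcp.dc._msdcs.example.test\tSRV service location:
\t  port           = 389
\t  svr hostname   = olddc.example.test
dc1.example.test\tinternet address = 10.0.0.10
DC3.example.test\tinternet address = 10.0.0.99
"""

# Assumed inventory: the DCs the admin expects, with their addresses.
EXPECTED = {"dc1.example.test": "10.0.0.10",
            "dc2.example.test": "10.0.0.11",
            "dc3.example.test": "10.0.0.12"}

SRV_RE = re.compile(r"svr hostname\s*=\s*(\S+)", re.I)
ADDR_RE = re.compile(r"^(\S+)\s+internet address\s*=\s*(\S+)", re.I | re.M)

def norm(name):
    # DNS names are case-insensitive and may carry a trailing dot.
    return name.lower().rstrip(".")

def check_dc_records(output, expected):
    """Compare SRV targets and their A records against the expected DC list."""
    hosts = {norm(h) for h in SRV_RE.findall(output)}
    addrs = {}
    for host, ip in ADDR_RE.findall(output):
        addrs.setdefault(norm(host), set()).add(ip)
    exp = {norm(h): ip for h, ip in expected.items()}
    known = hosts & set(exp)
    return {
        "missing": sorted(set(exp) - hosts),      # expected DC not advertised
        "unexpected": sorted(hosts - set(exp)),   # e.g. a retired DC still in DNS
        "wrong_ip": sorted(h for h in known if h in addrs and exp[h] not in addrs[h]),
        "no_address": sorted(h for h in known if h not in addrs),
    }

if __name__ == "__main__":
    print(check_dc_records(SAMPLE, EXPECTED))
```

Running the same comparison on output captured from several affected and unaffected PCs shows whether they all see the same set of domain controllers.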
 

Author Comment

by:ejefferson213
ID: 33757504
I checked the event log on the system that experienced the problem and there was nothing unusual in the event log (unfortunately).  And I ran the command you requested on that same system and it came back with the 3 domain controllers I expected to see, including their proper IP addresses.  

Any other suggestions?  Thank you!
0
 
LVL 5

Expert Comment

by:allan_jardine
ID: 33776748
Is the 2008 DC a global catalog server?
0
 

Author Comment

by:ejefferson213
ID: 33778151
Yes, under AD Sites and Services, all 3 have a DC type of Global Catalog.
0
 
LVL 9

Expert Comment

by:IntegrityOffice
ID: 33780153
Hi there,

Please can you do an IPConfig /all, and can you confirm that you do not have a firewall on? Why are you not using the new server to do DNS, as you mention that you have not changed anything? I see a load of failures in your DCdiag output.

Have you considered dcpromo'ing the server back down again and cleaning up the AD and giving it another dcpromo to see?
0
 

Author Comment

by:ejefferson213
ID: 33799572
I did the ipconfig /all as requested but don't see anything there regarding firewall.  However, the firewall service is indeed running.  Should I stop it?  (I naturally have some anti-virus/spamware running on the DC.) And I haven't yet brought this new DC into the DNS mix yet; no specific reason other than haven't gotten around to it yet.  Viewing a book I picked up on installing AD 2008, it has something in there about moving AD-integrated zones to application partitions that I wanted to review first.

The failures I think you're referring to in the DCDIAG point to some old DCs that are no longer around and haven't been for years; I'm in the process of trying to remove them from AD.  And I'm not opposed to doing the demotion and promotion again (after cleanup) but I wanted to make sure there wasn't something else wrong before I go through that effort (only to experience the same thing again). Within the next few days, if nothing surfaces, I'll be forced to do what you suggest.

I've been looking at event logs from those systems that have had issues and there's nothing in them pointing me to a problem and the strange thing is that it almost appears that once it's happened to a client PC, it doesn't happen again.  I've turned on userenv logging to see what details I can see on my own system but no issues have been found.  
0
 
LVL 5

Expert Comment

by:allan_jardine
ID: 33799873
Can you switch off the firewall on the 2008 DC please and let me know if that helps with the problem?
0
 

Author Comment

by:ejefferson213
ID: 33799897
I've turned off the firewall and will report back to you in a few days (allow events to unfold).
0
 
LVL 9

Assisted Solution

by:IntegrityOffice
IntegrityOffice earned 100 total points
ID: 33803947
When you browse to \\newserver, is the \\newserver\netlogon folder there? If not, either a service has not started or replication is failing.

When running on a Windows 2008 domain I think that it has been identified that PCs require a little more RAM as there are some GPO settings that seem to affect performance. Also have you run something like gpresult or rsop.msc on a client PC once it has logged in to see if it is a group policy that is causing the hanging? I trust that you have good comms on your Win 2008 hardware and that it is not just a faulty switch or cable etc.

Your VM hardware is not on the same IP as another bit of kit in error? I came across a site where they had a firewall on 0.1 and they had bought two smart switches that were default the same IP, fun networking for a while...
0
 

Author Comment

by:ejefferson213
ID: 33833914
Allan - It's been 4 days since I reported in and there hasn't been a reported incident.  Does that mean the problem is fixed or that no one is telling me (I hope the former but suspect the latter). I certainly haven't done anything to fix things other than turn off the firewall as you suggested. (Did that fix it???? Who knows.)  

IntegrityOffice - we certainly haven't changed our workstations with additional RAM and being a non-profit (meaning cash starved), I hope it doesn't come down to that.  I ran gpresult and it didn't reveal anything wrong (unfortunately).  And we haven't changed out/added any hardware but that doesn't mean we're not having some issues with them.  Good point and something I'll need to investigate.  

If no further ideas or occurrences, I'll need to close this out.  Thanks for all your help thus far!!!
0
 
LVL 5

Expert Comment

by:allan_jardine
ID: 33838304
The firewall could certainly cause problems if it was blocking some services required for the logon process. Personally, I don't run internal firewalls on any of my servers, but if you do choose to have them running it is important that they are correctly configured. This document is a good starting point to understand the ports that must be open for Active Directory to function: http://support.microsoft.com/kb/179442
0
 
LVL 5

Expert Comment

by:allan_jardine
ID: 33838363
There is another article here http://support.microsoft.com/kb/832017 that lists the services and ports required by clients and servers - quite a good reference guide
0
 

Author Comment

by:ejefferson213
ID: 33885479
Thanks for that valuable article; I'll hold on to it.  I don't believe it's a firewall issue; a PC in one of the remote offices experienced this problem again after the firewall was stopped on the server.  And since then the PC has been fine and has been rebooted.  Again, it seems to come and go and may be related to what DC is used to handle the request.  Another possibility I saw during my search is that the PC is not yet on the network when group policy processing tries to get underway.  There's a fix for that and I'm considering applying that registry patch.  
0
 
LVL 5

Accepted Solution

by:
allan_jardine earned 400 total points
ID: 33885988
Yes, in some circumstances a machine with an active network connection will be slow to log on if the domain controller is not available, although I thought you would have seen that with your 2003 DCs as well.
0
 

Author Closing Comment

by:ejefferson213
ID: 34000897
For now, the problem has disappeared. I suspect it might be a timing issue with the PCs coming onto the wireless network, for which there's a fix if I need to go that far.  I'll work with the resources you've pointed out to try and resolve this if it should resurface again (which I'm sure it will).  Thank you both for your efforts; greatly appreciated!!!
0
