Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 373
  • Last Modified:

Long delay during XP reboot after install of Windows Server 2008 R2 as DC

I recently installed, under VMware, a new Windows Server Standard 2008 R2 domain controller and joined it to my existing 2003 domain (the 2 existing domain controllers are on real hardware).  One of the existing DCs and the new DC are on the same subnet at the moment.  The new DC is fully patched and the 2003 servers were patched about a month ago.  The install and promotion of the new DC went smooth and after the install, knowing that it was required for Exchange 2010, I promoted the forest to 2003 (the domain was at that functional level already).  The next day, random PCs (all running XP SP3) around my network starting experiencing long delays when booting and arriving at the Applying Computer Settings.   Granted, this new DC install and long delay could be a coincidence but I don’t think so.

I checked event logs on all DCs and the affected PCs and there’s nothing reporting any related issue.  I ran an extensive, verbose DCDIAG on all the DCs and that’s attached for review.  I’ve searched the Internet for other similar tales but have found nothing.  My next resort, I suspect, is to use a sniffer to find out what traffic is going in/out of the PCs at this critical junction.

Has anyone heard of this issue or have any suggestions on where to start to isolate the problem?  The problem is not confined to any one PC (happens across different offices) and I’ve rebooted and tried recreating it at an affected PC without luck.  Is there a simple way (other than shutting down the DCs) to force PCs to go to a specific DC to try and isolate the problem.  

Thank you!!!! dcdiag.txt
0
ejefferson213
Asked:
ejefferson213
  • 8
  • 7
  • 2
2 Solutions
 
allan_jardineCommented:
I would start by ensuring the the DNS settings you give to the XP machines through DHCP are correct
0
 
ejefferson213Author Commented:
As suggested, I checked the PCs and the IP settings they're getting from the DHCP server is correct.  That part hasn't changed and has consistently worked.

The users, when faced with this situation, simply powered off and on their PC and it worked.  Almost as if the choice chosen for their DC was now different and working again.  I'm half tempted to shut down the new DC to see if the problem disappears but assuming it does, I'm still faced with trying to determine why this is happening when all appears well (event logs, etc.).
0
 
allan_jardineCommented:
Is there anything in the event logs on the client or server that may point to the cause of the problem?
Als, can you run the following command on a workstation that experienced the slow logon (replacing yourdomain.com with the correct domain of course)
nslookup -type=srv _ldap._tcp.dc._msdcs.yourdomain.com
and check it returns the all of your domain controllers and the correct IP addresses for them
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
ejefferson213Author Commented:
I checked the event log on the system that experienced the problem and there was nothing unusual in the event log (unfortunately).  And I ran the command you requested on that same system and it came back with the 3 domain controllers I expected to see, including their proper IP addresses.  

Any other suggestions?  Thank you!
0
 
allan_jardineCommented:
Is the 2008 DC a global catalog server?
0
 
ejefferson213Author Commented:
Yes, under AD Sites and Services, all 3 have a DC type of Global Catalog.
0
 
IntegrityOfficeCommented:
HI there,

Please can you do an IPConfig /all can you confirm that you do not have a firewall on. Why are you not useing the new server to do DNS as you mention that you have not changed anything. I see a load of failures in your DCdiag output.

Have you considered dcpromo'ing the server back down again and cleaning up the AD and giving it another dcpromo to see.
0
 
ejefferson213Author Commented:
I did the ipconfg/all as requested but don't see anything there regarding firewall.  However, the firewall service is indeed running.  Should I stop it?  (I naturally have some anti-virus/spamware running on the DC.) And I haven't yet brought this new DC into the DNS mix yet; no specific reason other than haven't gotten around to it yet.  Viewing a book I picked up on installing AD 2008, it has something in there about moving AD-integrated zones to application partitions that I wanted to review first.

The failures I think you're referring to in the DCDIAG point to some old DCs that are no longer around and haven't been for years; I'm in the process of trying to remove them from AD.  And I'm not opposed to doing the demotion and promotion again (after cleanup) but I wanted to make sure there wasn't something else wrong before I go through that effort (only to experience the same thing again). Within the next few days, if nothing surfaces, I'll be forced to do what you suggest.

I've been looking at event logs from those systems that have had issues and there's nothing in them pointing me to a problem and the strange thing is that it almost appears that once it's happened to a client PC, it doesn't happen again.  I've turned on userenv logging to see what details I can see on my own system but no issues have been found.  
0
 
allan_jardineCommented:
Can you switch off the firewall on the 2008 DC please and let me know if that helps with the problem
0
 
ejefferson213Author Commented:
I've turned off the firewall and will report back to you in a few days (allow events to unfold).
0
 
IntegrityOfficeCommented:
when you \\newserver is the \\newserver\netlogon folder there? If not either a service has not started or replication is failing.

When running on a Windows 2008 domain I think that it has been identified that PCs require a little more RAM as there are some GPO settings that seem to affect performance. Also have you run something like gpresult or rsop.msc on a client PC once it has logged in to see if it is a group policy that is causing the hanging? I trust that you have good comms on your Win 2008 hardware and that it is not just a faulty switch or cable etc.

Your VM hardware is not on the same IP as another bit of kit in error? I came a crross a site where they had a firewall on 0.1 and they had bought two smart switches that were default the same IP, fun networking for a while...
0
 
ejefferson213Author Commented:
Allan - It's been 4 days since I reported in and there hasn't been a reported incident.  Does that mean the problem is fixed or that no one is telling me (I hope the former but suspect the latter). I certainly haven't done anything to fix things other than turn off the firewall as you suggested. (Did that fix it???? Who knows.)  

IntegrityOffice - we certainly haven't changed our workstations with additional RAM and being a non-profit (meaning cash starved), I hope it doesn't come down to that.  I ran gpresult and it didn't reveal anything wrong (unfortunately).  And we haven't changed out/added any hardware but that doesn't mean we're not having some issues with them.  Good point and something I'll need to investigate.  

If no further ideas or occurrences, I'll need to close this out.  Thanks for all your help thus far!!!
0
 
allan_jardineCommented:
The firewall could certainly cause problems if it was blocking some services required for the logon process. Personally, I dont run internal firewalls on any of my servers but if you do choose to have them running it is important that they are correctly configured. This document is a good starting point to understand the ports that must be open for Active Directory to function http://support.microsoft.com/kb/179442
0
 
allan_jardineCommented:
There is another article here http://support.microsoft.com/kb/832017 that lists the services and ports required by clients and servers - quite a good reference guide
0
 
ejefferson213Author Commented:
Thanks for that valuable article; I'll hold on to it.  I don't believe it's a firewall issue; a PC in one of the remote offices experienced this problem again after the firewall was stopped on the server.  And since then the PC has been fine and has been rebooted.  Again, it seems to come and go and may be related to what DC is used to handle the request.  Another possibility I saw during my search is that the PC is not yet on the network when group policy processing tries to get underway.  There's a fix for that and I'm considering applying that registry patch.  
0
 
allan_jardineCommented:
Yes, in some circumstances a machine with an active network connection will be slow to logon if the domain controller is not available although i thought you would have seen that with your 2003 DCs as well
0
 
ejefferson213Author Commented:
For now, the problem has disappeared. I suspect it might be a timing issue with the PCs coming onto the wireless network for which there's a fix for that if I need to go that far.  I'll work with the resources you've pointed out to try and resolve this if it should resurface again (which I'm sure it will).  Thank you both for your efforts; greatly appreciated!!!
0

Featured Post

Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

  • 8
  • 7
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now