jostafew

Slow startup with Domain Account - Trying to resolve WPAD address?

Hey Experts, I'm working with an XP Pro notebook that has been run as a workgroup machine for a long time and has recently been joined to the company domain. When logging into the user's local account the logon process is nice and fast. When logging into the user's new domain account (member of local admins group) it hangs on Applying Computer Settings for about 2 minutes. However, logging into a domain admin account the login process is fast as expected.

In an attempt to troubleshoot I've used WireShark to watch what's happening and it looks like the problem is coming from repeated requests and eventual time-outs with the following query:

NBNS   Name query NB WPAD.ECCO.LAN, <00>

Where ecco.lan is our domain name. I've discovered that this is the automated proxy system trying to get its hands on a proxy config document, but we do not use a proxy at our site. After discovering this I turned OFF automatic proxy detection in IE, but no change.

I noticed a slight improvement after checking the order of the network interfaces; turned out that the LAN connection was last in line. After re-ordering those things picked up a little and here is where I sit with the 2min delay.

For some reason this search for WPAD.ECCO.LAN only occurs on the user's account and not the admin account.

I'd appreciate any assistance in tracking this down!
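To put a number on the repeated WPAD lookups described in the question above, the following added example (not part of the original post) groups WPAD name queries in a Wireshark packet list exported as plain text and shows how long each retry run lasted. The column layout, the sample rows and the function name `wpad_lookups` are assumptions made for the illustration.

```python
import re

# Info-column shapes of a name query; responses are deliberately not matched.
INFO_RE = re.compile(
    r"(?:Name query NB|Standard query(?: 0x[0-9a-fA-F]+)? A{1,4})\s+([\w.-]+)")

# Constructed sample: Wireshark packet-list rows exported as plain text
# (No. Time Source Destination Protocol Length Info). Addresses are made up.
SAMPLE = """\
  101  41.20 192.168.1.50 192.168.1.10  DNS  73 Standard query 0x3c1a A wpad.ecco.lan
  102  41.21 192.168.1.10 192.168.1.50  DNS  73 Standard query response 0x3c1a No such name
  110  42.00 192.168.1.50 192.168.1.255 NBNS 92 Name query NB WPAD.ECCO.LAN, <00>
  111  42.75 192.168.1.50 192.168.1.255 NBNS 92 Name query NB WPAD.ECCO.LAN, <00>
  112  43.50 192.168.1.50 192.168.1.255 NBNS 92 Name query NB WPAD.ECCO.LAN, <00>
  120  44.10 192.168.1.50 192.168.1.10  DNS  75 Standard query 0x3c1b A dc01.ecco.lan
  130  51.00 192.168.1.50 192.168.1.255 NBNS 92 Name query NB WPAD.ECCO.LAN, <00>
"""


def wpad_lookups(lines):
    """Group WPAD name queries by (source, protocol, name)."""
    groups = {}
    for line in lines:
        parts = line.split(None, 6)
        if len(parts) < 7:
            continue  # header, blank or truncated row
        _no, when, src, _dst, proto, _length, info = parts
        match = INFO_RE.match(info)
        if not match:
            continue
        name = match.group(1).rstrip(".").lower()
        if name.split(".")[0] != "wpad":
            continue  # some other host name
        try:
            seen = float(when)
        except ValueError:
            continue
        g = groups.setdefault((src, proto.upper(), name),
                              {"count": 0, "first": seen, "last": seen})
        g["count"] += 1
        g["first"] = min(g["first"], seen)
        g["last"] = max(g["last"], seen)
    return groups


if __name__ == "__main__":
    for (src, proto, name), g in sorted(wpad_lookups(SAMPLE.splitlines()).items()):
        print(f"{src} {proto} {name}: {g['count']} queries, "
              f"{g['last'] - g['first']:.2f}s from first to last")
```

Comparing the first-to-last span per source against the length of the "Applying Computer Settings" hang shows whether the WPAD retries account for the delay or are only background noise.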
m_walker

Check the permissions for any profile on the server (if you have roaming profiles).
Check the local "cached" profile on the user computer and ensure the domain\user has permissions.
Check the local computer and ensure the domain\user can create a profile.

You can try adding the user to the local admin group on that computer and double check it's the correct domain user.

Check that that computer has joined the domain correctly.  It will be a permissions thing.  The local computer is trying to verify the account can do something, but either can't get the OK from the domain or the ACLs have the wrong security ID.  When looking at the NTFS permissions on the local PC, if they don't show actual usernames, this means either it can't get the details from the domain or that SID is no longer valid.

Last time I saw this I just rebuilt the computer and the problem went away.  
I think it has something to do with the local username and the domain username being the same and having data on the computer already with that username.  Same username conflicting Local SID v Domain SID.



As m_walker suggests it sounds like user profile clashes.

The WPAD settings are Current user and if you don't use WPAD where did the WPAD setting come from?  If it's OK to remove try deleting the LastDetectURL - (remember to Export/Backup first)

Registry entries are under:

[HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\Local\AutoProxyCache\LAN]
"LastDetectUrl"="http://wpad.contoso.com/wpad.dat"

By default IE has auto detect proxy on.  With this setting it will try a few things to get hold of the config file (wpad.dat).  One of them is wpad.<default domain suffix>, it can also get the wpad settings from the DHCP server.  It will try to connect to that "host" and d/l the config file.
If you turn off "auto detect proxy" in the IE config, I would expect that wpad issue will go away.
jostafew

ASKER

Hey guys, thank you for the replies, I'll try to work through them in order;

m_walker - I am not using roaming profiles, the domain account was already added to (and continues to be a member of) the local admins account, everything looks OK in terms of permissions on local files (domain names included). I thought you'd hit the nail on the head with the same account names (local vs domain) as I have just that situation; local user account was the user's first name as was the domain account. Under Documents and Settings, Windows created the username user.ecco to represent the domain account. On your suggestion I created a new domain account which followed our company guidelines (using first initial, last name) and signed in with that. Also made that account a member of the local admins group. Unfortunately we seem to have the same issue with this new account.

MarkieS - I have no idea where the WPAD settings came from as we don't use it in our network. I followed the path you provided in the registry to look for an Auto Proxy setting but didn't find any entries. I also searched the entire registry for wpad but came back with no results. I had a look at that registry key in another XP machine that is working correctly and it looks the same.

m_walker - thank you for the summary on the wpad process (I have read this as well). One of the first things I tried was to turn off "auto detect proxy" in IE. I would have expected the issue to go away after that as well....

Forgot to add that the issue is only present on system boot, simply signing off then back on does not recreate the problem.
So it's just at boot up.  Makes sense if it's sitting there applying computer settings.  No user profile has loaded yet.  But I would expect the problem on any domain login.

May be worth trying some extra boot investigation to pin point the delay.  WPAD sounds like a high candidate but it may be worth a try.

Have you tried Bootvis?
re: wpad still there, it may be coming from a different browser.  My guess is there is something that is trying to call home (eg: check for updates) when you start and is using your internet settings to find the best way to do that.  I would kinda ignore it.

If the issue is on boot, then I would be looking at the computer level and the link between that computer and your domain.  Check in AD that that computer has the same permissions and is in the same groups as other working computers.
Burning the midnight oil as well!!
Learned a little more now, just for fun I thought I'd double check another XP machine's boot cycle to make sure it wasn't affected; sure enough it is showing the same symptoms (hang on Applying Computer Settings for a couple mins). This is a CAD workstation that would normally boot in 30ish seconds. I didn't go set up with Wireshark on that machine, but from the outside the symptoms look the same. After this I checked another similar system, but this machine booted fine (tried a couple times).

Trying to think of any changes I've made recently that would affect multiple machines I disabled all the GPOs that I'd been working, ran gpupdate /force on the server and gpupdate on the machine then tried booting again; no change. I then re-enabled my GPOs.

I removed the other two browsers from the original laptop machine, but now that I see the issue appearing on a machine that USED to start fine I'm thinking this is less likely of a cause.

I'm now trying to figure out what makes these two VERY similar systems different, other than belonging to different security groups...

I tried running BootVis on the laptop but the trace would crash in windows before it ever completed so that went nowhere. I suppose I could try it on the other machine, maybe learn something...
Keep going, I'm sure you will track it down.  My money is permissions.
We took over another site and when we got those computers to join our domain we had similar issues at boot up.  Join the domain and logon with a domain user... slow, log on with a local user fast.  Log onto the domain as an admin, fast.  Removed from the domain all was fast.

It's been too long to remember the exact thing that was the cause, but it was round permissions.  Remember the COMPUTER needs permissions in the domain as well as the user.  Applying computer settings is the computer trying to do something (hence will on boot, not log off log on; our issue was more at a user level).

You could try to remove the computer from the domain (reboot the computer).  Ensure this removal has completed and the computer is not visible in the domain any more, then re-join it.  It could fix it, but may not.  Keep in mind when you remove a computer from the domain, then any local ACLs that have domain\user values will be lost or "broken", so you could make a bigger mess.

Since we have stock setups here, we would just re-image the PC, join the domain and continue.  If the problem comes back then it would be a server side GP (as you have tried).

Like I said, keep looking and you should find it.  Check the event logs on the server and client computers.
Still working on this... I used WireShark to capture traffic during the login process for the user account as well as the admin account; user being slow, admin being quick. Interesting what I found was that all the same stuff was happening, the difference being that with the user account it would sit at "Applying Computer Settings" while with the admin account it would whip into Windows right away and continue to do the same work in the background, giving the illusion that it's booting quicker. I stopped both logs at roughly the same point, which turns out to be approximately the same total boot time. I've attached both logs to this post, with any luck something will stand out as a flag. I've also placed a light blue line across each log indicating 1- when the machine has finished booting to the login screen, and 2- when it is into Windows (still booting though).

Having exhausted my inspection of the boot process I am continuing to look into any permissions problems; to be honest I've never had to deal with computer permissions before. Everything has just worked... I'm trying to find the diff. between these 2 XP machines (possibly more) that boot slowly vs the other XP machine that comes up very quickly. Other than being in different OUs. I've even tried moving these machines to the OU that the other belongs to but seemingly no change.

For event logs, I do see a possible clue; both trouble machines are showing the following warning in their Application Log:

Event System (52) 4356 - The COM+ Event System failed to create an instance of the subscriber partition: {MAC addresses} CoGetObject returned HRESULT 8000401A

I'll continue to keep digging, but in the meantime if anything catches your eye please let me know!
Boot---Admin.JPG
Boot---Brussell.JPG
Ok, cleared up that application event warning:
http://forums.techarena.in/small-business-server/232687.htm
But slow boot remains.... Continuing to dig...
ASKER CERTIFIED SOLUTION
jostafew
This solution is only available to members.
Glad to see you got it working.  As soon as I saw your posts, another thing came to mind about a setting that is "wait for network" prior to logging on.  By default it's off, but could have been on.  But you found your issue, well done.
Finally solved the issue, see my final post.
Nice to get a resolution.

cheers