
logging on to AD takes 20 minutes for certain users 1

Status
Not open for further replies.
Jun 26, 2003
14
US
Greetings,

here's a weird one. we are in an active directory rollout. we have added about 100 of our 400 users into a sub OU in a domain. We have a couple users where it takes forever to log in. I can log in as me, and get in lickety-split. when I log in as them, it takes about 20 minutes. I have deleted and recreated the user in AD, and that works for about a week. then it goes back to the 20 minutes.
looking at the user in AD, nothing looks out of whack, there are no GPO's that I can see that are being pushed down. I know DNS is working correctly because that is not a user specific setting.

any help would be great
 
tanelorn26,

Check on the workstation in ControlPanel>System>Profiles. Click on the User and then CopyTo. Verify that permitted to use points to the correct user.

If this was an Exchange 5.5 upgrade and the accounts in question pointed to "more than one mailbox", you may have multiple entries in AD for the user, some marked as 'disabled'.

Ian
 
the domain user is an administrator on the machine,

here's what I just tried

I moved the user's (user A) profile out of the way

delete the entry in the registry hklm/software/microsoft/windowsnt/profilelist

log in as a different domain user (user X) with no problem
and create a new profile. (this tells me the "default user" profile is ok)
log out,

log back in as user (X) again to make sure its not a second login type of thing.
log out

as soon as I log in as user A, the machine goes into la-la land for 15 minutes. I'm not sure what the problem is..

any thoughts?
Fred
 
Fred,

Not off the top of my head. I'll do some searching, in the meantime, I'm sure that the "good folks" in this forum will pitch in with ideas !!

Ian
 
here's another thing I tried,

after the 20 minutes to log user X in,
logged out

logged in as domain user A

I went to the system ctrl panel under the profiles tab,

deleted user x's profile from the control panel

tried to log back in as user x,

and la-la land


Fred
 
Fred,

A quick search of the KB turned up very little, with all of it pointing to a "machine" level.

Is there any clue in the event viewer when you login as user(x)

Ian
 
You said that DNS is working correctly... where do the client machines that are having the issue get their DNS from? If you have multiple DNS servers, the clients that take forever to login may be looking towards a different DNS server. Try to point those clients to the Windows DC for DNS and see if that works. The previous posts you made made it unclear if this is where they are pointing.
 
there are a few things in the event viewer here is one

event ID 1000 source userenv
Windows cannot query for the list of Group Policy objects . A message that describes the reason for this was previously logged by this policy engine.

this is the only thing in the event viewer that is of concern,

here is some more background on the user. we had this problem before, the fix was deleting the user in AD, and recreating him. that worked for about 8 days, and is now acting up again. I can log in as anyone else but him.. I haven't tried to log in as him on a different machine yet, only his laptop..





as far as dns goes every machine (except the servers) are using the dns settings pushed in the dhcp packet. Ipconfig on the client machine looked ok. all of the other client machines like our dns.. just weird
 
is this client on the same or different subnet? is the dhcp server the DC or a different box?
 


all clients and our dns server is in the 138.127.100.0/22 network. we have a domain controller in house that is also in the same subnet. the domain controller is mostly controlled by the corporate domain admins. I do have server operator on it.
 
we are also using legacy wins also pushed down in dhcp. I'm not convinced it's a connectivity issue due to the fact that I can log in as different users with no problem.
 
The comment you made about 8 days could be significant. I believe that the default windows DHCP lease is 8 days. If that user worked for 8 days, then didn't, perhaps the configuration changed when a new DHCP lease was obtained. Have you also tried ipconfig /release and then ipconfig /renew on the problem client computer? Just trying to throw out some suggestions.... this is of windows, so nothing is usually textbook.... hehehe
 
more weirdness

I can log into his laptop with my account.
I can log into his laptop with 5 different user accounts.
he can log into my workstation with his account.

he can't log into his laptop with his account.

I'm thinking I just reimage his machine and start from scratch.

Thanks

fred
 
Fred,

Here is part of a message thread regarding your Event ID 1000 error

'As the message says, this event should be preceded by another one that usually provides more info on why the Group Policy objects could not be queried. A typical example of such event is: Userenv Event:1000 Windows cannot establish a connection to with (1787) Error code 1787 means: "The security database on the server does not have a computer account for this workstation trust relationship." '

So take a look back from the Event 1000 and tell me what you see.

Ian
 
it says that security policy has been applied successfully about 40 minutes before the error about not being able to query. it took extra long this morning

it said:
Security policy in the Group policy objects are applied successfully. at 7:34

and then once it logged in finally, another error came up and said

Windows cannot query for the list of Group Policy objects . A message that describes the reason for this was previously logged by this policy engine.

service pack 4 just came out, I'm going to put that in to see if it clears it up.
 
Try setting the standard gateway as the Primary logon server in the subdomain
 
My first thought when I saw 20 minutes was that Master Browser elections can happen about every 11 minutes, so 20 minutes was about double that. But that may not be an issue here.

When we had a slow log on issue with a new W2K server, we had to make the server's DNS server be itself so that other workstations ended looking at it. Something about installing or configuring systems while with or without internet access.

Apparently there could be a number of reasons why logon is slow, as mentioned already. I did a search on keywords Active Directory, Login, slow, and other combinations. This thread seemed to be closest to your problem: thread616-370637
 
well, I found the answer a couple of weeks later,

it seems it was the cisco VPN client v. 3.51. the client was installed before joining the domain, and after joining the domain, something went kaphlooey. the fix was to remove the vpn client and reinstall it and everything was dandy. I'm guessing it had something to do with the network shim that gets installed with the client. that's about all I know. it only took a month or so to make the connection though..


Fred
 