Applying Computer Settings slow 4 to 6 min logons

itdaddy (Member, Posts: 2,089)
hey buds,

this is the scenario... we have logons that are slow and random
that take 5 to 6 minutes at "Applying Computer Settings"

when I log on with my account (Domain Admin/Enterprise Admin)
it takes like 5 to 6 minutes sometimes to log in to the network; and everyone else is random as well.

when I log on as Domain Administrator it never takes 5 or 6 minutes to log in, never! WTF.. I thought it might be a DNS issue but
why does the domain admin never take that long, in fact it is fast!
another clue: I have excluded myself (my personal login) from getting
computer settings but still my login takes way too long!

WTF mates?

what am I missing?

Comments

  • jescab (Inactive Imported Users, Posts: 1,321)
    Make sure you have DNS and DHCP set up correctly.
    Also make sure you have the correct Gateway
    GO STEELERS GO - STEELERS RULE
  • sprkymrk (Member, Posts: 4,884)
    Check the event log for userenv and Group Policy errors. Then see if the hyperlink for MS has more info. These issues can be hard to troubleshoot.

    What is your network environment like? Are there NAT'ing routers between clients and DC's?
    All things are possible, only believe.
  • itdaddy (Member, Posts: 2,089)
    right after our DNS was configured to this:

    say we have 4 DCs that are also DNS servers

    they used to be pointing to themselves but our tech changed them to this:
    192.168.1.1 has a DNS or primary and secondary 1.1, 2.1 (2k server)
    192.168.2.1 has 1.1, 2.1 (2k server)
    192.168.3.1 has 1.1, 2.1 (2k server)
    192.168.4.1 has 1.1, 2.1 (the only 2k3 server)
    all DNS servers which are DC (Active Directory integrated)

    all clients at the 1.1 subnet are config 1.1, 2.1
    all clients at the 2.1 subnet are config 2.1, 1.1

    and at 3.1 and 4.1 clients the secondary is 1.1
    while the primary is the local DNS 3.1 and 4.1.

    i don't like this setup myself; i think it is overloading the 1.1
    2.1 dns servers..

    nothing new in event viewers.
    thought it strange that Administrator has no issues with long
    Applying Computer Settings logons but me (enterprise admin) does.
    wtf


    no NAT between clients
    just T1 lines joined by CSU devices and then
    routers for each subnet and then DNS/DC behind that
    i thought once you had the dns/dc setup you can point
    the DNS to themselves you know when that A record of DNS was setup??
    i think the DNS is wrong

    we do have a lot of the usr not known errors in the event logs
    what up with that?
  • sprkymrk (Member, Posts: 4,884)
    Are the clients W2K or WXP?
    Did the error just start after changing the DNS on the servers?
  • itdaddy (Member, Posts: 2,089)
    yes,
    and the xp seems to be affected not the win2k machines i think more so
  • sprkymrk (Member, Posts: 4,884)
    itdaddy wrote:
    yes,
    and the xp seems to be affected not the win2k machines i think more so
    Well my motto is "What changed last?". If it worked before, but not after, then put it back the way it was, one step at a time.

    Also, it's strange that it affects the XP more than the 2K, because by default W2K will "wait for the network" before logging someone in while XP will load a cached profile while waiting for network settings.
  • Danman32 (Member, Posts: 1,243)
    Run NetDiag /fix on the DCs. This is part of the support tools, so you need the correct version installed on the server.

    If you get DNS error, that's your problem. Could be bad records, or a server is unable to register itself in the DNS. Sometimes you can have bad SRV records in the _MSDCS child zone which Netdiag won't remove if not related to the server running Netdiag. Sometimes it's just best to recreate the zone and run Netdiag.

    If you don't get DNS error, you could still have bad SRV records, but probably not as likely.

    Be sure your clients (and your servers) ONLY point to the DNS servers holding the zone for AD.
  • itdaddy (Member, Posts: 2,089)
    i will try this and see what happens
    thanks
    yeah that SRV record i think is established and then once this happens
    we should put it back to DNS/DC pointing to themselves.
    i will try this
    thanks a million
  • SWM (Member, Posts: 287)
    I have experienced this with several w2003 servers and it was a roaming profile issue. Disable the user account's roaming profile and see if logon is quicker.
    Isn't Bill such a Great Guy!!!!
  • blargoe (Member, Posts: 4,174)
    Could it be that you are authenticating to a remote domain controller instead of one in your site? Open a command prompt and run the "set" command on your workstation when this is occurring, and see which DC your workstation is using. If you're going to another site to authenticate, then you need to correctly define subnets in AD sites and services.

    Also run gpresult to see which computer settings are being actually applied via policy.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
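
An added example (not part of the original posts) of the check described above: map each client to an AD site by its most specific matching subnet, then compare that site with the site of the DC the client reports from `set`. Site names, DC names, PC names and the /24 masks are assumptions made up for illustration.

```python
import ipaddress

# Constructed sample data. Site, DC and PC names are hypothetical, and the /24
# masks are an assumption; 192.168.4.0/24 is left undefined on purpose.
SITE_SUBNETS = {
    "192.168.1.0/24": "SiteA",
    "192.168.2.0/24": "SiteB",
    "192.168.3.0/24": "SiteC",
}
DC_SITES = {"DC1": "SiteA", "DC2": "SiteB", "DC3": "SiteC", "DC4": "SiteD"}
# client name -> (IP address, LOGONSERVER value from `set`, backslashes stripped)
CLIENTS = {
    "PC-101": ("192.168.1.50", "DC1"),
    "PC-305": ("192.168.3.77", "DC1"),
    "PC-410": ("192.168.4.20", "DC4"),
}

def site_for(ip, site_subnets=SITE_SUBNETS):
    """Return (site, subnet) for the most specific subnet containing ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in site_subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (site, net)
    return (best[0], str(best[1])) if best else (None, None)

def audit(clients, dc_sites, site_subnets=SITE_SUBNETS):
    """List clients with no subnet defined or a logon server in another site."""
    findings = []
    for name, (ip, dc) in sorted(clients.items()):
        site, _ = site_for(ip, site_subnets)
        if site is None:
            findings.append((name, "no subnet defined for " + ip))
        elif dc_sites.get(dc) != site:
            findings.append((name, "in %s but authenticated to %s (%s)"
                             % (site, dc, dc_sites.get(dc))))
    return findings

if __name__ == "__main__":
    for name, problem in audit(CLIENTS, DC_SITES):
        print(name, "->", problem)
```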
  • itdaddy (Member, Posts: 2,089)
    i get in GP results on my pc Policy failure.
    but what could cause slow logons which would cause policy failure.


    if i set GPO Default Domain to cache say 5 logon credentials will this
    fix this issue with slow logons? but will it asynchronously apply GPO behind the scenes while logged on even though i set this GPO?

    explain: how to align subnets in AD sites and services??
    thanks

    oh yeah, absolutely no windows 2000 machines are affected by slow logons, only the XP ones. we have half xp machines and have 200 pro machines and no 2kpro are affected by slow logons, only the XP wtf??
  • Danman32 (Member, Posts: 1,243)
    The workstation will (should) contact the closest available DC. If it can't reach the closest, then it will try and contact another one based on what DNS told it are supposedly available DCs. Which points back to possible stale SRV records.

    If you are getting errors with GPO, that could give slow logins. Each DC is supposed to have a copy of all the GPOs in sysvol. Connect ADU&C to each of the DCs, and see if you can read the GPOs on that server using ADU&C. If you get an error reading a GPO for a particular DC, then that DC likely has a bad copy of Sysvol.

    Examine event viewer on your servers and the problem WS for clues, mainly AD/DNS errors.

    Did you run netdiag on all your DCs yet?
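
An added example (not part of the original posts) of checking for the stale SRV records mentioned in this thread: it parses `nslookup -type=SRV` output for the `_ldap._tcp.dc._msdcs` name and flags targets that are not in your list of current DCs or that came back without an address line. The sample output, domain name and host names are constructed for illustration.

```python
import re

# Constructed sample of `nslookup -type=SRV _ldap._tcp.dc._msdcs.corp.example`
# output. The domain and host names are hypothetical.
SAMPLE = """\
_ldap._tcp.dc._msdcs.corp.example\tSRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc1.corp.example
_ldap._tcp.dc._msdcs.corp.example\tSRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = olddc.corp.example
_ldap._tcp.dc._msdcs.corp.example\tSRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc3.corp.example
dc1.corp.example\tinternet address = 192.168.1.1
olddc.corp.example\tinternet address = 192.168.2.9
"""

SRV_HOST = re.compile(r"^\s*svr hostname\s*=\s*(\S+)\s*$")
ADDRESS = re.compile(r"^(\S+)\s+internet address\s*=\s*(\S+)\s*$")

def parse_nslookup(text):
    """Return (SRV target hosts in order, {host: ip} from address lines)."""
    targets, addrs = [], {}
    for line in text.splitlines():
        srv, addr = SRV_HOST.match(line), ADDRESS.match(line)
        if srv:
            targets.append(srv.group(1).lower().rstrip("."))
        elif addr:
            addrs[addr.group(1).lower().rstrip(".")] = addr.group(2)
    return targets, addrs

def stale_records(text, current_dcs):
    """Flag SRV targets that are not current DCs or came back without an address."""
    targets, addrs = parse_nslookup(text)
    known = {dc.lower() for dc in current_dcs}
    findings = []
    for host in targets:
        if host not in known:
            findings.append((host, "not a current DC"))
        elif host not in addrs:
            findings.append((host, "no address record returned"))
    return findings
```

Run the query against each DNS server in turn and compare the findings; a record flagged on one server but not another also points at a replication problem.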
  • blargoe (Member, Posts: 4,174)
    Ask the network engineer if anything changed on his end lately.

    You can also check the Active Directory event logs on your DCs for problems finding a global catalog.


    If the subnet where the client PC is located is not defined in AD (and thus not associated with a site), it might authenticate to a local DC and it might not. I've seen them go 2 or 3 hops across a wan to a random DC when there is one available in the same building.
  • blargoe (Member, Posts: 4,174)
    I just reread what the tech did to your DNS servers. It is STUPID to not have the network settings on the servers running DNS pointing to the local server for DNS resolution. Flat out Retarded. Why did they do this? I don't think this would directly have an impact on client resolution, but still...

    So the .1.1, .2.1, etc. subnets are connected by wan links and not in the same site, then?
  • Danman32 (Member, Posts: 1,243)
    Not always stupid. It wasn't said that all servers were running DNS service first of all. Second, for diagnostics I often have clients only use one server for DNS, and have its zone set to non-AD integrated.

    Otherwise, AD replication problems will cause DNS replication problems, which will cause AD replication problems, which will cause DNS replication problems....

    Once everything is fixed, then you can make the zone AD integrated, then you can add the other servers back as DNS servers with AD zones. Once you establish that the 'secondary' zones have correct information, then you can have the clients (and servers) start using them.