Applying Computer Settings slow 4 to 6 min logons

itdaddyitdaddy Member Posts: 2,089 ■■■■□□□□□□
hey buds,

this is the scenario...we have logons that are slow and random
that take 5 to 6 minutes at "Applying Computer Settings"

when I logon with my account (Domain Admin/Enterprise Admin)
it takes like 5 to 6 minutes sometimes to login to network; and everyone else is random as well.

when I logon as Domain Administrator never does it take 5 minutes or 6 to login never! WTF..i thought it might be a DNS issue but
why does the domain admin never take that long infact it is fast!
another clue: I have excluded myself (my personal login)from getting
computer settings butu still my login take way too long!

WTF mates?

what am i missing?icon_mad.gif

Comments

  • jescabjescab Inactive Imported Users Posts: 1,321
    MAke sure you have DNS and DHCP set up correctly.
    Also make sure you have the correct Gateway
    GO STEELERS GO - STEELERS RULE
  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    Check the event log for userenv and Group Policy errors. Then see if the hyperlink for MS has more info. These issues can be hard to troubleshoot.

    What is your network environment like? Are there NAT'ing routers between clients and DC's?
    All things are possible, only believe.
  • itdaddyitdaddy Member Posts: 2,089 ■■■■□□□□□□
    right after our DNS was configured to this:

    say we have 4 DCs that are also DNS servers

    they use to be pointing to themselves but our tech changed them to this:
    192.168.1.1 has a DNS or primary and secondary 1.1, 2.1 (2k server)
    192.168.2.1 has 1.1, 2.1(2k server)
    192.168.3.1 has 1.1, 2.1(2k server)
    192.168.4.1 has 1.1, 2.1 (the only 2k3 server)
    all DNS servers which are DC (Active Directory integrated)

    all clients at the 1.1 subnet are config 1.1, 2.1
    all clients at the 2.1 subnet are config 2.1, 1.1

    and at 3.1 and 4.1 clients the secondary is 1.1
    while the primary is the local DNS 3.1 and 4.1.

    i dont like this setup myself; i think it is over loading 1.1
    2.1 dns servers..

    nothing new in event viewers.
    thought it strange that Administrator has no issues with long
    Applying Computer Setting logons but me(enterprise admin) does.
    wtf


    no Nat between clients
    just T1 lines joined by CSU devices and then
    routers for each subnet and then DNS/DC behind that
    i thought once you had the dns/dc setup you can point
    the DNS to themselves you know when that A record of DNS was setup??
    i think the DNS is wrong

    we do have alot of the usr not known errors in the event logs
    what up with that?
  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    Are the clients W2K or WXP?
    Did the error just start after changing the DNS on the servers?
    All things are possible, only believe.
  • itdaddyitdaddy Member Posts: 2,089 ■■■■□□□□□□
    yes,
    and the xp seems to be affect not the win2k machines i think more so
  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    itdaddy wrote:
    yes,
    and the xp seems to be affect not the win2k machines i think more so
    Well my motto is "What changed last?". If it worked before, but not after, then put it back the way it was, one step at a time.

    Also, it's strange that it affects the XP more than the 2K, because by default W2K will "wait for the network" before logging someone in while XP will load a cached profile while waiting for network settings.
    All things are possible, only believe.
  • Danman32Danman32 Member Posts: 1,243
    Run NetDiag /fix on the DCs. This is part of the support tools, so you need the correct version installed on the server.

    If you get DNS error, that's your problem. Could be bad records, or a server is unable to register itself in the DNS. Sometimes you can have bad SRV records in the _MSDCS child zone which Netdiag won't remove if not related to the server running Netdiag. Sometimes it's just best to recreate the zone and run Netdiag.

    If you don't get DNS error, you could still have bad SRV records, but probably not as likely.

    Be sure your clients (and your servers) ONLY point to the DNS servers holding the zone for AD.
  • itdaddyitdaddy Member Posts: 2,089 ■■■■□□□□□□
    i will try this and see what happens
    thanks
    yeah that SRV record i think is established and then once this happens
    we should put it back to DNS/DC pointingto themselve.
    i will try this
    thanks a million icon_eek.gif
  • SWMSWM Member Posts: 287
    I have experienced this with several w2003 servers and it was a roaming profile issue. Disable the user accounts roaming profile and see if logon is quicker.
    Isn't Bill such a Great Guy!!!!
  • blargoeblargoe Member Posts: 4,174 ■■■■■■■■■□
    Could it be that you are authenticating to a remote domain controller instead of one in your site? Open a command prompt and run the "set" command on your workstation when this is occuring, and see which DC your workstation is using. If you're going to another site to authenticate, then you need to correctly define subnets in AD sites and services.

    Also run gpresult to see which computer settings are being actually applied via policy.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • itdaddyitdaddy Member Posts: 2,089 ■■■■□□□□□□
    i get in GP results on my pc Policy failure.
    but what could cause slow logons which would cause policy failure.


    if i set GPO Default Domain to cache say 5 logon credentials will this
    fix this issue with slow logons? but will it asyncronously apply GPO behind the scense while logged on even though i set this GPO?

    explain: how to align subnets in AD sites and services??
    thanks

    oh yeah, absolutey no windows 2000 machines are affected by slow logons only the XP one we have half xp machines and have 200 pro machines and no 2kpro are affected by slow logons only the XP wtf??
  • Danman32Danman32 Member Posts: 1,243
    The workstation will (should) contact the closest available DC. If it can't reach the closest, then it will try and contact another one based on what DNS told it are supposedly available DCs. Which points back to possible stale SRV records.

    If you are getting errors with GPO, that could give slow logins. Each DC is supposed to have a copy of all the GPOs in sysvol. Connect ADU&C to each of the DCs, and see if you can read the GPOs on that server using ADU&C. If you get an error reading a GPO for a particular DC, then that DC likely has a bad copy of Sysvol.

    Examine event viewer on your servers and the problem WS for clues, mainly AD/DNS errors.

    Did you run netdiag on all your DCs yet?
  • blargoeblargoe Member Posts: 4,174 ■■■■■■■■■□
    Ask the network engineer if anything changed on his end lately.

    You can also Check the Active Directory event logs on your DC's for problems finding a global catalog.


    If the subnet where the client PC is located is not defined in AD (and thus not associated with a site), it might authenticate to a local DC and it might not. I've seen them go 2 or 3 hops across a wan to a random DC when there is one available in the same building.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • blargoeblargoe Member Posts: 4,174 ■■■■■■■■■□
    I just reread what the tech did to your DNS servers. It is STUPID to not have the network settings on the servers running DNS pointing to the local server for DNS resolution. Flat out Retarded. Why did they do this? I don't think this would directly have an impact on client resolution, but still...

    So the .1.1, .2.1, etc. subnets are connected by wan links and not in the same site, then?
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • Danman32Danman32 Member Posts: 1,243
    Not always stupid. It wasn't said that all servers were running DNS service first of all. Second, for diagnostics I often have clients only use one server for DNS, and have it's zone set to non-AD integrated.

    Otherwise, AD replication problems will cause DNS replication problems, which will cause AD replication problems, which will cause DNS replication problems....

    Once everything is fixed, then you can make the zone AD integrated, then you can add the other servers back as DNS servers with AD zones. Once you establish that the 'secondary' zones have correct information, then you can have the clients (and servers) start using them.
Sign In or Register to comment.