random slow login

[Guest]

We just migrated our domain from NT4 to W2K. The new domain controllers are also to be used for DNS and WINS. Users are able to login fine...until we change the clients to point to the new servers for their DNS and WINS settings. Clients all use static IP. Once the settings are changed, users randomly have problems logging in. Their login then seems to take, but the computer locks up for 10+ minutes. Once the time passes, they get their desktop and everything works fine, but the login script didn't seem to run. I would think it is a DNS problem, but it only happens to particular users on each machine, but that same user can login just fine on another client configured identically to the other...and I do mean identically since they were built from the same Norton ghost image. When trying pings to the new DNS/WINS servers, they come back 100% with <10ms responses. I can resolve the domain using NSLOOKUPS. The clients still pointed to the old DNS/WINS servers don't have any problems. If the user having the slow login problem intentionally types in a wrong password for their domain accout, he is immediately notified that the password is wrong, which means they are communicating with the domain controllers. Users with the same group permissions and login script as the problematic user have no problem logging in onto the same machine. Each computer having the problem seems to have the same error in their application event log:

USERENV Event ID: 1000 Windows cannot obtain the domain controller name for your computer network. Return value (59).

I have run a few tests to single out the problem, which seemed to add to the confusion. Here's a list of what works (user logs in quickly) and doesn't work (slow login).

Doesn't work:
Remove user's local profile.
Removing computer from domain and adding back.
Rebuilding computer from scratch.
Creating a blank login script in each DC's NETLOGON directory (e.g. blank.bat) and linked to the user's account. A blank script should run without any problems, but the login is still slow (10+ minutes) for the user.
Granting user both local machine admin and domain admin rights.

Does work:
Delete user's domain account and rebuild from scratch...placing them back in all of the same groups with the same login script.
Remove login script from user account. Note: User can then manually map the same drives that the login script normally handles.
________________________

To me, the problem does seem to point to either DNS or WINS though, since the problem doesn't begin until the client IP settings point to the new DCs running DNS and WINS. Any thoughts?

Thank you,
Clueless in Cleveland

 

[Pegasus \(MVP\)]

Can you provide some more details?

a) What OS & SP do your clients run?

b) What do you get when you remove the logon script
entry from the user's domain account definition, and
place the script into the local startup folder instead?

c) In the case of b), how long does it take to execute
this command when inserted into the logon script:
net user clueless /domain

We just migrated our domain from NT4 to W2K. The new domain controllers

are also to be used for DNS and WINS. Users are able to login fine...until
we change the clients to point to the new servers for their DNS and WINS
settings. Clients all use static IP. Once the settings are changed, users
randomly have problems logging in. Their login then seems to take, but the
computer locks up for 10+ minutes. Once the time passes, they get their
desktop and everything works fine, but the login script didn't seem to run.
I would think it is a DNS problem, but it only happens to particular users
on each machine, but that same user can login just fine on another client
configured identically to the other...and I do mean identically since they
were built from the same Norton ghost image. When trying pings to the new
DNS/WINS servers, they come back 100% with <10ms responses. I can resolve
the domain using NSLOOKUPS. The clients still pointed to the old DNS/WINS
servers don't have any problems. If the user having the slow login problem
intentionally types in a wrong password for their domain accout, he is
immediately notified that the password is wrong, which means they are
communicating with the domain controllers. Users with the same group
permissions and login script as the problematic user have no problem logging
in onto the same machine. Each computer having the problem seems to have
the same error in their application event log:

USERENV Event ID: 1000 Windows cannot obtain the domain controller name

for your computer network. Return value (59).

I have run a few tests to single out the problem, which seemed to add to

the confusion. Here's a list of what works (user logs in quickly) and
doesn't work (slow login).

Doesn't work:
Remove user's local profile.
Removing computer from domain and adding back.
Rebuilding computer from scratch.
Creating a blank login script in each DC's NETLOGON directory (e.g.

blank.bat) and linked to the user's account. A blank script should run
without any problems, but the login is still slow (10+ minutes) for the
user.

Granting user both local machine admin and domain admin rights.

Does work:
Delete user's domain account and rebuild from scratch...placing them back

in all of the same groups with the same login script.

Remove login script from user account. Note: User can then manually map

the same drives that the login script normally handles.

________________________

To me, the problem does seem to point to either DNS or WINS though, since

the problem doesn't begin until the client IP settings point to the new DCs
running DNS and WINS. Any thoughts?

 

[Guest]

Can you provide some more details?

a) What OS & SP do your clients run? My clients run both Windows 2000 (service pack 3) and NT4.0 (service pack 6)

b) What do you get when you remove the logon script
entry from the user's domain account definition, and
place the script into the local startup folder instead? Works just fine. Mappings in the script work just fine when run locally. It seems that upon login that certain users cannot run the logon script from the DCs. I've created dummy domain accounts with the exact same permissions and logon scripts...these accounts work fine when logging in on the same client computers.

c) In the case of b), how long does it take to execute
this command when inserted into the logon script:
net user clueless /domain

Is something missing from the command in c? Maybe an /ADD or /DELETE? I attempted to type this in at a command prompt and it seems as though the command is incomplete.

Thank you for the help,
Chris

 

[Pegasus \(MVP\)]

See below.

Can you provide some more details?

a) What OS & SP do your clients run? My clients run both Windows 2000

(service pack 3) and NT4.0 (service pack 6)

b) What do you get when you remove the logon script
entry from the user's domain account definition, and
place the script into the local startup folder instead? Works just

fine. Mappings in the script work just fine when run locally. It seems
that upon login that certain users cannot run the logon script from the DCs.
I've created dummy domain accounts with the exact same permissions and logon
scripts...these accounts work fine when logging in on the same client
computers.

It seems some of your clients have a problem getting validated by the
domain. An easy way around the problem might be to delete & recreate their
domain accounts.

c) In the case of b), how long does it take to execute
this command when inserted into the logon script:
net user clueless /domain

Is something missing from the command in c? Maybe an /ADD or /DELETE? I

attempted to type this in at a command prompt and it seems as though the
command is incomplete.
This command is completely correct as I typed it. However, there is a
difference between
net user clueless /domain and
net use clueless /domain

 

[Guest]

Pegasus,

Sorry to keep pestering you about step C, but it doesn't seem to work for me. As an example, we have a user-- Jerry.Jones in our OUTHOUSE domain. So, I created a batch (.bat) file with the following line:
net user jerry.jones/outhouse
The batch file runs, but the results are the details for the syntax of the net user command, as though something is either missing or incorrect in the statement. I get the same results when attempting this command at a command prompt on a Windows 2000 client.

As far as recreating the accounts...it does seem to work--for a while. However, the problem eventually comes back with the rebuilt accounts. It's a very wierd problem which is really difficult to single out the problem. I think the problem can be traced back to the error in the event log, but I cannot find any specifics for this exact event:

USERENV Event ID: 1000 Windows cannot obtain the domain controller name for your computer network. Return value (59).

Every client with the logon problem has this in its logs, while the properly functioning clients do not have this error. And again, it is only a problem with certain users. Baffling.

Well, any other thoughts or ideas are welcome.

Thanks again,
Chris

a) What OS & SP do your clients run? My clients run both Windows 2000

(service pack 3) and NT4.0 (service pack 6)

entry from the user's domain account definition, and
place the script into the local startup folder instead? Works just

fine. Mappings in the script work just fine when run locally. It seems
that upon login that certain users cannot run the logon script from the DCs.
I've created dummy domain accounts with the exact same permissions and logon
scripts...these accounts work fine when logging in on the same client
computers.

It seems some of your clients have a problem getting validated by the
domain. An easy way around the problem might be to delete & recreate their
domain accounts.

c) In the case of b), how long does it take to execute
this command when inserted into the logon script:
net user clueless /domain

attempted to type this in at a command prompt and it seems as though the
command is incomplete.
This command is completely correct as I typed it. However, there is a
difference between
net user clueless /domain and
net use clueless /domain

 

[Pegasus \(MVP\)]

In the command

net user Jerry.Jones /domain

the word "domain" is a keyword. It does NOT denote your
own domain name. Run "net help user | more" to see the
full description of the command.

You are probably correct with your suspicion that the
problem is caused by the message you observe in the
event logger. I have never seen it before. If I came across
such a problem then I would search both the MS Knowledge
Base and Google for that exact string.

Pegasus,

Sorry to keep pestering you about step C, but it doesn't seem to work for

me. As an example, we have a user-- Jerry.Jones in our OUTHOUSE domain.
So, I created a batch (.bat) file with the following line:

net user jerry.jones/outhouse
The batch file runs, but the results are the details for the syntax of the

net user command, as though something is either missing or incorrect in the
statement. I get the same results when attempting this command at a command
prompt on a Windows 2000 client.

As far as recreating the accounts...it does seem to work--for a while.

However, the problem eventually comes back with the rebuilt accounts. It's
a very wierd problem which is really difficult to single out the problem. I
think the problem can be traced back to the error in the event log, but I
cannot find any specifics for this exact event:

USERENV Event ID: 1000 Windows cannot obtain the domain controller name

for your computer network. Return value (59).

Every client with the logon problem has this in its logs, while the

properly functioning clients do not have this error. And again, it is only
a problem with certain users. Baffling.