Win 2003 servers hang at "Applying computer settings" just before the logon

[Andyw]

Hi, we have just upgraded our network from a single NT4
Domain to a Win2k3 Domain. It is in Native mode and all
the servers work, which include a one WinNT 4 server,
many Win2k servers, two 2003 DC's, and three 2003
servers. The problem we have is since the upgrade, 2 of
the windows 2003 servers hang at "Applying computer
settings" just before the logon screen when we boot up.
Also the strange thing is they work in safe mode with
networking on. When the servers are stuck at this point
we can ping them for a few minutes and the they drop out.

Any ideas????

Andy

 

[Lanwench [MVP - Exchange]]

What do you see in these servers' system/app event logs? Can you see the
logs from another server/computer when they finally do come up, and do they
eventually come up in normal mode?

 

[Andy]

We can get them into safe mode, but the event logs show
nothing, we rebooted and the servers just hang on the
the "Applying computer settings" before the logon screen
I asssume a Gp or and local policy is kicking in, but
don't know how to check this locally in the safe
mode.....what do you think?

 

[Tim Hines [MSFT]]

It would be a good idea to enable userenv logging to troubleshoot this
issue. For steps to enable this take a look at this article
http://support.microsoft.com/default.aspx?scid=kb;en-us;221833 . Review the
logs for errors or delays in time and post them in the group.

--
--
Tim Hines, MCSE, MCSA
Windows 2000 Directory Services

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Bruce Musgrove]

I have this same problem. 2-3 a day, nothing in the event logs or boot
logs.I do not know the cause, but I can usually fix it by

1) Running "netdom reset". My batch file for this is "NETDOM.exe move
%computername% /Domain:<insert domain> /UserD:* /PasswordD:* /UserO:*
/PasswordO:* /REBoot:1"

OR

2) Boot into safe mode with network, remove the machine from the domain
(join a workgroup, AND make sure the local admin account is active and you
know the password.), Reboot (wait for the "saving settings" to complete on
the shutdown, it can take 4-8 minutes) and after reboot, logon with local
admin rights and rejoin the domain.

I would love to know why it does this

 

[Guest]

If netdom is correcting this then you have a problem with the machine
resetting its secure channel with the domain.
There are alot of possibilities that can cause this but some of the more
common are SMB signing, and other security settings in the "user rights
assignment" portion of group policy.
Check out 823659

 

[Bruce Musgrove]

Sure wish someone had an idea what could cause this and how to stop it

 

[Doug Gabbard]

You probably have a DNS issue with the client machine. The issue
sounds as if is your secure channel is is not valid. Verify your DNS
Settings are correct on your machine experiencing the issue.

Clients should use the domain dns servers for both preferred and
alternate DNS servers. A common mistake is to use the ISP as a
client's DNS server. Then when it tries to communicate with the
domain it goes to the ISP (the ISP has no information about your
domain), so the client will eventually fail.

So... preferred DNS and alternate DNS on your clients should point to
your domain's DNS servers.

Check that out.

regards
doug

 

[Bruce Musgrove]

I don't run my onw DNS servers internally on the domain. We use the DNS
Servers provided by the school who manages the parent domain.

All of our servers use static IP and point to the Schools main dns servers.
All other units use DHCP and they pick up one of the main DNS servers and a
local server setup within their buildings subnets

We have noticed this week that this appears to happen on several speciifc
computers and a few randon ones and irregular intervals. We have also
noticed that there are occasionally some weird DNS entries showing up such
as non server machines registering as domain master browsers (in WINS) and
as a DC. We have never noticed this happening after the hangs start, but on
2 occasion it did happen and get corrected the day before the hang started.

Bringing the affected machines up in safe mode with networking works
everytime and lets me remove the machine from the domin to correct the
issue, and I can browse the PDC nad DC's with no problem using DNS for
lookup. I know that doen's meand crud as it is not querying for PDC entries
but....