slow or failed user logon authorization


kend

Single domain network with 2 DC supporting 600 users was
moved from an ATM network connection to a GE network
connection.

Now I am getting 5-10 users a day that fail initial logon
authorization. After 2 or 3 tries it allows them to log
in.

What ntdsutil would help clean up my slow login
problem?

Thanks, Ken
 
Ken,

Slow logons are *typically* an indication that there is something going on
with DNS. A *usual* cause of this is that in the client's TCP/IP settings
the DNS Server entry is the ISP's DNS Server ( or some other external DNS ).
I would suggest that you take a look at the settings on the DHCP Server to
see what it is handing out as Option 006. All WIN2000 and WINXP clients
*MUST* *MUST* *MUST* point to an internal DNS Server that supports SRV
Records and Dynamic Updates.

Please take a look at the following two MSKB Articles that describe what
WIN2000 and WINXP clients do at logon:

http://support.microsoft.com/?id=247811
http://support.microsoft.com/?id=314861

Another possible problem is a Global Catalog is not available at certain
times ( for God knows what reason ).

Ken, you do not give us any idea of your topology. I am assuming ( I am
almost always wrong when I do this! ) that you have one Site and not
multiple Sites. Please give us some details of your topology.

Also, I would strongly suggest that you install the Support Tools on all of
your WIN2000 Servers and run dcdiag /c /v and netdiag /v. This will give
you a good reading as to the health of your AD environment. I am not sure
why you would want to run ntdsutil? Did you dcpromo a Domain Controller and
it still shows up in the ADSS MMC? and you see it listed as a replication
partner with your currently existing DCs when you run repadmin /showreps?

The Support Tools, by the way, are located on the WIN2000 Server CD as well
as on the WIN2000 Service Pack CD in the Support | Tools folder.

HTH,

Cary
 
Thanks for your reply.
Answers to your questions are:

My DHCP servers have option 006 set to my internal DNS
servers 10.3.1.18,10.3.1.9

My topology is a single domain and site with 2 DC on the
same subnet and 600 users on 6 other local subnets.

Test dcdiag /c /v and netdiag /v ran clean on both DC's.

Test repadmin /showreps displays only the other DC from
each to the 2 DC's I have.

All my failures are on my older Win98 PC's and I can ping
both my DC's when they are failing. All the PCs have WINS
and DNS configured statically or by DHCP.

Am I correct in saying that the Win98 PC's use WINS to
authenticate to AD only and DNS is not used?

Since I can ping my DC's by name at the time of the
failure, does this tell me that WINS is working?

Thanks Ken
 
Ken,

If you are having problems with only your WIN98 clients then I might suggest
that the first thing that you try would be to install the Client Extensions
on all of them.

Here is the link for the WIN98 ADClient:
http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/adextension.asp

As you can see, it is available on the WIN2000 Server CD. I have not been
able to find it on the MS Web Site.

Just in case, here is the link for the WINNT 4.0 ADClient:
http://www.microsoft.com/downloads/...cc-ec00-4c98-ba61-fd98467952a8&DisplayLang=en

HTH,

Cary


PS. The WIN98 clients do not have a computer account like the WINNT,
WIN2000 and WINXP clients.
 