Windows XP Windows XP SP3 clients hang at wallpaper after logon to Windows 2000 domain


Joined
Sep 7, 2012
Messages
3
Reaction score
0
I have a 20+ Windows XP SP3 workstations all joined to a Windows 2000 domain. 10 at site A, 10 at site B, joined together via an IPSec VPN tunnel with Cisco routers. Site A is where the domain controllers reside, and all machines on that side of the network work fine and do not exhibit any issues.

The problem is at site B, there is no DC on that side of the network so all machines just VPN back to site A.

This is what happens at site B...

I power up the computers, they do not apply group policy, slow log on (DNS issue?), but it joined the domain just fine, my guess is with NetBios. The log on screen comes up like normal, I enter in my username and password and log on into the domain. The log on box disappears but then things just sit at a standstill, at a blank blue screen and it will never load the user's profile unless I unplug the computer's network cable or power down the DCs back at site A.

Machines back at Site A work fine. They log on, apply GPOs, run scripts, and map shares all under and the user has a good desktop within 10 seconds.

This boggles me... I tried removing the roaming profile of the user on the machines at site B (all machines exhibit the same issue) thinking that the issue was a profile/NTUSER.DAT corruption.

But the issue still persists once I log in again. Then I went into Active Directory and created a new user called 'test' with default user groups. I log in with that account and the profile loads fine, still slow, but it does not hang indefinitely at a blue background and not load explorer. I can't even use CTRL ALT DEL. But the issue soon comes up again with that account on the next restart. I then deleted my own AD account and created a new one. I logged in to a computer at site B, it logged me in fine, but like the test account, the relief did not last long and on the next reboot it did the same thing.

Please note that I am using roaming profiles on all computers, and I am not using any OUs. The issue is only at Site B which is IPSec VPN endpoint. The issue starts immediately after login (the normal loading user profile, loading computer settings, etc. splash screen does not come up).

Could it be that GPOs are trying to apply over to site B but the internet download speed is too slow and it's just hanging? is it a DNS issue? I really don't know. I've tried pointing the workstations DNS to the IP address of the Primary DC via hosts file, tcpip settings, and from the routers dhcp server and have no luck.

Any suggestions on where to go from here would be really appreciated. I have not checked the event log on the workstations or server. But everything works fine at Site A, this is what boggles me.

I'm new to PC Review, I apologize if this may be more of a networking/ISP issue. I'll re post if necessary.:cry:
 
Ad

Advertisements

Joined
Sep 19, 2012
Messages
2
Reaction score
0
2k domain hmmm, the memory cells are grinding....

if a unknown user can connect and authenticate but on restart it cant, sounds like its using open encryption for the unknown user and switching to closed, which would cache and would be lost over time or restart. Kerberos would be trying to establish on UDP through the vpn. If the Kerberos couldn't establish via UDP it could have that effect. check the event logs on the client for kerberos errors

if it is you could try forcing TCP for kerebos
/hlkm/system/ccs/control/Lsa/Kerberos/Parameters
create a DWORD value "MaxPacketSize" and set it to decimal "1"
restart the box

Any other errors in evetlogs at either end which could give a clue?
 
Ad

Advertisements

Joined
Sep 7, 2012
Messages
3
Reaction score
0
Thanks! I'll try enabling the registry value to force Kerberos over TCP.
Would it make any difference if I forwarded ports for Active Directory or any other related ports? I dont believe you need to do any opening/forwarding when over VPN.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top