WinXP Pro SP1 client having trouble authenticating with domain (and roaming profile)

Andrew Connell

I have a new WinXP desktop that is having trouble authenticating on my domain. When I login as a non-roaming profile account in the domain on this desktop, it seems to authenticate me, but then sits forever on the "applying your personal settings". When I login with a roaming profile, it sits forever at the "loading your settings" (I see some activity at first between the two machines on my hub, but then it just sits there... I've waited for up to 45 minutes just to be sure it wasn't slow).

I don't think it has anything to do with my server because I have a WinXP laptop that has no problem logging in with an account set to use local or roaming profiles. I checked in all three and there's nothing of interest in the event logs.

Any ideas?

-AC
 
Ron Lowe

I have a new WinXP desktop that is having trouble authenticating on my
domain. When I login as a non-roaming profile account in the domain on this
desktop, it seems to authenticate me, but then sits forever on the "applying
your personal settings". When I login with a roaming profile, it sits
forever at the "loading your settings" (I see some activity at first between
the two machines on my hub, but then it just sits there... I've waited for
up to 45 minutes just to be sure it wasn't slow).

I don't think it has anything to do with my server because I have a WinXP
laptop that has no problem logging in with an account set to use local or
roaming profiles. I checked in all three and there's nothing of interest in
the event logs.

Any ideas?

-AC


I'm assuming it's a win2000 domain.

First thing to rule out is DNS.
Slow logons are often caused by DNS misconfiguration.

XP differs from previous versions of Windows in that it uses
DNS as its primary name resolution method for finding domain
controllers:

How Domain Controllers Are Located in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;314861

If DNS is misconfigured, XP will spend a lot of time waiting for it to
time out before it tries using legacy NT4 style NetBIOS.
( Which may or may not work. )

1) Ensure that the XP clients are all configured to point to the local
DNS server which hosts the AD domain. That will probably be the
win2k server itself.
They should NOT be pointing at an ISP's DNS server.
An 'ipconfig /all' on the XP box should reveal ONLY the domain's
DNS server.

( you should use the DHCP server to push out the local DNS server
address. )

2) Ensure DNS server on win2k is configured to permit dynamic updates.

3) Ensure the win2k server points to itself as a DNS server.

4) For external ( internet ) name resolution, specify your ISP's DNS server
not on the clients, but in the 'forwarders' tab of the local win2k DNS
server.

On the DNS server, if you cannot access the 'Forwarders' and 'Root Hints'
tabs because they are greyed out, that is because there is a root zone (".")
present on the DNS server. You MUST delete this root zone to permit the
server to forward unresolved queries to your ISP or the root servers.
Accept any nags etc, and let it delete any corresponding reverse lookup
zones if it asks.


The following articles may assist you in setting up DNS correctly:

Setting Up the Domain Name System for Active Directory
http://support.microsoft.com/default.aspx?scid=kb;en-us;237675
HOW TO: Configure DNS for Internet Access in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;300202
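
An added example (not part of Ron's post) for the check in step 1: a small Python parser for `ipconfig /all` output that lists, per adapter, any DNS server other than the domain's own. The sample output, addresses and function names are constructed for illustration, and only IPv4 entries are handled.

```python
import re

# Constructed sample of `ipconfig /all` output; all addresses are made up.
SAMPLE = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : DESKTOP

Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.4
        DHCP Server . . . . . . . . . . . : 192.168.0.2
        DNS Servers . . . . . . . . . . . : 192.168.0.2
                                            203.0.113.53
        Primary WINS Server . . . . . . . : 192.168.0.2
"""

ADAPTER = re.compile(r"^(\S.*adapter .+):\s*$")      # unindented section header
FIELD = re.compile(r"^\s+(.+?)[ .]*:\s*(.*)$")       # "Label . . . : value"
IPV4 = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")  # continuation line

def dns_servers_by_adapter(text):
    """Map each adapter name to the DNS servers listed under it."""
    result, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        m = ADAPTER.match(line)
        if m:
            adapter, in_dns = m.group(1), False
            result[adapter] = []
            continue
        if adapter is None:
            continue                      # still in the global header block
        m = FIELD.match(line)
        if m:
            in_dns = m.group(1).strip() == "DNS Servers"
            if in_dns and m.group(2).strip():
                result[adapter].append(m.group(2).strip())
            continue
        m = IPV4.match(line)
        if m and in_dns:                  # second and later servers wrap here
            result[adapter].append(m.group(1))
    return result

def stray_dns_servers(text, domain_dns):
    """Return {adapter: [servers not in domain_dns]}, omitting clean adapters."""
    allowed = set(domain_dns)
    found = {a: [s for s in servers if s not in allowed]
             for a, servers in dns_servers_by_adapter(text).items()}
    return {a: extra for a, extra in found.items() if extra}
```
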
 
Andrew Connell

Ron-

Thanks for the post... again let me state that I have two XP clients... one
(desktop) is giving me login (and roaming profile sync) issues... the other
(laptop) is working perfectly. Both are on the same network, have similar
IPs (.3=working, .4=notworking), and are obtaining their info from the same
DHCP. I'm going to mention a bunch of stuff here... not sure if some is
relevant or not.

This is a Win2003 domain. I verified that the XP client (desktop) is
pointing to the Win2003 DNS I've set up, and that the server is forwarding
onto my ISP. Both clients have the ISP's DNS server as a secondary...
should that come out (left it in since the laptop was always working)? The
working XP client and server can both resolve external DNS records (ie.
yahoo.com).

I ~was~ only allowing secure dynamic updates, but I changed it to allow both
nonsecure and secure. Not exactly sure where to look in the DNS to make
sure the computer records are showing up (but everywhere I look, it only
shows JAGUAR listed... which is the server name). However, I am receiving
the same error on both the working & nonworking WinXP clients. I've
restarted DNS and had both clients reboot and login (the nonworking one I
have to login under the local admin account because it won't login under
domain accounts).

I have had a DNS error on the server for a while, but since everything was
working (before I rebuilt the machine in question) and my DNS background was
somewhat limited, I decided to adopt "if it ain't broke and causing
problems, don't fix it." The error is that "The DNS Server was unable to
open zone CONNEL (notice the one L) in the AD from the application directory
position DomainDnsZones.CONNEL". My domain, CONNELL, was originally CONNEL.
I uninstalled AD and reinstalled creating the new domain. The SOA record in
both the CONNELL and _msdcs.CONNELL zone have the following (JAGUAR is the
Win2003 server): [number], jaguar.connell., hostmaster.connel. (notice the
second listing). There are no other zones. Should I manually alter the
hostmaster entry?

BTW: When I say "working" and "nonworking", I'm referring to the machine
that can login and sync the roaming profile vs. the one that can't.

Again... thanks for the reply Ron... hopefully you will be able to further
assist me.
-AC
 
