XP PC's on domain hang at login

Mitch

I support several hundred PC's & have about a dozen right
now that hang at the "Applying Computer Settings" window
once the user inputs their ID, password & selects the
correct domain. Some users have waited up to an hour but
the PC never fully logs in & gets a desktop.
A "weird" work-around is to unplug the user's NIC cable
allowing the PC/laptop to login with the local cached
credentials, re-insert the NIC cable once the user can
see the desktop, then have them log off & back on & the
PC logs in just fine. Everything is OK until the user
reboots or shuts down their PC.
We've tested with different logins, different domains,
different DC's, different network segments and nothing so
far has worked!! ANY IDEAS????
Any help would be greatly appreciated!!
 
Matt DuBois [MSFT]

Most of the time, logon problems with XP are because of problems with the
DNS configuration. Other causes can include bad group policies, roaming
profiles, slow network connectivity or high packet loss, etc. Can you post
back with some more info to help narrow it down:

1) Are the DNS settings on the computers that are slow different than
computers that have no trouble logging in?
2) Type of NIC
3) Can you clarify what you mean by trying "different DCs"? What did you do to
test this?

4) You say that the logon works fine after you get it logged in the first
time after a reboot. When you log on successfully, open a command prompt
and run "set". Scroll back through the output and check to see if
"LOGONSERVER" is a DC
5) If you are using AD, are you using different sites? Are the non-working
computers in different OUs?
6) Were the non-working computers all installed around the same time? Have
any working computers been installed since the non-working computers were
installed? Were any new group policies created, changed, or applied around
the time the non-working computers were installed?
7) Are you using roaming profiles or network redirection (redirecting My
Documents, etc)?
8) Is it certain user accounts that are having trouble and not really
certain computers? Did you try having a user with a computer that works
fine log into one of the computers that is having trouble after a reboot?
 
Mitch

Thanx for the quick response. Here are the answers to
most all your questions:
1) All DNS, WINS, etc are being populated by the DHCP
server, so yes that info is consistent across every PC
2) NICs are all different, some 3C905c, some 3Com 10/100
Mini-PCI
3) Some people are being validated by the PDC, some by
the next closest BDC. Not consistent!! Had one of the
server admins remote in & login on both our normal domain
& the new AD. His account has no login scripts, roaming
profile, etc. it's a plain jane Domain Admin login. He
experienced the same issue on this laptop from both a
domain & the active directory.
4) Users can get in fine once the pc/laptop boots without
the network cable plugged, then the cable is plugged &
the user can log off then back in just fine. Will hang
again at the "Applying Computer Settings" screen forever
if the user reboots or shuts down the pc.
5) None of these users are currently logging into the AD.
It's still under development/testing so only a handful of
people login to the AD. These are all normal NT domain
users.
6) This issue all started on all these pc's the same day!
None of these PC's are new, nor are the people logging
into them. I've recreated it once with my login on a
brand new laptop with a brand new image. So it's
happening to only about 12 users scattered around our 2
story, 4 wing building. Not domain specific, not user
specific, not network segment, data drop or switch
specific!! :-(
Not sure about the group policy add/change question...
Getting an actual, true statement out of the server group
is kinda like pulling teeth!! Usually if no one complains
about a change then they feel like they are doing their
job OK.
7) No roaming profile or network redirection
8) Yes the user(s) in question can login elsewhere (ie -
building on other side of town with same laptop having
issue in our building) and like I stated earlier, one of
the domain admins logged into this laptop with the issue
& he also experienced the "hanging login" issue.
Found some interesting data today concerning possible DNS
server issues. I ran the Microsoft scanning tool to check
for the missing 039 patches and took the output file &
imported it into Excel. I then sorted by machine name &
noticed duplicate names with DIFFERENT ip's!! So I went
through the entire spreadsheet & found over 40 entries
like this where a pc with name XYZ had 2-4 different IP
addresses!! For example:
XYZ: 10.6.19.22
XYZ: 10.6.15.22
XYZ: 10.6.17.160
This is a workstation so it does not move around &
actually has IP's all from the same network segment (same
building wing).
Very unusual if I may say so myself!!
Any of this info clear things up? Clear as mud probably!!
Thanx
-----Original Message-----
Most of the time, logon problems with XP are because of problems with the
DNS configuration. Other causes can include bad group policies, roaming
profiles, slow network connectivity or high packet loss,
etc. Can you post back with some more info to help
narrow it down:
1) Are the DNS settings on the computers that are slow different than
computers that have no trouble logging in?
2) Type of NIC
3) Can you clarify what you mean by trying "different
DCs"? What did you do to test this?
4) You say that the logon works fine after you get it logged in the first
time after a reboot. When you log on successfully, open a command prompt
and run "set". Scroll back through the output and check to see if
"LOGONSERVER" is a DC
5) If you are using AD, are you using different sites? Are the non-working
computers in different OUs?
6) Were the non-working computers all installed around the same time? Have
any working computers been installed since the non-working computers were
installed? Were any new group policies created, changed, or applied around
the time the non-working computers were installed?
7) Are you using roaming profiles or network redirection (redirecting My
Documents, etc)?
8) Is it certain user accounts that are having trouble and not really
certain computers? Did you try having a user with a computer that works
fine log into one of the computers that is having trouble after a reboot?
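The spreadsheet check described in the post above (one machine name carrying several IP addresses), as an added example that is not part of the original thread. The CSV column names and every row other than the three XYZ addresses are constructed; the reverse check, one address claimed by several names, goes one step beyond what the post did.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample standing in for the scanner export. The column names are
# an assumption; only the three XYZ addresses come from the thread.
SAMPLE_EXPORT = """machine,ip
XYZ,10.6.19.22
ABC,10.6.15.40
XYZ,10.6.15.22
xyz,10.6.17.160
ABC,10.6.15.40
DEF,10.6.19.7
GHI,10.6.19.7
bad-row,not-an-ip
"""

def _index(export_text):
    """Build name -> {ips} and ip -> {names} maps, skipping malformed rows."""
    by_name, by_ip = defaultdict(set), defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        name = (row.get("machine") or "").strip().upper()  # names are case-insensitive
        try:
            ip = ipaddress.ip_address((row.get("ip") or "").strip())
        except ValueError:
            continue
        if name:
            by_name[name].add(ip)
            by_ip[ip].add(name)
    return by_name, by_ip

def names_with_multiple_ips(export_text):
    """Names registered against more than one address (possible stale records)."""
    by_name, _ = _index(export_text)
    return {n: [str(i) for i in sorted(ips)] for n, ips in by_name.items() if len(ips) > 1}

def ips_with_multiple_names(export_text):
    """Addresses claimed by more than one name (a reused lease left behind)."""
    _, by_ip = _index(export_text)
    return {str(i): sorted(ns) for i, ns in by_ip.items() if len(ns) > 1}

if __name__ == "__main__":
    for name, ips in names_with_multiple_ips(SAMPLE_EXPORT).items():
        print(f"{name}: {', '.join(ips)}")
    for ip, names in ips_with_multiple_names(SAMPLE_EXPORT).items():
        print(f"{ip}: {', '.join(names)}")
```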
 
Matt DuBois [MSFT]

Okay. Here's some more for you. There were a few interesting bits in your
first wave of responses that may be shedding some light on the picture:

1) Having multiple IP addresses for the same name is a little interesting.
You may have some stale WINS records. Check the records for your DCs and
make sure they are accurate.
2) What OSes are your clients running? Are all the clients having problems
running the same OS at the same service pack/patch level? Are there any
clients at the same service pack/patch level as the problem clients that
work fine?
3) Do you have IIS running on any of your DCs?
4) Is there anything of interest in the event logs of your DCs?
5) Are there any errors or warnings in the App or System logs on the client?
6) You are applying images down to your new machines:
Did you use sysprep before you made the image?
Was the machine you made the image of domain joined when you created
the image?
7) DNS, WINS, etc info comes from DHCP. Did you check to make sure that the
machines all have the same DHCP server and the settings really are what you
expect, versus a client that does work?
 
Mitch

I'm not an admin so I can't give you any info from the
DC's... unfortunately!!
I thought when you ping -a x.x.x.x that is querying DNS,
not WINS? If I do a nbtstat -A x.x.x.x it resolves
correctly to the machine name it is supposed to.
Clients are both XP SP1 & W2K SP4, all are current on
patches as we are running an SUS server.
Again can't give you any info on DC's.
On a laptop I just setup this morning, I experienced the
same issue where I could not get logged in. I'm looking
at the event viewer now. In the Application log there are
a few questionable entries:
Error: Source - Userenv - Event ID: 1053
windows can't determine the user or computername. (The
RPC server is unavailable) Group Policy processing
aborted.

Error: Source - Userenv-Event ID: 1054
windows can't determine the user or computername. (The
specified domain either does not exist or could not be
contacted) Group Policy processing aborted.

Error: Source - AutoEnrollment-Event ID: 15
Automatic certificate enrollment for local system failed
to contact the active directory (0x8007052b). Unable to
update the password. The value provided as the current
password is incorrect. Enrollment will not be performed.

Images are created once on a test machine then saved for
future use. These images have been used for months with
no issues. Not a dup SID if that's what you are thinking.

Yes all the DHCP settings are identical & correct
 
Matt DuBois [MSFT]

The reason I asked is that it is extraordinarily important that a machine
you image NOT be joined to a domain or bad things will happen. "Bad things"
can include symptoms like you are seeing. Regardless of how well it has
seemed to work, imaging a domain joined machine is bad and you shouldn't do
it. If you didn't use sysprep to get the test machine ready for imaging,
what tool did you use?

From the events you quoted below, it appears as if there might be a problem
with the computer account. Can you try the following experiment:

1) Disjoin the laptop from the domain
2) Change the name of the laptop to something that will never have been
used. Make up a random name.
3) Join the laptop back to the domain and see if it still experiences the
problem.

Make a note of any errors that may occur. Also, see if you see any similar
events to the ones below after you rejoin the domain.
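A triage sketch for the client events quoted in this thread, as an added example that is not part of the original posts. The event sources, IDs and the 0x8007052b code are from the thread; the host names and the two verdict labels are constructed, and treating AutoEnrollment event 15 with a wrong-password code as a computer-account problem is a heuristic that follows the reading given in the reply above.

```python
import re

# Constructed sample events as (host, source, event_id, message). Sources, IDs
# and the 0x8007052b code are from the thread; the host names are made up.
SAMPLE_EVENTS = [
    ("LAPTOP-A", "Userenv", 1053, "The RPC server is unavailable"),
    ("LAPTOP-A", "Userenv", 1054, "The specified domain either does not exist or could not be contacted"),
    ("LAPTOP-A", "AutoEnrollment", 15, "failed to contact the active directory (0x8007052b)"),
    ("DESKTOP-B", "Userenv", 1054, "The specified domain either does not exist or could not be contacted"),
    ("DESKTOP-C", "Userenv", 1000, "unrelated event"),
]

FACILITY_WIN32 = 7           # HRESULTs of the form 0x8007xxxx wrap a Win32 error
ERROR_WRONG_PASSWORD = 1323  # Win32 error 0x52B, the low word of 0x8007052b

def decode_hresult(message):
    """Return (facility, code) for the first failure HRESULT in a message."""
    m = re.search(r"0x([0-9a-fA-F]{8})\b", message)
    if not m:
        return None
    value = int(m.group(1), 16)
    if not value & 0x80000000:       # severity bit clear: not a failure code
        return None
    return (value >> 16) & 0x7FF, value & 0xFFFF

def triage(events):
    """Map each affected host to a suspected cause (heuristic labels)."""
    verdicts = {}
    for host, source, event_id, message in events:
        if source == "AutoEnrollment" and event_id == 15:
            # Local system authenticates as the computer account, so a
            # wrong-password error here points at that account.
            if decode_hresult(message) == (FACILITY_WIN32, ERROR_WRONG_PASSWORD):
                verdicts[host] = "machine-account"
        elif source == "Userenv" and event_id in (1053, 1054):
            # Weaker signal: the DC could not be located or reached (DNS, network).
            verdicts.setdefault(host, "dc-unreachable")
    return verdicts

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, verdict)
```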
 
Mitch

Looks like it could be a combination of things. Found out
last week that they were building a new DNS server.
Didn't say they were having issues with the current one
but I KNOW THEY WERE!!! But that's another story.
Seems removing & re-adding the PC to the domain worked,
but again don't know if that's related to the DNS issues.
All seem to be working fine now. Thanx for the help &
ideas.

Mitch
 
