Desperate: Windows XP SP2 intermittent slow logins to Windows 2K AD Domain

Discussion in 'Windows Networking' started by Summer Breeze, Mar 18, 2005.

  1. I hope someone can help with this issue. I just started rolling out new Dell
    XP workstations to our 60 user domain. The XP logins sometimes take up to 5
    minutes to login. It usually happens about every 5th login, sometimes
    every time. The workstations are getting 1053 userenv errors saying that
    Windows cannot determine the computer name. The RPC server is unavailable.

    All the machines are using DHCP and getting DNS from the server. I also
    installed WINS and enabled NetBIOS over TCP/IP on the workstations.

    I've tried every possible fix I've found on the internet. I'm attaching a
    netdiag because I'm getting a DNS error that may be the culprit. The server
    IP is 119.0.0.199 but the netdiag says it's 119.0.0.28 which is a RAS IP
    address.

    Here is the netdiag. Sorry for the length. Any help would be appreciated.
    I'm going nuts with this one.

    Per interface results:

    Adapter : Intel Pro 1000 MT Gigabit Ethernet Adapter - onboard

    Netcard queries test . . . : Passed

    Host Name. . . . . . . . . : ZOOM
    IP Address . . . . . . . . : 119.0.0.199
    Subnet Mask. . . . . . . . : 255.255.255.0
    Default Gateway. . . . . . : 119.0.0.2
    Dns Servers. . . . . . . . : 119.0.0.199


    AutoConfiguration results. . . . . . : Passed

    Default gateway test . . . : Passed

    NetBT name test. . . . . . : Passed
    No remote names have been found.

    WINS service test. . . . . : Skipped
    There are no WINS servers configured for this interface.

    Adapter : {6B7C85D3-4637-480F-B44F-D2D2D6B2DFA8}

    Netcard queries test . . . : Passed

    Host Name. . . . . . . . . : ZOOM
    IP Address . . . . . . . . : 119.0.0.28
    Subnet Mask. . . . . . . . : 255.255.255.255
    Default Gateway. . . . . . :
    Dns Servers. . . . . . . . : 127.0.0.1


    AutoConfiguration results. . . . . . : Passed

    Default gateway test . . . : Skipped
    [WARNING] No gateways defined for this adapter.

    NetBT name test. . . . . . : Passed
    No remote names have been found.

    WINS service test. . . . . : Skipped
    There are no WINS servers configured for this interface.


    Global results:


    Domain membership test . . . . . . : Passed


    NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
    NetBT_Tcpip_{B409B810-9359-4E71-B321-FF245AD1BA52}
    NetBT_Tcpip_{6B7C85D3-4637-480F-B44F-D2D2D6B2DFA8}
    2 NetBt transports currently configured.


    Autonet address test . . . . . . . : Passed


    IP loopback ping test. . . . . . . : Passed


    Default gateway test . . . . . . . : Passed


    NetBT name test. . . . . . . . . . : Passed


    Winsock test . . . . . . . . . . . : Passed


    DNS test . . . . . . . . . . . . . : Passed
    [WARNING] Cannot find a primary authoritative DNS server for the n
    'ZOOM.domain.com.'. [RCODE_SERVER_FAILURE]
    The name 'ZOOM.domain.com.' may not be registered in DNS.
    PASS - All the DNS entries for DC are registered on DNS server '119.0.0.
    ..


    Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
    NetBT_Tcpip_{B409B810-9359-4E71-B321-FF245AD1BA52}
    NetBT_Tcpip_{6B7C85D3-4637-480F-B44F-D2D2D6B2DFA8}
    The redir is bound to 2 NetBt transports.

    List of NetBt transports currently bound to the browser
    NetBT_Tcpip_{B409B810-9359-4E71-B321-FF245AD1BA52}
    NetBT_Tcpip_{6B7C85D3-4637-480F-B44F-D2D2D6B2DFA8}
    The browser is bound to 2 NetBt transports.


    DC discovery test. . . . . . . . . : Passed


    DC list test . . . . . . . . . . . : Passed


    Trust relationship test. . . . . . : Skipped


    Kerberos test. . . . . . . . . . . : Passed


    LDAP test. . . . . . . . . . . . . : Passed


    Bindings test. . . . . . . . . . . : Passed


    WAN configuration test . . . . . . : Skipped
    No active remote access connections.


    Modem diagnostics test . . . . . . : Passed

    IP Security test . . . . . . . . . : Passed
    IPSec policy service is active, but no policy is assigned.


    The command completed successfully
     
    Summer Breeze, Mar 18, 2005
    #1
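
A check for the condition visible in the netdiag output above (host name ZOOM on both 119.0.0.199 and the 119.0.0.28 RAS address), as an added example that is not part of the original thread. The function names are hypothetical and the sample is constructed from the per-adapter fields quoted in the post.

```python
import ipaddress
import re

# Constructed sample: per-adapter fields in the netdiag layout quoted in the post.
SAMPLE = """\
Adapter : Intel Pro 1000 MT Gigabit Ethernet Adapter - onboard
Host Name. . . . . . . . . : ZOOM
IP Address . . . . . . . . : 119.0.0.199
Subnet Mask. . . . . . . . : 255.255.255.0
Adapter : {6B7C85D3-4637-480F-B44F-D2D2D6B2DFA8}
Host Name. . . . . . . . . : ZOOM
IP Address . . . . . . . . : 119.0.0.28
Subnet Mask. . . . . . . . : 255.255.255.255
Default Gateway. . . . . . :
"""

# Matches "Label. . . . : value", with dot leaders between label and colon.
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)[ .]*:\s*(.*)$")

def parse_adapters(text):
    """Split netdiag per-interface output into one dict per adapter."""
    adapters = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "adapter":
            adapters.append({"adapter": value})
        elif adapters and value:  # empty fields (no gateway) are skipped
            adapters[-1][key] = value
    return adapters

def findings(adapters):
    """Return (subject, issue) pairs for the conditions raised in the thread."""
    out, by_host = [], {}
    for a in adapters:
        if "ip address" not in a:
            continue
        ip = ipaddress.ip_address(a["ip address"])
        by_host.setdefault(a.get("host name", "?"), []).append(str(ip))
        if a.get("subnet mask") == "255.255.255.255":
            out.append((a["adapter"], "host-mask interface (RAS-style)"))
        if not ip.is_private:
            out.append((a["adapter"], "address outside RFC 1918 ranges"))
    for host, ips in by_host.items():
        if len(ips) > 1:
            out.append((host, "same host name on several IPs: " + ", ".join(ips)))
    return out
```

Feeding it the full `netdiag` text from a domain controller works the same way, since lines that are not `Label : value` fields are ignored.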

  2. Summer Breeze

    Bill Grant Guest

    See KB 292822 "Name Resolution and Connectivity Issues on Windows 2000
    Domain Controller with Routing and Remote Access and DNS Installed".

     
    Bill Grant, Mar 19, 2005
    #2

  3. Summer Breeze

    Don Wilwol Guest

    If I had to guess, I'd say the domain controller for your domain is NOT
    pointed to the DNS server. If the domain controller IS the DNS server, make
    sure it is pointed to itself.

    The problem is the domain is not registered in DNS. You will need to find
    out why.

    If the DC is pointed to the DNS server, I would try running netdiag /fix and
    dcdiag /fix on the domain controller.

    --
    Hope it helps...........

    dw

    Don Wilwol
    Blog - http://spaces.msn.com/members/wilwol/
    Web - http://capital.net/~wilwol/dw.htm
    DonWilwol(REMOVE)@yahoo.com

     
    Don Wilwol, Mar 19, 2005
    #3
  4. Along with the other two answers, you could band-aid fix this and put the IP
    address and the DNS name of the DC into the hosts file on each machine.

    Greg

     
    Greg DeMaderios, Mar 19, 2005
    #4
  5. Here is the link:
    830063 - Name resolution and connectivity issues occur on Windows 2000
    domain controllers that have the Routing and Remote Acce:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;830063


    --
    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
    Hope This Helps
    ===================================
    When responding to posts, please "Reply to Group"
    via your newsreader so that others may learn and
    benefit from your issue, to respond directly to
    me remove the nospam. from my email address.
    ===================================
    http://www.lonestaramerica.com/
    ===================================
    Use Outlook Express?... Get OE_Quotefix:
    It will strip signature out and more
    http://home.in.tum.de/~jain/software/oe-quotefix/
    ===================================
    Keep a back up of your OE settings and folders
    with OEBackup:
    http://www.oehelp.com/OEBackup/Default.aspx
    ===================================
     
    Kevin D. Goodknecht Sr. [MVP], Mar 19, 2005
    #5
  6. Thanks guys. I hope these work.
     
    Summer Breeze, Mar 19, 2005
    #6
  7. Thanks guys. The only thing that worked was the LMHOSTS files.
     
    Summer Breeze, Mar 19, 2005
    #7
  8. Summer Breeze

    Don Wilwol Guest

    The LMHOSTS file shouldn't be considered a fix. Note Greg submitted it as a
    band-aid. You should really find out why your domain is not being registered
    in DNS. Although your clients appear to be working correctly now, it's most
    likely AD is not, and will not if you ever try to expand it.

     
    Don Wilwol, Mar 19, 2005
    #8
  9. Unfortunately I'm a one man IT department and I'm not an MCSE. I would have
    no idea where to start and no time right now to fix it. I would consider
    hiring an MCSE for a day (to work remotely with me) if they could guarantee
    results.
     
    Summer Breeze, Mar 19, 2005
    #9
  10. Summer Breeze

    Don Wilwol Guest

    Don Wilwol, Mar 19, 2005
    #10
  11. The fix is in that KB article that I posted, it only takes a few minutes.

     
    Kevin D. Goodknecht Sr. [MVP], Mar 19, 2005
    #11
  12. Kevin, that fix didn't work. I followed it to the letter. However step
    number 3 wasn't in my registry so I don't know if that mattered.
     
    Summer Breeze, Mar 19, 2005
    #12
  13. Did you add the PublishAddresses entry with IP 119.0.0.199? (IANA reserved
    IP, I can only assume IANA permits you to use this IP.)
    File sharing must be enabled on this interface.

    You also had to add two host records, did you add those?
    Run netdiag /fix, then run netdiag /test:dns

     
    Kevin D. Goodknecht Sr. [MVP], Mar 19, 2005
    #13
  14. Yes I did add the IP. The 119 IP subnet was here before me and it would take
    a lot of time to change it. Do I really need permission to use it internally?

    I ran netdiag fix and test dns and they both come back with the error that
    "Cannot find a primary authoritative DNS server for the name zoom.domain.com
    [RCODE_SERVER_FAILURE]. The name zoom.domain.com may not be registered in
    DNS."
     
    Summer Breeze, Mar 19, 2005
    #14
  15. Just a thought I thought I'd add. I'm Ghosting these machines then changing
    their names and SIDs and then joining them to the domain. I'm going to try
    adding an out of the box machine to the domain on Monday and see if it makes
    any difference. Thanks for all of your help thus far guys.
     
    Summer Breeze, Mar 19, 2005
    #15
  16. This IP address is reserved by IANA, I'm sure of what you have to do to use
    a reserved IP, I'm sure though that it is going to cause problems for you
    since you have VPN clients which can see the internal and the public IP
    addresses.
    It may cause a routing problem for the VPN clients, since it is a semi
    routable IP address. You really should use a non-Routable IP range
    internally like 10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255, or
    192.168.x.x

    http://www.dnsstuff.com/tools/whois.ch?ip=119.0.0.199
    Can you post the ipconfig /all from the DC, the AD domain name from ADU&C,
    and the names of the forward lookup zones in DNS.

     
    Kevin D. Goodknecht Sr. [MVP], Mar 19, 2005
    #16
  17. This IP address is reserved by IANA, I'm sure of what you have to do to
    The 119.0.0.199 is internal and all VPN clients connect to our live IP and
    then the router/firewall points them to the correct internal IP. I will make
    plans to change the IP address range once the rollout is completed. Thanks
    for your help Kevin.

    Here is the info you requested.

    Windows 2000 IP Configuration

    Host Name . . . . . . . . . . . . : ZOOM
    Primary DNS Suffix . . . . . . . : tws.com
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : Yes
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : tws.com

    Ethernet adapter Intel Pro 1000 MT Gigabit Ethernet Adapter - onboard:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
    Physical Address. . . . . . . . . : 00-C0-9F-28-57-45
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 119.0.0.199
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 119.0.0.2
    DNS Servers . . . . . . . . . . . : 119.0.0.199
    Primary WINS Server . . . . . . . : 119.0.0.199


    ADU&C Domain = tws.com

    Forward Lookup Zone = tws.com
     
    Summer Breeze, Mar 19, 2005
    #17
  18. All looks well, is there a record named zoom in the tws.com zone?
    One more thing, the VPN clients will need to use hosts files to resolve this
    name because they can see both the internal and external namespace. I
    usually recommend an AD name of internal.tws.com in this situation because
    you can delegate the internal name in the public DNS to the internal IP of
    the AD DNS server.
    This delegation is useless without the VPN connected because the delegation
    is to a non routable IP address which is only good if the VPN has connected
    and authenticated.

     
    Kevin D. Goodknecht Sr. [MVP], Mar 20, 2005
    #18
  19. Yes but unfortunately it still doesn't solve my problem. My XP clients are
    taking up to 5 minutes sometimes longer to login to the domain and I don't
    know what else to try. Thanks for your help. I'm getting a new error in the
    event log now with eventid 1202 from Source SceCli saying that "Security
    policies are propagated with warning 0x534. No mapping between account names
    and security ID's was done." I'm beginning to think twice about XP. I may
    switch to 2K because I'm not having any issues with those machines.
     
    Summer Breeze, Mar 20, 2005
    #19
  20. Can you post an ipconfig /all from the XP clients?
    It sounds as though the XP clients are unable to find the domain controller
    in DNS. Of course if the DC doesn't have all its records in DNS I can
    understand that. Does the zone have the AD subfolders?

     
    Kevin D. Goodknecht Sr. [MVP], Mar 20, 2005
    #20