Re: Very Slow(60mins) XP logon
From: Bobba (ellis.robert_at_btopenworld.com)
Date: 03/11/04
- In reply to: Lanwench [MVP - Exchange]: "Re: Very Slow(60mins) XP logon"
Date: Thu, 11 Mar 2004 05:51:08 -0800
The DNS on the servers is set to internal only; workstations get their DNS through DHCP, which also sets them up for internal DNS. I have checked the workstations and they are getting the correct IP, SM, def GW and DNS.
The slow logon happens with any AD account. They don't have roaming profiles.
The network is a 4mb Token Ring site; the NICs are set to 4mbs. Accessing the problem PCs' files etc. works fine from other PCs even if off site.
The problem only happens on 4 out of 20 PCs at this and another very similar site. The logon is fine to a local account or a trusted NT4 domain.
Once the logon has eventually completed (60mins), credentials are requested if any attempt is made to look at server resources. The set command shows that the PC was logged on by the correct DC. DNS lookups on server names and domain names via nslookup work fine.
There are only the lsasrv.spnego.40961.40960 errors in the workstation event log. In the DC security event log there are the following errors at similar intervals:
Cat: logon/logoff
Type: failure
Eventid: 537
User: NT auth\system
Logon Failure:
Reason: An unexpected error occurred during logon
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
----- Lanwench [MVP - Exchange] wrote: -----
This can occur due to DNS misconfiguration. All servers and workstations
should specify *only* the internal AD-integrated DNS server's IP address in
their network settings. The AD-integrated DNS server should be set up with
forwarders to your ISP's DNS servers for external resolution.
See http://support.microsoft.com/default.aspx?scid=kb;en-us;300202 for more
info.
Also, if you're using roaming profiles, make sure they're kept small -
redirect My Documents to the users' home directories, tell people not to
store files on the desktop, etc.
Make sure all NICs (server and workstation) are locked down at a specific
speed/duplex setting - don't use autosense. If you use managed Ethernet
switches, lock down those ports as well.
Bobba wrote:
> Getting very slow logons from some xp workstations. AD credentials
> are entered then the logon process begins but extremely slowly. Can
> access the pc from across the network fine. Have tried removing the
> pc from the domain, deleting its computer account and re-adding but
> no joy.
>
> Any help would be greatly appreciated.
>
> Setup is as follows:
>
> XP sp1
> icf off
> dhcp on, client gets correct ip,dns,wins
> client is a member of the ad
>
> remote domain controller is on the same subnet as the client
> nslookup works fine
> reverse lookup for the zone is ok
> can logon locally fine
> can logon to trusted nt4 domain fine
> can ping local and remote dc's
> logon to server is ok
> seems to be no difference between ok and slow machines
>
> event log has following errors:
>
> Warning
> Source: lsasrv
> category: spnego
> eventid:40961
> The Security System could not establish a secured connection with the
> server cifs/servername.domainname.local. No authentication protocol
> was available.
>
> and
>
> Warning
> Source: lsasrv
> category: spnego
> eventid:40960
> The Security System detected an attempted downgrade attack for server
> cifs/servername.domainname.local. The failure code from
> authentication protocol Kerberos was "There are currently no logon
> servers available to service the logon request. (0xc000005e)".
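
Added example, not part of the original thread: one way to audit the check Lanwench describes (clients listing *only* the internal AD DNS server) across saved `ipconfig /all` output from the slow and the healthy machines. The sample output, its addresses and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of `ipconfig /all` output (not taken from the thread).
# The second DNS server sits on a continuation line, which is easy to miss.
SAMPLE = """\
Token Ring adapter Local Area Connection:

        Connection-specific DNS Suffix  . : domainname.local
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.1.4.23
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.1.4.1
        DNS Servers . . . . . . . . . . . : 10.1.1.10
                                            192.0.2.53
        Primary WINS Server . . . . . . . : 10.1.1.10
"""

def dns_servers(ipconfig_text):
    """Return every DNS server listed, including continuation lines."""
    servers, in_dns = [], False
    for line in ipconfig_text.splitlines():
        label, sep, value = line.partition(" : ")
        if sep:                            # "Label . . . : value" line
            in_dns = label.strip(" .").lower() == "dns servers"
        elif in_dns and line.strip():      # continuation line: bare address
            value = line
        else:                              # blank line or adapter header
            in_dns = False
            continue
        if in_dns:
            try:
                servers.append(ipaddress.ip_address(value.strip()))
            except ValueError:
                in_dns = False             # not an address: DNS list ended
    return servers

def external_dns(ipconfig_text, internal_dns):
    """DNS servers configured on the client that are not internal AD DNS."""
    allowed = {ipaddress.ip_address(a) for a in internal_dns}
    return [str(s) for s in dns_servers(ipconfig_text) if s not in allowed]

if __name__ == "__main__":
    # Assumption: 10.1.1.10 is the only internal AD-integrated DNS server.
    for addr in external_dns(SAMPLE, ["10.1.1.10"]):
        print("non-internal DNS server configured:", addr)
```

An empty result on every machine, slow or not, rules out a stray secondary DNS entry as the difference between them.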