none
Network Logon Issues with Group Policy and Network

    Pergunta

  • I am gravely in need of your help and assistance.

    We have a problem with our logon and startup to our Windows 7 Enterprise system.  We have more than 2000 Windows Desktops situated in roughly 20+ buildings around campus.  Almost every computer on campus has the problem that I will be describing.  I have spent over one month peering over etl files from Windows Performance Analyzer (A great product) and hundreds of thousands of event logs.  I come to you today humbled that I could not figure this out.

    The problem as simply put our logon times are extremely long.  An average first time logon is roughly 2-10 minutes depending on the software installed.  All computers are Windows 7, the oldest computers being 5 years old.  Startup times on various computers range from good (1-2 minutes) to very bad (5-60).  Our second time logons range from 30 seconds to 4 minutes.

    Initial testing led us to believe that this was a software problem.  So I spent a few days testing machines only to find inconsistent results from the etl files from xperfview.  Each subset of computers on campus had a different subset of software issues, none seeming to interfere with logon just startup.

    So I started looking at our group policy and located some very interesting event ID’s.

    Group Policy 1129: The processing of Group Policy failed because of lack of network connectivity to a domain controller.

    Group Policy 1055: The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:

    a) Name Resolution failure on the current domain controller.

    b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

    NETLOGON 5719 : This computer was not able to set up a secure session with a domain controller in domain OURDOMAIN due to the following:

    There are currently no logon servers available to service the logon request.

    This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. 

    E1kexpress 27: Intel®82567LM-3 Gigabit Network Connection – Network link is disconnected.

    NetBT 4300 – The driver could not be created.

    WMI 10 - Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

    More or less with timestamps it becomes apparent that the network maybe the issue.

    1:25:57 - Group Policy is trying to discover the domain controller information

    1:25:57 - The network link has been disconnected

    1:25:58 - The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.

    1:25:58 - Making LDAP calls to connect and bind to active directory. DC1.ourdomain.edu

    1:25:58 - Call failed after 0 milliseconds.

    1:25:58 - Forcing rediscovery of domain controller details.

    1:25:58 - Group policy failed to discover the domain controller in 1030 milliseconds

    1:25:58 - Periodic policy processing failed for computer OURDOMAIN\%name%$ in 1 seconds.

    1:25:59 - A network link has been established at 1Gbps at full duplex

    1:26:00 - The network link has been disconnected

    1:26:02 - NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 3473457 minutes and DOUBLE THE REATTEMPT INTERVAL thereafter.

    1:26:05 - A network link has been established at 1Gbps at full duplex

    1:26:08 - Name resolution for the name %Name% timed out after none of the configured DNS servers responded.

    1:26:10 – The TCP/IP NetBIOS Helper service entered the running state.

    1:26:11 - The time provider NtpClient is currently receiving valid time data at dc4.ourdomain.edu

    1:26:14User Logon Notification for Customer Experience Improvement Program

    1:26:15 - Group Policy received the notification Logon from Winlogon for session 1.

    1:26:15 - Making LDAP calls to connect and bind to Active Directory.  dc4.ourdomain.edu

    1:26:18 - The LDAP call to connect and bind to Active Directory completed.  dc4. ourdomain.edu. The call completed in 2309 milliseconds.

    1:26:18 - Group Policy successfully discovered the Domain Controller in 2918 milliseconds.

    1:26:18 - Computer details:

                Computer role : 2

                Network name : (Blank)

    1:26:18 - The LDAP call to connect and bind to Active Directory completed.  dc4.ourdomain.edu. The call completed in 2309 milliseconds.

    1:26:18 - Group Policy successfully discovered the Domain Controller in 2918 milliseconds.

    1:26:19 - The WinHTTP Web Proxy Auto-Discovery Service service entered the running state.

    1:26:46 - The Network Connections service entered the running state.

    1:27:10 – Retrieved account information

    1:27:10 – The system call to get account information completed.

    1:27:10 - Starting policy processing due to network state change for computer OURDOMAIN\%name%$

    1:27:10 – Network state change detected

    1:27:10 - Making system call to get account information.

    1:27:11 - Making LDAP calls to connect and bind to Active Directory. dc4.ourdomain.edu

    1:27:13 - Computer details:

                Computer role : 2

                Network name : ourdomain.edu (Now not blank)

    1:27:13 - Group Policy successfully discovered the Domain Controller in 2886 milliseconds.

    1:27:13 - The LDAP call to connect and bind to Active Directory completed.  dc4.ourdomain.edu The call completed in 2371 milliseconds.

    1:27:15 - Estimated network bandwidth on one of the connections: 0 kbps.

    1:27:15 - Estimated network bandwidth on one of the connections: 8545 kbps.

    1:27:15 - A fast link was detected. The Estimated bandwidth is 8545 kbps. The slow link threshold is 500 kbps.

    1:27:17 – Powershell - Engine state is changed from Available to Stopped.

    1:27:20 - Completed Group Policy Local Users and Groups Extension Processing in 4539 milliseconds.

    1:27:25 - Completed Group Policy Scheduled Tasks Extension Processing in 5210 milliseconds.

    1:27:27 - Completed Group Policy Registry Extension Processing in 1529 milliseconds.

    1:27:27 - Completed policy processing due to network state change for computer OURDOMAIN\%name%$ in 16 seconds.

    1:27:27 – The Group Policy settings for the computer were processed successfully. There were no changes detected since the last successful processing of Group Policy.

    Any help would be appreciated.  Please ask for any relevant information and it will be provided as soon as possible.


    Edit 1: No idea why the fonts are all crazy.
    • Editado bobloki quinta-feira, 5 de julho de 2012 23:18
    quinta-feira, 5 de julho de 2012 23:15

Respostas

Todas as Respostas

  • I talked it over with the infrastructure people and my boss.

    We have 5 very good domain controllers.  Though we have over 10,000 users and 3,000 workstations.

    We have a gigabit network connections to the desktops and our mac's do not exhibit this problem.

    The domain controllers would not just turn on and off the network connection in the event log.

    Example:  E1kexpress 27: Intel®82567LM-3 Gigabit Network Connection – Network link is disconnected.

    sexta-feira, 6 de julho de 2012 17:31
  • Why would you think its our domain controllers?  What is your reasoning?
    sexta-feira, 6 de julho de 2012 19:58
  • I'll have another meeting with the server people and the domain controller guy here in an hour or so.  

    I attempted to bombard the domain controllers on a bunch of workstations with a script to test DFS resolution time and host name resolution and it all came back ok.  Only one time out of 1000 did it take longer than 10 seconds.

    Do you have any other suggestions or any ways to test your theory?

    sexta-feira, 6 de julho de 2012 20:13
  • My boss says I cannot run that tool.  Sorry.

    How many domain controllers per x users do we need??

    • Editado bobloki sexta-feira, 6 de julho de 2012 20:47
    sexta-feira, 6 de julho de 2012 20:45
  • We have 5 very powerful ones and they do not seem to have any traffic problems.  They are all physical boxes not virtualized.
    sexta-feira, 6 de julho de 2012 21:28
  • Hi,

     

    To troubleshoot the issue, please login on the machine with administrator privilege and perform the following steps.

     

    1. Temporarily disable all policies on the machine and user account, and then verify whether you can login on the machine quicker. If so, it may cause by the polices.

     

    I suggest you open GPO and disable the “Always wait for the network at computer startup and logon” policy.

     

    Otherwise, please move on the next steps.

     

    2. Perform a Clean Boot to check the result.


    3. Check the connectivity of the Windows 7 client, the DNS server, the DHCP server and the DC.


    Also you can refer to the following KB: You experience a long domain logon time in Windows 7 or in Windows Server 2008 R2 after you deploy Group Policy preferences to the computer


    In addition, you can also post this issue in Windows Server forum to check the server settings.


    Hope this helps.


    Vincent Wang

    TechNet Community Support

    segunda-feira, 9 de julho de 2012 07:53
    Moderador