Major Network Logon Issues (8 Domain Controllers and 3.5 thousand workstations) DNS, Time Server, DHCP, and Group Policy Errors

    Question

    I come to you again seeking help. We have a problem with our logon and startup to our Windows 7 Enterprise system. We have more than 3000 Windows Desktops situated in roughly 20+ buildings around campus. Almost every computer on campus has the problem that I will be describing. I have spent over two months peering over etl files from Windows Performance Analyzer (a great product) and hundreds of thousands of event logs. I come to you today humbled that I could not figure this out. The problem, simply put, is that our logon times are extremely long. An average first-time logon is roughly 2-10 minutes depending on the software installed. All computers are Windows 7, the oldest computers being 5 years old. Startup times on various computers range from good (1-2 minutes) to very bad (5-60). Our second-time logons range from 30 seconds to 4 minutes. We have a gigabit connection between each computer on the network. We have 5 domain controllers which also double as our DNS servers.

    My original posts on:

    Technet: http://social.technet.microsoft.com/Forums/en/w7itproperf/thread/e8400dbe-e6b8-4b1d-8851-a03e7af32e6e

    Reddit: http://www.reddit.com/r/sysadmin/comments/w5f38/network_logon_issues_with_group_policy_and/

    I followed a lot of what you all told me to do from testing the domain controllers with dcdiag and also completing netlogon tests. I did group policy tests where I got rid of the group policy and just did default policy and it only slightly fixed the problem on some computers.

    Below are a bunch of logs:

    First being the netlogon.log file: http://pastebin.com/XKksB6ZA <------ Lines that bother me a lot:

    07/31 13:41:45 [DNS] NlDnsHasDnsServers: DNS Server is NOT configured on this machine.

    07/31 13:41:45 [MISC] NetpDcGetName: OURDOM cache is too old. 22206150

    07/31 13:41:45 [CRITICAL] NetpDcPingListIp: OURDOM: Cannot LdapOpen ip address 192.168.36.213: 58

    07/31 13:42:15 [SITE] DsrGetSiteName: Returning site name 'Campus' from local cache.

    LIKE 100 OF THESE

    Second being the dcdiag log file: http://pastebin.com/KSXWWxaS <------ If you require more tests please ask.

    KB’s that I have tested:

    KB2459530 - Event ID 5719 and event ID 1129 may be logged when a non-Microsoft DHCP Relay Agent is used

    KB2561285 - You experience a long domain logon time in Windows 7 or in Windows Server 2008 R2 after you deploy Group Policy preferences to the computer

    KB2581608 - Logon scripts take a long time to run in Windows Vista, in Windows Server 2008, in Windows 7 or in Windows Server 2008 R2

    KB2617858 - Unexpectedly slow startup or logon process in Windows Server 2008 R2 or in Windows 7

    KB2510636 - An update that improves the startup performance of Windows 7 and of Windows Server 2008 R2 is available

    None of these tests have worked consistently over the entire system.

    Problems noted:

    Machines sometimes put up “No logon servers available” even after sitting there for a set time period.

    Machines sometimes lose their trust relationship with the domain and have to be unjoined and rejoined from the domain using the local admin account.

    User and machine accounts are sometimes mysteriously locked from logging to the domain.

    The LDAP call to connect and bind to Active Directory completed. DC3.ourdomain.edu The call completed in 9001 milliseconds. (Should this be taking 9 seconds????????)

    Event Log Errors:

    DHCP-Client 1002

    Group Policy 1055 and 1129

    DNS Client Events 1014 - Name resolution for the (name ourdomain.edu and computername) timed out after none of the configured DNS servers responded.

    Application Virtualization Client 3130

    NetBT 4300 and 4321- The name "OURDOM :1d" could not be registered on the interface with IP address 192.168.93.71. The computer with the IP address 192.168.93.60 did not allow the name to be claimed by this computer.

    Netlogon 5719

    E1kexpress 27

    Time Service 129 and 131

    Bowser 8005 – The browser has received a server announcement indicating that the computer WRKSTNAQ-WD is a master browser, but this computer is not a master browser.

    Important Information and Edits:

    Sites & Services could be correctly set up. I set up in DHCP Scope only one DC and it did not seem to speed anything up. I also set up an lmhosts file on multiple computers, once again not speeding anything up, and Kerberos over UDP is already disabled. IPv6 seems to be disabled on all machines, though I am not certain.

    EDIT 1: ipconfig /all

    Hostname: WRKSTNAQ-WD

    Primary DNS Suffix: ourdomain.edu

    Node Type: Hybrid

    IP Routing Enabled: No

    WINS Proxy Enabled: No

    DNS Suffix Search List: ourdomain.edu


    DHCP Enabled: Yes

    Autoconfiguration Enabled: Yes

    IPv4 Address: xxx.xxx.93.71

    Subnet Mask: 255.255.255.0

    Default Gateway: xxx.xxx.93.1

    DHCP Server: xxx.xxx.32.60

    DNS Servers: xxx.xxx.37.94, xxx.xxx.37.212, xxx.xxx.37.95, xxx.xxx.36.213

    NetBIOS over Tcpip: Enabled

    EDIT 2: nltest /sc_query:ourdomain.edu

    Flags: 30 HAS_IP HAS_TIMESERV

    Trusted DC Name : \\dc4.ourdomain.edu

    Trusted DC Connection Status Status: 0 0x0 NERR_Success

    The command completed successfully.

    Friday, August 03, 2012 9:54 PM
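
Added example (not part of the original post, and not a Microsoft tool): a small triage pass over netlogon.log lines in the format quoted above, tallying LdapOpen failures per DC address, flagging the "DNS Server is NOT configured" message, and counting repeated lines. The sample log is constructed from the four lines in the post plus one repeat; because the post masks the first two octets of its DNS servers, the cross-check against that list compares only the last two octets, which is an assumption.

```python
import re
from collections import Counter

# Constructed sample: the four lines quoted in the post, plus one repeat.
SAMPLE_LOG = """\
07/31 13:41:45 [DNS] NlDnsHasDnsServers: DNS Server is NOT configured on this machine.
07/31 13:41:45 [MISC] NetpDcGetName: OURDOM cache is too old. 22206150
07/31 13:41:45 [CRITICAL] NetpDcPingListIp: OURDOM: Cannot LdapOpen ip address 192.168.36.213: 58
07/31 13:42:15 [SITE] DsrGetSiteName: Returning site name 'Campus' from local cache.
07/31 13:42:45 [SITE] DsrGetSiteName: Returning site name 'Campus' from local cache.
"""
# DNS servers from the post's ipconfig output (first two octets masked there).
DNS_SERVERS = ["xxx.xxx.37.94", "xxx.xxx.37.212", "xxx.xxx.37.95", "xxx.xxx.36.213"]

LINE_RE = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d) \[(\w+)\] (\w+): (.*)$")
LDAP_RE = re.compile(r"Cannot LdapOpen ip address (\d+\.\d+\.\d+\.\d+): (\d+)")

def parse(text):
    """Yield (timestamp, category, function, message) for well-formed lines."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.groups()

def triage(text, dns_servers=DNS_SERVERS):
    """Summarise categories, LdapOpen failures, DNS warnings and repeats."""
    categories = Counter()
    ldap_failures = Counter()   # (ip, status code) -> count
    repeats = Counter()         # (function, message) -> count
    dns_unconfigured = False
    for _ts, cat, func, msg in parse(text):
        categories[cat] += 1
        repeats[(func, msg)] += 1
        hit = LDAP_RE.search(msg)
        if hit:
            ldap_failures[(hit.group(1), int(hit.group(2)))] += 1
        if func == "NlDnsHasDnsServers" and "NOT configured" in msg:
            dns_unconfigured = True
    # Assumption: compare last two octets only, since the post masks the rest.
    tail = lambda ip: ip.split(".")[2:]
    also_dns = sorted({ip for ip, _ in ldap_failures
                       if any(tail(ip) == tail(d) for d in dns_servers)})
    return {"categories": dict(categories),
            "ldap_failures": dict(ldap_failures),
            "dns_unconfigured": dns_unconfigured,
            "failing_dcs_also_dns": also_dns,
            "repeated": {k: n for k, n in repeats.items() if n > 1}}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample, the address that fails LdapOpen also matches the fourth entry in the DNS server list by its last two octets, so that host is worth checking both as a DC and as a resolver.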
