Major Network Logon Issues (8 Domain Controllers and 3.5 thousand workstations) DNS, Time Server, DHCP, and Group Policy Errors
I come to you again seeking help. We have a problem with logon and startup on our Windows 7 Enterprise system. We have more than 3000 Windows desktops situated in roughly 20+ buildings around campus. Almost every computer on campus has the problem that I will be describing. I have spent over two months poring over etl files from Windows Performance Analyzer (a great product) and hundreds of thousands of event logs. I come to you today humbled that I could not figure this out.
The problem, simply put, is that our logon times are extremely long. An average first-time logon is roughly 2-10 minutes depending on the software installed. All computers are Windows 7, the oldest computers being 5 years old. Startup times on various computers range from good (1-2 minutes) to very bad (5-60). Our second-time logons range from 30 seconds to 4 minutes. We have a gigabit connection between each computer on the network. We have 5 domain controllers which also double as our DNS servers.
My original posts on:
I followed a lot of what you all told me to do from testing the domain controllers with dcdiag and also completing netlogon tests. I did group policy tests where I got rid of the group policy and just did default policy and it only slightly fixed the problem on some computers.
Below are a bunch of logs:
First being the netlogon.log file: http://pastebin.com/XKksB6ZA
Lines that bother me a lot:
07/31 13:41:45 [DNS] NlDnsHasDnsServers: DNS Server is NOT configured on this machine.
07/31 13:41:45 [MISC] NetpDcGetName: OURDOM cache is too old. 22206150
07/31 13:41:45 [CRITICAL] NetpDcPingListIp: OURDOM: Cannot LdapOpen ip address 192.168.36.213: 58
07/31 13:42:15 [SITE] DsrGetSiteName: Returning site name 'Campus' from local cache.
(LIKE 100 OF THESE)
Second being the dcdiag log file: http://pastebin.com/KSXWWxaS
If you require more tests please ask.
KBs that I have tested:
KB2459530 - Event ID 5719 and event ID 1129 may be logged when a non-Microsoft DHCP Relay Agent is used
KB2561285 - You experience a long domain logon time in Windows 7 or in Windows Server 2008 R2 after you deploy Group Policy preferences to the computer
KB2581608 - Logon scripts take a long time to run in Windows Vista, in Windows Server 2008, in Windows 7 or in Windows Server 2008 R2
KB2617858 - Unexpectedly slow startup or logon process in Windows Server 2008 R2 or in Windows 7
KB2510636 - An update that improves the startup performance of Windows 7 and of Windows Server 2008 R2 is available
None of these tests have worked consistently over the entire system.
Machines sometimes put up “No logon servers available” even after sitting there for a set time period.
Machines sometimes lose their trust relationship with the domain and have to be unjoined and rejoined from the domain using the local admin account. User and machine accounts are sometimes mysteriously locked from logging to the domain.
The LDAP call to connect and bind to Active Directory completed. DC3.ourdomain.edu The call completed in 9001 milliseconds. (Should this be taking 9 seconds????????)
Event Log Errors:
Group Policy 1055 and 1129
DNS Client Events 1014 - Name resolution for the (name ourdomain.edu and computername) timed out after none of the configured DNS servers responded.
Application Virtualization Client 3130
NetBT 4300 and 4321 - The name "OURDOM :1d" could not be registered on the interface with IP address 192.168.93.71. The computer with the IP address 192.168.93.60 did not allow the name to be claimed by this computer.
Time Service 129 and 131
Bowser 8005 – The browser has received a server announcement indicating that the computer WRKSTNAQ-WD is a master browser, but this computer is not a master browser.
Important Information and Edits:
Sites & Services could be correctly set up. I set up only one DC in the DHCP scope and it did not seem to speed anything up. I also set up an lmhosts file on multiple computers, once again not speeding anything up, and Kerberos over UDP is already disabled. IPv6 seems to be disabled on all machines, though I am not certain.
EDIT 1: ipconfig /all
Primary DNS Suffix: ourdomain.edu
Node Type: Hybrid
IP Routing Enabled: No
WINS Proxy Enabled: No
DNS Suffix Search List: ourdomain.edu
DHCP Enabled: Yes
Autoconfiguration Enabled: Yes
IPv4 Address: xxx.xxx.93.71
Subnet Mask: 255.255.255.0
Default Gateway: xxx.xxx.93.1
DHCP Server: xxx.xxx.32.60
DNS Servers: xxx.xxx.37.94, xxx.xxx.37.212, xxx.xxx.37.95, xxx.xxx.36.213
NetBIOS over Tcpip: Enabled
EDIT 2: nltest /sc_query:ourdomain.edu
Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name : \dc4.ourdomain.edu
Trusted DC Connection Status Status: 0 0x0 NERR_Success
The command completed successfully.
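A small parser that triages the netlogon.log lines quoted in the post, counting entries per category and collecting the addresses whose LDAP open failed. This is an added example, not part of the original post; the sample input is the four lines copied from the post, and the function names and the short Win32 error table are assumptions of this example.

```python
import re
from collections import Counter

# Sample input: the four netlogon.log lines quoted in the post (not the full pastebin log).
SAMPLE = """\
07/31 13:41:45 [DNS] NlDnsHasDnsServers: DNS Server is NOT configured on this machine.
07/31 13:41:45 [MISC] NetpDcGetName: OURDOM cache is too old. 22206150
07/31 13:41:45 [CRITICAL] NetpDcPingListIp: OURDOM: Cannot LdapOpen ip address 192.168.36.213: 58
07/31 13:42:15 [SITE] DsrGetSiteName: Returning site name 'Campus' from local cache.
"""

# Line layout: "MM/DD HH:MM:SS [CATEGORY] Routine: message"
LINE_RE = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d) \[(\w+)\] (\w+): (.*)$")
LDAP_FAIL_RE = re.compile(r"Cannot LdapOpen ip address (\d+\.\d+\.\d+\.\d+): (\d+)")

# A few Win32 error codes (winerror.h); any other code is reported numerically.
WIN32 = {5: "ERROR_ACCESS_DENIED", 53: "ERROR_BAD_NETPATH", 58: "ERROR_BAD_NET_RESP"}


def parse(text):
    """Yield (timestamp, category, routine, message) for each well-formed line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.groups()


def triage(text):
    """Count lines per category and collect addresses whose LDAP open failed."""
    categories = Counter()
    ldap_failures = Counter()  # (ip, error name) -> number of occurrences
    for _ts, cat, _routine, msg in parse(text):
        categories[cat] += 1
        m = LDAP_FAIL_RE.search(msg)
        if cat == "CRITICAL" and m:
            code = int(m.group(2))
            ldap_failures[(m.group(1), WIN32.get(code, f"error {code}"))] += 1
    return categories, ldap_failures


if __name__ == "__main__":
    cats, fails = triage(SAMPLE)
    print("lines per category:", dict(cats))
    for (ip, err), n in fails.most_common():
        print(f"LDAP open to {ip} failed {n}x with {err}")
```

On the quoted lines this reports a single failed LDAP open to 192.168.36.213, whose last two octets match the fourth DNS server in the ipconfig output (xxx.xxx.36.213).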