Sign in with
Sign up | Sign in
Your question

Network Logon Issues with Group Policy and Network

Last response: in Business Computing
Share
July 6, 2012 8:01:34 PM

I am gravely in need of your help and assistance.

We have a problem with our logon and startup to our Windows 7 Enterprise system. We have more than 3000 Windows Desktops situated in roughly 20+ buildings around campus. Almost every computer on campus has the problem that I will be describing. I have spent over one month peering over etl files from Windows Performance Analyzer (A great product) and hundreds of thousands of event logs. I come to you today humbled that I could not figure this out.

The problem as simply put our logon times are extremely long. An average first time logon is roughly 2-10 minutes depending on the software installed. All computers are Windows 7, the oldest computers being 5 years old. Startup times on various computers range from good (1-2 minutes) to very bad (5-60). Our second time logons range from 30 seconds to 4 minutes.

Initial testing led us to believe that this was a software problem. So I spent a few days testing machines only to find inconsistent results from the etl files from xperfview. Each subset of computers on campus had a different subset of software issues, none seeming to interfere with logon just startup.

So I started looking at our group policy and located some very interesting event ID’s.

Group Policy 1129: The processing of Group Policy failed because of lack of network connectivity to a domain controller.

Group Policy 1055: The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

NETLOGON 5719 : This computer was not able to set up a secure session with a domain controller in domain OURDOMAIN due to the following:
There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.

E1kexpress 27: Intel®82567LM-3 Gigabit Network Connection – Network link is disconnected.

NetBT 4300 – The driver could not be created.

WMI 10 - Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.


More or less with timestamps it becomes apparent that the network maybe the issue.

1:25:57 - Group Policy is trying to discover the domain controller information
1:25:57 - The network link has been disconnected
1:25:58 - The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.
1:25:58 - Making LDAP calls to connect and bind to active directory. DC1.ourdomain.edu
1:25:58 - Call failed after 0 milliseconds.
1:25:58 - Forcing rediscovery of domain controller details.
1:25:58 - Group policy failed to discover the domain controller in 1030 milliseconds
1:25:58 - Periodic policy processing failed for computer OURDOMAIN\%name%$ in 1 seconds.
1:25:59 - A network link has been established at 1Gbps at full duplex
1:26:00 - The network link has been disconnected
1:26:02 - NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter.
1:26:05 - A network link has been established at 1Gbps at full duplex
1:26:08 - Name resolution for the name %Name% timed out after none of the configured DNS servers responded.
1:26:10 – The TCP/IP NetBIOS Helper service entered the running state.
1:26:11 - The time provider NtpClient is currently receiving valid time data at dc4.ourdomain.edu
1:26:14 – User Logon Notification for Customer Experience Improvement Program
1:26:15 - Group Policy received the notification Logon from Winlogon for session 1.
1:26:15 - Making LDAP calls to connect and bind to Active Directory. dc4.ourdomain.edu
1:26:18 - The LDAP call to connect and bind to Active Directory completed. dc4. ourdomain.edu. The call completed in 2309 milliseconds.
1:26:18 - Group Policy successfully discovered the Domain Controller in 2918 milliseconds.
1:26:18 - Computer details:
Computer role : 2
Network name : (Blank)
1:26:18 - The LDAP call to connect and bind to Active Directory completed. dc4.ourdomain.edu. The call completed in 2309 milliseconds.
1:26:18 - Group Policy successfully discovered the Domain Controller in 2918 milliseconds.
1:26:19 - The WinHTTP Web Proxy Auto-Discovery Service service entered the running state.
1:26:46 - The Network Connections service entered the running state.
1:27:10 – Retrieved account information
1:27:10 – The system call to get account information completed.
1:27:10 - Starting policy processing due to network state change for computer OURDOMAIN\%name%$
1:27:10 – Network state change detected
1:27:10 - Making system call to get account information.
1:27:11 - Making LDAP calls to connect and bind to Active Directory. dc4.ourdomain.edu
1:27:13 - Computer details:
Computer role : 2
Network name : ourdomain.edu (Now not blank)
1:27:13 - Group Policy successfully discovered the Domain Controller in 2886 milliseconds.
1:27:13 - The LDAP call to connect and bind to Active Directory completed. dc4.ourdomain.edu The call completed in 2371 milliseconds.
1:27:15 - Estimated network bandwidth on one of the connections: 0 kbps.
1:27:15 - Estimated network bandwidth on one of the connections: 8545 kbps.
1:27:15 - A fast link was detected. The Estimated bandwidth is 8545 kbps. The slow link threshold is 500 kbps.
1:27:17 – Powershell - Engine state is changed from Available to Stopped.
1:27:20 - Completed Group Policy Local Users and Groups Extension Processing in 4539 milliseconds.
1:27:25 - Completed Group Policy Scheduled Tasks Extension Processing in 5210 milliseconds.
1:27:27 - Completed Group Policy Registry Extension Processing in 1529 milliseconds.
1:27:27 - Completed policy processing due to network state change for computer OURDOMAIN\%name%$ in 16 seconds.
1:27:27 – The Group Policy settings for the computer were processed successfully. There were no changes detected since the last successful processing of Group Policy.

Any help would be appreciated. Please ask for any relevant information and it will be provided as soon as possible.
July 6, 2012 8:11:43 PM

How many domain controllers do you have, and where are they?
July 6, 2012 8:16:37 PM

We have 5 domain controllers located on site, 1 at another college campus, and 2 situated at one of our satellite campus locations. The 3 not located on campus are not used on the workstations.
Related resources
July 6, 2012 8:21:27 PM

I've seen this happen with a bad/wrong DNS.

"1:26:08 - Name resolution for the name %Name% timed out after none of the configured DNS servers responded. "

What Server OS are you using?
July 6, 2012 8:37:21 PM

Windows Server 2008 R2 Enterprise
July 6, 2012 8:55:53 PM

Do some of the computers have more than one network port, and if so are any that aren't connected disabled? What are the specs of some of these computers? It seems like some of the computers may not have enough horsepower to be running Windows 7.
July 6, 2012 8:58:45 PM

Most of the hardware is brand new and at maximum the oldest hardware is 5 years old. It happens on the newest of all computers. Most computers are HP Compaq's 8200, 8000, and 7800. These lab computers only have 1 network port and I have tried multiple drivers with no fix.

Edit: Though new hardware exists, the problem is still random. Old hardware sometimes doesn't exhibit the problem as bad. But most logins are still over 1 minute.
July 6, 2012 9:01:17 PM

In the message I pasted below it thinks it has 2 network connections, that is why I asked:

1:27:15 - Estimated network bandwidth on one of the connections: 0 kbps.
1:27:15 - Estimated network bandwidth on one of the connections: 8545 kbps.
July 6, 2012 9:09:46 PM

Jim_L9 said:
In the message I pasted below it thinks it has 2 network connections, that is why I asked:

1:27:15 - Estimated network bandwidth on one of the connections: 0 kbps.
1:27:15 - Estimated network bandwidth on one of the connections: 8545 kbps.


We are looking into this. The computers do not have two network ports.

Does anyone know if this is normal????
July 6, 2012 9:19:42 PM

Are you running any kind of virtualization software that might account for this? It doesn't look normal to me. If you run an "ipconfig /all" command from the machine in question what does it show?
July 6, 2012 9:27:15 PM

Microsoft Application Virtualization Client is all that's on my head for Virtualization software but that would not make another internet connection. Most computers do not have any VM type software installed and all show this event.

ipconfig /all shows only one ethernet adapter.
July 6, 2012 9:33:37 PM

It also looks like there is a lot of very specific things that are part of the Group Policy there, including extensions to the registry. Is all of this required? In the example above it took 16 seconds, a lot in computer time, for all of the Group Policy processing.
July 6, 2012 9:40:06 PM

16 seconds is the fastest :( 
July 8, 2012 6:52:45 PM

There is a lot to cover.......

is there any new hardware , software , gpo in your environment since the problem began ???
if so disable them or disconnect from your network and see if the problem disappears.

check your domain controllers are in sync , AD , DNS , TIME .
if you use dhcp on your network try and use static IP on a workstation.
if you use gpo make a new OU without any gpo linked to it .

examine your switches log for errors, port counters : excessive retransmission , duplex mismatch , crc errors .
do you have any ips , firewalls (hardware,software) , AV on servers and workstations , try to disable them.

scan workstations , servers for viruses,malwares.

use sniffer like wireshark to try and diagnose any networking problems.


good luck

:hello: 
July 9, 2012 2:46:01 PM

Lots to cover as mentioned. Log into a computer with minimal GPOs applied to them.

It also depends on how many GPOs you have and how they are structured. Often, people fail miserably at configuring GPOs with best practices in mind.

You have multiple AD sites with DCs for each location?

How many GPOs are being applied to computers and users?

Is Ping available? This is required for Win2k8 GPO processing.
!