GPO Time out. Please Help

Discussion in 'Networks' started by Gingerdave, Jul 17, 2008.

  1. Gingerdave

    Gingerdave Megabyte Poster

    Good morning all

    Currently at work we are experiencing issues with two of our sites, one is our head office in London, the other is one of our satellite offices in Edinburgh. The issue is one of logon time and that there is a GPO issue that is causing the machines to try and process a policy but is timing out at the 10 minute mark, meaning that it's taking approx 12 minutes from power on to being able to use the machine - clearly unacceptable.

    The domain is 2003 native with each location having its own DC for users to authenticate against. In Edinburgh there are 9 users on either Fujitsu desktops or Lenovo laptops, all of which are under a year old. The London office is a different story with a much greater equipment mix, however the servers down there contain the FSMO roles as well.

    What I cannot tell at this point is which GPO is causing the issue. Do you guys know of any way to narrow this down from the 30 or so we have in place?

    My initial idea was to turn them off one by one to see which one would stop the problem, however at 10 mins+ per logon this isn't really an issue.

    Any advice greatly appreciated.
     
    Certifications: A+,MCP, MCDST, VCP5 /VCP-DV 5, MCTS AD+ Net Inf 2008, MCSA 2008
    WIP: MCSA 2012
  2. craigie

    craigie Terabyte Poster

    Perhaps check the Error Logs on a PC that has logged in successfully to check the Information Report.
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  3. onoski

    onoski Terabyte Poster

    Try gpresult to rule out any GPO conflicts etc.
     
    Certifications: MCSE: 2003, MCSA: 2003 Messaging, MCP, HNC BIT, ITIL Fdn V3, SDI Fdn, VCP 4 & VCP 5
    WIP: MCTS:70-236, PowerShell
  4. Hades

    Hades Nibble Poster

    How about remote connecting to one of the problem machines and doing a rsop.msc.

    Should tell you any problems with GPOs... I think
     
    Certifications: City & Guilds Diploma in ICT level 2+3
  5. Gingerdave

    Gingerdave Megabyte Poster

    Thanks Guys

    Gpresult shows the policies being applied correctly with the machine and user ones being filtered out as appropriate.

    The Userenv log is a mess but isn't giving me the info (or I am not reading it correctly - more likely to be honest). I have attached it (had to change it to a txt file to get it on here); please see what you think.

    The application log gives me event ID 1217, source Winlogon, which effectively says GPO has timed out, and sure enough there is a gap of 10 mins between that event and the preceding one.
     

    Certifications: A+,MCP, MCDST, VCP5 /VCP-DV 5, MCTS AD+ Net Inf 2008, MCSA 2008
    WIP: MCSA 2012
  6. onoski

    onoski Terabyte Poster


    What is the connection link from your London office to Edinburgh, as looking at the event logs it says profile cleanup?

    You might want to consider if the users are logging on for the first time using roaming profiles and how large their profiles are on the server, as that can result in a time out.
     
    Certifications: MCSE: 2003, MCSA: 2003 Messaging, MCP, HNC BIT, ITIL Fdn V3, SDI Fdn, VCP 4 & VCP 5
    WIP: MCTS:70-236, PowerShell
  7. Gingerdave

    Gingerdave Megabyte Poster

    The link is 1mb SDSL, but there are no roaming profiles in effect. Also why would they be going to the London office when they have a DC on site?
     
    Certifications: A+,MCP, MCDST, VCP5 /VCP-DV 5, MCTS AD+ Net Inf 2008, MCSA 2008
    WIP: MCSA 2012
  8. BrizoH

    BrizoH Byte Poster

    This may be an obvious one - but do you have sites configured in AD Sites and Services?
     
    Certifications: CCNA, CCNA Security
    WIP: CCNP
  9. Gingerdave

    Gingerdave Megabyte Poster

    As far as I am aware, they are both there in sites but I have to confess my AD knowledge is such that other than establishing that they exist and the directory is aware of them I can't tell you much more than that.
     
    Certifications: A+,MCP, MCDST, VCP5 /VCP-DV 5, MCTS AD+ Net Inf 2008, MCSA 2008
    WIP: MCSA 2012
  10. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    Hm. I was going to suggest roaming profiles as well, but I guess that's not it.

    What recent changes have you made to the GPOs?

    Just trying to think out loud... have you published an app through GPO?

    Might it be something else, such as an XP SP3 rollout that's taking a long time to reboot? If so, the delay should only happen once. After you finally get a computer up and subsequently reboot, does this 10-minute delay happen again?
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  11. zebulebu

    zebulebu Terabyte Poster

    Open up a command prompt and type 'set' - somewhere near the top of the resulting output you will see a variable called 'logonserver'. Verify that this is the DC that the client 'should' be authenticating to (i.e. the DC in their physical location). If not, to me that indicates a potential problem with either:

    DNS
    Site topology
    Sysvol replication

    Run the check on a few of the clients from each location and see whether the results are consistent.

    If you're not familiar with AD Site & Link topology and that is the root cause of the problem it might take you a while to figure out the cause. Basically, you want to ensure that your sites are all configured with the correct subnet information (e.g. if your London subnet is 10.0.0.1/16 then the 'London' site should have that subnet associated with it). In a smallish environment, the KCC should take care of replication between sites and associated DCs for you, but if something has got munged, you may need to define a replication topology yourself. Check out your link costs - maybe they've been manually set incorrectly for your environment.

    You also may like to take a look and see whether someone has (and this is a real longshot, but I've seen it once) configured replication over SMTP instead of IP due to a past main link failure and deleted the IP link that used to exist.

    My best bet though would be that it's something to do with DNS. Have you run DCDiag and NetDiag to rule out any DNS configuration issues? They are handy resource kit utilities that have helped me out on a number of occasions. You may also have a problem with FRS - check out a utility called sonar.exe - this will give you a nice GUI that enables you to check out the status of your FRS replication (Sysvol replication between DCs amongst other things). I recently had an odd issue on my domain at home where, for some reason, AD had decided seemingly overnight that the frs-staging path was on a physical drive that didn't exist (and never had). I had to dive into ADSIEdit to change the path and reapply permissions on GPOs!

    Good luck
     
    Certifications: A few
    WIP: None - f*** 'em
  12. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    Put a user and computer object in a test OU and select 'block inheritance'. Log on and then select gpresult just to make sure no GPOs are processed.

    If the logon time is ok then at least you know it's an issue with GP. 8)

    If it is then follow Zeb's advice, it's sound!

    Edit: I had a similar problem a while back with a remote site and it turned out that the guy that looked after the Cisco switch and firewall (the office was in a business park on a VLAN) had made a config change that had enabled DHCP from the Cisco kit. This scope handed out 'real world' DNS servers which caused the crazy logon times. Got DHCP configured properly on the Windows box and after that logon times were fine.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
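
The client-side checks suggested in posts 11 and 12 (logon server, AD site, DNS and DHCP source), gathered into one batch file as an added example that is not from any poster in this thread. `EDI-DC01` and `Edinburgh` are constructed placeholders for the local DC and site name, and `nltest` is assumed to be installed (on XP/2003 it ships with the Support Tools).

```batch
@echo off
rem Added example: run from a command prompt on a slow client in each office.
rem EXPECTED_DC and EXPECTED_SITE are constructed placeholders; set your own.
setlocal
set EXPECTED_DC=EDI-DC01
set EXPECTED_SITE=Edinburgh

rem 1. Which DC actually authenticated this logon (the 'logonserver' variable)?
echo Logon server: %LOGONSERVER%
if /i not "%LOGONSERVER%"=="\\%EXPECTED_DC%" (
    echo WARNING: expected \\%EXPECTED_DC% - check DNS, site topology, Sysvol replication
)

rem 2. Which AD site does the client think it is in? This is derived from the
rem    subnet-to-site mapping in AD Sites and Services. First output line = site.
set CLIENT_SITE=
for /f "delims=" %%s in ('nltest /dsgetsite 2^>nul') do (
    if not defined CLIENT_SITE set CLIENT_SITE=%%s
)
if not defined CLIENT_SITE (
    echo Could not read the client site - is nltest installed?
) else (
    echo Client site: %CLIENT_SITE%
    if /i not "%CLIENT_SITE%"=="%EXPECTED_SITE%" (
        echo WARNING: client is not in %EXPECTED_SITE% - check the subnet assigned to the site
    )
)

rem 3. Force a fresh DC discovery and show the DC and site the locator returns.
nltest /dsgetdc:%USERDNSDOMAIN% /force

rem 4. Does DNS return SRV records for DCs in the expected site?
nslookup -type=SRV _ldap._tcp.%EXPECTED_SITE%._sites.dc._msdcs.%USERDNSDOMAIN%

rem 5. Which DHCP server issued the lease, and which DNS server did it hand out?
rem    Only the first DNS server per adapter is on the matched line. A public
rem    resolver here reproduces the slow logons described in post 12.
ipconfig /all | findstr /i /c:"DHCP Server" /c:"DNS Servers"
endlocal
```

Run it on a few clients per site and compare the output, as post 11 suggests; inconsistent results between machines on the same subnet point at DNS or DHCP rather than the GPOs themselves.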
  13. Finkenstein

    Finkenstein Kilobyte Poster

    Great suggestions... We had inherent issues for a while that all stemmed from DNS. Providing that someone else isn't mucking around with your GPO's, and gpresult looks fine and dandy, I would peek at the DNS stuff. It's daunting, but could be a solution. Good luck!
     
    Certifications: MCP, Network+, CCENT, ITIL v3
    WIP: 640-822
  14. Gingerdave

    Gingerdave Megabyte Poster

    Thanks for all the help guys.

    There were 2 issues, one for each site. In our head office the pointers to the local repository became corrupted and it defaulted to another office, and was trying to check with one of our remote offices instead. At least that was my understanding, I still don't understand AD yet.

    Still working on the Edinburgh issue though...
     
    Certifications: A+,MCP, MCDST, VCP5 /VCP-DV 5, MCTS AD+ Net Inf 2008, MCSA 2008
    WIP: MCSA 2012
  15. onoski

    onoski Terabyte Poster

    Get a good book on AD dude and start studying the theory, and the practicality will come smoothly as you administer your AD farm. Best wishes :)
     
    Certifications: MCSE: 2003, MCSA: 2003 Messaging, MCP, HNC BIT, ITIL Fdn V3, SDI Fdn, VCP 4 & VCP 5
    WIP: MCTS:70-236, PowerShell
  16. Gingerdave

    Gingerdave Megabyte Poster

    Thanks, do you know any good ones? I am the junior admin, the senior admin was/is dealing with the London issue and I was left with the other, somewhat out of my depth. Thanks again for all your help everyone.
     
    Certifications: A+,MCP, MCDST, VCP5 /VCP-DV 5, MCTS AD+ Net Inf 2008, MCSA 2008
    WIP: MCSA 2012
  17. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    I seem to remember this coming up before, so wishlisted this one on Amazon.

    Simon
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
