From: Dave Onex on 26 Nov 2009 05:38

Hi Folks!

I have an all Windows 2000 network comprised of 4 servers, two of which are DC's. The two servers that are not DC's are my mail server and my proxy server (ISA).

The problem I'm having is this, logging on to the ISA machine is now taking forever (30 minutes or so). The computer sits there saying, "Applying your personal settings" until you get really, really mad!

I know from past experience that this usually means that the machine is having problems contacting the DC during the log-on process and that's usually caused by a DNS issue. Thing is, my DNS is correct all the way through. In addition, my ISA server is set up correctly. This network has been operational for years - literally.

So what changed? I added another NIC to the ISA machine so that I could team the two internal NIC's. The team is set up correctly and has the proper IP addresses. It should work, just as it did before. The ISA machine can ping and resolve all the machines on the internal network including the 2 domain controllers. The event viewer on the ISA machine has these two errors listed;

First;

Event ID 1000
Windows cannot establish a connection to domain.com with (0).

Then;

Event ID 1000
Windows cannot query for the list of Group Policy objects . A message that describes the reason for this was previously logged by this policy engine.
(that's the one above)

That's it. Those are the only two errors that the machine will cough up. I can ping the domain controllers, I can do reverse lookups to the domain controllers. I can access \Backup\SYSVOL\domain.com\Policies\{really-long-guid}\GPT.ini and read it. I can also browse the network and see the shares on other computers but I can't access the data in any of them - and I used to be able to. I am logged on as the administrator and have full rights to all that stuff.

I tried changing the binding order on the proxy so that the internal NIC team is first. I tried re-creating the machine's account in active directory by resetting it and then re-joining it to the domain - no difference.

I don't really understand what the issue is. I tried removing ISA altogether and also removed the new NIC and put it all back the way it was and still got the 30 minute log-in experience :-) Something is up with respect to that machine and the domain controller but what could it be? It's almost as if that domain controller refuses to deal with the ISA server for some reason....

Best & Thanks!
Dave

From: Meinolf Weber [MVP-DS] on 26 Nov 2009 06:16

Hello Dave,

Please post an unedited ipconfig /all from all DC/DNS server and the problem machine so we can check DNS settings.

Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

From: Ace Fekay [MCT] on 26 Nov 2009 13:09

Did you check the LAT in ISA to make sure the internal subnets are local and not remote?

Ace

From: Dave Onex on 26 Nov 2009 14:01

Hi Ace - really good to hear from you :-)

Yes! That was my first thought - that ISA was sending the requests out the wrong network card and trying to reach the DC's by using the external NIC. To that end, after I created the NIC team I thought that maybe ISA didn't 'understand' so I re-ran the local network wizard and removed and re-added the new logical adapter.

No dice. I then un-installed ISA altogether only to find the same thing - 30 minute log-on times. I then re-installed ISA and loaded in my most recent backup - same thing :-(

The only other member server (my mail server) also does the same thing. I made no changes to it whatsoever - it also happened after I added the extra NIC in ISA. My thinking on that front is that it's happening to that machine because it uses ISA as its default gateway.

There are two XP workstations - both of these can log-on and log-off the domain with no issues. So it seems to be localized to only Win2K domain members. All machines can ping and lookup the addresses of the domain controllers.

I think the problem must be localized to the ISA machine but I can't figure it out. I even took the extra NIC out of the ISA machine only to find the same thing. Un-installing ISA results in the same thing.

What the heck can it be?

Best & Thanks!
Dave (pulling the hair out of my head)

From: Dave Onex on 26 Nov 2009 14:10

BTW, the mail server is reporting almost the exact same errors except in this case it looks like it tried to contact the second domain controller...without success.

Could not open LDAP session to directory 'second.domain.controller' using local service credentials. Cannot access Connection Agreement configuration information. Make sure the server 'second.domain.controller' is running

Windows cannot establish a connection to my.domain.com with (0).

Windows cannot query for the list of Group Policy objects . A message that describes the reason for this was previously logged by this policy engine.
(the previous line)

Is it possible that the whole NIC issue is a red herring of some sort? Is it possible something got pooched when I re-started all the machines? Something to do with ActiveDirectory? That only affects the two Win2K domain members?

I'm certain DNS is correct - nothing was really changed. ISA rules are all in place and it's run for about 3 years without an issue.