  1. #1


    First 2008 DC kills logins!

    I've just put my first 2008 server into my 2003 DC domain and promoted it to a DC (after all of the forestprep etc.), and all seemed to go OK.

    A day or so later we noticed various random XP machines failing to log in, hanging at a blank blue desktop (the same colour as the one we use in the group policy). You can still log off using CTRL+ALT+DEL to get the dialogue though.

    We also have a batch of Windows 7 machines; most of these hang at the 'Preparing your desktop' stage, before staying at a blank black desktop (you can still log off as above though).

    This is only happening for Staff and Student users, i.e. not admins like me, so I thought it might be our software restriction policies. We use whitelists and all DCs are listed in there (i.e. \\server\sysvol and \\server\netlogon are allowed; also allowed are \\domain.name\sysvol and \\domain.name\netlogon).

    It seems to hit the Windows 7 machines a lot more, presumably because they will 'favour' the 2008 DC over the 2003 DCs (1 2008, 4 2003).

    Nothing shows in the logs of the failing machines (the last message is that folder redirection was successful), so it's tricky to work out what's going wrong. It has to be something to do with the new 2008 DC, because as soon as I demoted it, the logins all started to work OK (Windows 7 and XP clients).

    Anyone any ideas? Is there another path I need to whitelist for 2008 DCs?

  2. #2

    Create a user and move a computer account into a brand new OU and block all policies on it and see if that is any quicker.

  3. #3

    The fact any admin user (who has limited policies and no SRP) can log in with no issues proves it must be a policy setting, but only when there's a 2008 DC available! I still think it might be the SRP blocking staff/students from running something at login - but I thought 2008 server only needs the usual sysvol and netlogon whitelisting.

  4. #4
    leco
    Couple of things to try:
    Are there any events on the 2008 DC that might indicate authentication or replication errors?
    What about checking which DC the machines/users are logging on to?

  5. #5

    I'm going to try and promote again - not sure how to check which server a user is logged onto as they have no access to cmd etc., and I would normally use SET to find this.

    Edit: Checked the logs and replication seems to be OK. I think the whole promotion is working fine - it's just clients are hanging when they are using it as their logon server, which brings me to the SRP idea.

    I run a program at login to log when a user has logged in - this is running OK, so login scripts are being processed by the look of it.
    Last edited by GoldenWonder; 3rd August 2010 at 05:31 PM.

  6. #6

    Well I've found out what was causing this, and it's a bit of an odd one.

    It wasn't any policy settings, it was a drive mapping in the login script that pointed to a DFS share (i.e. net use w: \\domain\share) - only when the user had the new 2008 DC as their login server did this hang. By using a derestricted user I could see the login script hung on the 'net use' mapping command with a prompt saying 'Enter user name for <domain name>:' which was why the desktop never appeared.

    Odd thing is this drive mapping to the DFS share has been in use for months (there are 2 2008 servers on our domain with the DFS share on) and the problem only happens since we promoted one 2008 server to DC, and even then it only occurs when the user gets that DC as their login server (and they aren't an admin, as the admins have the same mapping and it works every time, no matter what logon server you get!)

    So it's such a convoluted set of circumstances I'm baffled:
    - You have to be connected to the 2008 DC as logon server
    - You have to be a non-admin user
    - You have a 'net use \\domain\share' statement in your login script

    Match those three and your desktop will hang - whether it's XP, W7 or Vista!

    Anyone know why it is asking for a username for the mapping statement?
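
Added example, not part of the original thread: a PowerShell logon-script fragment that records the logon server for each user and runs the `net use` mapping from post #6 under a timeout, so a credential prompt is logged instead of hanging the desktop. The drive letter matches the post; the timeout, log path and function name are assumptions.

```powershell
# Added example, not from the thread. Timeout, log path and the helper name
# are assumptions; replace them with values that fit your environment.
$Share      = '\\domain\share'     # DFS path as written in the post
$Drive      = 'W:'
$TimeoutSec = 15                   # assumed upper bound for a healthy mapping
$LogFile    = Join-Path $env:TEMP 'logon-drivemap.log'   # hypothetical location

function Write-MapLog([string]$Result) {
    # One line per logon: time, user, client, authenticating DC, outcome.
    $fields = (Get-Date), $env:USERDOMAIN, $env:USERNAME, $env:COMPUTERNAME,
              $env:LOGONSERVER, $Share, $Result
    $line = '{0:s} user={1}\{2} client={3} logonserver={4} share={5} result={6}' -f $fields
    Add-Content -Path $LogFile -Value $line
}

# Run net.exe as a child process so a credential prompt cannot block the logon.
$proc = Start-Process -FilePath 'net.exe' `
    -ArgumentList @('use', $Drive, $Share, '/persistent:no') `
    -WindowStyle Hidden -PassThru
$null = $proc.Handle   # cache the handle so ExitCode is readable after exit

if ($proc.WaitForExit($TimeoutSec * 1000)) {
    # net.exe returned on its own: record its exit code (0 means mapped).
    Write-MapLog ('exit={0}' -f $proc.ExitCode)
} else {
    # Still running after the timeout: treat it as the hang described in the post.
    $proc.Kill()
    Write-MapLog 'timeout (net use did not return; possible credential prompt)'
}
```

Comparing the `logonserver=` field of timed-out and successful entries shows whether the failures cluster on the new 2008 DC, without the user needing access to cmd or SET.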
