Skip to main content

How to resolve Windows-Xp domain logon delay problem-Kerberos Problem

By
Problem Question:

I had 800 Pc's windows-xp loaded through Ghost  it takes more  than 15 minutes to login the domain
& if i run SYSPREP  it comes on 10 minutes; at a time near about 200 Computers are online 
Server is Win2008 Enterprise Edition 
Can u any 1 help me out for this issue?
Its related to N/w or Win domain issues?

Solution:

 I Face a same problem .I was able to fix the problem... after looking at the file myself and with the help of  Microsoft chat support we came to the same conclusion.. it was a problem with Kerberos we found the same KB (force Kerberos to use TCP instead of UDP in Windows) I applied the fix to a computer it worked like a charm... 


Steps: Collect Information


1. Userenv.log
a. On the Windows XP machine, use Registry Editor to add the following registry value (or modify it, if the value already exists):
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value: UserEnvDebugLevel
Value Type: REG_DWORD
Value Data: 10002 (Hexadecimal)
Note: To disable logging, change the value to 0.
b. Restart the computer, and make sure the issue occurs.
c. The log file is written to the %Systemroot%\Debug\UserMode\Userenv.log
Step: Identify the problem
I have checked the log files, and found the following main error message:
---------------------------
USERENV(280.984) 16:58:41:265 PingComputer:  Fast link.  Exiting.
USERENV(280.984) 17:01:42:078 MyGetUserName:  GetUserNameEx failed with 1359.
USERENV(280.984) 17:01:42:078 MyGetUserName:  Retrying call to GetUserNameEx in 1/2 second.
---------------------------
In order to isolate this issue, I performed the following steps:
How to force Kerberos to use TCP instead of UDP in Windows Server 2003, in Windows XP, and in Windows 2000 http://support.microsoft.com/?id=244474
I change MaxPacketSize to 1 to force the clients to use Kerberos traffic over TCP.  
To do this, follow these steps:
1.       Start Registry Editor.     
2.       Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\ Kerberos\Parameters
Note If the Parameters key does not exist, create it now.
3.       On the Edit menu, point to New, and then click DWORD Value.     
4.       Type MaxPacketSize, and then press ENTER.     
5.       Double-click MaxPacketSize, type 1 in the Value data box, click to select the Decimal option, and then click OK.     
6.       Quit Registry Editor.     
7.       Restart your computer.    
The following template is an administrative template that can be imported into Group Policy to let the MaxPacketSize value be set for all enterprise computers that are running Windows Server 2003, Windows XP, or Windows 2000. To view the MaxPacketSize settings in Group Policy Object Editor, click Show Policies Only on the View menu so that Show Policies Only is not selected.
This template modifies registry keys outside the Policies section. By default, Group Policy Object Editor does not display these
registry settings.


CLASS MACHINE
CATEGORY !!KRB_PARAMS
KEYNAME "SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters"
POLICY !!SET_MAXPACKETSIZE
EXPLAIN !!MAXPACKETSIZE_HELP
PART !!MAXPACKETSIZE NUMERIC REQUIRED
VALUENAME "MaxPacketSize"
MIN 1 MAX 2000 DEFAULT 2000
END PART
PART !!MAXPACKETSIZE_TIP TEXT
END PART
END POLICY
POLICY !!LOGLEVEL
EXPLAIN !!LOGLEVEL_HELP
VALUENAME "LogLevel"
END POLICY
END CATEGORY
[strings]
KRB_PARAMS="Kerberos Parameters"
SET_MAXPACKETSIZE="Set MaxPacketSize"
MAXPACKETSIZE_HELP="The Windows 2000 Kerberos Authentication package is the default in Windows 2000. It coexists with challenge/response (NTLM) and is used in instances in which both a client and server can negotiate Kerberos. Request for Comments (RFC) 1510 states that when a client contacts the Key Distribution Center (KDC), it should send a User Datagram Protocol (UDP) datagram to port 88 at the KDC's IP address.
The KDC should  respond with a reply datagram to the sending port at the sender's IP  address.\n\nWindows 2000, by default, uses UDP when the data can be fit in  packets under 2,000 bytes. Any data above this value uses TCP to carry the packets. The value of 2,000 bytes is configurable via this policy."
MAXPACKETSIZE="Bytes: "
MAXPACKETSIZE_TIP="Range is from 1 to 2000. Use 1 to force Kerberos to use TCP."
LOGLEVEL="Kerberos Event Logging"
LOGLEVEL_HELP="Windows 2000 offers the capability of tracing detailed Kerberos events through the event log mechanism. You can use this information when you troubleshoot Kerberos. All Kerberos errors are logged to the System log."
Labels:

Comments

Post a Comment

Popular posts from this blog

INSTALL CISCO VPN CLIENT ON WINDOWS 10 (32 & 64 BIT). FIX REASON 442

By
This article shows how correctly install Cisco VPN Client (32 & 64 bit) on Windows 10 (32 & 64 bit) using simple steps, overcome the ‘ This app can’t run on this PC ’ installation error , plus fix the Reason 442: Failed to enable Virtual Adapter error message . The article applies to New Windows 10 installations or Upgrades from earlier Windows versions and all versions before or after Windows 10 build 1511 .  To simplify the article, we’ve broken it into the following two sections: How to Install Cisco VPN client on Windows 10 (clean installation or upgrade from previous Windows), including Windows 10 build prior or after build 1511 . How to Fix Reason 442: Failed to enable Virtual Adapter on Windows 10 Figure 1. The Cisco VPN Client Reason 442: Failed to enable Virtual Adapter error on Windows 10 HOW TO INSTALL CISCO VPN CLIENT ON WINDOWS 10 (NEW INSTALLATIONS OR O/S UPGRADES) The instructions below are for new or clean Windows 10 inst...
45 comments
Read more

Linux File and Directory Permissions

By
file & directory protection is a essential of any OS and Linux OS is no exception for it! These authorizations allow you to choose exactly who can access your files & directory, providing an overall improved system security. There was one of the major flaws in the older Windows operating-system where, by standard, all users can see each other people's information (Windows 95, 98, Me). For overcoming it, editions of the Windows based computer system such as NT, 2000, XP and 2003 lot more security features added. They fully support file & directory permissions, just as Linux system has since the beginning. Together, we'll now assess a directory listing from our Lab Linux system hosting server, to help us understand the information provided. a simple 'ls' command will give you the file and directory listing within a given directory, including the option  '-l' will display number of new areas that we are going to discuss here:
Post a Comment
Read more

How to create a Hirens Boot CD 15.2 USB Disk

By
Hiren’s BootCD (HBCD) is a bootable CD that contains a set of tools that can help users to fix their computer if their system fails to boot. More specifically, HBCD contains hardware diagnostic programs, partition tools, data recovery utilities, antivirus tools and many other tools to fix your computer problems.  I write this article because I use Hiren’s BootCD frequently to troubleshoot computer problems, specially when a computer doesn’t boot anymore due to a virus attack or due to a corrupted file system. In this article you will find instructions on how to put Hiren’s BootCD on a USB flash drive (stick) in order to troubleshoot computer problems in the future.
4 comments
Read more