Slow logon to workstations both on and off the network - login screen grey for up to 5 minutes.
Hey all,

This may be the wrong forum. It's active directory / DNS related. If I need to take this somewhere else, please let me know of the place to go.

I've got issues on laptops and desktops that I'm imaging. The login box will go grey for up to 5 minutes after you enter in your credentials. This problem will happen whether the machine is connected on the network or disconnected. I can't find a common thread between the affected machines. Excuse my potential misuse of Windows Server terminology. I'll try to give you as much backstory as I can.

Roaming profiles aren't in use or at least in limited use. An employee's mailbox, office communicator, and other various settings have to be manually set up by me. All users' files also need to be moved over by me.

There is a logon script that adds the appropriate mapped drives for the user.

Now, I may image two machines and have them set up identically and one of them may have the problem, the other may not. Where can I start with my recommendations to the system administrator to help remedy this issue?

I can use the local admin account and log in in a couple of seconds 10/10 times (this was a test someone had asked me to do). Obviously this account has nothing to do with the corporate network.

One oddity I've seen: if someone with the slow logon issue logs in as someone else, they'll get right in. If they log off of that other account and then back onto their own, they'll also get right in. After that, it may go right back to what it was doing. The slow logon will also happen in safe mode.

In IP Sec under Local Security Settings, we've got Client (Respond Only) set to assigned. For the DNS service under the Log On tab, we've got "Local System Account" and it is not set to "Allow service to interact with desktop". I don't know the significance of either of these but thought it could be useful background.

In advanced network settings, we've got the binding order set to do (1) Remote Access Connection (2) Ethernet (3) wireless.

I've seen an LSASRV error on the problem machines reporting "The Security System could not establish a secured connection with the server DNS/chia.arin.net. No authentication protocol was available."

I'm lost!

You obviously lack the creative genius to integrate Legos and Duplos.
September 3rd, 2008 9:24pm

Hi customer,

According to the symptom of the issue, I suspect that the slow logon issue may be caused by the crash of the user profile or the logon script. Do you encounter the slow logon issue when clients intermittently display "Preparing Network connection" or "Load your personal settings" or "applying computer settings"? Which process holds for the long time?

Troubleshooting Steps:

1. Please disable the logon script for the clients and then check if the issue still exists.
2. Please create a new domain user account on the DC, and then log on with the new account on the problematic client to check if the issue still exists.
3. Please log on to the problematic client with the local administrator account, and then delete the user profile of the problematic user under the path of C:\Documents and Settings\Username. Afterwards, you may log off and log on to the domain with the user account to check if the slow logon issue still exists.
4. Please install the UPH clean service on the problem client to check if the issue can be resolved.

Download: User Profile Hive Cleanup Service
http://www.microsoft.com/downloads/details.aspx?familyid=1b286e6d-8912-4e18-b570-42470e2f3582&displaylang=en

If the slow logon issue still exists, we need to collect Userenv.log and Winlogon.log on the problematic client to narrow down the root cause. Please follow the Microsoft KB articles to collect these 2 logs on the clients and then you may send them to tfwst@microsoft.com. We would be glad to assist you with that.

221833 How to enable user environment debug logging in retail builds of Windows
http://support.microsoft.com/default.aspx?scid=kb;EN-US;221833

245422 How to Enable Logging for Security Configuration Client Processing in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;EN-US;245422

Thanks for the co-operation.

David Shen - MSFT
September 5th, 2008 7:18am

Hey David,

I appreciate the response. I'm unable to disable the logon script. My boss will have to do that administratively. All machines have UPH Cleanup on them. I will try deleting one of the problematic accounts but I wanted to add something to my original post before I go any further.

I noticed a common thread across all of these slow machines. They all have LSASRV errors (Category SPNEGO, Event ID: 40961) with the following description: "The Security System could not establish a secured connection with the server DNS/chia.arin.net. No authentication protocol was available."

On systems that don't have the issue, we see a similar error but the description is: The Security System could not establish a secured connection with the server DNS/ns1-auth.sprintlink.net. No authentication protocol was available.

I don't know where the addresses in these errors are defined so I don't know how to troubleshoot it. Why are the failing ones trying to hit chia.arin.net? How can I change them? Perhaps if I can get them to communicate with the ns1-auth.sprintlink.net, the slow logon will be fixed.

While I don't know anything about it, I have recognized that trend. Can you shed some light on that?

I'm also seeing these dnsapi errors.

The system failed to update and remove host (A) resource records (RRs) for network adapter
with settings:
Adapter Name : {35141C29-7355-4DC4-A24D-702697FA532A}
Host Name : achapman2008d
Primary Domain Suffix : tusa.tkinet.com
DNS server list : 172.16.6.2, 172.16.6.6
Sent update to server : 172.1.1.1
IP Address(es) : 172.16.6.69

From what I've read in regards to the dnsapi errors, it sounds like the system administrator needs to create a pointer resource record that creates a map in the reverse lookup zone. That was in the TechNet article for Reverse lookup.

You obviously lack the creative genius to integrate Legos and Duplos.
September 10th, 2008 9:11pm
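
An added example, not part of the original thread, that automates the two comparisons made in the post above: whether the SPN host named in an LSASRV 40961 description lies inside the machine's primary domain suffix, and whether the DnsApi "Sent update to server" address is one of the configured DNS servers. The event text is constructed from the values quoted in the post, and the function names are hypothetical.

```python
import re

# Constructed sample: event descriptions rebuilt from the values quoted in the post.
SAMPLE_EVENTS = [
    ("LSASRV", "The Security System could not establish a secured connection "
               "with the server DNS/chia.arin.net. No authentication protocol was available."),
    ("DnsApi", "The system failed to update and remove host (A) resource records (RRs)\n"
               "Host Name : achapman2008d\n"
               "Primary Domain Suffix : tusa.tkinet.com\n"
               "DNS server list : 172.16.6.2, 172.16.6.6\n"
               "Sent update to server : 172.1.1.1\n"
               "IP Address(es) : 172.16.6.69"),
]
SPN_RE = re.compile(r"with the server (\w+)/([\w.-]+)\.(?:\s|$)")

def spn_host_outside_domain(description, primary_suffix):
    """Return the SPN host if it is not inside the machine's own DNS domain."""
    m = SPN_RE.search(description)
    if not m:
        return None
    host, suffix = m.group(2).lower(), primary_suffix.lower()
    inside = host == suffix or host.endswith("." + suffix)
    return None if inside else host

def field(description, name):
    """Read one 'Name : value' line from a DnsApi event description."""
    m = re.search(rf"^\s*{re.escape(name)}\s*:\s*(.+?)\s*$", description, re.MULTILINE)
    return m.group(1) if m else None

def update_sent_off_list(description):
    """Return the update target if it is not one of the configured DNS servers."""
    servers, target = field(description, "DNS server list"), field(description, "Sent update to server")
    if not servers or not target:
        return None
    configured = {s.strip() for s in servers.split(",")}
    return None if target in configured else target

def triage(events, primary_suffix):
    """Return (source, finding, value) tuples for events worth a closer look."""
    findings = []
    for source, description in events:
        if source == "LSASRV":
            finding, value = "spn-host-outside-domain", spn_host_outside_domain(description, primary_suffix)
        else:
            finding, value = "update-sent-off-list", update_sent_off_list(description)
        if value:
            findings.append((source, finding, value))
    return findings
```

Run over event descriptions exported from several machines, the findings give the administrator a list of hosts whose dynamic DNS updates are being directed at servers outside the internal DNS server list.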

Hi,

As you noticed the trend, you may try to get the problematic clients to point to the DNS server (ns1-auth.sprintlink.net) to communicate with it, and then check if the slow logon issue can be resolved.

If possible, please let the system administrator create the corresponding Reverse Lookup zone on the local DNS server (chia.arin.net) and the other one (ns1-auth.sprintlink.net) to support PTR registration. Please also let him ensure that dynamic update is enabled on the zone.

You may also try the following method to disable PTR record registration on the problematic clients to check if the issue can be resolved.

a. Start Registry Editor (Regedt32.exe).
b. Locate the following registry key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
c. On the Edit menu, click Add Value, and then add the following registry value:
   Value Name: DisableReverseAddressRegistrations
   Data Type: REG_DWORD
   Value: 1
d. Quit Registry Editor.

Hope it helps.

David Shen - MSFT
September 11th, 2008 11:07am

Hey David,

I would like to try to get the problematic clients to point to the DNS server that has the sprint address. Our internal DNS servers are x.x.x.2 and x.x.x.6. Chia.arin.net is the American Registry for Internet Numbers. I don't know where these values are specified... I'm guessing somewhere in active directory. The actual computers are getting x.x.x.2 and x.x.x.6 as their DNS servers.

I tried the reg fix on a machine. It didn't fix the slow logon but I saw we didn't get the LSASRV error. I did get these errors though:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1085
Date: 9/11/2008
Time: 1:56:10 PM
User: NT AUTHORITY\SYSTEM
Computer: CKERN2008
Description:
The Group Policy client-side extension Security failed to execute. Please look for any errors reported earlier by that extension.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

and at the same time:

Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Date: 9/11/2008
Time: 1:56:10 PM
User: N/A
Computer: CKERN2008
Description:
Security policies were propagated with warning. 0x5 : Access is denied.
For best results in resolving this event, log on with a non-administrative account and search http://support.microsoft.com for "Troubleshooting Event 1202's".
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I apologize for bombarding you. I'm trying to assemble all of the information and figure out what actually is causing the slowness. You've been more helpful than anyone on Experts-Exchange so far.

You obviously lack the creative genius to integrate Legos and Duplos.
September 12th, 2008 12:41am

Hi,

If possible, please collect Userenv.log and Winlogon.log on the problematic clients for further research on the slow logon issue.

Please follow these steps to obtain detailed troubleshooting information from the user environment debug log on the problematic clients:

1. Start Registry Editor.
2. Locate and then click the following registry subkey:
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
3. Right-click and add a new DWORD (32-bit) with the Value of "UserEnvDebugLevel".
4. Type in 100002 (Hexadecimal) or 65538 (Decimal) in the Value data box, and then click OK.
5. Reboot the problematic computer to make the change take effect.

The Userenv.log is located in the following folder: %SYSTEMDRIVE%\Debug\UserMode\

Please follow these steps on the problematic computers to enable "winlogon.log", as the delay occurs during computer startup:

a. Start Registry Editor (Regedit.exe).
b. Locate and click the following key in the registry:
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}
   Please note: The above registry key is one path; it has been wrapped for readability.
c. Edit the following registry value:
   Value name: ExtensionDebugLevel
   Data type: DWORD
   Value data: 2
d. Quit Registry Editor.
e. Reboot the computer.

The Winlogon.log file is created in the folder %systemroot%\Security\Logs

You may send the userenv.log to tfwst@microsoft.com and we will assist you with that.

David Shen - MSFT
September 12th, 2008 1:07pm

I sent the e-mail off with the logs. I'm looking forward to the results. I'm sorry about the delay in response time. You've been great so far.

You obviously lack the creative genius to integrate Legos and Duplos.
September 23rd, 2008 7:50pm

Hello,

I have a similar problem with Server 2003 R2. The logon dialog box stayed open, but greyed-out for more than a minute, then a couple of minutes of 'Loading computer settings' and 5-10 minutes of 'Loading your personal settings'. No network drives mapped, but I could browse to the folder where the logon script was and run it successfully.

I followed the suggestions about adding a new domain user account and logging in with that account. When I logged in, the logon dialog was closed, followed by a 'Please wait... Loading your personal settings' dialog that lasted 5-10 minutes. But it did not map the network drives, though I could still run the script and create the network drives.

So I removed the logon scripts. This had the same effect as above, except the dialog box read 'Please wait... Applying your personal settings' (not Loading). Another 5-10 minutes of wait. Of course, no network drives were mapped, since I removed the script.

Any ideas?

Thanks.
October 6th, 2008 11:31pm

Hi there,

I am experiencing exactly the same problems as "toiletvictorious". My domain client laptops running Windows XP are taking about minutes to log in to the domain (Server 2003).

If a new client laptop is built then the logins appear to be very quick for several weeks but things then start to slow down at "Applying computer settings".

If a new user logs onto a suspect slow laptop then they will get a quick login.

Please could somebody offer some advice or take a look at some logs... I'm getting desperate to resolve this issue now :-(

Hope you can help.

Rusty
September 28th, 2009 2:46pm

I'll recap here since I seem to have found the answer.

THE SYMPTOM: Upon entering the password and hitting logon, the screen would grey out and sit there for about 5 minutes before proceeding to "applying personal settings."

THE ISSUE: This problem was wireless NIC related. I removed the wireless driver (in control panel as well as in windows\system32\drivers) and restarted. I was able to log right in. I'd run CCleaner afterwards for good measure.

THE WIRELESS NIC REINSTALLATION: Well, this isn't as clear. With the driver completely out of the picture, I figured I'd just simply reinstall the driver and all would be well. The issue would sometimes just simply return. I'd try a mix of manually pointing the driver installation prompts to the directory with the driver, etc. Anyway, I have NOT nailed a method for properly reinstalling the driver in a way that would guarantee no returning problem.

THE CAUSE...? Well, I think it was my imaging using anything but best practices... driver intermingling between different systems, etc.

You obviously lack the creative genius to integrate Legos and Duplos.
December 1st, 2009 8:24pm

Hi toiletvictorious,

Thanks for the above post. Really glad to read that you have made some progress on this issue, however I'm sceptical that this fix will really overcome the problem. Our desktop PCs, for example, that suffer from slow logons do not have wireless cards so a driver issue would not exist here.

Another problem with this fix is, if a problematic machine has a new user account created then that account has a quick logon, only to become slower over time. No driver changes being made.

Has anybody else made any progress with their slow logon problem? Has David Shen advised anything after seeing some log files?

Thanks
December 3rd, 2009 3:03pm

I see the last posting was a year ago. I have recently had the same problem. Not only can I not remote in, I can't even LOG ON to the server itself. I get 'Loading your personal settings'. Locked up. I can run programs and connect to the server through a browser as if it is up and running.
October 6th, 2010 6:38am

This topic is archived. No further replies will be accepted.
