2k to XP migration problems w/Active Directory

JustinCredible

Junior Member
Jul 8, 2004
6
0
0
We are rolling out Windows XP Pro (upgrading from Windows 2000 Pro) to all of our clients this summer. We are on a Windows 2000 Server Domain with Active Directory, and have about 400 clients.

On about half of the XP machines we join to the domain we are having problems. They will receive the group policies from the server (software installation and policies will work), however they will not run the VBS logon scripts we have in place (via Active Directory GPOs). On the other half of the machines we don't have this problem, and none of the same computers when they were running Windows 2000 Pro had this problem.

In the application event log of the XP machines that will not run the logon scripts we have the following errors:

Source: Userenv
EventID:1054
User: System
Description: Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted.). Group Policy processing aborted.

and a bunch of these errors:
Source: UserInit
EventID:1000
User: N/A
Description: Could not execute the following script [scriptname.vbs]. The system cannot find the file specified.

No matter how many times we do gpupdate /force or reboot the machines they will always come up with these errors and not run our logon scripts. I find this strange for two reasons: 1. It seems to be random, only about half of the XP machines are affected by this. 2. All of our previous Win2k Pro clients worked flawlessly.

About the only area we can narrow it down to would be DNS, however all of the Win2k clients have worked fine with our current DNS setup.
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
Can you give some details about the current DNS setup? Are the clients pointing to domain controllers for DNS? Do they have any external DNS server configured as alternates?

Is the DNS AD-integrated? How many DCs are there? Are all the machines in the same site?

Welcome to the Forum :)
 

JustinCredible

Thanks for the quick reply STaSh.

Here is our current setup:

PDC - 10.0.150.30
BDC - 10.0.150.40
Both DCs run DNS, WINS, and DHCP
We also have a member server at a remote wireless site for AD - 10.0.150.100 (all the clients we are testing right now are on the same wired network though).

Addresses for the clients are assigned from the DHCP (below is an IPCONFIG /all from one of the clients). Yes, they are pointing to our DCs for DNS.

Windows IP Configuration

Host Name . . . . . . . . . . . . : room112_1
Primary Dns Suffix . . . . . . . : 123.ourschool.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : 123.ourschool.com
                                    ourschool.com

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible)
Physical Address. . . . . . . . . : 00-B0-D0-C4-9B-93
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.0.147.0
Subnet Mask . . . . . . . . . . . : 255.0.0.0
Default Gateway . . . . . . . . . : 10.0.144.1
DHCP Server . . . . . . . . . . . : 10.0.150.40
DNS Servers . . . . . . . . . . . : 10.0.150.30
                                    10.0.150.40
                                    10.0.150.100
Primary WINS Server . . . . . . . : 10.0.150.30
Secondary WINS Server . . . . . . : 10.0.150.40
                                    10.0.150.100
Lease Obtained. . . . . . . . . . : Wednesday, July 07, 2004 7:58:54 AM
Lease Expires . . . . . . . . . . : Thursday, July 15, 2004 7:58:54 AM
 

netsysadmin

Senior member
Feb 17, 2002
458
0
0
In your DNS and WINS settings, why is the 10.0.150.100 machine listed if it is not a DC? Also, FYI, there is no such thing as a PDC and BDC in AD; both are Domain Controllers. PDC and BDC were only used on an NT4 domain.

Also can you explain a little more about what you are trying to do with this setup that you explained below?
"We also have a member server at a remote wireless site for AD - 10.0.150.100 (all the clients we are testing right now are on the same wired network though)."


John
 

JustinCredible

Thanks for the correction netsysadmin.

Actually 10.0.150.100 is a DC. We have it running at the remote site just in case the wireless link is slow so the clients will look to 10.0.150.100 if they need to.

I just found out that we never set up DNS or WINS on 10.0.150.100, so I set both up. I don't know if that has been causing our problem or not.

EDIT: Doesn't look like this fixed the problem. Still getting 1054 and 1000 on clients.
 

JustinCredible

I found that the XP machines that have the 1000 and 1054 errors also have 1003 and 1007 errors in the system log:

Source: DHCP
EventID:1003
User: N/A
Description: Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 00B0D0DA30C3. The following error occurred:
The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

Source: DHCP
EventID:1007
User: N/A
Your computer has automatically configured the IP address for the Network Card with network address 00B0D0DA30C3. The IP address being used is 169.254.108.76.

However, they always end up with a valid 10. address from our DHCP server and can log on to the domain right away.

Might this be part of the problem? And what would be causing it? Should we be clearing out the DHCP records for the computers before we load XP on them?
 

netsysadmin

Well, my other question would be why you have two DHCP servers set up? Do they both cover the same range of IPs?

The other problem I see is the DC that is at the remote site. Do you have your DCs set up in different sites in AD? If not, your machines at both offices could be trying to cross the slow WAN link to get to DHCP/WINS/DNS. During high traffic times on that link that could cause issues.


John
 

netsysadmin

Hey Stash by the way I noticed you are in NC? Where are you located? I work in Durham and live in Raleigh.

John
 

JustinCredible

Thanks for the help guys, we finally figured out the problem. I stumbled across MS KB Article 168455: DHCP Renewal Failures on Switched Networks.

Turns out because of XP starting up much faster than 2000 we were having DHCP problems during logon. The computer would receive an address, but after the logon scripts were trying to run. So the logon scripts were trying to run when the computer still had a 169. address; seconds later the computer would get the IP from the DHCP server, but it was too late by then.

Basically what we have to do (as described in the article) is turn off spanning tree and turn on port fast on all of our switches. This has fixed our problems so far!

Here is the article if anyone is interested:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;168455
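
One way to confirm the race described in the post above from exported event logs, as an added example that is not part of the original thread: it flags Userenv 1054 and UserInit 1000 events logged shortly after a DHCP 1007 autoconfiguration to a 169.254.x.x address. The pipe-delimited export format, the timestamps and the two-minute window are assumptions made for this example.

```python
from datetime import datetime, timedelta
import ipaddress
import re

APIPA = ipaddress.ip_network("169.254.0.0/16")  # automatic private addressing range

# Constructed sample export (assumed format): "timestamp|source|event id|description".
SAMPLE = """\
2004-07-08 07:58:31|DHCP|1003|Your computer was not able to renew its address from the network
2004-07-08 07:58:40|DHCP|1007|The IP address being used is 169.254.108.76.
2004-07-08 07:58:52|Userenv|1054|Windows cannot obtain the domain controller name
2004-07-08 07:58:55|UserInit|1000|Could not execute the following script [scriptname.vbs].
2004-07-08 12:10:02|UserInit|1000|Could not execute the following script [scriptname.vbs].
"""

def parse(text):
    """Yield (time, source, event_id, description) for each exported line."""
    for line in text.splitlines():
        ts, source, event_id, desc = line.split("|", 3)
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), source, int(event_id), desc

def apipa_address(desc):
    """Return the 169.254.x.x address named in an event description, else None."""
    for candidate in re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", desc):
        try:
            if ipaddress.ip_address(candidate) in APIPA:
                return candidate
        except ValueError:  # four dotted numbers that are not a valid address
            continue
    return None

def logon_failures_during_apipa(text, window=timedelta(minutes=2)):
    """Return policy/script failures logged within `window` after a DHCP 1007 event."""
    hits, last_apipa = [], None
    for when, source, event_id, desc in sorted(parse(text)):
        if source == "DHCP" and event_id == 1007 and apipa_address(desc):
            last_apipa = (when, apipa_address(desc))
        elif (source, event_id) in {("Userenv", 1054), ("UserInit", 1000)}:
            # Only failures close to the autoconfiguration fit the startup race.
            if last_apipa and when - last_apipa[0] <= window:
                hits.append((when, source, event_id, last_apipa[1]))
    return hits
```

The 12:10 script failure in the sample is not flagged because it falls outside the window, which separates the startup race from unrelated script errors.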
 

gaidin123

Senior member
May 5, 2000
962
1
0
Just a note, one of the other options you can do to make XP machines take group policy more reliably is to "always wait for the network at computer startup and logon".

This is under Computer Configuration->Administrative Templates->System/Logon. For us this solved occasional machines that wouldn't pull group policy. This feature basically makes XP boot up like a Win2k box, which makes the logon prompt take a little longer to appear, but all the services and policies get processed before you can try to log on.

Gaidin