All Windows 7 computers in domain are hanging on restart / shutdown

They are shutting down their computers at night. In the morning, they come in, the screen is on, but black. Computers are frozen, and they have to hold the power to shut off.
Domain controller is Server 2008 standard. Only about 12 computers in the domain with 8 or so being win 7.
Also, the Domain controller froze last night (assume when restarting after installing updates).
Where do I start? I have never seen anything like this before..
 
wow, that's weird. I have a few questions that might help:
1) is the DC having similar problems? (and is it R2?)

2) What happens when you run sfc /scannow on one of the computers?

3) are the non-Windows 7 computers having problems, and what's their OS?
 
Start in Safe Mode, check the Event Logs, and roll back the last update.
 
The only errors I am getting on the Domain controller are Print Spooler / Print Driver errors, and "Publishing the Key Management Service Failed"
 
The servers are 2008 (non R2).
I think the DC is having the same problem, it froze last night and I had to hard reboot this morning.
No one could log into their computers when the server was down of course.
The other computers are XP pro sp3. I just tested, and they are freezing on "saving your settings"

So yes, all computers are freezing on "Saving your settings".
So it looks like I have some kind of AD issue.
 
Also, the only thing I have changed since this problem started is things in the firewall. It's a Cisco ASA. Anything in there that you can think of that would cause this would be helpful.

DHCP is handled by the ASA. DNS is on the domain controller and the Blackberry server.
 
Unless the DC is connected to over a VPN, nothing inside the ASA should really make any difference. Remove the Blackberry server from the DNS for now and see if that makes any difference.

Is it just log off and not log on that has issues?
 
I removed one XP and one Win 7 computer from the domain.
Both of them restarted fine when they were not joined to the domain.
I rejoined them with no issues, I think the XP computer was fine for one restart, and then started freezing again.
I am about to restart the Windows 7 computer after rejoining to see what it does.
 
Any specific reason that the ASA is handling DHCP? Typically, I've found that DHCP integrated with DNS helps domains function smoother.
 
Do you mind elaborating on "these issues" when running DHCP on any other devices besides an authorized server? I've run DHCP off any number of devices in conjunction with a domain and have never had one issue. DHCP has literally nothing to do with AD except you have to authorize a server to run the service.

And I agree with Jay, the ASA shouldn't have any effect on this unless the domain traffic has to pass through it. Do you have anything that runs on shutdown/log off? Any type of sync/upload/etc.? Almost sounds like you have something that runs and can't complete. I've had scripts cause issues kind of like that when the account that runs them has a password change or is disabled and there is no error checking.
 
I agree, DHCP is not required to be hosted on a Windows based box in an Active Directory based network to work properly. As long as the DNS is pointing to the appropriate DC it will register in Active Directory without issue.
 
The only errors I am getting on the Domain controller are Print Spooler / Print Driver errors, and "Publishing the Key Management Service Failed"

First things that I would be checking on this setup are related to DNS

When you nslookup on either the server itself or a workstation with its primary DNS set to the DC (hopefully it was set this way) do you get replies for both internal and external resolutions from the DC?
 
The computers aren't having any trouble logging in.
I was able to un-join and re-join 2 computers in the domain pretty quickly..

There are no logoff scripts or anything. pretty basic setup..


I am not too familiar with NSlookup.. The DNS of all of the computers point to the internal DNS servers. DC and "Blackberry".. Those use forwarders to go to the ISP's DNS and Google's 8.8.8.8.

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\gmdtech.IFS>nslookup
Default Server: ifsdc01.ifs.local
Address: 10.10.10.7

>
>
> google.com
Server: ifsdc01.ifs.local
Address: 10.10.10.7

Non-authoritative answer:
Name: google.com
Addresses: 74.125.131.139
74.125.131.100
74.125.131.101
74.125.131.102
74.125.131.138
74.125.131.113

>
>
> hardforum.com
Server: ifsdc01.ifs.local
Address: 10.10.10.7

Non-authoritative answer:
Name: hardforum.com
Address: 75.126.99.220
 
First question is 10.10.10.7 your Domain Controller?

Secondly, why are you using forwarders? Your server will do root look ups just fine all on its very own :)
 
10.10.10.7 is the domain controller

I have always used forwarders.. That's just how I was taught. But I have seen servers that do not have them and work fine. Doesn't it take a long time to build up the DNS on one that does not have forwarders?
 
Short answer is no, your machine will not build up DNS at all. It will query the root servers for all unknown domain names and it will cache them for a period of time. I always prefer to never use forwarders and in my Microsoft courses and other Senior sys admins we shy away from them.

That is not the cause of your problem though so I digress.

On your domain controller, how do you have the networking configured? What is the primary and secondary DNS specifically?
 
My gut feeling is that there is something up with the networking stack on your server or possibly the DNS is mis-configured

My last post I want to see your domain controller listed as the Primary DNS server or many of the issues you are mentioning could be fixed just by this.

If you could PM me your email address I will send you further things to check.
 
The DNS "should" be fine. I set it up 3 years ago and haven't touched it since, and the problems are just now starting.

I am pretty sure that I have DNS on the DC going to 10.10.10.7 and 10.10.10.5 (DC and Blackberry)
Then I should have the inverse on the Blackberry server.


I sent you a PM Zetro.
Thanks
 
Do you mind elaborating on "these issues" when running DHCP on any other devices besides an authorized server? I've run DHCP off any number of devices in conjunction with a domain and have never had one issue. DHCP has literally nothing to do with AD except you have to authorize a server to run the service..

Not true. DNS registrations are much more accurate and up to date if done by the (or one of the..if several) domain controller(s)..than offloaded to some device.

While the typical network of a plain workstation to server...you don't really have to give a rats ass nor will you really notice about how updated (or not really) the DNS entries are for workstations. In other setups, such as where TSGateway or RWW portals are concerned..the most up to date (accurate) records in DNS for workstations is...well....desired. This is just one example.

Now...if DHCP was suddenly (for some reason) handing out incorrect IPs for DNS (as in...not your domain controllers..but perhaps your ISP's DNS servers by mistake)...typical symptom of this is a painfully long login process for the workstations. Not a long logoff/shutdown though. So that's odd. Folder redirection/offline file syncs?
 
I do have My Documents pointed to H:\ on XP and have the folders in Windows 7 pointed to //server/users/username/documents etc.. I think offline file sync is on in Windows 7 and off on XP.

As I said before, if I remove a computer from the domain, it shuts down fine. But if I add it back into the domain it hangs.
 
I'd pull the ASA from the equation and see what happens then.

I've run into far too many situations where weird crap ultimately was happening because of some firewall rule, and DHCP could certainly be a contributor.

EDIT - At the very least, I'd ip helper-address the ASA towards the DC to handle DHCP, DNS, etc.
 
^^^
Exactly. It just so happened that I got delayed in getting over there today. But that was a good thing, I waited until everyone left, and did just that. Swapped out their firewall with the old one.

I put the old PIX firewall in.. Guess what??
The problem went away.
So something happened when upgrading that ASA to the newest 8.3.. (I believe it was 7.0 or 7.2 before)..

So, I am going to get cisco on this. I have the old pix running everything now.. and the ASA is still plugged in with a console cable. So hopefully I can get this done remotely.

If anyone knows what the changes were between Cisco 8.0 and 8.2 and has any ideas, let me know.
I think it was 8.2 where they reversed the firewall rules for example..
Something got messed up. I knew that was when this all started to happen too.
 
What antivirus?

Webroot Corporate

But, FYI, it was caused by the ASA firewall. I put in the old PIX and the problem went away. Now I have to probably just reconfigure that ASA from scratch instead of trying to "fix" whatever is wrong.
 
I had an issue at home where I had trouble between devices with my ASA. I had to enable the "Allow two or more devices to communicate on the same interface".

ciscoasa.jpg


It's near the bottom of the screenshot.
 