0

Windows XP Clients, fully patched, with Symantec Endpoint Protection 11 client

Windows 2008 R2 domain. Roaming profiles. Folder Redirection applied to Documents, AppData & Desktop.

I've enabled userenv logging, and logged on just after 17:00 last night. The user shell hadn't appeared at 17:45 when I left last night. When I arrived this morning, I checked the log file and found the following.

USERENV(3f8.e7c) 17:02:18:296 LogExtSessionStatus: Successfully logged Extension Session data
USERENV(654.a30) 17:04:09:468 ImpersonateUser: Failed to impersonate user with 5.
USERENV(654.a30) 17:04:09:468 GetUserNameAndDomain Failed to impersonate user
USERENV(654.a30) 17:04:09:468 GetUserDNSDomainName:  Domain name is NT Authority.  No DNS domain name available.
USERENV(c8c.cb8) 17:04:09:781 LibMain: Process Name:  C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe
USERENV(cd0.cd4) 17:04:10:781 LibMain: Process Name:  C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
USERENV(d08.c84) 17:07:09:609 LibMain: Process Name:  C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe
USERENV(cbc.cc0) 17:07:10:625 LibMain: Process Name:  C:\Program Files\Symantec\LiveUpdate\luall.exe
USERENV(db0.db4) 17:07:10:781 LibMain: Process Name:  C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
USERENV(e00.e0c) 17:07:11:062 LibMain: Process Name:  C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
USERENV(e20.e34) 17:07:11:203 LibMain: Process Name:  C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
USERENV(e40.e50) 17:07:11:406 LibMain: Process Name:  C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
USERENV(efc.54c) 17:07:11:656 LibMain: Process Name:  C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
USERENV(ccc.df0) 17:08:45:687 LibMain: Process Name:  C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe
USERENV(e24.e20) 17:08:45:937 LibMain: Process Name:  C:\Program Files\Symantec\LiveUpdate\luall.exe
USERENV(ff0.ff4) 17:08:46:078 LibMain: Process Name:  C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
USERENV(32c.cd0) 17:08:46:265 LibMain: Process Name:  C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
USERENV(cc4.3d4) 17:08:46:406 LibMain: Process Name:  C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
USERENV(434.4d0) 17:08:46:593 LibMain: Process Name:  C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
USERENV(f2c.ac) 17:08:46:828 LibMain: Process Name:  C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
USERENV(d60.d7c) 17:09:40:265 LibMain: Process Name:  C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe
USERENV(d94.d98) 17:09:40:531 LibMain: Process Name:  C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
USERENV(bc4.3c4) 17:10:52:765 LibMain: Process Name:  C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe
USERENV(37c.90c) 17:10:52:984 LibMain: Process Name:  C:\Program Files\Symantec\LiveUpdate\luall.exe
USERENV(580.540) 17:10:53:109 LibMain: Process Name:  C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
USERENV(c18.c30) 17:10:53:312 LibMain: Process Name:  C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
USERENV(c44.288) 17:10:53:468 LibMain: Process Name:  C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
USERENV(a34.cf4) 17:10:53:656 LibMain: Process Name:  C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
USERENV(d3c.d4c) 17:10:53:890 LibMain: Process Name:  C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
USERENV(970.948) 17:15:09:468 LibMain: Process Name:  C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe
USERENV(150.9dc) 17:15:09:734 LibMain: Process Name:  C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
USERENV(f90.cec) 17:20:38:718 LibMain: Process Name:  C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe
USERENV(d8c.d70) 17:20:38:984 LibMain: Process Name:  C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
USERENV(9a0.fa0) 17:26:07:953 LibMain: Process Name:  C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe
USERENV(844.51c) 17:26:08:218 LibMain: Process Name:  C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
USERENV(d00.9ac) 17:31:19:453 LibMain: Process Name:  C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe
USERENV(ad4.624) 17:31:19:718 LibMain: Process Name:  C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
USERENV(654.694) 17:31:46:390 ImpersonateUser: Failed to impersonate user with 5.
USERENV(654.694) 17:31:46:390 GetUserNameAndDomain Failed to impersonate user
USERENV(654.694) 17:31:46:390 GetUserDNSDomainName:  Domain name is NT Authority.  No DNS domain name available.
USERENV(af8.610) 17:36:48:625 LibMain: Process Name:  C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe
USERENV(aa4.dfc) 17:36:48:906 LibMain: Process Name:  C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
USERENV(2dc.5c8) 17:42:17:812 LibMain: Process Name:  C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe
USERENV(f70.8ac) 17:42:18:078 LibMain: Process Name:  C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
USERENV(d50.c30) 17:47:47:062 LibMain: Process Name:  C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe
USERENV(c2c.c3c) 17:47:47:328 LibMain: Process Name:  C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
USERENV(ef0.4cc) 17:53:16:234 LibMain: Process Name:  C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe
USERENV(cd4.c84) 17:53:16:500 LibMain: Process Name:  C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
USERENV(828.8c4) 17:58:45:484 LibMain: Process Name:  C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe
USERENV(a24.b30) 17:58:45:750 LibMain: Process Name:  C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

I've seen posts suggesting that it may be Windows Desktop Search 3.01 that is causing this, so I've removed that.

I've removed the policy, 'Always wait for the network at startup or logon', thinking that might have helped.

I'm running out of ideas. Has anyone seen this before?

LapTop006
Bryan
  • Is there anything *massive* in the user's profile? Perhaps a big cluttered Desktop or MyDocs? Offline profiles tend to like to download all that junk to the computer each time the user logs in. – Tom O'Connor Dec 11 '09 at 12:34
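
A small parser for the userenv.log format shown in the question, as an added example that is not part of the original post: it pulls out the ImpersonateUser failures (Win32 error 5 is ERROR_ACCESS_DENIED), counts the executables named in LibMain lines, and reports the longest gap between entries. The line layout and the reading of the bracketed values as hex pid.tid are assumptions inferred from the log.

```python
import re
from collections import Counter

# Assumed layout, inferred from the log above (pid/tid read as hex):
#   USERENV(<pid>.<tid>) HH:MM:SS:mmm <Function>[:] <message>
LINE_RE = re.compile(
    r"USERENV\(([0-9a-f]+)\.([0-9a-f]+)\)\s+(\d+):(\d+):(\d+):(\d+)\s+(\w+):?\s+(.*)",
    re.I)
FAIL_RE = re.compile(r"Failed to impersonate user with (\d+)")
WIN32 = {5: "ERROR_ACCESS_DENIED"}  # the only code that appears in this log

# Sample input: six lines copied from the log in the question.
SAMPLE = r"""
USERENV(3f8.e7c) 17:02:18:296 LogExtSessionStatus: Successfully logged Extension Session data
USERENV(654.a30) 17:04:09:468 ImpersonateUser: Failed to impersonate user with 5.
USERENV(654.a30) 17:04:09:468 GetUserNameAndDomain Failed to impersonate user
USERENV(c8c.cb8) 17:04:09:781 LibMain: Process Name:  C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe
USERENV(cbc.cc0) 17:07:10:625 LibMain: Process Name:  C:\Program Files\Symantec\LiveUpdate\luall.exe
USERENV(654.694) 17:31:46:390 ImpersonateUser: Failed to impersonate user with 5.
"""

def parse(text):
    """Return one dict per well-formed userenv.log line; skip anything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pid, tid, h, mi, s, ms, func, msg = m.groups()
            t = ((int(h) * 60 + int(mi)) * 60 + int(s)) * 1000 + int(ms)
            events.append({"pid": int(pid, 16), "tid": int(tid, 16),
                           "ms": t, "func": func, "msg": msg})
    return events

def summarize(text):
    """Collect impersonation failures, LibMain process names and the longest
    silent gap (no date in the log, so a run across midnight is not handled)."""
    events = parse(text)
    failures, loaders = [], Counter()
    for e in events:
        hit = FAIL_RE.search(e["msg"])
        if e["func"] == "ImpersonateUser" and hit:
            code = int(hit.group(1))
            failures.append((e["pid"], code, WIN32.get(code, "unknown")))
        elif e["func"] == "LibMain" and e["msg"].startswith("Process Name:"):
            exe = e["msg"].split(":", 1)[1].strip().rsplit("\\", 1)[-1]
            loaders[exe.lower()] += 1
    gap = max((b["ms"] - a["ms"] for a, b in zip(events, events[1:])), default=0)
    return {"failures": failures, "loaders": dict(loaders), "longest_gap_ms": gap}
```

Running `summarize()` over the full log makes it easier to separate the periodic LiveUpdate entries from the lines that actually report a failure.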

4 Answers

6

The basics:

  • Is the computer's network configured to use Active Directory DNS servers (and only them, no external ones)?
  • Can you successfully resolve DC names?
  • Can you successfully ping them?
  • Can you access network shares on them (e.g. SYSVOL)?

Also: what happens if you stop and/or uninstall Symantec Endpoint Protection?

Massimo
  • It turns out that a rogue entry was in DNS for a recently decommissioned Domain Controller. (i.e. nslookup domain.local resolved to 4 IPs, instead of 3). Removing that seems to have fixed it. Odd thing is, I did check this after the DC was decommissioned, and I was sure it had been removed. – Bryan Dec 11 '09 at 12:39
  • 3
    Very long login times like this are almost ALWAYS DNS issues. – Russ Warren Dec 11 '09 at 14:48
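
The check that would have caught the leftover record described in the comments, as an added example that is not part of the original answer: compare the A records returned for the domain name with the list of domain controllers that should exist, and probe each returned address on the TCP ports a client needs. The function names, the port list and the 192.0.2.x addresses are assumptions made for illustration.

```python
import socket

DC_PORTS = (88, 389, 445)  # Kerberos, LDAP, SMB over TCP

def resolve_a(name):
    """IPv4 addresses the local resolver returns for name."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def tcp_open(ip, port, timeout=2.0):
    """True if a TCP connection to ip:port succeeds within timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit_domain_records(domain, known_dcs, resolve=resolve_a, probe=tcp_open):
    """Compare the domain's A records with the DCs that should exist."""
    resolved = resolve(domain)
    report = {"resolved": resolved, "stale": [], "missing": [], "unreachable": {}}
    for ip in resolved:
        if ip not in known_dcs:
            report["stale"].append(ip)          # in DNS, not a current DC
        closed = [p for p in DC_PORTS if not probe(ip, p)]
        if closed:
            report["unreachable"][ip] = closed  # nothing answering on these ports
    report["missing"] = sorted(set(known_dcs) - set(resolved))
    return report

def demo():
    """Constructed case: three live DCs plus one leftover record (192.0.2.0/24
    is a documentation range; domain.local is the name used in the comment)."""
    live = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    fake_resolve = lambda name: live + ["192.0.2.13"]
    fake_probe = lambda ip, port: ip in live
    return audit_domain_records("domain.local", live, fake_resolve, fake_probe)
```

Called without the `resolve` and `probe` arguments, `audit_domain_records()` uses the machine's own resolver and real TCP connections, so it should be run from an affected client.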
4

My first suggestion would be to disable or remove all Symantec components on one client machine and see if that resolves the problem.

joeqwerty
  • +1 even if this time it wasn't causing the issue; Symantec products have a **long** history of blocking things they shouldn't and generally slowing everything down to a crawl. – Massimo Dec 11 '09 at 15:51
0

Looks like the Symantec LiveUpdate could be hogging resources? Try disabling the service and restarting.

Moif Murphy
0

I have also seen this error (and associated slow log on) when UDP port 88 was blocked, or a firewall between the client and DC was not allowing large/fragmented UDP packets. The workaround (at the time) was to use the steps in KB244474 (How to force Kerberos to use TCP instead of UDP in Windows) to force Kerberos to use TCP instead of UDP.

While I'm at it... some standard troubleshooting questions:

  1. When did it start happening?
  2. How many clients does it happen to?
  3. What changed around the time it started happening?
Sean Earp