Question

XP Users randomly get access denied to Roaming Profiles

Asked by: mrroonie

hello all

this problem has me absolutely stumped, hope you guys have some idea of what's going on because i've run out of ideas and have exhausted Google's and EE's solutions to no avail.

Setup as follows: Parent PDC: Win2k8 x64 standard, child DC: win 2k3 x86 std. ALL clients XP sp3, fully up-to-date.

I have about 10 users logging into a child domain on my network. All users (on child and parent domain) have a roaming profile.

Nearly every morning the child DC picks one user at random on this child domain to pop the message 'windows cannot copy the file blah blah blah. Reason: Access denied' then straight away another popup 'Windows cannot locate your roaming profile and is logging you on with a temporary one.... reason: access denied'. This happens pretty much every morning to a different user, sometimes to 2 users, sometimes it doesn't happen and everyone logs in fine.

The file windows cannot copy is ALWAYS an MS Word shortcut eg. worddoc.doc.url in docs&settings>local settings that is not there when browsing through the profile folder.

The users' profile folder is a hidden share (user$) and is set so the user has full control in both the sharing and security tab, and offline file caching is OFF. In ADUC the user's profile folder is set to \\profileserver\user$\profile. i can get round it by getting them to log out and in ADUC change their profile folder to \\profileserver\user$\profile2 and they can log in fine. this is getting a bit tedious doing it practically every morning

this is exactly how the parent domain's roaming profiles are set up and none of those users have this issue.

I have amended the GPO to make sure the PCs wait for the network before logging in and have also tried rebuilding the profiles from scratch, but that doesn't matter as it happens to new users on the domain. there is nothing in the event log on the server, not even a failure audit in the security log.

All child DC clients have a static IP and the child DC as primary dns and the parent DC as secondary dns.

the thing is - this started happening overnight a couple of weeks ago for no apparent reason so i'm thinking it could be a faulty server update.

has anyone seen this before? any ideas?

Asked On: 2009-10-27 at 03:17:58 (ID: 24846621)
Tags: roaming profiles, access denied, server 2003, xp
Topics: OS / 2 Network Security, Microsoft Operating Systems, Windows XP Operating System
Participating Experts: 3
Points: 500
Comments: 42


Answers

by: Spec01, posted on 2009-10-27 at 05:50:04 (ID: 25671770)

From what you have explained above, the only thing I can pick out is to try using a non-hidden share. Also, I have seen weird permission issues happening when computers have duplicate/conflicting SIDs on the network. When you have duplicate SIDs you get very odd security issues saying access denied etc. I would try changing the SIDs on a few computers that normally run into this issue.

Seems weird that you are getting the security issues when all permissions look right, but the computer on the domain has to authenticate as well, and if you have duplicate SIDs these are common symptoms.

You can download NewSIDv4 at the following link...
http://technet.microsoft.com/en-us/sysinternals/bb897418.aspx

Also, look in the event viewer of the users' PCs and see if you find anything relating to a TCP/IP warning limit, as you can only have 10 concurrent connections at a time and I have also seen this cause similar issues.

by: mrroonie, posted on 2009-10-27 at 08:47:34 (ID: 25673763)

hi spec01

thanks for your suggestion, i've just been through the problem server with getsid and all users (including admin & ghost_spare) have different SIDs. the problem has occurred on all of the PCs in the child domain at one point or another, it's just random which one it picks to be its next victim.

i have tried creating 2 fake users without hidden shares but i'll have to let you know tomorrow how they get on because they have both logged in fine now. i can't see how this would be as the parent domain has exactly the same setup and no users get this problem, but i'll give it a shot

there are no cautions or errors in the event logs of 4 of the pc's (none at all for over a week, which is unusual in itself), i'll have to check the others tomorrow as they are in use at the moment.

by: mrroonie, posted on 2009-10-28 at 01:28:16 (ID: 25680907)

hello again spec01

right: one of the fake users without a hidden shared profile folder got access denied this morning, but the other logged in fine. one of the standard users got access denied as well but the others, well the ones who are in this early, logged in fine. I've managed to check the event logs of the other 4 PCs (turns out there are only 8 logging into the child domain which cancels out the 10 concurrent user theory - would it still happen with 8 users?) - only errors i found were to do with the sound card and a printer.

found another problem with the backup as well - only using NTBackup (lack of funds for a decent system) to DDS3 tapes - yesterday i was asked to restore a folder. the backup tapes (going back a month) have NOT backed this damn folder up - it has backed up another folder and all Word and Excel docs in the same parent folder, but this particular folder is missing. i think i'll start another thread for this problem though. think my network's haunted...

any more ideas on this access denied thing?

by: Spec01, posted on 2009-10-28 at 06:51:59 (ID: 25683192)

I suspect that there is something deeper than just a permissions issue, i.e. user authentication, computers etc. Can you create an entirely new share (testing) for 1 or 2 users on a different server to see if they can work around this issue, and maybe try to rule out this issue based on server.

Are the users able to access their profiles directory from UNC or a mapped drive, or are they getting Access Denied as well? Is there any other GPO or script that is loading up on startup that may be causing this issue? Try running rsop.msc and see if anything populates.

It appears that you have covered all of the basics, so it should work fine. That's why I think it might be something more than just the user profile share.

by: mrroonie, posted on 2009-10-28 at 07:15:10 (ID: 25683420)

>> Can you create an entirely new share (testing) for 1 or 2 users on a different server to see if they can work-around this issue and maybe try to rule out this issue based on server.  << do you mean create a share on the parent to see if they can connect?

if they log in with the temp profile (after having access denied to load their profile) they still have full access to their profile folder and home folder and can access via both UNC and mapped drive.

just looking thru' rsop now but as far as i'm aware the only change in policy is the one i mentioned earlier to make the PC wait for the network before logging in.

i think it may have something to do with the word shortcut failing to copy, because that's ALWAYS in the 'access denied' message

by: mrroonie, posted on 2009-10-28 at 08:24:06 (ID: 25684272)

the only policies that are enabled:

in computer configuration\admin templates\system\user profiles

Do not check for ownership of roaming profiles folder

in computer configuration\admin templates\system\logon

always wait for the network at computer startup and login

in computer configuration\admin templates\network\offline files

prevent use of offline files folder

that's it!

by: Spec01, posted on 2009-10-28 at 10:27:38 (ID: 25685866)

Yes, create a direct share on the parent server. You had said that from the parent server they were not running into this issue if the profile was being stored there. Also, could you check the time stamp on the server and local profile? Make sure that the server one is the most current. Once you have done this, log in to the machine that is having issues and cut/paste the user's profile to a temp directory, then log in as the user to force the server profile to be re-pushed to the user's computer.

If the local cached profile is more recent than the server one that was pushed, you can copy the contents from the moved profile (c:\temp) to the new profile that was pushed.

If there is an issue with a specific file transferring during this causing the access denied, can you check the permissions on this file and make sure that the user has full control.
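The check above (that the user really holds full control on the profile folder, and that the hidden share has caching off) can be scripted on the profile server. The batch file below is an added example, not code from the thread or from any of its participants. It assumes the layout the question describes: one hidden share per user (<user>$) with a "profile" folder inside it. The local path D:\Users behind those shares and the NetBIOS domain name CHILD are placeholders to replace.

```batch
@echo off
rem Added example, not from the thread. Run on the profile server to review every
rem per-user hidden share and the NTFS rights on the "profile" folder inside it.
rem Assumptions (placeholders): D:\Users is the local folder behind the <user>$ shares,
rem each subfolder is named after its user, and CHILD is the NetBIOS domain name.
setlocal EnableDelayedExpansion
set "ROOT=D:\Users"
set "DOM=CHILD"

rem Owners at a glance: Windows refuses a roaming profile folder whose owner is not the
rem user (or Administrators) unless "Do not check for ownership" is enabled in the GPO.
dir /q /a:d "%ROOT%"

for /d %%P in ("%ROOT%\*") do (
    set "U=%%~nxP"
    echo.
    echo === !U! ===
    rem Share-level view: path, caching mode and share permissions of the hidden share
    net share "!U!$" 2>nul | findstr /i /b /c:"Path" /c:"Caching" /c:"Permission"
    if errorlevel 1 echo   WARNING: no hidden share named !U!$

    if exist "%%P\profile" (
        rem NTFS view: the user should hold Full Control that inherits to files and subfolders
        cacls "%%P\profile" | findstr /i /c:"%DOM%\!U!:(OI)(CI)F" >nul
        if errorlevel 1 (
            echo   WARNING: %DOM%\!U! lacks inheritable Full Control on profile folder
            cacls "%%P\profile"
        ) else (
            echo   ok: %DOM%\!U! has Full Control on %%P\profile
        )
    ) else (
        echo   WARNING: %%P\profile does not exist
    )
)
endlocal
```

Run it from an administrative command prompt on the profile server (cacls and net share are built in on Windows 2003). A folder whose owner in the dir /q column is not the user, or whose cacls line lacks the (OI)(CI)F entry for that user, is worth fixing before chasing network or DNS causes; a share whose Caching line is not "Caching disabled" contradicts the "offline caching OFF" setting the question describes.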

by: mrroonie, posted on 2009-10-30 at 01:17:47 (ID: 25700889)

apologies for not getting back sooner - one of my network switches has locked everyone out of the system and i'm concentrating on that at the moment as it's taken a whole floor down.

i'll get back to you as soon as i can

by: mrroonie, posted on 2009-10-30 at 08:53:18 (ID: 25704172)

hi Spec01

that was a nightmare - HP procurve switches and vlans! all good fun. all sorted now, one of the trunks was tagged when it shouldn't have been.

anyway back to the problem -

i have put the test users profiles on the parent server but they are still logging into the child domain. no problems as yet (only been one day tho), i'll try again after the weekend. i cannot put the actual child domains users onto the parent server for various political reasons (don't ask!).

All of the actual child domain users logged in without problems today, but last night one of the users got access denied when trying to write back to the server on logoff. again it was a word.doc.url it couldn't copy. on checking the profile again the shortcut wasn't there - it seems to be a shortcut that used to exist but the user has deleted it. the error doesn't show up the day after the user deletes the shortcut, it pops up 4 or 5 days after it has been deleted

checked the time stamps - all profiles have the latest on the server. They are all problem machines, it picks one at random to have a problem, but i see what you mean about rebuilding the local profile, i'll do that to one of the users first thing monday and get back to you - once i do it to one of the users i'll have to leave it a couple of days to see if it eliminates the problem and follow suit with the rest

by: mrroonie, posted on 2009-11-02 at 01:41:08 (ID: 25718074)

hi Spec01

just tried rebuilding the local profile - i moved the local copy of the profile into a temp directory and deleted it from docs&settings, got the user to log in and surprise surprise 'Windows cannot find your local profile and is logging you in with a temporary one'.

just don't know what's going on with this...

by: Spec01, posted on 2009-11-03 at 04:25:11 (ID: 25728206)

There is something obviously wrong with the way the server is communicating with the computers on the domain. I have listed above before to try NewSID and change the SID of one computer (just to try) and also remove the computer account from the domain delete the existing computer account in active directory and re-add the computer back to the domain.

If you delete the local cached profile from the computer it should automatically pull the profile from the server locally to the machine.

by: Spec01, posted on 2009-11-03 at 04:28:11 (ID: 25728227)

Also, have you checked the Event viewer on the servers to see if they are reporting back any issues trying to connect to these computers?

by: mrroonie, posted on 2009-11-04 at 05:48:31 (ID: 25739216)

Hi Spec01

>>There is something obviously wrong with the way the server is communicating with the computers on the domain.<< You're telling me!!

>>If you delete the local cached profile from the computer it should automatically pull the profile from the server locally to the machine<< yeah, that's the whole idea of roaming profiles isn't it but the damn thing wouldn't let her in once i deleted the local cache until i changed her profile location (again), and when that happened it lost everything, she was basically a brand new user - had to set up outlook again, reinstall a shared printer and she lost all desktop background and everything. She still had access to her profile folder when going in via Windows Explorer. i tried to change the profile location back before going through it all again but got the 'access denied' thing again.

>>I have listed above before to try NewSID and change the SID of one computer (just to try) and also remove the computer account from the domain delete the existing computer account in active directory and re-add the computer back to the domain. << i joined 2 completely new PCs (new machine with new hostname, IP address, and new users) to the domain last week - these are having the same problems as the existing ones. these are easier to test things out on as well, as they are new users they don't have huge profiles to download.

Event viewer on the server - checked applications, directory service, DNS, security, system and file replication - the only error in any of them was System moaning about not having a printer driver when i RDP'd in. Oddly no failure audits in security.

another oddity is that all users (including the fake ones i set up with profiles on the parent server) logged in this morning without a problem

by: mrroonie, posted on 2009-11-05 at 03:55:43 (ID: 25748543)

all users logged in fine again today - 2 days in a row!

by: mrroonie, posted on 2009-11-09 at 01:32:07 (ID: 25774465)

just to keep you posted - all users logged in fine friday and today - 4 days in a row! i'll give it a fortnight before i close the thread just to make sure its all working properly. God knows what started it off and i have less of a clue as to why it seems to be working ok now. I have a sneaky suspicion it was a windows update, and a follow up has sorted it out, but there's nothing in the event log about installing updates!

by: mrroonie, posted on 2009-11-10 at 04:50:15 (ID: 25784778)

all users logged in fine again today, BUT one user got an error when logging off last night -

Windows cannot update your roaming profile. Possible causes of this error include network problems or insufficient security rights. If this problem persists, contact your network administrator.

DETAIL - Cannot create a file when that file already exists.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Windows cannot copy file C:\Documents and Settings\ajd76\Favorites\Links\Google.url to location \\server\user$\profile1\Favorites\Links\Google.url. Possible causes of this error include network problems or insufficient security rights. If this problem persists, contact your network administrator.

DETAIL - Cannot create a file when that file already exists.

by: mrroonie, posted on 2009-11-17 at 06:18:05 (ID: 25839774)

all users seem to be logging in fine now, BUT the 'cannot update roaming profile' has now changed to when they log out - they are all getting the message

DETAIL - Cannot create a file when that file already exists.

again this is not happening to all users all of the time, it's picking one or 2 at random

by: arnold, posted on 2009-11-19 at 15:20:16 (ID: 25866265)

See whether the issue arises when the authentication check is hitting a particular PDC.
I.e. user logs in. Access is attempted to \\profileserver\user$\%username%. Does it make a difference if the \\profileserver accesses server1_win2k8 or server2_win2k3?
Enable auditing on the profileserver's user$ share and see what is recorded in the security event log on the profileserver.  This way you can see whether and possibly why access was denied.

It is possible as spec01 pointed out that two separate systems with the same sid attempting to access the same resource result in a denial.

by: ChiefIT, posted on 2009-11-19 at 16:30:16 (ID: 25866757)

How many domain controllers do you have?

Here's what I am thinking. You have two domain controllers, (call them DC1 and DC2).

DC1 was the first within the forest/domain. DC2 was added later, but there were problems. Now DC2 has the same domain name, but is realistically on its OWN domain.

So, periodically, you are logging onto the wrong domain and these computers can't find the profiles.

This would go right along with DNS. You have two servers with SRV records. These records point the way to the AD authentication server for authentication. But if the SRV records of one are not there, then the clients can't see the authentication server and would get access denied.

WAIT, I am not done.
Let's say you have multihomed DCs. So, periodically your server responds to a Kerberos authentication on the wrong NIC or VPN.

Still with other ideas:
Let's say you have spanning tree protocol enabled on your switches. This can intermittently knock down the clients and time them out when they are trying to authenticate.

Oh, I got another one:
Let's say you have cached passwords (they actually are not cached, but saved passwords). Now your clients will try to communicate using cached passwords. You can view these on the client machines by going to control panel>>users>>advanced>>manage passwords.

To me, this sounds like intermittent Kerberos authentication. This could mean intermittent communications with the server. Multihomed servers, Spanning tree protocol, Service pack 1 on the server, and other problems are suspect when it comes to intermittent comms.

-Run DCdiag /v from the command prompt of your servers
-Look in event logs of the servers for errors or warnings
-Make sure Windows firewall isn't blocking communications to the LDAP.
-Make sure Spanning tree is disabled on client adapters on switches. Spanning tree is good between routers and switches.
-If Cisco, check your duplex settings to make sure they are set exactly alike on switches and routers. The duplex settings will be either auto negotiate, 10 mb full duplex, 100 mB full duplex, or 1000 mb full duplex.
-Check your IPconfig /all for IPversion 6. In an IPconfig /all you will see something called a teredo tunnel and a base 16 IP address. IPv6 is a tunneling protocol and is only compatible with IPv6 routers that have it enabled. Also, you have to configure DNS to work right with IPv6. Furthermore, Netbios translation will not work with IPv6.

by: mrroonie, posted on 2009-11-20 at 01:38:10 (ID: 25868696)

apologies guys, i was out of the office yesterday -

arnold:

the users of the child domain have nothing to do with the 2k8 server - that's the dc for the parent domain. as spec01 suggested i created some test users and had them logging into the child domain but pointing their profile to the parent domains file server - same issues occur. i cannot have the child domain users logging into the parent domain for various political reasons

i have checked the sid's - all are different. i already have auditing enabled on the child dc (the child dc is also the child domains file server, where the profiles are stored) - no failure audits at all, when they log in or out.

ChiefIT:

Here's what I am thinking. You have two domain controllers, (call them DC1 and DC2). << i have 2 dc's for the parent and 2 dc's for the child domain

DC1 was the first within the forest/domain. DC2 was added later, but there were problems. <<both child DCs were the 1st machines on the child domain and both have never been renamed from child-dc1 and child-dc2, or had different ip addys from the start

Now DC2 has the same domain name, but is realistically on its OWN domain. << please clarify this, i'm not sure what you mean

So, periodically your server responds to a kerberos authentication on the wrong NIC or VPN.<<the kerberos thing sounds promising, but both DC's only have 1 NIC attached to the network and there is no VPN

Let's say you have spanning tree protocol enabled on your switches.<<i don't know what this is - do you know where i would find out on HP Procurve 5406ZL's, firmware version 14.47?

This can intermittently knock down the clients and time them out when they  are trying to authenticate<<i thought it might be timing out as well - i have a policy in place so the clients wait for the network before logging on, i thought this would prevent the timeout?

Mulithomed servers, Spanning tree protocol, Service pack 1 on the server, and other problems are suspect when it comes to intermittent comms. <<both servers are 2k3 sp2 fully patched, def. not multihomed (only 1 NIC attached), the only thing i'm not sure about is the spanning tree protocol

see attached for dcdiag /v

no warnings or errors relating to security or comms in event viewer

Windows firewall's off (external firewall in DMZ)

need to check this spanning tree thing - i'll get back to you

all HP procurves with identical configuration

IP 6 is disabled throughout both domains

by: mrroonie, posted on 2009-11-20 at 01:38:46 (ID: 25868703)

and dcdiag for child dc1

by: arnold, posted on 2009-11-20 at 05:10:26 (ID: 25869883)

You have two errors: they cannot seem to talk to parent-SRV-2.
http://forums.techarena.in/server-dns/683254.htm
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_21739731.html


To clear my own understanding of your situation:
1) 2Dc for child domain and 2DC for the Parent domain.
2) Randomly users on the child domain get roaming profile access denied errors during login.
3) the profile share is on a server in a child domain but you also tried storing those on a parent domain fileserver.

Are the child/parent domains on the same IP segment?
What is the relationship between the parent and child domain?
somedomain.local and child.somedomain.local?
Whose DNS records do the workstations where the errors occur have? Could you check whether the roaming profile access denied issue relates to the computer being used rather than to which users experience issues?

by: ChiefIT, posted on 2009-11-20 at 06:14:23 (ID: 25870355)

OK:

A few oddities:

Evaluate DC2's DCdiag report.
1) Child-DC2 is looking for a server called Child-SERV1 as its replication partner (not Child-DC1). So it appears like you have child-serv1 in some places while you have child-dc1 in others. That can hose you up. Wait, are the FSMO role holders pointed to the right server?? HMMM, I can see the LDAP problems you are speaking of, from putting Child-DC1 in some spots while putting Child-SERV1 in others. Is that an OOOPS?

2) Replication is broken and may need to be manually reset. You should see errors in the 13000's on DC2 and DC1. To fix replication, we must fix any DNS problems.

3) Speaking of plausible DNS issues, DNS may need to be fixed. It appears like you may have DNS delegation records. If greyed out, they are no good.
Here's what that discrepancy looks like:
http://www.experts-exchange.com/Networking/Protocols/DNS/Q_24349599.html

by: ChiefIT, posted on 2009-11-20 at 06:22:57 (ID: 25870446)

Arnold asked for clarification on a few things:

Are both DCs designed for this child domain?

That's an important fact.

Another that wasn't mentioned is, how long has file replication been broken? If over 90 days, you're looking at a tombstoned server, which will jack up AD authentication and cause your problems.

by: mrroonie, posted on 2009-11-23 at 04:52:24 (ID: 25887092)

arnold:

1) 2Dc for child domain and 2DC for the Parent domain.
2) Randomly users on the child domain get roaming profile access denied errors during login.
3) the profile share is on a server in a child domain but you also tried storing those on a parent domain fileserver.

correct on all 3 counts

Are the child/parent domains on the same IP segment? << yep
What is the relationship between the parent and child domain? << again, yep - child.parent.local
Whose DNS records do the workstations where the errors occur have?  Could you check whether the roaming profile access denied issue relates to the computer being used rather than which user's experience issues?<< all machines in the child domain have the problem, it picks 1 or 2 (or none) at random as to who it happens to. All machines have child-dc1 as primary DNS

ChiefIT:
1. child-srv-1 is child-dc1 - i was using find and replace for confidentiality issues and it looks like it's gone a bit wrong. child-dc1 has ALL FSMO roles, dc-2 is the GC
2&3. there have been DNS issues since i took over this network (don't you just love inherited networks?!) i thought i resolved them all but obviously not.

i think i'm going to un-dcpromo child-dc2, fix dns on dc1 and then re-dcpromo dc2, i've just compared both servers dns and they look identical so i think the easiest way will be to rebuild from scratch

i'll let you know how i get on

 

by: arnold | Posted on 2009-11-23 at 06:29:14 | ID: 25887737

child-dc1 is primary, which server is secondary?

Could you check the parent DCs security tab to see whether any authentication requests hit them for child domain logins?

 

by: mrroonie | Posted on 2009-11-23 at 06:45:00 | ID: 25887864

secondary dns? WAS child-dc2, but is now parent-dc1

security log on parent doesn't show anything out of the ordinary - no failures, just the standard stuff as below

Subject:
      Security ID:            childdomain\child-dc1$
      Account Name:            child-dc$
      Account Domain:            childdomain
      Logon ID:            0xf54647

and

A Kerberos service ticket was requested.

Account Information:
      Account Name:            child-dc$@child.parent.domain.co.uk
      Account Domain:            child.parent.domain.co.uk
      Logon GUID:            {b8074ce7-fa0d-cb82-c8de-80a491582498}

 

by: mrroonie | Posted on 2009-11-23 at 06:45:45 | ID: 25887871

no child domain users have popped up in the security logs for the parent dc

 

by: arnold | Posted on 2009-11-23 at 07:12:14 | ID: 25888152

Does parent-dc1 have the child zones as a copy?
I think the inclusion of the parent-dc1 as the secondary DNS is the problem. The issue happens when, for one reason or another, the child-dc1's DNS cannot be queried by a workstation, which then fails over and queries the parent-dc1 for information on services for the child domain. Does the DNS server on the parent domain have the child domain references/delegated?
if you issue the following query against a parent DNS do you get a response or an error
nslookup -q=SRV childdomain parent-dc1
nslookup -q=NS childdomain parent-dc1

If you want to maintain parent-dc1 as a secondary dns server on the child domain's workstations, make sure the parent DC has a copy of the child domain's DNS Zone records.

 

by: ChiefIT | Posted on 2009-11-23 at 07:21:58 | ID: 25888272

If you have no event logs leading up to DNS problems, or networking problems, you probably don't have a problem with the DC; maybe the switch ports it's on, or maybe the clients are trying to authenticate using the wrong protocol.

Remember the spanning tree problem: (well here's a thread that explains spanning tree)
This issue will ONLY happen on managed switches, NOT smart switches.

http://tcpmag.com/qanda/article.asp?editorialsid=277

Pay particular attention to the 50 seconds that it takes for spanning tree to work.

If this is a managed switch, I recommend logging onto the switches' web interface and turning off spanning tree on all client/server ports. Leave spanning tree enabled on Switch to Switch ports and Switch to Router ports.

__________________________________________________________________

The second thought is periodically your users are trying to logon using LMHASH or NTLMhash authentication.

At this point, this looks like more your culprit:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_23132123.html

 

by: mrroonie | Posted on 2009-11-23 at 07:49:14 | ID: 25888585

the parent dc does have a copy of the child zones, they are not delegated - the secondary dns WAS child-dc2 until i demoted it this morning

just tried both nslookups on the parent, both come back with the error

 server:unknown and then the IP address of parent-dc, followed by 'cannot find specified server'

i tried using just the domain name and the FQDN - both give the same result

 it sounds like you were expecting those errors though...?

ChiefIT: i've just checked and all switches have spanning tree off. i've just enabled the 'do not store lm hash passwords' thing via gp - do they need to change their password to enforce this or will a logoff/on again or gpupdate/force do it?

 

by: ChiefIT | Posted on 2009-11-23 at 08:01:34 | ID: 25888728

No, they shouldn't have to redo passwords. These are old hashes saved on some PCs.

Your actual problem appears to be bad delegation records. This will be DC1's DNS on the child domain.

Have a look see:
http://www.experts-exchange.com/Networking/Protocols/DNS/Q_24349599.html

 

by: arnold | Posted on 2009-11-23 at 08:05:15 | ID: 25888781

Yes, I was expecting errors as that would explain the indeterminable intermittent errors you are seeing.

Can you double check that the secondary DNS entry you are using has the DNS service running?
DNS errors of this kind could show up as intermittent errors and would be hard to diagnose.
I.e. as explained, when primary DNS is bogged down by other tasks, the workstation/server will fail over to the secondary DNS server and could cause issues if a DNS response is not received. Does the fileserver housing the file share for the profile also use parent-dc2 as the backup?

try this in sequence
nslookup
lserver ip_of_parent-dc_used_as_secondary
Comment: The combination of the two will set the parent_dc as the name server to query
set query=SRV
Comment: this sets the query type to return SRV records
_ldap._tcp.childdomain.

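The nslookup sequence above is a manual check of one server at a time. The following script, an added example that is not part of the thread or any of the posters' own tooling, automates the same check across every DNS server a workstation is configured with: it runs nslookup -q=SRV for _ldap._tcp.<child domain> against each server and parses the answer, so a secondary server that holds no copy of the child zone (the failover gap arnold describes) shows up immediately. The server addresses, child domain name and the nslookup output samples used for the offline demonstration are constructed, not taken from the thread.

```python
"""Check that every configured DNS server can locate the child domain's
LDAP SRV records.  Added example, not from the thread; the addresses,
domain name and sample nslookup output below are constructed."""
import re
import subprocess

CHILD_DOMAIN = "child.parent.local"            # assumed child domain name
DNS_SERVERS = ["10.0.0.1", "10.0.0.2"]         # assumed: primary (child-dc1), secondary (parent-dc1)

# Constructed nslookup output in the Windows format, one answer and one failure.
WIN_OK = """Server:  child-dc1.child.parent.local
Address:  10.0.0.1

_ldap._tcp.child.parent.local   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = child-dc1.child.parent.local
child-dc1.child.parent.local    internet address = 10.0.0.1
"""
WIN_FAIL = """Server:  UnKnown
Address:  10.0.0.2

*** UnKnown can't find _ldap._tcp.child.parent.local: Non-existent domain
"""
# Constructed output in the BIND nslookup format (Linux/Unix resolvers).
BIND_OK = "_ldap._tcp.child.parent.local\tservice = 0 100 389 child-dc1.child.parent.local.\n"

CONSTRUCTED_OUTPUT = {"10.0.0.1": WIN_OK, "10.0.0.2": WIN_FAIL}


def parse_srv_answers(text):
    """Return [(priority, weight, port, target)] from nslookup SRV output,
    accepting both the Windows layout (one field per line, ending in
    'svr hostname = ...') and the BIND layout ('service = p w port target')."""
    records, fields = [], {}
    for line in text.splitlines():
        m = re.search(r"service\s*=\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)", line)
        if m:
            records.append((int(m[1]), int(m[2]), int(m[3]), m[4].rstrip(".").lower()))
            continue
        m = re.match(r"\s*(priority|weight|port)\s*=\s*(\d+)", line, re.I)
        if m:
            fields[m[1].lower()] = int(m[2])
            continue
        m = re.match(r"\s*svr hostname\s*=\s*(\S+)", line, re.I)
        if m:
            records.append((fields.get("priority", 0), fields.get("weight", 0),
                            fields.get("port", 0), m[1].rstrip(".").lower()))
            fields = {}
    return records


def lookup_failed(text):
    """True when nslookup reported an error rather than an answer."""
    return bool(re.search(r"can't find|Non-existent domain|NXDOMAIN|timed out|No response from server",
                          text, re.I))


def nslookup_srv(name, server):
    """Run nslookup -q=SRV against one server and return its combined output."""
    proc = subprocess.run(["nslookup", "-q=SRV", name, server],
                          capture_output=True, text=True, timeout=20)
    return proc.stdout + proc.stderr


def constructed_run(name, server):
    """Offline stand-in for nslookup_srv, fed from the constructed samples."""
    return CONSTRUCTED_OUTPUT.get(server, WIN_FAIL)


def check_server(server, child_domain, run=nslookup_srv):
    """Query one server for the child's LDAP SRV records and judge the answer."""
    out = run(f"_ldap._tcp.{child_domain}", server)
    targets = [t for _, _, _, t in parse_srv_answers(out)]
    ok = bool(targets) and not lookup_failed(out)
    return {"server": server, "ok": ok, "targets": targets, "reason": "" if ok else out.strip()}


def check_all(servers, child_domain, run=nslookup_srv):
    return [check_server(s, child_domain, run) for s in servers]


def failover_gap(results):
    """Servers a workstation may fail over to that cannot find the child DCs."""
    return [r["server"] for r in results if not r["ok"]]


if __name__ == "__main__":
    # Offline demo on the constructed output; pass run=nslookup_srv for a live check.
    for r in check_all(DNS_SERVERS, CHILD_DOMAIN, run=constructed_run):
        print(r["server"], "OK" if r["ok"] else "FAIL", r["targets"] or r["reason"])
    print("servers that cannot locate the child domain:",
          failover_gap(check_all(DNS_SERVERS, CHILD_DOMAIN, run=constructed_run)))
```

A "Server: UnKnown" line is only nslookup failing to reverse-resolve the server address (no PTR record); the failure that matters is the "can't find ... Non-existent domain" line, which is what a client falling over to that server would hit when it tries to find the child domain's DCs.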
 

by: mrroonie | Posted on 2009-11-23 at 08:12:53 | ID: 25888854

chiefIT: so delete the child-dc1 from the parent-dc dns and reinstate it?

arnold: the dns service was running on child-dc2 until demoted, it is DEF running on parent-dc1!

the fileserver for the child domain is the DC - the primary dns of child-dc1 is itself and the secondary is parent-dc1.

am i running nslookup on the parent or child dc?

 

by: ChiefIT | Posted on 2009-11-23 at 08:30:15 | ID: 25889021

No, you will want to do this on BOTH DC's if both provide DNS. Remember DNS is replicated to other DCs.

 

by: mrroonie | Posted on 2009-11-23 at 08:32:54 | ID: 25889038

both parent dcs or both parent dcs and child dc? sorry, it's been a long day and i'm struggling to keep up

 

by: arnold | Posted on 2009-11-23 at 10:08:43 | ID: 25889924

Parent-dc2 and child-dc1 DNS must contain the child domain references.

The parent-dc2 if you do not want it to have the complete child zone, must contain a properly delegated one.
i.e. NS record for childdomain pointing to the child-dc1 and child-dc2.
i.e. in the parent zone
childdomain. IN NS child-dc1.childdomain.
childdomain. IN NS child-dc2.childdomain.
child-dc1.childdomain. IN A IP_address
child-dc2.childdomain. IN A IP_address2

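A delegation like the one above is easy to get subtly wrong: a name without a trailing dot is relative to the parent zone's origin, so "child-dc2" in the parent zone names child-dc2.parent.local rather than a host in the child domain, and an NS target inside the child zone needs a glue A record or resolvers cannot reach it. The script below, an added example that is not part of the thread or any of the posters' tooling, parses a small zone-file fragment in the style shown and reports exactly those two problems. The zone names, addresses and record text are constructed.

```python
"""Validate a parent-zone delegation for a child domain.  Added example,
not from the thread; the origin, zone names and records are constructed."""

PARENT_ORIGIN = "parent.local."          # assumed parent zone origin
CHILD_ZONE = "child.parent.local."       # assumed child zone

# Constructed fragment with two mistakes: the second NS target lacks a
# trailing dot (so it is relative to the parent origin), and the third NS
# target is inside the child zone but has no glue A record.
BROKEN_FRAGMENT = """
child.parent.local.            IN NS child-dc1.child.parent.local.
child.parent.local.            IN NS child-dc2
child.parent.local.            IN NS child-dc3.child.parent.local.
child-dc1.child.parent.local.  IN A  10.0.0.1
"""

# Constructed fragment with every target fully qualified and glued.
FIXED_FRAGMENT = """
child.parent.local.            IN NS child-dc1.child.parent.local.
child.parent.local.            IN NS child-dc2.child.parent.local.
child-dc1.child.parent.local.  IN A  10.0.0.1
child-dc2.child.parent.local.  IN A  10.0.0.2
"""


def qualify(name, origin):
    """Absolute form of a zone-file name: '@' is the origin, a trailing
    dot means already absolute, anything else is relative to the origin."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Parse 'owner [IN] TYPE rdata' lines into (owner, TYPE, rdata) tuples;
    owner names are made absolute, rdata is kept as written."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        owner, rest = parts[0], parts[1:]
        if rest and rest[0].upper() == "IN":
            rest = rest[1:]
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        records.append((qualify(owner, origin), rtype, rdata))
    return records


def check_delegation(records, child_zone, origin):
    """Return a list of problems with the NS delegation of child_zone."""
    problems = []
    glue = {owner for owner, rtype, _ in records if rtype == "A"}
    ns_targets = [rdata for owner, rtype, rdata in records
                  if rtype == "NS" and owner == child_zone]
    if not ns_targets:
        problems.append(f"no NS records delegate {child_zone}")
    for raw_target in ns_targets:
        target = qualify(raw_target, origin)
        if not raw_target.endswith("."):
            problems.append(f"NS target '{raw_target}' is relative and actually names {target}")
        if target.endswith("." + child_zone) and target not in glue:
            problems.append(f"NS target {target} is inside the child zone but has no glue A record")
    return problems


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_FRAGMENT), ("fixed", FIXED_FRAGMENT)):
        issues = check_delegation(parse_zone(text, PARENT_ORIGIN), CHILD_ZONE, PARENT_ORIGIN)
        print(label, "->", issues or "delegation looks consistent")
```

The same checks apply whether the records are typed into a zone file or entered through the DNS console; the console adds the domain suffix for you, which is why a mismatch usually only appears when a delegation is copied between servers by hand.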
 

by: mrroonie | Posted on 2009-11-24 at 01:15:26 | ID: 25895328

since the changes made yesterday (demote child-dc2, rebuild dns, gp for lm hashes, deleting child-dc1 from parent-dc1 dns and re-delegating) no errors on logon this morning or logoff last night.

think you guys might have cracked this for me.... i'll leave it open for a couple of days just in case this is one of the mornings where the server couldn't decide who to lock out so just left everything working

i'm not actually sure which of the above would have done it (probably the combination) so i'll split the points evenly

 

by: mrroonie | Posted on 2009-11-26 at 01:14:19 | ID: 31658982

excellent, thanks guys
