XP Users randomly get access denied to Roaming Profiles

hi spec01

thanks for your suggestion, i've just been through the problem server with getsid and all users (including admin & ghost_spare) have different sid's. the problem has occurred on all of the pc's in the child domain at one point or another, it's just random which one it picks to be it's next victim.

i have tried creating 2 fake users without hidden shares but i'll have to let you know tomorrow how they get on because they have both logged in fine now. i can't see how this would be as the parent domain has exactly the same setup and no users get this problem, but i'll give it a shot

there are no cautions or errors in the event logs of 4 of the pc's (none at all for over a week, which is unusual in itself), i'll have to check the others tomorrow as they are in use at the moment.

hello again spec01

right: one of the fake users without a hidden shared profile folder got access denied this morning, but the other logged in fine. one of the standard users got access denied as well but the others, well the ones who are in this early, logged in fine. I've managed to check the event logs of the other 4 pc's (turns out there are only 8 logging into the child domain which cancels out the 10 concurrent user theory - would it still happen with 8 users?) - only errors i found were to do with the sound card and a printer.

found another problem with the backup as well - only using NTBackup (lack of funds for a decent system) to DDS3 tapes - yesterday i was asked to restore a folder. the backup tapes (going back a month) have NOT backed this damn folder up - it has backed up another folder and all Word and Excel doc's in the same parent folder, but this particular folder is missing. i think i'll start another thread for this problem though. think my network's haunted...

any more ideas on this access denied thing?

I suspect that there is something deeper then just a permissions issue i.e user authentication, computers etc. Can you create an entirely new share (testing) for 1 or 2 users on a different server to see if they can work-around this issue and maybe try to rule out this issue based on server.

Are the users able to access their profiles directory from UNC or Mapped drive or are they getting Access Denied as well? Is there any other GPO or scripts that are loading up on startup that may be causing this issue? Try running rsop.msc and see if anything populates.

It appears that you have covered all of the basics so it should work fine. That why I think it might be something more then just user profile share.

>> Can you create an entirely new share (testing) for 1 or 2 users on a different server to see if they can work-around this issue and maybe try to rule out this issue based on server.  << do you mean create a share on the parent to see if they can connect?

if they login with the temp profile (after having access denied to load their profile) they still have full access to their profile folder and home folder and can access via both UNC  and mapped drive.

just looking thru' rsop now but as far as i'm aware the only change in policy is the one i mentioned earlier to make the PC wait for the network before logging in.

i think it may have something to do with the word shortcut failing to copy, because that's ALWAYS in the 'access denied' message

the only policies that are enabled:

in computer configuration\admin templates\system\user profiles

Do not check for ownership of roaming profiles folder

in computer configuration\admin templates\system\logon

always wait for the network at computer startup and login

in computer configuration\admin templates\network\offline files

prevent use of offline files folder

thats it!

Yes create a direct share on the parent server. You had said that from the parent server they were not running into this issue if the profile was being stored here. Also, could you check the time stamp on the server and local profile? Make sure that the server one is the most current. Once you have done this login to the machine that is having issues and cut/paste the users profile to a temp directory then login as the user to force the server profile to be repushed to the users computer.

If the local cached profile is more recent then the server one that was pushed you can copy the contents from the moved profile (c:\temp) to the new profile that was pushed.

If there is an issue with a specific file transfering during this causing the access denied can you check the permissions on this file and make sure that the user has full control.

apologies for not getting back sooner - one of my network switches has locked everyone out of the system and i'm concentrating on that at the moment as it's taken a whole floor down.

i'll get back to you as soon as i can

hi Spec01

that was a nightmare - HP procurve switches and vlans! all good fun. all sorted now, one of the trunks were tagged when it shouldn't have been.

anyway back to the problem -

i have put the test users profiles on the parent server but they are still logging into the child domain. no problems as yet (only been one day tho), i'll try again after the weekend. i cannot put the actual child domains users onto the parent server for various political reasons (don't ask!).

All of the actual child domain users logged in without problems today, but last night one of the users got access denied when trying to write back to the server on logoff. again it was a word.doc.url it couldn't copy. on checking the profile again the shortcut wasn't there - it seems to be a shortcut that used to exist but the user has deleted it. the error doesn't show up the day after the user deletes the shortcut, it pops up 4 or 5 days after it has been deleted

checked the time stamps - all profiles have the latest on the server. They are all problem machines, it picks one at random to have a problem, but i see what you mean about rebuilding the local profile, i'll do that to one of the users first thing monday and get back to you - once i do it to one of the users i'll have to leave it a couple of days to see if it eliminates the problem and follow suit with the rest

hi Spec01

just tried rebuilding the local profile - i moved the local copy of the profile into a temp directory and deleted it for docs&settings, got the user to log in and surprise surprise 'Windows cannot find your local profile and is logging you in with a temporary one'.

just don't know what's going on with this...

There is something obviously wrong with the way the server is communicating with the computers on the domain. I have listed above before to try NewSID and change the SID of one computer (just to try) and also remove the computer account from the domain delete the existing computer account in active directory and re-add the computer back to the domain.

If you delete the local cached profile from the computer it should automatically pull the profile from the server locally to the machine.

Also, have you checked the Event viewer on the servers to see if they are reporting back any issues trying to connect to these computers?

Hi Spec01

>>There is something obviously wrong with the way the server is communicating with the computers on the domain.<< You're telling me!!

>>If you delete the local cached profile from the computer it should automatically pull the profile from the server locally to the machine<< yeah, that's the whole idea of roaming profiles isn't it but the damn thing wouldn't let her in once i deleted the local cache until i changed her profile location (again), and when that happened it lost everything, she was basically a brand new user - had to set up outlook again, reinstall a shared printer and she lost all desktop background and everything. She still had access to her profile folder when going in via Windows Explorer. i tried to change the profile location back before going through it all again but got the 'access denied' thing again.

>>I have listed above before to try NewSID and change the SID of one computer (just to try) and also remove the computer account from the domain delete the existing computer account in active directory and re-add the computer back to the domain. <<  i joined 2 completely new PC's (new machine with new hostname, IP address, and new users) to the domain last week - these are having the same problems as the existing ones. these are easier to test things out on as well as they are new users they don't have huge profiles to download.

Event viewer on the server - checked applications, directory service, DNS, security, system and file replication - the only error in any of them was System moaning about not having a printer driver when i RDP'd in. Oddly no failure audits in security.

another oddity is that all users (including the fake ones i set up with profiles on the parent server) logged in this morning without a problem

all users logged in fine again today - 2 days in a row!

just to keep you posted - all users logged in fine friday and today - 4 days in a row! i'll give it a fortnight before i close the thread just to make sure its all working properly. God knows what started it off and i have less of a clue as to why it seems to be working ok now. I have a sneaky suspicion it was a windows update, and a follow up has sorted it out, but there's nothing in the event log about installing updates!

all users logged in fine again today, BUT one user got an error when logging off last night -

Windows cannot update your roaming profile. Possible causes of this error include network problems or insufficient security rights. If this problem persists, contact your network administrator.

 DETAIL - Cannot create a file when that file already exists.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.





Windows cannot copy file C:\Documents and Settings\ajd76\Favorites\Links\Google.url to location \\server\user$\profile1\Favorites\Links\Google.url. Possible causes of this error include network problems or insufficient security rights. If this problem persists, contact your network administrator.

 DETAIL - Cannot create a file when that file already exists.

all users seem to be logging in fine now, BUT the 'cannot update roaming profile' has now changed to when they log out - they are all getting the message

DETAIL - Cannot create a file when that file already exists.

again this is not happening to all users all of the time, it's picking one or 2 at random

See whether the issue arises when a the authentication check is hitting a particular PDC.
I.e. user logs in.  Access is attemped to \\profileserver\user$\%username%.  Does it make a difference if the \\profileserver accesses server1_win2k8 or server2_win2k3?
Enable auditing on the profileserver's user$ share and see what is recorded in the security event log on the profileserver.  This way you can see whether and possibly why access was denied.

It is possible as spec01 pointed out that two separate systems with the same sid attempting to access the same resource result in a denial.

How many domain controllers do you have?

Here's what I am thinking. You have two domain controllers, (call them DC1 and DC2).

DC1 was the first within the forest/domain. DC2 was added later, but there were problems. Now DC2 has the same domain name, but is realistically on its OWN domain.

So, periodically, you are logging onto the wrong domain and these computers can't find the profiles.

This would go right along with DNS. You have two servers with SRV records. These records point the way to the  AD authentication server for authentication. But if the SRV records of one are not there, then the clients can't see the authentication server and would get access denied.

WAIT, I am not done.
Let's say you have mulithomed DCs. So, periodically your server responds to a kerberos authentication on the wrong NIC or VPN.

Still with other ideas:
Let's say you have spanning tree protocol enabled on your switches. This can intermittently knock down the clients and time them out when they  are trying to authenticate.

Oh, I got another one:
Let's say you have cached passwords: (they actually are not cached, but saved passwords). Now your clients will try to communicate using cached passwords. You can view these on the client machines by going to control pannel>>users>>advanced>>managed passwords.

To me, this sounds like intermittent Kerberos authentication. This could mean intermittent communications with the server. Mulithomed servers, Spanning tree protocol, Service pack 1 on the server, and other problems are suspect when it comes to intermittent comms.

-Run DCdiag /v from the command prompt of your servers
-Look in event logs of the servers for errors or warnings
-Make sure Windows firewall isn't blocking communications to the LDAP.
-Make sure Spanning tree is disabled on client adapters on switches. Spanning tree is good between routers and switches.
-If Cisco, check your duplex settings to make sure they are set exactly alike on switches and routers. The duplex settings will be either auto negotiate, 10 mb full duplex, 100 mB full duplex, or 1000 mb full duplex.
-Check your IPconfig /all for IPversion 6. In an IPconfig /all you will see something called a teredo tunnel and a base 16 IP address. IPv6 is a tunneling protocol and is only compatible with IPv6 routers that have it enabled. Also, you have to configure DNS to work right with IPv6. Furthermore, Netbios translation will not work with IPv6.



 

apologies guys, i was out of the office yesterday -

arnold:

the users of the child domain have nothing to do with the 2k8 server - that's the dc for the parent domain. as spec01 suggested i created some test users and had them logging into the child domain but pointing their profile to the parent domains file server - same issues occur. i cannot have the child domain users logging into the parent domain for various political reasons

i have checked the sid's - all are different. i already have auditing enabled on the child dc (the child dc is also the child domains file server, where the profiles are stored) - no failure audits at all, when they log in or out.

ChiefIT:

Here's what I am thinking. You have two domain controllers, (call them DC1 and DC2). << i have 2 dc's for the parent and 2 dc's for the child domain

DC1 was the first within the forest/domain. DC2 was added later, but there were problems. <<both child DC's were the 1st machines on the child domain and both have never been renamed from child-dc1 and child-dc2, or had different ip addy's from the start

Now DC2 has the same domain name, but is realistically on its OWN domain. << please clarify this, i'm not sure what you mean

So, periodically your server responds to a kerberos authentication on the wrong NIC or VPN.<<the kerberos thing sounds promising, but both DC's only have 1 NIC attached to the network and there is no VPN

Let's say you have spanning tree protocol enabled on your switches.<<i don't know what this is - do you know where i would  find out on HP Procurve 5406ZL's, firmware version 14.47?

This can intermittently knock down the clients and time them out when they  are trying to authenticate<<i thought it might be timing out as well - i have a policy in place so the clients wait for the network before logging on, i thought this would prevent the timeout?

Mulithomed servers, Spanning tree protocol, Service pack 1 on the server, and other problems are suspect when it comes to intermittent comms. <<both servers are 2k3 sp2 fully patched, def. not multihomed (only 1 NIC attached), the only thing i'm not sure about is the spanning tree protocol

see attached for dcdiag /v

not warnings or errors relating to security or comms in event viewer

Windows firewall's off (external firewall in DMZ)

need to check this spanning tree thing - i'll get back to you

all HP procurves with identical configuration

IP 6 is disabled throughout both domains

and dcdiag for child dc1

You have two errors they can not seem to talk to parent-SRV-2.
http://forums.techarena.in/server-dns/683254.htm
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_21739731.html


To clear my own understanding of your situation:
1) 2Dc for child domain and 2DC for the Parent domain.
2) Randomly users on the child domain get roaming profile access denied errors during login.
3) the profile share is on a server in a child domain but you also tried storing those on a parent domain fileserver.

Are the child/parent domains on the same IP segment?
What is the relationship between the parent and child domain?
somedomain.local child.somedomain.local?
Whose DNS records do the workstations where the errors occur have?  Could you check whether the roaming profile access denied issue relates to the computer being used rather than which user's experience issues?

Arnold asked for clarification on a few things:

Are both DCs designed for this child domain?

That's an important fact.

Another that wasn't mentioned is, How long has file replication been broken. If over 90 days, your looking at a tombstoned server, which will jack up AD authentication and cause your problems.

arnold:

1) 2Dc for child domain and 2DC for the Parent domain.
2) Randomly users on the child domain get roaming profile access denied errors during login.
3) the profile share is on a server in a child domain but you also tried storing those on a parent domain fileserver.

correct on all 3 counts

Are the child/parent domains on the same IP segment? << yep
What is the relationship between the parent and child domain? << again, yep - child.parent.local
Whose DNS records do the workstations where the errors occur have?  Could you check whether the roaming profile access denied issue relates to the computer being used rather than which user's experience issues?<< all machines in the child domain have the problem, it picks 1 or 2 (or none) at random as to who it happens to. All machines have child-dc1 as primary DNS

ChiefIT:
1. child-srv-1 is child-dc1 - i was using find and replace for confidentiality issues and it looks like its gone a bit wrong. child-dc1 has ALL FSMO roles, dc-2 is the GC
2&3. there have been DNS issues since i took over this network (don't you just love inherited networks?!) i thought i resolved them all but obviously not.

i think i'm going to un-dcpromo child-dc2, fix dns on dc1 and then re-dcpromo dc2, i've just compared both servers dns and they look identical so i think the easiest way will be to rebuild from scratch

i'll let you know how i get on

child-dc1 is primary, which server is secondary?

Could you check the parent DCs security tab to see whether any authentication requests hit them for child domain logins?

secondary dns? WAS child-dc2, but is now parent-dc1

security log on parent doesn't show anything out of the ordinary - no failures, just the standard stuff as below

Subject:
      Security ID:            childdomain\child-dc1$
      Account Name:            child-dc$
      Account Domain:            childdomain
      Logon ID:            0xf54647

and

A Kerberos service ticket was requested.

Account Information:
      Account Name:            child-dc$@child.parent.domain.co.uk
      Account Domain:            child.parent.domain.co.uk
      Logon GUID:            {b8074ce7-fa0d-cb82-c8de-80a491582498}

no child domain users have popped up in the security logs for the parent dc

If you have no event logs leading up to DNS problems, or networking problems you probably don't have a problem with the DC, maybe the switch ports its on, or maybe the clients are trying to authenticate using the wrong protocol.

Remember the spanning tree problem: (well here's a thread that explains spanning tree)
This issue will ONLY happen on managed switches, NOT smart switches.

http://tcpmag.com/qanda/article.asp?editorialsid=277

Pay particular attention to the 50 seconds that it takes for spanning tree to work.

If this is a managed switch, I recommend logging onto the switches' web interface and turning off spanning tree on all client/server ports. Leave spanning tree enabled on Switch to Switch ports and Switch to Router ports.

__________________________________________________________________

The second thought is periodically your users are trying to logon using LMHASH or NTLMhash authentication.

At this point, this looks like more your culprite:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_23132123.html

the parent dc does have a copy of the child zones, they are not delegated - the secondary dns WAS child-dc2 until i demoted it this morning

just tried both nslookups on the parent, both come back with the error

 server:unknown and then the IP address of parent-dc, followed by 'cannot find specified server'

i tried using just the domain name and the FQDN - both give the same result

 it sounds like you were expecting those errors though...?

ChiefIT: i've just checked and all switches have spanning tree off. i've just enabled the 'do not store lm hash passwords' thing via gp - do they need to change their password to enforce this or will a logoff/on again or gpupdate/force do it?

No, they shouldn't have to redo passwords. These are old hashes saved on some PCs.

Your actual problem appears to be bad delegation records>  This will be DC1's DNS on the child domain.

Have a look see:
http://www.experts-exchange.com/Networking/Protocols/DNS/Q_24349599.html

Yes, I was expecting errors as that would explain the indeterminable intermittent errors you are seeing.

Can you double check that the secondary DNS entry you are using has the DNS service running?
DNS errors of this kind could show up as intermittent errors and would be hard to diagnose.
I.e. as explain when primary  DNS is bogged down by other tasks, the workstation/server will failover to the secondary DNS server and could cause issues if a DNS response is not received.  Does the fileserver housing the file share for the profile also use parent-dc2 as the backup?

try this in sequence
nslookup
lserver ip_of_parent-dc_used_as_secondary
Comment: The combination of the two will set the parent_dc as the name server to query
set query=SRV
Commect: this sets the query type to return SRV records
_ldap._tcp.childcomain.

chiefIT: so delete the child-dc1 from the parent-dc dns and reinstate it?

arnold: the dns service was running on child-dc2 until demoted, it is DEF running on parent-dc1!

the fileserver for the child domain is the DC - the primary dns of child-dc1 is itself and the secondary is parent-dc1.

am i running nslookup on the parent or child dc?

No, you will want to do this on BOTH DC's if both provide DNS. Remember DNS is replicated to other DCs.

both parent dcs or both parent dcs and child dc? sorry, it's been a long day and i'm struggling to keep up

Parent-dc2 and child-dc1 DNS must contain the child domain references.

The parent-dc2 if you do not want it to have the complete child zone, must contain a properly delegated one.
i.e. NS record for childdomain pointing to the child-dc1 and child-dc2.
i.e. in the parent zone
childdomain. IN NS child-dc1.childdomain
childdomain. IN NS child-dc2
child-dc1.childdomain. IN A IP_address
child-dc2.childdomain. IN A IP_address2

since the changes made yesterday (demote child-dc2, rebuild dns, gp for lm hashes, deleting child-dc1 from parent-dc1 dns and re-delegating) no errors on logon this morning or logoff last night.

think you guys might have cracked this for me.... i'll leave it open for a couple of days just in case this is one of the mornings where the server couldn't decide who to lock out so just left everything working

i'm not actually sure which of the above would have done it (probably the combination) so i'll split the points evenly