Folder Redirection Works Sometimes

When users log on to the domain, their My Documents and Desktop are redirected as set by Group Policy. Redirection is to a local file server by \\servername\share\users docs, and not by mapped drives. If a user logs on to a workstation for the first time, the redirection works 20% of the time. The user must log off and on the workstation several times before the redirection works. The user never has a problem again as long as that local profile on that machine is not deleted. If the local profile is deleted, then we experience the same problem. The only thing I can think of is that the policy is not getting pushed down from the DC over the WAN, and this is causing files to not be redirected. Any ideas or troubleshooting tips are greatly appreciated.

Justin CAWS Solutions ArchitectCommented:
GPO processing over a WAN can be slow; have you tried forcing a policy update after logon?

secedit /refreshpolicy in Win2K
gpupdate in WinXP

What speed is the WAN link between the clients and the DC?
masterfaceAuthor Commented:
Right now I have 2 T1 lines running from my campus to the DC at the district office. We are going to get an additional T1 line this month. There is a great deal of traffic over those 2 T1 lines, mostly HTTP traffic, but I have a Packeteer partitioning the HTTP bandwidth to 900 to 1.5 mbs non-burstable. The students do not have access to the run command to force a policy update. Do you know of another way I could force the policy update while the user is logged on?
Justin CAWS Solutions ArchitectCommented:
It sounds like creating a site and putting a DC/GC at your campus would be the best approach, not sure how easy that would be for you though. You could enable Telnet and run the command remotely, but that doesn't seem like a very efficient answer.
masterfaceAuthor Commented:
I have a backup DC here, but I don't think it is being used to get group policies. I am going to try and telnet to see if I can force the policy update.
masterfaceAuthor Commented:
Do you know what type of traffic or port the Group policy uses. I could set aside bandwith just for that traffic type.
masterfaceAuthor Commented:
correction bandwidth
Justin CAWS Solutions ArchitectCommented:
Hmm. That's strange then, all DCs in AD hold a copy of the directory and the group policy objects. The systems at that site should be authenticating to the local DC and processing GP from it. You may want to remotely manage a PC that's having this problem and check its event log to see if there are any errors or warnings.
masterfaceAuthor Commented:
I telnetted in and ran gpupdate and now the event viewer shows

Folder redirection event Flags = 0x10

In the next event

"Folder redirection policy application has been delayed until the next logon because the group policy logon optimization is in effect."

Justin CAWS Solutions ArchitectCommented:
Check this article, it seems to describe the problem you're having:;EN-US;305293
masterfaceAuthor Commented:
Thank you, it does describe the problem I am having. The only part that throws me off is...

 "Fast Logon Optimization is always off during logon under the following conditions:
When a user first logs on to a computer."

20% of the time we get the problem when the user first logs on to a computer.

I am going to change the logon optimization and test it out.
masterfaceAuthor Commented:
I changed the logon optimization but still the same problem.
I did find this.................

From userenv log found in WINDOWS\Debug\UserMode

USERENV(280.180) 10:31:08:410 ConnectToNameSpace:: CreateAndCopyNameSpace failed. Error=0x80041002.
USERENV(280.180) 10:31:08:410 GetWbemServices: ConnectToNameSpace failed with 0x0
USERENV(280.180) 10:31:09:211 ProcessGPOs: SetPreviousFgPolicyRefreshInfo failed.
USERENV(280.180) 10:31:09:211 ProcessGPOs: SetNextFgPolicyRefreshInfo failed.
USERENV(280.218) 10:31:10:252 PolicyChangedThread: UpdateUser failed with 1008.

By the way, how can I tell what DC we are getting the GP from. We have a DC local, but I think it is trying to get GP from the District Office DC.
Justin CAWS Solutions ArchitectCommented:
Run the "set" command and look for the "LOGONSERVER=\\SERVERNAME" line, that's the DC that you authenticated with.  That *should* be the DC GP is applied from as well, but you can run "gpresult" and look for the "Group Policy was applied from:" lines under Computer Settings and User Settings to be sure.  

masterfaceAuthor Commented:
Well this is interesting.
LOGONSERVER=\\SMMS-DC this is at another school site.
 Group Policy was applied from:
 Group Policy slow link threshold:   500 kbps

GP is from the server here
masterfaceAuthor Commented:
I took a look at other computers on campus and they are all using different DCs for logon and GP. No computer is using the local DC for logon and only one was using the local DC for GP. How can I fix this?
Justin CAWS Solutions ArchitectCommented:
How are your sites setup?  Subnets?  If setup properly, clients should authenticate to a DC in their site.  We're actually having issues with this at the moment at work, we're reworking our site configuration to get this working more efficiently.  
masterfaceAuthor Commented:
I have 16 subnets/Vlans at my site; district wide there must be over a hundred. My site is All switches in the IDFs are run with fiber to the core switch in the MDF. The District office is, other schools follow the same 10.X.0.0 All of my servers, switches and router are on 10.23.1.X. My router has IP helper-address running to forward broadcasts to the DHCP server, and occasionally I have it forward PXE broadcasts to my Altiris server for initial deployment. I just don’t know why clients would cross the WAN to the District Office, and then cross another WAN to another school and use their DC.
This may be what you meant above, but it was not clear to me, so I am going to clarify something. When BloodRed mentioned sites and subnets, he was talking about sites as they are configured in Active Directory using Active Directory Sites and Services. If that is what you meant, you can ignore this part; if, however, you were not aware of the need to do this, it would explain your problem. In Active Directory Sites and Services you create site and subnet objects which describe your physical network. You create a site, add the domain controller you want that site to use for authentication to the site, then you create subnet objects to represent the physical subnets located in that site (or which you want to have use that server for authentication) and add those subnets to the site. Once this is done, the clients with IP addresses within the subnets assigned to a site will use the domain controller(s) in that site.
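The subnet-to-site mapping described in the post above can be audited offline. The following is an added example, not code from the thread: it models subnet objects as a table and resolves a client address or a whole VLAN to the site of the most specific covering subnet object, so VLANs with no subnet object (or caught only by a broad supernet) show up before clients start picking remote DCs. All site names and subnets are constructed for illustration, and the most-specific-match rule goes beyond the single-subnet case the post describes.

```python
import ipaddress

# Constructed subnet objects (CIDR -> site name), standing in for what would be
# defined in Active Directory Sites and Services. All values are hypothetical.
BEFORE = {
    "10.23.1.0/24": "Campus",          # only the server VLAN was registered
    "10.1.0.0/16": "District-Office",
}
# Constructed list of client VLANs at the campus.
CAMPUS_VLANS = ["10.23.1.0/24", "10.23.2.0/24", "10.23.16.0/24"]


def site_for(target, subnet_objects):
    """Return the site of the most specific subnet object that fully contains
    `target` (a single IP or a CIDR), or None if no subnet object covers it."""
    net = ipaddress.ip_network(target)
    matches = []
    for cidr, site in subnet_objects.items():
        obj = ipaddress.ip_network(cidr)
        if net.subnet_of(obj):
            matches.append((obj.prefixlen, site))
    # Longest prefix wins, mirroring a most-specific subnet match.
    return max(matches)[1] if matches else None


def audit(vlans, subnet_objects, expected_site):
    """Return {vlan: resolved_site} for every VLAN that does not resolve to
    expected_site. None means the VLAN has no subnet object at all."""
    problems = {}
    for vlan in vlans:
        resolved = site_for(vlan, subnet_objects)
        if resolved != expected_site:
            problems[vlan] = resolved
    return problems


# A district-wide catch-all sends unregistered campus VLANs to the wrong site.
CATCH_ALL = dict(BEFORE, **{"10.0.0.0/8": "District-Office"})
# Registering the campus range fixes both cases; the /16 beats the /8.
AFTER = dict(CATCH_ALL, **{"10.23.0.0/16": "Campus"})

if __name__ == "__main__":
    print("unmapped:", audit(CAMPUS_VLANS, BEFORE, "Campus"))
    print("wrong site:", audit(CAMPUS_VLANS, CATCH_ALL, "Campus"))
    print("after fix:", audit(CAMPUS_VLANS, AFTER, "Campus"))
```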