masterface


Folder Redirection Works Sometimes

When users log on to the domain, their My Documents and Desktop are redirected as set by Group Policy. Redirection is to a local file server by \\servername\share\users docs, and not by mapped drives. If a user logs on to a workstation for the first time, the redirection works 20% of the time. The user must log off and on the workstation several times before the redirection works. The user never has a problem again as long as that local profile on that machine is not deleted. If the local profile is deleted, then we experience the same problem. The only thing I can think of is that the policy is not getting pushed down from the DC over the WAN, and this is causing files to not be redirected. Any ideas or troubleshooting tips are greatly appreciated.
Justin C

GPO processing over a WAN can be slow. Have you tried forcing a policy update after logon?

secedit /refreshpolicy in Win2K
gpupdate in WinXP

What speed is the WAN link between the clients and the DC?
masterface

ASKER

Right now I have 2 T1 lines running from my campus to the DC at the district office. We are going to get an additional T1 line this month. There is a great deal of traffic over those 2 T1 lines, mostly HTTP traffic, but I have a Packeteer partitioning the HTTP bandwidth to 900 to 1.5 mbs non-burstable. The students do not have access to the Run command to force a policy update. Do you know of another way I could force the policy update while the user is logged on?
It sounds like creating a site and putting a DC/GC at your campus would be the best approach, not sure how easy that would be for you though.  You could enable Telnet and run the command remotely, but that doesn't seem like a very efficient answer.  
I have a backup DC here, but I don't think it is being used to get group policies. I am going to try Telnet to see if I can force the policy update.
Do you know what type of traffic or port Group Policy uses? I could set aside bandwith just for that traffic type.
correction bandwidth
Hmm.  That's strange then, all DCs in AD hold a copy of the directory and the group policy objects.  The systems at that site should be authenticating to the local DC and processing GP from it.  You may want to remotely manage a PC that's having this problem and check its event log to see if there are any errors or warnings.
I telnetted in and ran gpupdate and now the event viewer shows

Folder redirection event Flags = 0x10

In the next event

"Folder redirection policy application has been delayed until the next logon because the group policy logon optimization is in effect."

Check this article, it seems to describe the problem you're having:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;305293
Thank you, it does describe the problem I am having. The only part that throws me off is...

 "Fast Logon Optimization is always off during logon under the following conditions:
When a user first logs on to a computer."

20% of the time we get the problem when the user first logs on to a computer.

I am going to change the logon optimization and test it out.
I changed the logon optimization but still the same problem.
I did find this.................

From userenv log found in WINDOWS\Debug\UserMode

USERENV(280.180) 10:31:08:410 ConnectToNameSpace:: CreateAndCopyNameSpace failed. Error=0x80041002.
USERENV(280.180) 10:31:08:410 GetWbemServices: ConnectToNameSpace failed with 0x0
USERENV(280.180) 10:31:09:211 ProcessGPOs: SetPreviousFgPolicyRefreshInfo failed.
USERENV(280.180) 10:31:09:211 ProcessGPOs: SetNextFgPolicyRefreshInfo failed.
USERENV(280.218) 10:31:10:252 PolicyChangedThread: UpdateUser failed with 1008.

By the way, how can I tell what DC we are getting the GP from? We have a DC local, but I think it is trying to get GP from the District Office DC.
ASKER CERTIFIED SOLUTION
Justin C

This solution is only available to members.
Well this is interesting.
LOGONSERVER=\\SMMS-DC this is at another school site.
and
 Group Policy was applied from:      CSHS-DC.mvusd.k12.ca.us
 Group Policy slow link threshold:   500 kbps

GP is from the server here
I took a look at other computers on campus and they are all using different DCs for logon and GP. No computer is using the local DC for logon and only one was using the local DC for GP. How can I fix this?
How are your sites set up?  Subnets?  If set up properly, clients should authenticate to a DC in their site.  We're actually having issues with this at the moment at work, we're reworking our site configuration to get this working more efficiently.  
I have 16 subnets/VLANs at my site; district wide there must be over a hundred. My site is 10.23.0.0 255.255.255.0. All switches in the IDFs are run with fiber to the core switch in the MDF. The District office is 10.1.0.0 255.255.255.0, other schools follow the same 10.X.0.0 255.255.255.0. All of my servers, switches and router are on 10.23.1.X. My router has IP helper-address running to forward broadcasts to the DHCP server, and occasionally I have it forward PXE broadcasts to my Altiris server for initial deployment. I just don’t know why clients would cross the WAN to the District Office, and then cross another WAN to another school and use their DC.
This may be what you meant above, but it was not clear to me, so I am going to clarify something.  When BloodRed mentioned sites and subnets he was talking about sites as they are configured in Active Directory using Active Directory Sites and Services.  If that is what you meant you can ignore this part; if, however, you were not aware of the need to do this, it would explain your problem.  In Active Directory Sites and Services you create site and subnet objects which describe your physical network.  You create a site, add the domain controller you want that site to use for authentication to the site, then you create subnet objects to represent the physical subnets located in that site (or which you want to have use that server for authentication) and add those subnets to the site.  Once this is done, the clients with IP addresses within the subnets assigned to a site will use the domain controller(s) in that site.
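
How the subnet-to-site mapping described above decides which clients are tied to a site's domain controllers, as an added example that is not part of the original thread: it picks the most specific subnet object containing each client address and lists the clients that resolve to no site or to the wrong one. The site names, the client addresses and the /16 covering all campus VLANs are assumptions constructed for illustration.

```python
import ipaddress

# Constructed subnet objects (CIDR -> site name). Site names are hypothetical;
# the campus entry uses the 255.255.255.0 mask quoted in the thread.
SUBNET_OBJECTS = {
    "10.1.0.0/24": "District-Office",
    "10.23.0.0/24": "Campus",
}

# Constructed client addresses on several campus VLANs.
CAMPUS_CLIENTS = ["10.23.0.15", "10.23.1.40", "10.23.5.20", "10.23.16.7"]


def build_table(subnet_objects):
    """Parse the objects and order them most specific (longest prefix) first."""
    table = [(ipaddress.ip_network(cidr), site)
             for cidr, site in subnet_objects.items()]
    return sorted(table, key=lambda entry: entry[0].prefixlen, reverse=True)


def site_for(ip, table):
    """Site of the most specific subnet object containing ip, else None."""
    addr = ipaddress.ip_address(ip)
    for network, site in table:
        if addr in network:
            return site
    return None  # no subnet object covers this client, so it has no site


def audit(clients, table, expected_site):
    """Map each client that does not resolve to expected_site to what it got."""
    resolved = {ip: site_for(ip, table) for ip in clients}
    return {ip: site for ip, site in resolved.items() if site != expected_site}


def widened(subnet_objects):
    """Same objects with the campus entry widened to an assumed /16."""
    fixed = {c: s for c, s in subnet_objects.items() if s != "Campus"}
    fixed["10.23.0.0/16"] = "Campus"
    return fixed


if __name__ == "__main__":
    before = audit(CAMPUS_CLIENTS, build_table(SUBNET_OBJECTS), "Campus")
    after = audit(CAMPUS_CLIENTS, build_table(widened(SUBNET_OBJECTS)), "Campus")
    print("as quoted:", before)
    print("widened:  ", after)
```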