Solved

Folder Redirection Works Sometimes

Posted on 2003-12-08
Last Modified: 2012-05-04
When users log on to the domain, their My Documents and Desktop are redirected as set by group policy. Redirection is to a local file server by \\servername\share\users docs, and not by mapped drives. If a user logs onto a workstation for the first time, the redirection works 20% of the time. The user must log off and on the workstation several times before the redirection works. The user never has a problem again as long as that local profile on that machine is not deleted. If the local profile is deleted, then we experience the same problem. The only thing I can think of is that the policy is not getting pushed down from the DC over the WAN, and this is causing files to not be redirected. Any ideas or troubleshooting tips are greatly appreciated.
Question by:masterface
17 Comments
 
LVL 10

Expert Comment

by:BloodRed
ID: 9907480
GPO processing over a WAN can be slow. Have you tried forcing a policy update after logon?

secedit /refreshpolicy in Win2K
gpupdate in WinXP

What speed is the WAN link between the clients and the DC?
0
 

Author Comment

by:masterface
ID: 9907594
Right now I have 2 T1 lines running from my campus to the DC at the district office. We are going to get an additional T1 line this month. There is a great deal of traffic over those 2 T1 lines, mostly HTTP traffic, but I have a Packeteer partitioning the HTTP bandwidth to 900 to 1.5 mbs non-burstable. The students do not have access to the run command to force a policy update. Do you know of another way I could force the policy update while the user is logged on?
0
 
LVL 10

Expert Comment

by:BloodRed
ID: 9907757
It sounds like creating a site and putting a DC/GC at your campus would be the best approach; not sure how easy that would be for you though. You could enable Telnet and run the command remotely, but that doesn't seem like a very efficient answer.
0
 

Author Comment

by:masterface
ID: 9907962
I have a backup DC here, but I don't think it is being used to get group policies. I am going to try and telnet to see if I can force the policy update.
0
 

Author Comment

by:masterface
ID: 9908000
Do you know what type of traffic or port the Group Policy uses? I could set aside bandwith just for that traffic type.
0
 

Author Comment

by:masterface
ID: 9908011
Correction: bandwidth
0
 
LVL 10

Expert Comment

by:BloodRed
ID: 9908052
Hmm. That's strange then; all DCs in AD hold a copy of the directory and the group policy objects. The systems at that site should be authenticating to the local DC and processing GP from it. You may want to remotely manage a PC that's having this problem and check its event log to see if there are any errors or warnings.
0
 

Author Comment

by:masterface
ID: 9908179
I telnetted in and ran gpupdate, and now the event viewer shows

Folder redirection event Flags = 0x10

In the next event

"Folder redirection policy application has been delayed until the next logon because the group policy logon optimization is in effect."

0
 
LVL 10

Expert Comment

by:BloodRed
ID: 9908679
Check this article, it seems to describe the problem you're having:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;305293
0
 

Author Comment

by:masterface
ID: 9913368
Thank you, it does describe the problem I am having. The only part that throws me off is...

 "Fast Logon Optimization is always off during logon under the following conditions:
When a user first logs on to a computer."

20% of the time we get the problem when the user first logs on to a computer.

I am going to change the logon optimization and test it out.
0
 

Author Comment

by:masterface
ID: 9914748
I changed the logon optimization, but still the same problem.
I did find this:

From userenv log found in WINDOWS\Debug\UserMode

USERENV(280.180) 10:31:08:410 ConnectToNameSpace:: CreateAndCopyNameSpace failed. Error=0x80041002.
USERENV(280.180) 10:31:08:410 GetWbemServices: ConnectToNameSpace failed with 0x0
USERENV(280.180) 10:31:09:211 ProcessGPOs: SetPreviousFgPolicyRefreshInfo failed.
USERENV(280.180) 10:31:09:211 ProcessGPOs: SetNextFgPolicyRefreshInfo failed.
USERENV(280.218) 10:31:10:252 PolicyChangedThread: UpdateUser failed with 1008.

By the way, how can I tell what DC we are getting the GP from. We have a DC local, but I think it is trying to get GP from the District Office DC.
0
 
LVL 10

Accepted Solution

by:
BloodRed earned 500 total points
ID: 9914941
Run the "set" command and look for the "LOGONSERVER=\\SERVERNAME" line, that's the DC that you authenticated with.  That *should* be the DC GP is applied from as well, but you can run "gpresult" and look for the "Group Policy was applied from:" lines under Computer Settings and User Settings to be sure.  
0
 

Author Comment

by:masterface
ID: 9916153
Well this is interesting.
LOGONSERVER=\\SMMS-DC this is at another school site.
and
 Group Policy was applied from:      CSHS-DC.mvusd.k12.ca.us
 Group Policy slow link threshold:   500 kbps

GP is from the server here
0
 

Author Comment

by:masterface
ID: 9920652
I took a look at other computers on campus and they are all using different DCs for logon and GP. No computer is using the local DC for logon and only one was using the local DC for GP. How can I fix this?
0
 
LVL 10

Expert Comment

by:BloodRed
ID: 9925104
How are your sites set up? Subnets? If set up properly, clients should authenticate to a DC in their site. We're actually having issues with this at the moment at work; we're reworking our site configuration to get this working more efficiently.
0
 

Author Comment

by:masterface
ID: 9926047
I have 16 subnets/VLANs at my site; district wide there must be over a hundred. My site is 10.23.0.0 255.255.255.0. All switches in the IDFs are run with fiber to the core switch in the MDF. The District office is 10.1.0.0 255.255.255.0; other schools follow the same 10.X.0.0 255.255.255.0. All of my servers, switches and router are on 10.23.1.X. My router has IP helper-address running to forward broadcasts to the DHCP server, and occasionally I have it forward PXE broadcasts to my Altiris server for initial deployment. I just don’t know why clients would cross the WAN to the District Office, and then cross another WAN to another school and use their DC.
0
 

Expert Comment

by:Jared_Brown
ID: 37655301
This may be what you meant above, but it was not clear to me, so I am going to clarify something. When BloodRed mentioned sites and subnets, he was talking about sites as they are configured in Active Directory using Active Directory Sites and Services. If that is what you meant, you can ignore this part; if, however, you were not aware of the need to do this, it would explain your problem. In Active Directory Sites and Services you create site and subnet objects which describe your physical network. You create a site, add the domain controller you want that site to use for authentication to the site, then you create subnet objects to represent the physical subnets located in that site (or which you want to have use that server for authentication) and add those subnets to the site. Once this is done, the clients with IP addresses within the subnets assigned to a site will use the domain controller(s) in that site.
0
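The subnet-to-site matching described in the last comment can be checked offline before changing anything in Active Directory Sites and Services. The following is an added example, not part of the original thread: the site names, the subnet objects and the client addresses are constructed (loosely following the 10.23.x.x campus addressing mentioned above), and it assumes the most specific matching subnet object decides a client's site.

```python
import ipaddress

# Constructed sample: subnet objects as they might exist in AD Sites and
# Services. Site names are hypothetical; only the server VLAN is registered.
SUBNET_OBJECTS = {
    "10.1.0.0/16": "District-Office",
    "10.23.1.0/24": "Campus-23",
}

# Constructed sample client addresses taken from several campus VLANs.
CLIENTS = ["10.23.1.20", "10.23.4.57", "10.23.4.88", "10.23.9.12", "10.1.3.5"]


def build_table(subnet_objects):
    """Parse subnet objects into (network, site) pairs, most specific first."""
    table = [(ipaddress.ip_network(cidr), site)
             for cidr, site in subnet_objects.items()]
    return sorted(table, key=lambda entry: entry[0].prefixlen, reverse=True)


def site_for(ip, table):
    """Return the site of the most specific subnet containing ip, else None."""
    addr = ipaddress.ip_address(ip)
    for net, site in table:
        if addr in net:
            return site
    return None  # no subnet object matches: the client has no site of its own


def uncovered_subnets(client_ips, table, prefix=24):
    """Group clients that match no subnet object by their /prefix network."""
    gaps = {}
    for ip in client_ips:
        if site_for(ip, table) is None:
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            gaps.setdefault(str(net), []).append(ip)
    return gaps


if __name__ == "__main__":
    table = build_table(SUBNET_OBJECTS)
    for net, ips in uncovered_subnets(CLIENTS, table).items():
        print(f"{net}: no subnet object, affected clients {ips}")
    # Registering the whole campus range closes the gap for every VLAN.
    fixed = build_table({**SUBNET_OBJECTS, "10.23.0.0/16": "Campus-23"})
    print("gaps after fix:", uncovered_subnets(CLIENTS, fixed))
```

Clients listed as uncovered are the ones that cannot be tied to a local site, which matches the symptom of workstations logging on against DCs at other schools.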
