Solved

Roaming Profiles

Posted on 2010-09-09
30
633 Views
Last Modified: 2012-06-27
Hi,

I just rebuilt a customer's 2003 server. The main board was failing. I made both servers DCs, then assigned all the roles to the new server, copied over all the shared drives, and demoted the old DC.

That's when the weird things happened. All the users in the office use roaming profiles. When they log into their own machines, the server authenticates them but then I get an error saying that it could not find the server copy of their roaming profile. When I go to network neighborhood, I can see all the folders they should be able to view, but they are all empty.

However, when I log into the server locally as a user, I get their profile just fine and all the folders are populated. I have tried everything I could think of. I gave them full permission of the files, made them owner, removed inherited permissions, made full permission be passed on to all sub contents. It's the same for all of the 5 shares they have, but on the failing server the roaming profiles worked just fine.

Any help would be appreciated.

Question by:RRafuls
30 Comments
 
LVL 3

Expert Comment

by:gcolquhoun
ID: 33642500
Just a thought, are the policies set to be getting the profiles from the right place still? As you have already looked at the permissions, then it's possible the profiles aren't being found as they are mapped somewhere slightly different.
0
 

Author Comment

by:RRafuls
ID: 33642511
No that was the first thing I checked, Sorry I forgot to put that in there.

It not displaying the folder contents made me think permissions.
0
 
LVL 76

Expert Comment

by:arnold
ID: 33642719
Is the share domain or server based?

The roaming profile could take two logins to get.

What did you use to copy the data?

robocopy with /copy:DATO as the option?
Or if domain based share and you have 2003 R2 or newer, did you use DFS-replication to get the data replicated?

Do you also have folder redirection GPO setup?
0
 

Author Comment

by:RRafuls
ID: 33642798
It is 2003 R2.

I don't remember what the tool I used to copy it was called. I think it was in a package called _____  ______ server tool kit. I know it required Dot Net 2. Think it was a Microsoft download. It copied all the users, permissions, shares, etc.

It only asks for log in 1 time then errors.

I do still have the demoted old server, in case I need it.
0
 
LVL 76

Expert Comment

by:arnold
ID: 33643020
Once you demote the server, you should not try reconnecting it as it will really mess things up.

Your option in this situation is to point the roaming profiles to a new location and let each user get a brand new profile.  You could then copy the My Documents and Desktop contents from the old into the new, including the Favorites.

The users will experience the inconvenience of having to configure their settings anew.

The user profiles should not be configured to inherit the settings from the parent directory.  The other issue is to check what the sharing settings are on the \\server\profilelocation or \\domain\profilelocation

The user has to be the owner of the profile file and ntuser.dat.

You would likely need to check the application/security/system event logs on the workstation where the error occurs.
0
 

Author Comment

by:RRafuls
ID: 33643054
I will try that tomorrow.

The share is \\server\share

Thanks I will let you know.
0
 

Author Comment

by:RRafuls
ID: 33645904
I had another thought last night. I did have some problems getting the global catalog and sysvol to copy. The server was working so I didn't think much about it, but what if it were to have been corrupt? I didn't know if that could cause the problem or if I could restore their backup to try and fix it, due to the different hardware in the server.

 
0
 
LVL 76

Expert Comment

by:arnold
ID: 33648265
If your new DC does not have the GC role, it would cause problems logging in, but not sure it will have a direct impact on the roaming profile component.

The GC and sysvol would affect the policies and scripts if any, but you indicate that your issue is with the roaming profiles.

Try with one user: either rename their current roaming profile to username.old and let them log in anew and see whether they get a new roaming profile created and resolve that side of the issue.
You can then compare the settings on this roaming profile with that of the others.

If there are differences, i.e. settings/permissions: examples below (there are more) that will possibly go through a directory where you store the profile and will update the permissions based on the username after whom the folder is named.

http://www.tek-tips.com/faqs.cfm?fid=5734
http://www.experts-exchange.com/Security/Win_Security/Q_21019361.html
0
 

Author Comment

by:RRafuls
ID: 33648326
When I created a new user it told me the domain could not be contacted. I have now uninstalled and re-installed active directory. Created a new user. Still tells me it can't find the domain. Server name and IP address are the same as old server.
0
 
LVL 76

Expert Comment

by:arnold
ID: 33648461
The issue might be that your workstations are pointing to the OLD DC's IP for name service.
Where is your DHCP server? Check the scope options and make sure that the DHCP option for name service points to the new DC.
To speed things up, you can bring up the old DC's IP on the existing DC.

Issues might start if there are still stale references to the OLD dc such that the new dc will see the old DC's IP and will try to reestablish connection/replication and may generate errors.


0
 

Author Comment

by:RRafuls
ID: 33648486
I think they were pointing to the old DC's identifier. I made them workgroup machines, then domain machines again, and I got roaming profiles back. Still having permissions issues though.
0
 
LVL 76

Expert Comment

by:arnold
ID: 33648510
How long did you wait to demote the old one?
Did you make sure that all AD replication was completed?
Where is your DHCP server? Check its configuration/settings as mentioned in the prior post.
0
 

Author Comment

by:RRafuls
ID: 33648526
Waited about an hour. Anyhow, we are past that I think.
0
 

Author Comment

by:RRafuls
ID: 33652221
OK, This is where I am so far.

I have removed Active Directory and reinstalled it. I have taken the workstations off the domain and re-added them. I have rebuilt 2 of the domain users and can get their profiles to load, but not without problems. Mapped drives and shares still do not load right.

I believe that it is still trying to access the old server. I read elsewhere on this site that I made a faux pas. I removed the old server, re-created it, and put the new one in its place using the SAME IP address and server name, and that this may be confusing the workstations.

I believe this to be true because some of the shares that I see when going to the server from network neighborhood do not exist on the new server yet (the folder structure does but the share does not).

I am wondering, if I change the name to something else and change the IP address and change the DNS reference in the workstations, if this may solve the problems.

Any thoughts??
0
 
LVL 76

Expert Comment

by:arnold
ID: 33653071
The \\server\share on one server is different from \\server\share when the \\server uses the same name.  The two have distinct "GUID" and would not load.

Are you able to access the \\domain\sysvol\domain\policy?

Using login script you could remap the different shares.
net use F: /delete
net use F: \\domain\share

You could change the name.  
But there is no assurance that it will clear things up.  You would then have to clean the AD of all stale references to the old server.

Presumably you are restoring the AD from a system state backup?
Or are you starting from scratch?


0
 

Author Comment

by:RRafuls
ID: 33653311
Scratch. I thought about restoring their backup but it was from the beginning of 2008. I did not get called in until after the problem with the drives/main board was too bad to fix.

The problem with remapping is that the workstations only see the old shares, not the new ones. Like it's looking at a ghost of the former server.

I doubt I can see the sysvol folder from the workstation. It can't see any of the new shares from the workstations.
0
 
LVL 76

Expert Comment

by:arnold
ID: 33653737
What about the workstations that you rejoined?
Can they access the \\domain\sysvol? This is often how the GPOs/netlogon scripts are being accessed.

If they can, you have to modify the login scripts to use the \\domain\share versus \\server\share.

The other option is to set up a new server and import the AD users/computers from the current one, and then join the workstations to the new AD using netdom, which I think is part of the support tools.
The problem is that you have to know and have a local administrative account on each workstation to use with netdom.
0
 

Author Comment

by:RRafuls
ID: 33653782
The Workstations that I have rejoined are the ones that I am having problems with, no access to any shares. They can see the folder (sometimes) but no contents. I have not tried any of the rest yet.

There are only 2 domain users now. I had to end up uninstalling and re installing AD so they all went bye-bye.

I was thinking, there are only 4 full time users, and 15 part time users anyway. Each with their own machine. I don't know why they have AD or roaming profiles. Seems like a pain for no real benefit. I was thinking of dropping them to a workgroup and just using the shares, if they'll work then; that's all they really use anyway.
0
 

Author Comment

by:RRafuls
ID: 33653784
Just so all of you know, I really appreciate this.
0
 
LVL 76

Assisted Solution

by:arnold
arnold earned 500 total points
ID: 33654547
The use of AD is to simplify and centrally manage the users as well as avoid the possibility that valuable information might be lost with the workstation.
This setup also provides for a single point of data backup. i.e. backup the server versus having to backup every workstation.


Double check the permissions on the shares.  The shares may have remained, but their security/permissions might be referencing the OLD AD UID/GUIDs and now with the "new" AD those are seen as inoperative/invalid.

In the condition you are now, there is no option other than to recreate the whole thing from scratch. AD and then join the workstations. Add/setup the new users. Configure the shares, etc.
0
 

Author Comment

by:RRafuls
ID: 33654603
I tried recreating from scratch. I uninstalled AD, re-installed AD, removed the workstations from the domain and joined them to a work group, added the user to AD and created folders and pointers for roaming profiles, rejoined the workstations to the domain, shut off the workstations, copied their old profiles to their new folders, and re-logged them in. It still didn't work. I rebuilt 2 of the 4: 1 couldn't access their my docs, the folder opened but it was empty; the other could access their my docs, but the profile wouldn't load.

They do backup at the workstations already with external hard drives.

I have created new shares but the users can't see them. Even if I specifically add them to the list, give them full control, and make them the owner.

I realize how AD would come in handy if they had 50-100 users but 4?
0
 
LVL 76

Expert Comment

by:arnold
ID: 33654649
Several things do not make sense.

Could they have used folder redirection?
I.e. the profile is stored in one share while the user's folder such as my documents, desktop, application data, and start menu are stored in a separate share?
This speeds up the load since the profile is often maintained small maxing out at 10MB while the larger portion i.e. application data, my documents and desktop are redirected from the local system to a separate share and when offline caching is permitted, the user does not see a difference.

Did you try to force the new users to access the old roaming profiles?  The UID/SIDs would be different and may explain the issues.  If you are starting from scratch, do so.  Once the new user's profile is created in the roaming share, you can always copy the my documents/desktop and favorites from the old one to the new one, which should inherit the permission from the parent directory.
The user would then be able to access this.

If you do not have AD set up and the environment expands, i.e. goes from 4 users to 12 users working in shifts, you will run into issues trying to either set up the AD and then try to avoid losing the 4 users' data, OR have to go add the additional 8 users to each of the workstations just in case they pick one on which you did not set their user up.
0
 

Author Comment

by:RRafuls
ID: 33654686
They did, I recreated this.

Let me see if I understand the 2nd paragraph right. This is what I did with regard to that. I made a new user, had it create a new profile when it logged in, then logged them out and copied the contents of their old profile folder to the new one I made so their stuff would come back, and copied the contents of their my docs into the new my docs. Did I do this right?

My docs is created like this. AD Forces a map, Drive H:\ to a share on the server. My docs on desktop is mapped to drive H:\. Map shows correctly, but opens empty.

0
 
LVL 76

Expert Comment

by:arnold
ID: 33654731
You can not copy the entire profile from the old to the new; ntuser.dat will have an incorrect reference to the UID/SID.
You should only copy their documents:
favorites, user's documents/my documents\*, Desktop.
Personally, I would stay away from copying the application data folder, since part of that contains the user identity (application data\microsoft), which will be invalid in the new AD.

The only thing you can bring back is their documents, their settings/appearance can not be brought back in this fashion.


I am not getting a clear picture of your AD/GPO configuration.

Are you using folder redirection?

What are the settings on the share where drive H: points?  Check the caching options and change them to not allow offline caching.
This way the my documents access must be direct.

roaming with folder redirection:
\\domain\userprofiles\%username%

The redirected folders would be:
\\domain\userfolders\%username%\
which is also the home drive where Desktop, My documents, Application Data and Start menu will be listed.

If you want the administrator group to have rights on the created roaming profiles, configure the GPO for the workstations to add the administrators group to the roaming profiles.
0
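The SID mismatch raised in the comment above, and in arnold's earlier remark about share permissions referencing the old AD, can be checked on the file server. The following PowerShell script is an added example, not something posted in the thread: it lists owners and access entries on each profile folder and its NTUSER.DAT whose SID no longer resolves to an account in the current domain. The path `D:\UserProfiles` is a placeholder for the local folder behind the profile share; run it as an administrator on a domain-joined server.

```powershell
# Added example: report owners/ACEs whose SID cannot be resolved (left over from a previous AD).
param(
    [string]$ProfileRoot = 'D:\UserProfiles'   # placeholder: local path behind the profile share
)

function Test-SidResolves {
    param($Sid)
    try {
        # Translate() asks the local machine / current domain for an account name
        [void]$Sid.Translate([System.Security.Principal.NTAccount])
        return $true
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $false    # no account in the current domain owns this SID
    }
}

function Get-OrphanedAce {
    param([string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl = Get-Acl -LiteralPath $Path

    # Owner matters here: the profile owner must be the (current) user account
    $owner = $acl.GetOwner($sidType)
    if ($owner -and -not (Test-SidResolves $owner)) {
        [pscustomobject]@{ Path = $Path; Kind = 'Owner'; Sid = $owner.Value; Rights = '' }
    }

    # Explicit and inherited entries, returned as raw SIDs rather than names
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if (-not (Test-SidResolves $ace.IdentityReference)) {
            $kind = if ($ace.IsInherited) { 'Inherited ACE' } else { 'Explicit ACE' }
            [pscustomobject]@{
                Path   = $Path
                Kind   = $kind
                Sid    = $ace.IdentityReference.Value
                Rights = $ace.FileSystemRights
            }
        }
    }
}

# One folder per user under the profile root; NTUSER.DAT is hidden but still reachable by path
Get-ChildItem -LiteralPath $ProfileRoot -Directory | ForEach-Object {
    Get-OrphanedAce -Path $_.FullName
    $hive = Join-Path $_.FullName 'NTUSER.DAT'
    if (Test-Path -LiteralPath $hive) { Get-OrphanedAce -Path $hive }
} | Format-Table -AutoSize
```

Any row in the output is a permission entry that grants access to an account the rebuilt domain does not know, which is why users who appear to have "full control" by name on a freshly created folder can still be locked out of copied data.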
 

Author Comment

by:RRafuls
ID: 33654745
You said
"roaming with folder redirection:
\\domain\userprofiles\%username%

The redirected folders would be:
\\domain\userfolders\%username%\
which is also the home drive where Desktop, My documents, Application Data and Start menu will be listed."

This is what I did. Only I used:
\\server\user profiles\profiles\{user name}
\\server\user profiles\documents\{user name}

I will try recreating again on Monday and NOT copying the suggested files.

Thank you so much. I hope this works.
0
 
LVL 76

Expert Comment

by:arnold
ID: 33654780
You can do the folder redirection as you have, the problem I see is that you will have more shares: i.e.
I would strongly suggest you do not use \\server\ but use \\domain.
\\domain always points to the DC.
This also simplifies things if you should ever add another server and you want that server to host this share.  You would then use DFS and point the target for \\domain\share to \\server\share without the user having to unmap and remap the shares.

in your example:
you would need to then have:
\\domain\user profiles\application data\{user name}
\\domain\user profiles\start menu\{user name}
\\domain\user profiles\Desktop\{user name}

in my example,
when creating the user and specifying the home directory map i.e.
U: \\domain\userfolders\%username%

and then creating the folder redirection for each folder to \\domain\userfolders\%username%\*

The breakout you have adds to overhead in terms of how many shares you have to have.


0
 

Author Comment

by:RRafuls
ID: 33654791
I did home directory map. I just couldn't remember the name. I think what I called documents is the home folder.
0
 

Accepted Solution

by:
RRafuls earned 0 total points
ID: 33664094
I think I got it fixed.

Not only did I have to rebuild the profile as explained above but I had to rename the server as the workstations were still trying to hit the old one.

Once I renamed the server, all went well. I could see all shares, log in properly, etc. The only difficulty that I had was that I had to re-install Office, but I had to force remove the old Office install with a Microsoft tool.

I will update if any more problems.
0
 

Author Comment

by:RRafuls
ID: 34617659
Done
0
 

Author Closing Comment

by:RRafuls
ID: 34662608
That's what fixed it
0
