Logon Script / Group Policy fails at very random times on PCs in a single site
Experts,
I've been troubled with a single site that seems to have issues with users logging in at VERY random times. Of our 45+ AD sites, this particular site in question is the only one seemingly to have the problems I'm describing here, as it hasn't been noticed elsewhere in the entire Domain (as far as I'm aware).
The issue is completely random, and fairly inconsistent - but it happens enough that it's a somewhat regular "thing."
Here are the symptoms:
- Users log into the PCs, but the login script (KIXTART) does not run.
- When this occurs, this log entry gets put in the Application log:
Windows cannot obtain the domain controller name for your computer network. (A socket operation was attempted to an unreachable host. ). Group Policy processing aborted.
- Users (upon seeing they have no additional mapped drives by the logon script) immediately log out and right back in again. On the 2nd log in, everything is perfect and Group Policy processing occurs normally, as well as the login script is able to run with out any hickups.
There is no matching patterns in any of this, and as an example - in a meeting room of about 20 PCs, 18 users can log in with absolutely no issues, where 2 need to complete the sequence described above (logout/log right back in). And it's compounded by the fact that it's PCs accross the entire site, and never the same units in a row.
A PC that previously had the issue, will work absolutely perfect for weeks - but then at what seems like as random as it can possibly get, it happens again.
In trying to identify the cause / frequency of these events, I've been scouring logs *Fun day at work all around, but here's an example of this happening on a particular PC. The randomness of it makes this very hard to pin down what's causing it.
I have followed MANY different KB Articles to try and pretty much throw anything into this problem to see if anything comes out of it - but nothing seems to work.
We've disabled the Media Sensing feature for TCP/IP as per http://support.microsoft.com/?id=326152
We've adjusted the GpNetworkStartTimeoutPolic
We've also adjusted the ExpectedDialupDelay as per http://technet.microsoft.com/en-us/library/cc957332.aspx
DNS Configuration would have been my next guess, but that's fine as well.
Primary Secondary
DC Itself DC in another geographic location
Clients DC in local site DC in another geographic location (same as DC's DNS)
This site has just about 200 client PCs (WinXP), and a single DC (Server 2k8).
We do ~not~ use roaming profiles at all, but we are using folder redirection for "my documents".
The DC itself is VERY healthy, and there are no reported problems in dcdiag.
(Except the entries of me logging into the server with printers / folder redirection), and the logged error about replication but we're not using ReadOnlyDCs in our Enterprise - all of which are non-issues.
My apologies for the wall of text above, but I'm completely out of ideas on what to do here. Have any one of you guys ever seen/experienced a similar problem like this in the past?
I've been troubled with a single site that seems to have issues with users logging in at VERY random times. Of our 45+ AD sites, this particular site in question is the only one seemingly to have the problems I'm describing here, as it hasn't been noticed elsewhere in the entire Domain (as far as I'm aware).
The issue is completely random, and fairly inconsistent - but it happens enough that it's a somewhat regular "thing."
Here are the symptoms:
- Users log into the PCs, but the login script (KIXTART) does not run.
- When this occurs, this log entry gets put in the Application log:
Windows cannot obtain the domain controller name for your computer network. (A socket operation was attempted to an unreachable host. ). Group Policy processing aborted.
- Users (upon seeing they have no additional mapped drives by the logon script) immediately log out and right back in again. On the 2nd log in, everything is perfect and Group Policy processing occurs normally, as well as the login script is able to run with out any hickups.
There is no matching patterns in any of this, and as an example - in a meeting room of about 20 PCs, 18 users can log in with absolutely no issues, where 2 need to complete the sequence described above (logout/log right back in). And it's compounded by the fact that it's PCs accross the entire site, and never the same units in a row.
A PC that previously had the issue, will work absolutely perfect for weeks - but then at what seems like as random as it can possibly get, it happens again.
In trying to identify the cause / frequency of these events, I've been scouring logs *Fun day at work all around, but here's an example of this happening on a particular PC. The randomness of it makes this very hard to pin down what's causing it.
1054,ERROR,Userenv,Fri Mar 23 13:06:11 2012,NT AUTHORITY\SYSTEM, A socket operation was attempted to an unreachable host.
1054,ERROR,Userenv,Tue Mar 20 07:54:54 2012,NT AUTHORITY\SYSTEM, A socket operation was attempted to an unreachable host.
1054,ERROR,Userenv,Thu Mar 15 13:52:45 2012,NT AUTHORITY\SYSTEM, A socket operation was attempted to an unreachable host.
1054,ERROR,Userenv,Thu Mar 01 14:03:01 2012,NT AUTHORITY\SYSTEM, A socket operation was attempted to an unreachable host.
1054,ERROR,Userenv,Wed Jan 18 13:52:28 2012,NT AUTHORITY\SYSTEM, A socket operation was attempted to an unreachable host.
1054,ERROR,Userenv,Tue Oct 04 10:13:43 2011,NT AUTHORITY\SYSTEM, The specified domain either does not exist or could not be contacted. I have followed MANY different KB Articles to try and pretty much throw anything into this problem to see if anything comes out of it - but nothing seems to work.
We've disabled the Media Sensing feature for TCP/IP as per http://support.microsoft.com/?id=326152
We've adjusted the GpNetworkStartTimeoutPolic
We've also adjusted the ExpectedDialupDelay as per http://technet.microsoft.com/en-us/library/cc957332.aspx
DNS Configuration would have been my next guess, but that's fine as well.
Primary Secondary
DC Itself DC in another geographic location
Clients DC in local site DC in another geographic location (same as DC's DNS)
This site has just about 200 client PCs (WinXP), and a single DC (Server 2k8).
We do ~not~ use roaming profiles at all, but we are using folder redirection for "my documents".
The DC itself is VERY healthy, and there are no reported problems in dcdiag.
(Except the entries of me logging into the server with printers / folder redirection), and the logged error about replication but we're not using ReadOnlyDCs in our Enterprise - all of which are non-issues.
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = %DCNAME%
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: %PARENTDC%\%DCNAME%
Starting test: Connectivity
......................... %DCNAME% passed test Connectivity
Doing primary tests
Testing server: PAC-DBES\%DCNAME%
Starting test: Advertising
......................... %DCNAME% passed test Advertising
Starting test: FrsEvent
......................... %DCNAME% passed test FrsEvent
Starting test: DFSREvent
......................... %DCNAME% passed test DFSREvent
Starting test: SysVolCheck
......................... %DCNAME% passed test SysVolCheck
Starting test: KccEvent
......................... %DCNAME% passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... %DCNAME% passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... %DCNAME% passed test MachineAccount
Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,%DOMAINNAME%
......................... %DCNAME% failed test NCSecDesc
Starting test: NetLogons
......................... %DCNAME% passed test NetLogons
Starting test: ObjectsReplicated
......................... %DCNAME% passed test ObjectsReplicated
Starting test: Replications
REPLICATION-RECEIVED LATENCY WARNING
%DCNAME%: Current time is 2012-03-22 14:03:22.
%DOMAINNAME%
Last replication received from %REMOVEDDC% at
2011-10-06 08:48:12
WARNING: This latency is over the Tombstone Lifetime of 60
days!
......................... %DCNAME% passed test Replications
Starting test: RidManager
......................... %DCNAME% passed test RidManager
Starting test: Services
......................... %DCNAME% passed test Services
Starting test: SystemLog
An Warning Event occurred. EventID: 0x0000043D
Time Generated: 03/22/2012 13:53:49
Event String:
Windows failed to apply the Folder Redirection settings. Folder Redirection settings might have its own log file. Please click on the "More information" link.
An Error Event occurred. EventID: 0x00000457
Time Generated: 03/22/2012 13:53:55
Event String:
Driver Dell 5330dn Mono Laser Printer required for printer %RDC_PRINTER% is unknown. Contact the administrator to install the driver before you log in again.
An Error Event occurred. EventID: 0x00000457
Time Generated: 03/22/2012 13:53:56
Event String:
Driver Kyocera FS-C5030N KX required for printer %RDC_PRINTER% is unknown. Contact the administrator to install the driver before you log in again.
An Error Event occurred. EventID: 0x00000457
Time Generated: 03/22/2012 13:53:57
Event String:
Driver Dell 5330dn Mono Laser Printer required for printer %RDC_PRINTER% is unknown. Contact the administrator to install the driver before you log in again.
An Error Event occurred. EventID: 0x00000457
Time Generated: 03/22/2012 13:53:59
Event String:
Driver Dell Color Laser 3110cn PCL6 required for printer %RDC_PRINTER% is unknown. Contact the administrator to install the driver before you log in again.
An Error Event occurred. EventID: 0x00000457
Time Generated: 03/22/2012 13:54:00
Event String:
Driver Dell 5330dn Mono Laser Printer required for printer %RDC_PRINTER% is unknown. Contact the administrator to install the driver before you log in again.
......................... %DCNAME% failed test SystemLog
Starting test: VerifyReferences
......................... %DCNAME% passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : PAC
Starting test: CheckSDRefDom
......................... PAC passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... PAC passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running enterprise tests on : %DOMAINNAME%
Starting test: LocatorCheck
......................... %DOMAINNAME% passed test LocatorCheck
Starting test: Intersite
......................... %DOMAINNAME% passed test IntersiteMy apologies for the wall of text above, but I'm completely out of ideas on what to do here. Have any one of you guys ever seen/experienced a similar problem like this in the past?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
My apologies in delay. Much appreciated on the assistance.
ASKER
I couldn't find that setting being attached anywhere.
Very strange, since that was one of the first things I really did check. And I know it was there.
- Anyhow, much appreciated on the assistance. I'll let you know how everything pans out here shortly.