Solved

Logon Script / Group Policy fails at very random times on PCs in a single site

Posted on 2012-03-22
4
581 Views
Last Modified: 2012-04-22
Experts,

I've been troubled with a single site that seems to have issues with users logging in at VERY random times.  Of our 45+ AD sites, this particular site in question is the only one seemingly to have the problems I'm describing here, as it hasn't been noticed elsewhere in the entire Domain (as far as I'm aware).

The issue is completely random, and fairly inconsistent - but it happens enough that it's a somewhat regular "thing."

Here are the symptoms:
     - Users log into the PCs, but the login script (KIXTART) does not run.
     - When this occurs, this log entry gets put in the Application log:
               Windows cannot obtain the domain controller name for your computer network. (A socket operation was attempted to an unreachable host. ). Group Policy processing aborted.
     - Users (upon seeing they have no additional mapped drives by the logon script) immediately log out and right back in again.  On the 2nd log in, everything is perfect and Group Policy processing occurs normally, as well as the login script is able to run with out any hickups.

There is no matching patterns in any of this, and as an example - in a meeting room of about 20 PCs, 18 users can log in with absolutely no issues, where 2 need to complete the sequence described above (logout/log right back in).  And it's compounded by the fact that it's PCs accross the entire site, and never the same units in a row.

A PC that previously had the issue, will work absolutely perfect for weeks - but then at what seems like as random as it can possibly get, it happens again.

In trying to identify the cause / frequency of these events, I've been scouring logs *Fun day at work all around, but here's an example of this happening on a particular PC.  The randomness of it makes this very hard to pin down what's causing it.
1054,ERROR,Userenv,Fri Mar 23 13:06:11 2012,NT AUTHORITY\SYSTEM, A socket operation was attempted to an unreachable host. 
1054,ERROR,Userenv,Tue Mar 20 07:54:54 2012,NT AUTHORITY\SYSTEM, A socket operation was attempted to an unreachable host. 
1054,ERROR,Userenv,Thu Mar 15 13:52:45 2012,NT AUTHORITY\SYSTEM, A socket operation was attempted to an unreachable host. 
1054,ERROR,Userenv,Thu Mar 01 14:03:01 2012,NT AUTHORITY\SYSTEM, A socket operation was attempted to an unreachable host. 
1054,ERROR,Userenv,Wed Jan 18 13:52:28 2012,NT AUTHORITY\SYSTEM, A socket operation was attempted to an unreachable host. 
1054,ERROR,Userenv,Tue Oct 04 10:13:43 2011,NT AUTHORITY\SYSTEM, The specified domain either does not exist or could not be contacted. 

Open in new window



I have followed MANY different KB Articles to try and pretty much throw anything into this problem to see if anything comes out of it - but nothing seems to work.

  We've disabled the Media Sensing feature for TCP/IP as per http://support.microsoft.com/?id=326152
  We've adjusted the GpNetworkStartTimeoutPolicyValue as per http://support.microsoft.com/kb/840669
  We've also adjusted the ExpectedDialupDelay as per http://technet.microsoft.com/en-us/library/cc957332.aspx

DNS Configuration would have been my next guess, but that's fine as well.
                Primary                              Secondary
DC           Itself                                  DC in another geographic location
Clients     DC in local site                  DC in another geographic location (same as DC's DNS)

This site has just about 200 client PCs (WinXP), and a single DC (Server 2k8).
We do ~not~ use roaming profiles at all, but we are using folder redirection for "my documents".

The DC itself is VERY healthy, and there are no reported problems in dcdiag.
    (Except the entries of me logging into the server with printers / folder redirection), and the logged error about replication but we're not using ReadOnlyDCs in our Enterprise - all of which are non-issues.

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = %DCNAME%
   * Identified AD Forest. 
   Done gathering initial info.

Doing initial required tests
   
   Testing server: %PARENTDC%\%DCNAME%
      Starting test: Connectivity
         ......................... %DCNAME% passed test Connectivity

Doing primary tests
   
   Testing server: PAC-DBES\%DCNAME%
      Starting test: Advertising
         ......................... %DCNAME% passed test Advertising
      Starting test: FrsEvent
         ......................... %DCNAME% passed test FrsEvent
      Starting test: DFSREvent
         ......................... %DCNAME% passed test DFSREvent
      Starting test: SysVolCheck
         ......................... %DCNAME% passed test SysVolCheck
      Starting test: KccEvent
         ......................... %DCNAME% passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... %DCNAME% passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... %DCNAME% passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have 
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,%DOMAINNAME%
         ......................... %DCNAME% failed test NCSecDesc
      Starting test: NetLogons
         ......................... %DCNAME% passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... %DCNAME% passed test ObjectsReplicated
      Starting test: Replications
         REPLICATION-RECEIVED LATENCY WARNING
         %DCNAME%:  Current time is 2012-03-22 14:03:22.
            %DOMAINNAME%
               Last replication received from %REMOVEDDC% at 
          2011-10-06 08:48:12 
               WARNING:  This latency is over the Tombstone Lifetime of 60
         days!
         ......................... %DCNAME% passed test Replications
      Starting test: RidManager
         ......................... %DCNAME% passed test RidManager
      Starting test: Services
         ......................... %DCNAME% passed test Services
      Starting test: SystemLog
         An Warning Event occurred.  EventID: 0x0000043D
            Time Generated: 03/22/2012   13:53:49
            Event String:
            Windows failed to apply the Folder Redirection settings. Folder Redirection settings might have its own log file. Please click on the "More information" link.
         An Error Event occurred.  EventID: 0x00000457
            Time Generated: 03/22/2012   13:53:55
            Event String:
            Driver Dell 5330dn Mono Laser Printer required for printer %RDC_PRINTER% is unknown. Contact the administrator to install the driver before you log in again.
         An Error Event occurred.  EventID: 0x00000457
            Time Generated: 03/22/2012   13:53:56
            Event String:
            Driver Kyocera FS-C5030N KX required for printer %RDC_PRINTER% is unknown. Contact the administrator to install the driver before you log in again.
         An Error Event occurred.  EventID: 0x00000457
            Time Generated: 03/22/2012   13:53:57
            Event String:
            Driver Dell 5330dn Mono Laser Printer required for printer %RDC_PRINTER% is unknown. Contact the administrator to install the driver before you log in again.
         An Error Event occurred.  EventID: 0x00000457
            Time Generated: 03/22/2012   13:53:59
            Event String:
            Driver Dell Color Laser 3110cn PCL6 required for printer %RDC_PRINTER% is unknown. Contact the administrator to install the driver before you log in again.
         An Error Event occurred.  EventID: 0x00000457
            Time Generated: 03/22/2012   13:54:00
            Event String:
            Driver Dell 5330dn Mono Laser Printer required for printer %RDC_PRINTER% is unknown. Contact the administrator to install the driver before you log in again.
         ......................... %DCNAME% failed test SystemLog
      Starting test: VerifyReferences
         ......................... %DCNAME% passed test VerifyReferences
   
   
   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation
   
   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation
   
   Running partition tests on : PAC
      Starting test: CheckSDRefDom
         ......................... PAC passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... PAC passed test CrossRefValidation
   
   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
   
   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
   
   Running enterprise tests on : %DOMAINNAME%
      Starting test: LocatorCheck
         ......................... %DOMAINNAME% passed test LocatorCheck
      Starting test: Intersite
         ......................... %DOMAINNAME% passed test Intersite

Open in new window




My apologies for the wall of text above, but I'm completely out of ideas on what to do here.  Have any one of you guys ever seen/experienced a similar problem like this in the past?
0
Comment
Question by:usslindstrom
  • 2
4 Comments
 
LVL 8

Accepted Solution

by:
PenguinN earned 500 total points
ID: 37756134
Sounds like link congestion but why this happens randomly is not really clear of cause. Could the problem be that the workstations logon before they have network access. A way around this would be to set the wait for network policy.

Use gpedit.msc, navigate to Computer Configuration/Administrative Templates/System/Logon

Set Always wait for the network at computer startup and logon to Enabled

You would have to run gpupdate /force on the troubling computer and reboot it. It will probably take time to see the effect since it's not alwait occuring.
0
 
LVL 5

Author Comment

by:usslindstrom
ID: 37763728
I had already checked that setting when this problem came up - and I could have sworn that it was already set.  But on your suggestion, I decided to review all GPOs in our domain.

I couldn't find that setting being attached anywhere.

Very strange, since that was one of the first things I really did check.  And I know it was there.

 - Anyhow, much appreciated on the assistance.  I'll let you know how everything pans out here shortly.
0
 
LVL 5

Author Comment

by:usslindstrom
ID: 37879151
My apologies in delay.  Much appreciated on the assistance.
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
When you start your Windows 10 PC and got an "Operating system not found" error or just saw  "Auto repair for startup". After a while, you have entered a loop for Auto repair which does not fix anything and you will be in a  panic as all your work w…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now