Folder redirection not applying the same for every user

How is the policy applied ... OU based or how ?
What if you run GPMC do you see that policy applied to the user.

- Rancy

Hi Rancy,

The policy is applied using security groups.  

Example Groups:

HS Redirection
MS Redirection
DE Redirection
SE Redirection
CO Redirection

GPMC is showing it applies with no errors.

What i meant was is the Policy applied to Users\OU\etc ?

Is the affected machine and the working machine having the same OS version ?

- Rancy

It is applied to users (via groups).  

In the lab environment they are the same exact type of laptop with the same Windows XP images on every laptop.  

Throughout the district we are using multiple computer types with a mixture of Windows XP and Windows 7.

Have a look at the event logs on a client that isn't working. This will usually give you a reason why the gpo/redirections aren't applying properly

Did you try to run .... Gpupdate /force and restart and check.
Hope users are logging into the domain ? Is there a specific GP not working or all working just few machines or users ? (Anything you noticed that is it some machines or users having issue)

- Rancy

I have done gpupdate /force with a restart.  Users are logging into one domain only.  All are working according to GPMC.

I haven't actually looked at event logs on each machine.  I have checked via group policy results using the GPMC.

How many DC's are there in the domain?

IF you have more than 1 then confirm that they are syncing correctly, also check the File replication logs for NTFRS issues.  It may be the case that the GPO's are not applying across all DC's and so the policy applies intermittently depending on which DC they are logging into...

Maybe can also enable for veebose diagnostic log for folder redirection to sieve out hints

http://sourcedaddy.com/windows-7/troubleshooting-folder-redirection.html

Dleaver,

This could be the culprit.  I have ran dcdiag but not familiar with any commands to verify if the DCs are replicating properly.  I have two DCs by the way.

What's the best way to go about verifying sync?

The first place to check is the event logs.

The Directory Service event log will notify you of any AD sync issues and the File Replication event log will notify you of any NTFRS errors.

GPO's are split into two - the group policy container syncs in AD and the group policy template syncs via the file replication.  

Post back any errors

Log Name:      File Replication Service
Source:        NtFrs
Date:          8/21/2012 3:56:40 PM
Event ID:      13516
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      RICHMOND-DC.richmond.k12.mo.us
Description:
The File Replication Service is no longer preventing the computer RICHMOND-DC from becoming a domain controller.
The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.


 
Log Name:      File Replication Service
Source:        NtFrs
Date:          8/21/2012 3:58:20 PM
Event ID:      13508
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      RICHMOND-DC.richmond.k12.mo.us
Description:
The File Replication Service is having trouble enabling replication from RICHMOND-BDC to RICHMOND-DC for c:\windows\sysvol\domain using the DNS name RICHMOND-BDC.richmond.k12.mo.us. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 
 [1] FRS can not correctly resolve the DNS name RICHMOND-BDC.richmond.k12.mo.us from this computer.
 [2] FRS is not running on RICHMOND-BDC.richmond.k12.mo.us.
 [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.
 
Log Name:      File Replication Service
Source:        NtFrs
Date:          8/21/2012 4:14:10 PM
Event ID:      13509
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      RICHMOND-DC.richmond.k12.mo.us
Description:
The File Replication Service has enabled replication from RICHMOND-BDC to RICHMOND-DC for c:\windows\sysvol\domain after repeated retries.


Log Name:      File Replication Service
Source:        NtFrs
Date:          8/27/2012 8:01:33 AM
Event ID:      13516
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      RICHMOND-DC.richmond.k12.mo.us
Description:
The File Replication Service is no longer preventing the computer RICHMOND-DC from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.
 
Type "net share" to check for the SYSVOL share.

net share results

Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\Windows                      Remote Admin
NETLOGON     C:\Windows\SYSVOL\sysvol\richmond.k12.mo.us\SCRIPTS
                                             Logon server share
SYSVOL       C:\Windows\SYSVOL\sysvol        Logon server share
The command completed successfully.

I am also getting quite a few of these types of errors.  
Log Name:      System
Source:        srv
Date:          8/27/2012 3:17:38 PM
Event ID:      2012
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      RICHMOND-DC.richmond.k12.mo.us
Description:
While transmitting or receiving data, the server encountered a network error. Occassional errors are expected, but large amounts of these indicate a possible error in your network configuration.  The error status code is contained within the returned data (formatted as Words) and may point you towards the problem.

As well as the following errors.  It varies from every couple of days to sometimes every 5 or 6 days.


Log Name:      Application
Source:        Microsoft-Windows-WMI
Date:          8/27/2012 8:01:35 AM
Event ID:      10
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      RICHMOND-DC.richmond.k12.mo.us
Description:
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Hopefully that wasn't overkill.  I did check the Directory Service logs and don't see any glaring indicators of sync issues.  

I have to restate my DC count.  

I actually have three DC's.  Two of them are new 2008 r2 servers, one of them is a leftover Exchange 2003 server.  It is running as a domain controller as well as dns.  DNS (on the Exchange 2003 server) was causing a lot of corruption so that service has been removed.  The exchange server is old and failing.  I've been milking it along until I get a replacement.

Hi Rancy,

Actually there were quite a few DCs that were removed.  I thought I had gotten rid of any last vestiges of those but it is definately possible there's crap leftover.  In the 4 months that i've had the job I've had 4 servers kick the bucket (all Server 2003, all DC's, on hardware that was over 12 years old).

It appears that all of the GPT's are identical.  SYSVOL and NETSHARE folders exist.  When running ntdsutil on my exchange server, I get the following (in bold).  

Found 1 site(s)
0 - CN=RPS,CN=Sites,CN=Configuration,DC=richmond,DC=k12,DC=mo,DC=us
select operation target: select site 0
Site - CN=RPS,CN=Sites,CN=Configuration,DC=richmond,DC=k12,DC=mo,DC=us
Domain - DC=richmond,DC=k12,DC=mo,DC=us
No current server
No current Naming Context
select operation target: list servers in site
Found 1 server(s)
0 - (null)
select operation target: select server 0
DsListInfoForServerW error 0x57(The parameter is incorrect.)
Continuing ...
Site - CN=RPS,CN=Sites,CN=Configuration,DC=richmond,DC=k12,DC=mo,DC=us
Domain - DC=richmond,DC=k12,DC=mo,DC=us
Server - (null)No current Naming Context
select operation target:

After looking up the DsListInfoForServerW error 0x57

I found the following knowledgebase article that describes the exact problem.  
http://support.microsoft.com/kb/958839

My concern is twofold.  
If I run the command as stated, will this mess up the exchange server as a domain controller?  

It's my understanding that Exchange Server 2003 has to be a domain controller?  Am I mistaken in this?

I truly appreciate your help with this.  I won't say I'm a complete newb to Active Directory, but I inherited quite a mess.  I'm learning alot as we go along.

That should be the opposite (unless you are dealing with SBS) Exchange shouldn't be on a domain controller.

Where are you running the ntdsutil?  on an existing DC?

Just run the following to check none of your FSMO roles are assigned to one of the dead DC's

netdom query fsmo

If they are let us know....

Have you checked client error logs yet? This will help you point towards DNS/permissions/DC location/Kerberos etc etc

To be very true i have always been able to remove using ntdsutil ...... i saw the Support article and it also shows Metadata cleanup but from ADAM .....

Exchange on a DC isnt recommended and if so it isnt recommended to demote that DC to member server.

I won't say I'm a complete newb to Active Directory, but I inherited quite a mess - I agree seeing you with all this.

- Rancy

I am running ntdsutil on each DC.  The DC that I get the error message from is the Exchange Server 2003.

I just ran netdom query fsmo and everything is good to go there.  The roles are running on my PDC (2008 r2).

I am not running SBS.  If I run the the meta data cleanup (from KB article) on my exchange server, do I take the risk of screwing up the exchange server?  It's dying a slow death with failed fans and a failed hard drive, I'm almost scared to touch it ;o)

Of course if it dies it will force the district to hurry the purchase of a replacement.

So am I right in saying the Exchange server was once a DC?  If it has already been demoted and just running as an Exchange server member then it shouldn't be an issue, however if it is still an active DC then leave it be until it dies as removing the AD will cause more problems than good

The exchange server is still a DC (minus dns).  I haven't demoted it and thanks to you and Rancy's advice will not be demoted.

Ok, so leaving that as it is

Have you cleaned out the dead DC's and checked the GPC and GPT parts of the polices match up?....

Ideally removing stale object doesnt harms anything ..... but i havent worked with that article that you shared so cant comment on it :(

Why not push the Mgmt for new server if possible :)

- Rancy

Yes, none of the old DC's are showing up and the GPC and GPT are matching.

I am finding out as this goes on that it's not just affecting GPO's, but affecting how users access shares.

Some users cannot access shares that they could once access (like last week).  All share permissions are correct and ntfs permissions are correct.  As I said, they could access it fine last week.

The fix seems to be removing the computer from the domain and re-adding it to the domain.  I've tried this for one user and when her computer was re-addes she could "magically" access the share.

I have a feeling this is a related issue.  So I'm going today to try this out on another user in my special ed department.  

Sorry so lengthy.  My gut tells me this is all related.  I just wish there were an easier way to remove and re-add a computer to the domain.  I have over 800 computers in the district.

Rancy:

I've pushed and pushed for a new server.  Because we've spent a ton of money on a 10GB switch infrastructure, 4 new poweredge servers, etc. the money has pretty much dried up.  And I'm also dealing with a lot of politics.  The new exchange server is out for bid, but it's a lengthy process.  Hopefully I will see a new Exchange 2010 server in the next month or so.

The fix seems to be removing the computer from the domain and re-adding it to the domain.  I've tried this for one user and when her computer was re-addes she could "magically" access the share - Maybe some information of some old server cleared after disjoin and rejoin ? :)

Sorry so lengthy.  My gut tells me this is all related.  I just wish there were an easier way to remove and re-add a computer to the domain.  I have over 800 computers in the district - Its a pain to do so many machines :(

I'm also dealing with a lot of politics - This always i very much in IT :(

Hopefully I will see a new Exchange 2010 server in the next month or so - Figners crossed and Best Wishes :)

- Rancy

It looks like the fun just never ends.  Just had a call from a user who tried to logon and got the following message:

Security Database on Server doesn't have a trust relationship with this computer.

Researching now

Figured this one out.  For some reason the computer left the domain.  I don't know why

I truly appreciate all the help I received for this problem.  It helped me to verify and resolve some issues, but my overall problems still remain.  I think it's going to come down to re-imaging every single computer with a clean image, and re-adding it to the domain.  A tricky prospect during school.

You guys have been awesome.  I've just got to keep plugging away.  For those of you out there that have inherited a domain minus any documentation, I feel your pain.