Folder redirection not applying the same for every user

I have recently taken over as technology coordinator for a school district.  

I have some issues with folder redirection.

I have a lab in one of the elementary schools that used to have roaming profiles along with folder redirection enabled (RUP used to be implemented for every user, over 700 of them).

1.  Roaming profiles are no longer being used (extremely long logon times)
2.  Folder redirection is being applied for desktop and documents
3.  Elementary Lab Students are all using the same login id

Example 1:
The instructor used to be able to add items to the desktop from his machine, do a refresh, and see it reflected on all of the desktops.  This no longer seems to work.  I also noticed that only two desktops out of the 30 laptop computers seemed to come up with the same desktop (icons, shortcuts, etc).

Example 2:
I've noticed this on quite a few computers throughout the district.  I know that for instance I can log on to a Windows 7 machine and log on to a Windows XP machine and the desktop is the same, so desktop redirection appears to be working fine.  But, I'm getting different results for different users and they are all set up the same exact way (folder redirection with desktop and documents, no roaming profiles).

I can't figure out why some users seem to have no problems, whereas some just don't seem to be getting the correct results.  I've verified that the group policy is being applied without any errors.

I look forward to any suggestions.
Asked by elgraves

DLeaver commented:
As Rancy mentions, if you have a number of old DC's that are now dead then get rid of them using the metadata cleanup as outlined below. Also clear out any old DNS entries that exist for the old servers.

http://www.petri.co.il/delete_failed_dcs_from_ad.htm

It does look like you have had the NTFRS issues you would expect to see for the problem you are having, however the latest ones show that they are resolved.

If you do the following on both DC's

Type net share and ensure the Netlogon and Sysvol folders exist.

Assuming they do then check all of the GPC policies are identical on each DC via the GPMC, then check the GPT's are all identical by checking the C:\WINDOWS\SYSVOL\domain\Policies folder to check all of the policies listed there are identical.
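
An added example, not part of the thread: one way to do the GPT half of the check DLeaver describes, by reading each GPO's GPT.INI version from every DC's copy of the Policies folder and listing only the GPOs that differ. The function names, the temp folder and the GPO GUID are made up for illustration.

```powershell
# Added example, not from the thread. It only reads files; nothing on a DC is changed.
function Get-GptVersion {
    param([string]$PoliciesRoot)
    $found = @{}
    Get-ChildItem -Path $PoliciesRoot |
        Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        ForEach-Object {
            $version = $null   # stays $null when GPT.INI is absent or has no Version line
            $ini = Join-Path $_.FullName 'GPT.INI'
            if (Test-Path $ini) {
                foreach ($line in Get-Content $ini) {
                    if ($line -match '^\s*Version\s*=\s*(\d+)') { $version = [uint32]($Matches[1]) }
                }
            }
            $found[$_.Name.ToUpper()] = $version
        }
    $found
}

function Compare-GptVersion {
    param([hashtable]$Roots)   # DC name -> path of that DC's Policies folder
    $perDc = @{}
    foreach ($dc in $Roots.Keys) { $perDc[$dc] = Get-GptVersion -PoliciesRoot $Roots[$dc] }
    $guids = $perDc.Values | ForEach-Object { $_.Keys } | Sort-Object -Unique
    foreach ($guid in $guids) {
        $distinct = @{}
        $row = New-Object PSObject
        $row | Add-Member -MemberType NoteProperty -Name Gpo -Value $guid
        foreach ($dc in $perDc.Keys) {
            $v = $perDc[$dc][$guid]
            if ($null -eq $v) { $text = 'MISSING' }
            else {
                # GPT.INI Version: high 16 bits = user revision, low 16 bits = computer revision
                $text = 'user {0}, computer {1}' -f ([math]::Floor($v / 65536)), ($v % 65536)
            }
            $distinct[$text] = $true
            $row | Add-Member -MemberType NoteProperty -Name $dc -Value $text
        }
        if ($distinct.Count -gt 1) { $row }   # report only GPOs that differ between DCs
    }
}

# Constructed sample: two temp folders stand in for two DCs' Policies folders.
$gpo  = '{11111111-2222-3333-4444-555555555555}'   # made-up GPO GUID
$demo = Join-Path ([IO.Path]::GetTempPath()) 'gpt-demo'
foreach ($pair in @(@('DC-A', 65539), @('DC-B', 131075))) {
    $dir = Join-Path (Join-Path $demo $pair[0]) $gpo
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    Set-Content -Path (Join-Path $dir 'GPT.INI') -Value "[General]`r`nVersion=$($pair[1])"
}
Compare-GptVersion @{ 'DC-A' = (Join-Path $demo 'DC-A'); 'DC-B' = (Join-Path $demo 'DC-B') } |
    Format-List
```

Against the DCs named in this thread the two roots would be \\RICHMOND-DC\SYSVOL\richmond.k12.mo.us\Policies and \\RICHMOND-BDC\SYSVOL\richmond.k12.mo.us\Policies. This covers only the GPT (SYSVOL) side; the GPC side still has to be compared in GPMC.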
 
Manpreet Singh Khatra (Solutions Architect, Project Lead) commented:
How is the policy applied ... OU based or how?
What if you run GPMC, do you see that policy applied to the user?

- Rancy

elgraves (author) commented:
Hi Rancy,

The policy is applied using security groups.  

Example Groups:

HS Redirection
MS Redirection
DE Redirection
SE Redirection
CO Redirection

GPMC is showing it applies with no errors.

 
Manpreet Singh Khatra (Solutions Architect, Project Lead) commented:
What I meant was, is the policy applied to Users\OU\etc.?

Are the affected machine and the working machine running the same OS version?

- Rancy

elgraves (author) commented:
It is applied to users (via groups).  

In the lab environment they are the same exact type of laptop with the same Windows XP images on every laptop.  

Throughout the district we are using multiple computer types with a mixture of Windows XP and Windows 7.

James Haywood commented:
Have a look at the event logs on a client that isn't working. This will usually give you a reason why the gpo/redirections aren't applying properly

Manpreet Singh Khatra (Solutions Architect, Project Lead) commented:
Did you try to run ... gpupdate /force and restart and check?
Hope users are logging into the domain? Is there a specific GP not working or all working just few machines or users? (Anything you noticed that is it some machines or users having issue)

- Rancy

elgraves (author) commented:
I have done gpupdate /force with a restart.  Users are logging into one domain only.  All are working according to GPMC.

I haven't actually looked at event logs on each machine.  I have checked via group policy results using the GPMC.

DLeaver commented:
How many DC's are there in the domain?

If you have more than 1 then confirm that they are syncing correctly, also check the File replication logs for NTFRS issues.  It may be the case that the GPO's are not applying across all DC's and so the policy applies intermittently depending on which DC they are logging into...

btan (Exec Consultant) commented:
Maybe you can also enable the verbose diagnostic log for folder redirection to sieve out hints

http://sourcedaddy.com/windows-7/troubleshooting-folder-redirection.html

elgraves (author) commented:
DLeaver,

This could be the culprit.  I have run dcdiag but am not familiar with any commands to verify if the DCs are replicating properly.  I have two DCs by the way.

What's the best way to go about verifying sync?

DLeaver commented:
The first place to check is the event logs.

The Directory Service event log will notify you of any AD sync issues and the File Replication event log will notify you of any NTFRS errors.

GPO's are split into two - the group policy container syncs in AD and the group policy template syncs via the file replication.  

Post back any errors

elgraves (author) commented:
Log Name:      File Replication Service
Source:        NtFrs
Date:          8/21/2012 3:56:40 PM
Event ID:      13516
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      RICHMOND-DC.richmond.k12.mo.us
Description:
The File Replication Service is no longer preventing the computer RICHMOND-DC from becoming a domain controller.
The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.


 
Log Name:      File Replication Service
Source:        NtFrs
Date:          8/21/2012 3:58:20 PM
Event ID:      13508
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      RICHMOND-DC.richmond.k12.mo.us
Description:
The File Replication Service is having trouble enabling replication from RICHMOND-BDC to RICHMOND-DC for c:\windows\sysvol\domain using the DNS name RICHMOND-BDC.richmond.k12.mo.us. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 
 [1] FRS can not correctly resolve the DNS name RICHMOND-BDC.richmond.k12.mo.us from this computer.
 [2] FRS is not running on RICHMOND-BDC.richmond.k12.mo.us.
 [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.
 
Log Name:      File Replication Service
Source:        NtFrs
Date:          8/21/2012 4:14:10 PM
Event ID:      13509
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      RICHMOND-DC.richmond.k12.mo.us
Description:
The File Replication Service has enabled replication from RICHMOND-BDC to RICHMOND-DC for c:\windows\sysvol\domain after repeated retries.


Log Name:      File Replication Service
Source:        NtFrs
Date:          8/27/2012 8:01:33 AM
Event ID:      13516
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      RICHMOND-DC.richmond.k12.mo.us
Description:
The File Replication Service is no longer preventing the computer RICHMOND-DC from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.
 
Type "net share" to check for the SYSVOL share.

net share results

Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\Windows                      Remote Admin
NETLOGON     C:\Windows\SYSVOL\sysvol\richmond.k12.mo.us\SCRIPTS
                                             Logon server share
SYSVOL       C:\Windows\SYSVOL\sysvol        Logon server share
The command completed successfully.

elgraves (author) commented:
I am also getting quite a few of these types of errors.  
Log Name:      System
Source:        srv
Date:          8/27/2012 3:17:38 PM
Event ID:      2012
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      RICHMOND-DC.richmond.k12.mo.us
Description:
While transmitting or receiving data, the server encountered a network error. Occassional errors are expected, but large amounts of these indicate a possible error in your network configuration.  The error status code is contained within the returned data (formatted as Words) and may point you towards the problem.

As well as the following errors.  It varies from every couple of days to sometimes every 5 or 6 days.


Log Name:      Application
Source:        Microsoft-Windows-WMI
Date:          8/27/2012 8:01:35 AM
Event ID:      10
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      RICHMOND-DC.richmond.k12.mo.us
Description:
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Manpreet Singh Khatra (Solutions Architect, Project Lead) commented:
Was there ever any other DC that had been removed ... if so might have to do Metadata cleanup.

- Rancy

elgraves (author) commented:
Hopefully that wasn't overkill.  I did check the Directory Service logs and don't see any glaring indicators of sync issues.  

I have to restate my DC count.  

I actually have three DC's.  Two of them are new 2008 r2 servers, one of them is a leftover Exchange 2003 server.  It is running as a domain controller as well as dns.  DNS (on the Exchange 2003 server) was causing a lot of corruption so that service has been removed.  The exchange server is old and failing.  I've been milking it along until I get a replacement.

elgraves (author) commented:
Hi Rancy,

Actually there were quite a few DCs that were removed.  I thought I had gotten rid of any last vestiges of those but it is definitely possible there's crap leftover.  In the 4 months that I've had the job I've had 4 servers kick the bucket (all Server 2003, all DC's, on hardware that was over 12 years old).

elgraves (author) commented:
It appears that all of the GPT's are identical.  SYSVOL and NETSHARE folders exist.  When running ntdsutil on my exchange server, I get the following (in bold).  

Found 1 site(s)
0 - CN=RPS,CN=Sites,CN=Configuration,DC=richmond,DC=k12,DC=mo,DC=us
select operation target: select site 0
Site - CN=RPS,CN=Sites,CN=Configuration,DC=richmond,DC=k12,DC=mo,DC=us
Domain - DC=richmond,DC=k12,DC=mo,DC=us
No current server
No current Naming Context
select operation target: list servers in site
Found 1 server(s)
0 - (null)
select operation target: select server 0
DsListInfoForServerW error 0x57(The parameter is incorrect.)
Continuing ...
Site - CN=RPS,CN=Sites,CN=Configuration,DC=richmond,DC=k12,DC=mo,DC=us
Domain - DC=richmond,DC=k12,DC=mo,DC=us
Server - (null)
No current Naming Context
select operation target:

elgraves (author) commented:
After looking up the DsListInfoForServerW error 0x57

I found the following knowledgebase article that describes the exact problem.  
http://support.microsoft.com/kb/958839

My concern is twofold.  
If I run the command as stated, will this mess up the exchange server as a domain controller?  

It's my understanding that Exchange Server 2003 has to be a domain controller?  Am I mistaken in this?

I truly appreciate your help with this.  I won't say I'm a complete newb to Active Directory, but I inherited quite a mess.  I'm learning a lot as we go along.

DLeaver commented:
That should be the opposite (unless you are dealing with SBS) Exchange shouldn't be on a domain controller.

Where are you running the ntdsutil?  on an existing DC?

Just run the following to check none of your FSMO roles are assigned to one of the dead DC's

netdom query fsmo

If they are let us know....

James Haywood commented:
Have you checked client error logs yet? This will help you point towards DNS/permissions/DC location/Kerberos etc etc

Manpreet Singh Khatra (Solutions Architect, Project Lead) commented:
To be very true I have always been able to remove using ntdsutil ...... I saw the Support article and it also shows Metadata cleanup but from ADAM .....

Exchange on a DC isn't recommended and if so it isn't recommended to demote that DC to member server.

"I won't say I'm a complete newb to Active Directory, but I inherited quite a mess" - I agree seeing you with all this.

- Rancy

elgraves (author) commented:
I am running ntdsutil on each DC.  The DC that I get the error message from is the Exchange Server 2003.

I just ran netdom query fsmo and everything is good to go there.  The roles are running on my PDC (2008 r2).

I am not running SBS.  If I run the metadata cleanup (from KB article) on my exchange server, do I take the risk of screwing up the exchange server?  It's dying a slow death with failed fans and a failed hard drive, I'm almost scared to touch it ;o)

Of course if it dies it will force the district to hurry the purchase of a replacement.

DLeaver commented:
So am I right in saying the Exchange server was once a DC?  If it has already been demoted and just running as an Exchange server member then it shouldn't be an issue, however if it is still an active DC then leave it be until it dies as removing the AD will cause more problems than good

elgraves (author) commented:
The exchange server is still a DC (minus dns).  I haven't demoted it and thanks to you and Rancy's advice will not be demoted.

DLeaver commented:
Ok, so leaving that as it is

Have you cleaned out the dead DC's and checked the GPC and GPT parts of the policies match up?....

Manpreet Singh Khatra (Solutions Architect, Project Lead) commented:
Ideally removing stale objects doesn't harm anything ..... but I haven't worked with that article that you shared so can't comment on it :(

Why not push the Mgmt for new server if possible :)

- Rancy

elgraves (author) commented:
Yes, none of the old DC's are showing up and the GPC and GPT are matching.

I am finding out as this goes on that it's not just affecting GPO's, but affecting how users access shares.

Some users cannot access shares that they could once access (like last week).  All share permissions are correct and ntfs permissions are correct.  As I said, they could access it fine last week.

The fix seems to be removing the computer from the domain and re-adding it to the domain.  I've tried this for one user and when her computer was re-added she could "magically" access the share.

I have a feeling this is a related issue.  So I'm going today to try this out on another user in my special ed department.  

Sorry so lengthy.  My gut tells me this is all related.  I just wish there were an easier way to remove and re-add a computer to the domain.  I have over 800 computers in the district.

Rancy:

I've pushed and pushed for a new server.  Because we've spent a ton of money on a 10GB switch infrastructure, 4 new poweredge servers, etc. the money has pretty much dried up.  And I'm also dealing with a lot of politics.  The new exchange server is out for bid, but it's a lengthy process.  Hopefully I will see a new Exchange 2010 server in the next month or so.

Manpreet Singh Khatra (Solutions Architect, Project Lead) commented:
"The fix seems to be removing the computer from the domain and re-adding it to the domain.  I've tried this for one user and when her computer was re-added she could "magically" access the share" - Maybe some information of some old server cleared after disjoin and rejoin? :)

"Sorry so lengthy.  My gut tells me this is all related.  I just wish there were an easier way to remove and re-add a computer to the domain.  I have over 800 computers in the district" - It's a pain to do so many machines :(

"I'm also dealing with a lot of politics" - This is always very much in IT :(

"Hopefully I will see a new Exchange 2010 server in the next month or so" - Fingers crossed and Best Wishes :)

- Rancy

elgraves (author) commented:
It looks like the fun just never ends.  Just had a call from a user who tried to logon and got the following message:

Security Database on Server doesn't have a trust relationship with this computer.

Researching now

Figured this one out.  For some reason the computer left the domain.  I don't know why.

elgraves (author) commented:
I truly appreciate all the help I received for this problem.  It helped me to verify and resolve some issues, but my overall problems still remain.  I think it's going to come down to re-imaging every single computer with a clean image, and re-adding it to the domain.  A tricky prospect during school.

You guys have been awesome.  I've just got to keep plugging away.  For those of you out there that have inherited a domain minus any documentation, I feel your pain.
Question has a verified solution.