elgraves
asked on
Folder redirection not applying the same for every user
I have recently taken over as technology coordinator for a school district.
I have some issues with folder redirection.
I have a lab in one of the elementary schools that used to have roaming profiles along with folder redirection enabled (RUP used to be implemented for every user, over 700 of them).
1. Roaming profiles are no longer being used (extremely long logon times)
2. Folder redirection is being applied for desktop and documents
3. Elementary Lab Students are all using the same login id
Example 1:
The instructor used to be able to add items to the desktop from his machine, do a refresh, and see it reflected on all of the desktops. This no longer seems to work. I also noticed that only two desktops out of the 30 laptop computers seemed to come up with the same desktop (icons, shortcuts, etc).
Example 2:
I've noticed this on quite a few computers throughout the district. I know that for instance I can log on to a Windows 7 machine and log on to a Windows XP machine and the desktop is the same, so desktop redirection appears to be working fine. But, I'm getting different results for different users and they are all set up the same exact way (folder redirection with desktop and documents, no roaming profiles).
I can't figure out why some users seem to have no problems, whereas some just don't seem to be getting the correct results. I've verified that the group policy is being applied without any errors.
I look forward to any suggestions.
ASKER
Hi Rancy,
The policy is applied using security groups.
Example Groups:
HS Redirection
MS Redirection
DE Redirection
SE Redirection
CO Redirection
GPMC is showing it applies with no errors.
What I meant was, is the policy applied to Users\OU\etc?
Are the affected machine and the working machine running the same OS version?
- Rancy
ASKER
It is applied to users (via groups).
In the lab environment they are the same exact type of laptop with the same Windows XP images on every laptop.
Throughout the district we are using multiple computer types with a mixture of Windows XP and Windows 7.
Have a look at the event logs on a client that isn't working. This will usually give you a reason why the gpo/redirections aren't applying properly
Did you try to run .... Gpupdate /force and restart and check.
Hope users are logging into the domain ? Is there a specific GP not working or all working just few machines or users ? (Anything you noticed that is it some machines or users having issue)
- Rancy
ASKER
I have done gpupdate /force with a restart. Users are logging into one domain only. All are working according to GPMC.
I haven't actually looked at event logs on each machine. I have checked via group policy results using the GPMC.
How many DC's are there in the domain?
If you have more than 1 then confirm that they are syncing correctly, also check the File Replication logs for NTFRS issues. It may be the case that the GPO's are not applying across all DC's and so the policy applies intermittently depending on which DC they are logging into...
Maybe you can also enable the verbose diagnostic log for folder redirection to sieve out hints
http://sourcedaddy.com/windows-7/troubleshooting-folder-redirection.html
ASKER
Dleaver,
This could be the culprit. I have run dcdiag but I'm not familiar with any commands to verify if the DCs are replicating properly. I have two DCs by the way.
What's the best way to go about verifying sync?
The first place to check is the event logs.
The Directory Service event log will notify you of any AD sync issues and the File Replication event log will notify you of any NTFRS errors.
GPO's are split into two - the group policy container syncs in AD and the group policy template syncs via the file replication.
Post back any errors
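One way to check the GPC/GPT split described in the post above, as an added example that is not part of the original thread: it reads each GPO's versionNumber from AD (the GPC) and compares it with the Version= value in GPT.INI on every DC's SYSVOL share (the GPT). It assumes the ActiveDirectory PowerShell module is available and that the account running it can read \\<DC>\SYSVOL; the variable and function names are illustrative.

```powershell
# Added example (not from the thread): compare GPC and GPT versions per DC.
# Assumes the ActiveDirectory module and read access to \\<DC>\SYSVOL.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dcs    = Get-ADDomainController -Filter *

# GPC side: groupPolicyContainer objects under CN=Policies,CN=System,<domain DN>.
# versionNumber replicates with AD; it is read once from the default DC here.
$gpcs = Get-ADObject -SearchBase "CN=Policies,CN=System,$($domain.DistinguishedName)" `
    -LDAPFilter '(objectClass=groupPolicyContainer)' `
    -Properties displayName, versionNumber

function Split-GpoVersion([long]$Version) {
    # Upper 16 bits = user settings revision, lower 16 bits = computer settings revision.
    $user = [long][math]::Floor($Version / 65536)
    'user={0} computer={1}' -f $user, ($Version % 65536)
}

$report = foreach ($gpc in $gpcs) {
    foreach ($dc in $dcs) {
        # GPT side: this GPO's folder on this DC's SYSVOL share (replicated by FRS).
        $gptIni = "\\$($dc.HostName)\SYSVOL\$($domain.DNSRoot)\Policies\$($gpc.Name)\GPT.INI"
        $gptVersion = $null
        $status = 'GPT.INI missing or unreadable'

        if (Test-Path -LiteralPath $gptIni) {
            $hit = Select-String -Path $gptIni -Pattern '^\s*Version\s*=\s*(\d+)' |
                   Select-Object -First 1
            if ($hit) {
                $gptVersion = [long]$hit.Matches[0].Groups[1].Value
                if ($gptVersion -eq [long]$gpc.versionNumber) {
                    $status = 'OK'
                } else {
                    $status = 'MISMATCH'
                }
            } else {
                $status = 'No Version= line in GPT.INI'
            }
        }

        $gptText = ''
        if ($gptVersion -ne $null) { $gptText = Split-GpoVersion $gptVersion }

        New-Object PSObject -Property @{
            GPO    = $gpc.displayName
            DC     = $dc.HostName
            GPC    = Split-GpoVersion ([long]$gpc.versionNumber)
            GPT    = $gptText
            Status = $status
        }
    }
}

# Rows that are not OK identify which DC's SYSVOL copy is behind or missing.
$report | Select-Object GPO, DC, GPC, GPT, Status |
    Sort-Object GPO, DC | Format-Table -AutoSize
```

A MISMATCH or missing GPT.INI on only one DC points at SYSVOL replication to that DC, so clients that pick it as their logon server process a different copy of the policy.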
ASKER
Log Name: File Replication Service
Source: NtFrs
Date: 8/21/2012 3:56:40 PM
Event ID: 13516
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: RICHMOND-DC.richmond.k12.mo.us
Description:
The File Replication Service is no longer preventing the computer RICHMOND-DC from becoming a domain controller.
The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.
Log Name: File Replication Service
Source: NtFrs
Date: 8/21/2012 3:58:20 PM
Event ID: 13508
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: RICHMOND-DC.richmond.k12.mo.us
Description:
The File Replication Service is having trouble enabling replication from RICHMOND-BDC to RICHMOND-DC for c:\windows\sysvol\domain using the DNS name RICHMOND-BDC.richmond.k12.mo.us. FRS will keep retrying.
Following are some of the reasons you would see this warning.
[1] FRS can not correctly resolve the DNS name RICHMOND-BDC.richmond.k12.mo.us from this computer.
[2] FRS is not running on RICHMOND-BDC.richmond.k12.mo.us.
[3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.
Log Name: File Replication Service
Source: NtFrs
Date: 8/21/2012 4:14:10 PM
Event ID: 13509
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: RICHMOND-DC.richmond.k12.mo.us
Description:
The File Replication Service has enabled replication from RICHMOND-BDC to RICHMOND-DC for c:\windows\sysvol\domain after repeated retries.
Log Name: File Replication Service
Source: NtFrs
Date: 8/27/2012 8:01:33 AM
Event ID: 13516
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: RICHMOND-DC.richmond.k12.mo.us
Description:
The File Replication Service is no longer preventing the computer RICHMOND-DC from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.
Type "net share" to check for the SYSVOL share.
net share results
Share name   Resource                        Remark
-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\Windows                      Remote Admin
NETLOGON     C:\Windows\SYSVOL\sysvol\richmond.k12.mo.us\SCRIPTS
                                             Logon server share
SYSVOL       C:\Windows\SYSVOL\sysvol        Logon server share
The command completed successfully.
ASKER
I am also getting quite a few of these types of errors.
Log Name: System
Source: srv
Date: 8/27/2012 3:17:38 PM
Event ID: 2012
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: RICHMOND-DC.richmond.k12.mo.us
Description:
While transmitting or receiving data, the server encountered a network error. Occassional errors are expected, but large amounts of these indicate a possible error in your network configuration. The error status code is contained within the returned data (formatted as Words) and may point you towards the problem.
As well as the following errors. It varies from every couple of days to sometimes every 5 or 6 days.
Log Name: Application
Source: Microsoft-Windows-WMI
Date: 8/27/2012 8:01:35 AM
Event ID: 10
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: RICHMOND-DC.richmond.k12.mo.us
Description:
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
ASKER
Hopefully that wasn't overkill. I did check the Directory Service logs and don't see any glaring indicators of sync issues.
I have to restate my DC count.
I actually have three DC's. Two of them are new 2008 r2 servers, one of them is a leftover Exchange 2003 server. It is running as a domain controller as well as dns. DNS (on the Exchange 2003 server) was causing a lot of corruption so that service has been removed. The exchange server is old and failing. I've been milking it along until I get a replacement.
ASKER
Hi Rancy,
Actually there were quite a few DCs that were removed. I thought I had gotten rid of any last vestiges of those but it is definitely possible there's crap leftover. In the 4 months that I've had the job I've had 4 servers kick the bucket (all Server 2003, all DC's, on hardware that was over 12 years old).
ASKER
It appears that all of the GPT's are identical. SYSVOL and NETSHARE folders exist. When running ntdsutil on my exchange server, I get the following (in bold).
Found 1 site(s)
0 - CN=RPS,CN=Sites,CN=Configuration,DC=richmond,DC=k12,DC=mo,DC=us
select operation target: select site 0
Site - CN=RPS,CN=Sites,CN=Configuration,DC=richmond,DC=k12,DC=mo,DC=us
Domain - DC=richmond,DC=k12,DC=mo,DC=us
No current server
No current Naming Context
select operation target: list servers in site
Found 1 server(s)
0 - (null)
select operation target: select server 0
DsListInfoForServerW error 0x57(The parameter is incorrect.)
Continuing ...
Site - CN=RPS,CN=Sites,CN=Configuration,DC=richmond,DC=k12,DC=mo,DC=us
Domain - DC=richmond,DC=k12,DC=mo,DC=us
Server - (null)
No current Naming Context
select operation target:
ASKER
After looking up the DsListInfoForServerW error 0x57
I found the following knowledgebase article that describes the exact problem.
http://support.microsoft.com/kb/958839
My concern is twofold.
If I run the command as stated, will this mess up the exchange server as a domain controller?
It's my understanding that Exchange Server 2003 has to be a domain controller? Am I mistaken in this?
I truly appreciate your help with this. I won't say I'm a complete newb to Active Directory, but I inherited quite a mess. I'm learning a lot as we go along.
That should be the opposite (unless you are dealing with SBS) Exchange shouldn't be on a domain controller.
Where are you running the ntdsutil? on an existing DC?
Just run the following to check none of your FSMO roles are assigned to one of the dead DC's
netdom query fsmo
If they are let us know....
Have you checked client error logs yet? This will help you point towards DNS/permissions/DC location/Kerberos etc etc
To be very true I have always been able to remove using ntdsutil ...... I saw the Support article and it also shows Metadata cleanup but from ADAM .....
Exchange on a DC isn't recommended and if so it isn't recommended to demote that DC to member server.
I won't say I'm a complete newb to Active Directory, but I inherited quite a mess - I agree seeing you with all this.
- Rancy
ASKER
I am running ntdsutil on each DC. The DC that I get the error message from is the Exchange Server 2003.
I just ran netdom query fsmo and everything is good to go there. The roles are running on my PDC (2008 r2).
I am not running SBS. If I run the meta data cleanup (from KB article) on my exchange server, do I take the risk of screwing up the exchange server? It's dying a slow death with failed fans and a failed hard drive, I'm almost scared to touch it ;o)
Of course if it dies it will force the district to hurry the purchase of a replacement.
So am I right in saying the Exchange server was once a DC? If it has already been demoted and just running as an Exchange server member then it shouldn't be an issue, however if it is still an active DC then leave it be until it dies as removing the AD will cause more problems than good
ASKER
The exchange server is still a DC (minus dns). I haven't demoted it and thanks to you and Rancy's advice will not be demoted.
Ok, so leaving that as it is
Have you cleaned out the dead DC's and checked the GPC and GPT parts of the policies match up?....
Ideally removing stale objects doesn't harm anything ..... but I haven't worked with that article that you shared so can't comment on it :(
Why not push the Mgmt for new server if possible :)
- Rancy
ASKER
Yes, none of the old DC's are showing up and the GPC and GPT are matching.
I am finding out as this goes on that it's not just affecting GPO's, but affecting how users access shares.
Some users cannot access shares that they could once access (like last week). All share permissions are correct and ntfs permissions are correct. As I said, they could access it fine last week.
The fix seems to be removing the computer from the domain and re-adding it to the domain. I've tried this for one user and when her computer was re-added she could "magically" access the share.
I have a feeling this is a related issue. So I'm going today to try this out on another user in my special ed department.
Sorry so lengthy. My gut tells me this is all related. I just wish there were an easier way to remove and re-add a computer to the domain. I have over 800 computers in the district.
Rancy:
I've pushed and pushed for a new server. Because we've spent a ton of money on a 10GB switch infrastructure, 4 new poweredge servers, etc. the money has pretty much dried up. And I'm also dealing with a lot of politics. The new exchange server is out for bid, but it's a lengthy process. Hopefully I will see a new Exchange 2010 server in the next month or so.
The fix seems to be removing the computer from the domain and re-adding it to the domain. I've tried this for one user and when her computer was re-added she could "magically" access the share - Maybe some information of some old server cleared after disjoin and rejoin ? :)
Sorry so lengthy. My gut tells me this is all related. I just wish there were an easier way to remove and re-add a computer to the domain. I have over 800 computers in the district - It's a pain to do so many machines :(
I'm also dealing with a lot of politics - This is always very much in IT :(
Hopefully I will see a new Exchange 2010 server in the next month or so - Fingers crossed and Best Wishes :)
- Rancy
ASKER
It looks like the fun just never ends. Just had a call from a user who tried to logon and got the following message:
Security Database on Server doesn't have a trust relationship with this computer.
Researching now
Figured this one out. For some reason the computer left the domain. I don't know why
ASKER
I truly appreciate all the help I received for this problem. It helped me to verify and resolve some issues, but my overall problems still remain. I think it's going to come down to re-imaging every single computer with a clean image, and re-adding it to the domain. A tricky prospect during school.
You guys have been awesome. I've just got to keep plugging away. For those of you out there that have inherited a domain minus any documentation, I feel your pain.
What if you run GPMC do you see that policy applied to the user.
- Rancy