Solved

Folder redirection not applying the same for every user

Posted on 2012-08-24
Last Modified: 2012-08-29
I have recently taken over as technology coordinator for a school district.  

I have some issues with folder redirection.

I have a lab in one of the elementary schools that used to have roaming profiles along with folder redirection enabled (RUP used to be implemented for every user, over 700 of them).

1.  Roaming profiles are no longer being used (extremely long logon times)
2.  Folder redirection is being applied for desktop and documents
3.  Elementary Lab Students are all using the same login id

Example 1:
The instructor used to be able to add items to the desktop from his machine, do a refresh, and see it reflected on all of the desktops.  This no longer seems to work.  I also noticed that only two desktops out of the 30 laptop computers seemed to come up with the same desktop (icons, shortcuts, etc).

Example 2:
I've noticed this on quite a few computers throughout the district.  I know that for instance I can log on to a Windows 7 machine and log on to a Windows XP machine and the desktop is the same, so desktop redirection appears to be working fine.  But, I'm getting different results for different users and they are all set up the same exact way (folder redirection with desktop and documents, no roaming profiles).

I can't figure out why some users seem to have no problems, whereas some just don't seem to be getting the correct results.  I've verified that the group policy is being applied without any errors.

I look forward to any suggestions.
0
Comment
Question by:elgraves
31 Comments
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 38332519
How is the policy applied ... OU based or how ?
What if you run GPMC do you see that policy applied to the user.

- Rancy
0
 

Author Comment

by:elgraves
ID: 38332526
Hi Rancy,

The policy is applied using security groups.  

Example Groups:

HS Redirection
MS Redirection
DE Redirection
SE Redirection
CO Redirection

GPMC is showing it applies with no errors.
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 38332537
What I meant was: is the policy applied to Users\OU\etc.?

Is the affected machine and the working machine having the same OS version ?

- Rancy
0
 

Author Comment

by:elgraves
ID: 38332557
It is applied to users (via groups).  

In the lab environment they are the same exact type of laptop with the same Windows XP images on every laptop.  

Throughout the district we are using multiple computer types with a mixture of Windows XP and Windows 7.
0
 
LVL 17

Expert Comment

by:James Haywood
ID: 38332705
Have a look at the event logs on a client that isn't working. This will usually give you a reason why the gpo/redirections aren't applying properly
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 38332746
Did you try to run .... Gpupdate /force and restart and check.
Hope users are logging into the domain ? Is there a specific GP not working or all working just few machines or users ? (Anything you noticed that is it some machines or users having issue)

- Rancy
0
 

Author Comment

by:elgraves
ID: 38332886
I have done gpupdate /force with a restart.  Users are logging into one domain only.  All are working according to GPMC.

I haven't actually looked at event logs on each machine.  I have checked via group policy results using the GPMC.
0
 
LVL 12

Expert Comment

by:DLeaver
ID: 38333101
How many DC's are there in the domain?

If you have more than 1 then confirm that they are syncing correctly, also check the File replication logs for NTFRS issues.  It may be the case that the GPO's are not applying across all DC's and so the policy applies intermittently depending on which DC they are logging into...
0
 
LVL 65

Expert Comment

by:btan
ID: 38333249
Maybe you can also enable the verbose diagnostic log for folder redirection to sieve out hints

http://sourcedaddy.com/windows-7/troubleshooting-folder-redirection.html
0
 

Author Comment

by:elgraves
ID: 38336239
Dleaver,

This could be the culprit.  I have run dcdiag but am not familiar with any commands to verify if the DCs are replicating properly.  I have two DCs by the way.

What's the best way to go about verifying sync?
0
 
LVL 12

Expert Comment

by:DLeaver
ID: 38336968
The first place to check is the event logs.

The Directory Service event log will notify you of any AD sync issues and the File Replication event log will notify you of any NTFRS errors.

GPO's are split into two - the group policy container syncs in AD and the group policy template syncs via the file replication.  

Post back any errors
0
 

Author Comment

by:elgraves
ID: 38338359
Log Name:      File Replication Service
Source:        NtFrs
Date:          8/21/2012 3:56:40 PM
Event ID:      13516
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      RICHMOND-DC.richmond.k12.mo.us
Description:
The File Replication Service is no longer preventing the computer RICHMOND-DC from becoming a domain controller.
The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.


 
Log Name:      File Replication Service
Source:        NtFrs
Date:          8/21/2012 3:58:20 PM
Event ID:      13508
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      RICHMOND-DC.richmond.k12.mo.us
Description:
The File Replication Service is having trouble enabling replication from RICHMOND-BDC to RICHMOND-DC for c:\windows\sysvol\domain using the DNS name RICHMOND-BDC.richmond.k12.mo.us. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 
 [1] FRS can not correctly resolve the DNS name RICHMOND-BDC.richmond.k12.mo.us from this computer.
 [2] FRS is not running on RICHMOND-BDC.richmond.k12.mo.us.
 [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.
 
Log Name:      File Replication Service
Source:        NtFrs
Date:          8/21/2012 4:14:10 PM
Event ID:      13509
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      RICHMOND-DC.richmond.k12.mo.us
Description:
The File Replication Service has enabled replication from RICHMOND-BDC to RICHMOND-DC for c:\windows\sysvol\domain after repeated retries.


Log Name:      File Replication Service
Source:        NtFrs
Date:          8/27/2012 8:01:33 AM
Event ID:      13516
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      RICHMOND-DC.richmond.k12.mo.us
Description:
The File Replication Service is no longer preventing the computer RICHMOND-DC from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.
 
Type "net share" to check for the SYSVOL share.

net share results

Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\Windows                      Remote Admin
NETLOGON     C:\Windows\SYSVOL\sysvol\richmond.k12.mo.us\SCRIPTS
                                             Logon server share
SYSVOL       C:\Windows\SYSVOL\sysvol        Logon server share
The command completed successfully.
0
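The FRS events posted above follow a pattern that can be checked mechanically: a 13508 warning matters only if no 13509 recovery event follows it on the same machine. This is an added PowerShell example, not part of the original thread; the sample records are constructed from the timestamps in the post, and `DC-EXAMPLE` and the function name are hypothetical.

```powershell
# Added example (not from the thread). Assumes PowerShell 3.0 or later.
# Flags FRS event 13508 ("trouble enabling replication") that was never
# followed by event 13509 ("has enabled replication ... after repeated retries").
# Simplification: events are matched per logging computer, not per partner.
function Get-UnresolvedFrsWarning {
    param([Parameter(Mandatory = $true)][object[]]$Events)

    foreach ($group in ($Events | Group-Object MachineName)) {
        # Most recent warning on this machine
        $lastWarn = $group.Group |
            Where-Object { $_.Id -eq 13508 } |
            Sort-Object TimeCreated |
            Select-Object -Last 1
        if (-not $lastWarn) { continue }

        # Any recovery event logged after that warning?
        $recovered = $group.Group | Where-Object {
            $_.Id -eq 13509 -and $_.TimeCreated -gt $lastWarn.TimeCreated
        }
        if (-not $recovered) { $lastWarn }
    }
}

# Constructed sample records. The first four mirror the events quoted in the
# post; the DC-EXAMPLE record is invented to show an unresolved warning.
$sample = @(
    [pscustomobject]@{ MachineName = 'RICHMOND-DC.richmond.k12.mo.us'; Id = 13516; TimeCreated = [datetime]'2012-08-21 15:56:40' }
    [pscustomobject]@{ MachineName = 'RICHMOND-DC.richmond.k12.mo.us'; Id = 13508; TimeCreated = [datetime]'2012-08-21 15:58:20' }
    [pscustomobject]@{ MachineName = 'RICHMOND-DC.richmond.k12.mo.us'; Id = 13509; TimeCreated = [datetime]'2012-08-21 16:14:10' }
    [pscustomobject]@{ MachineName = 'RICHMOND-DC.richmond.k12.mo.us'; Id = 13516; TimeCreated = [datetime]'2012-08-27 08:01:33' }
    [pscustomobject]@{ MachineName = 'DC-EXAMPLE'; Id = 13508; TimeCreated = [datetime]'2012-08-27 09:00:00' }
)

Get-UnresolvedFrsWarning -Events $sample |
    Format-Table MachineName, Id, TimeCreated -AutoSize

# Against a live DC, feed real events instead of $sample (placeholder name):
#   $live = Get-WinEvent -ComputerName '<dc-name>' -FilterHashtable @{
#       LogName = 'File Replication Service'; Id = 13508, 13509 }
#   Get-UnresolvedFrsWarning -Events $live
```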
 

Author Comment

by:elgraves
ID: 38338396
I am also getting quite a few of these types of errors.  
Log Name:      System
Source:        srv
Date:          8/27/2012 3:17:38 PM
Event ID:      2012
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      RICHMOND-DC.richmond.k12.mo.us
Description:
While transmitting or receiving data, the server encountered a network error. Occassional errors are expected, but large amounts of these indicate a possible error in your network configuration.  The error status code is contained within the returned data (formatted as Words) and may point you towards the problem.

As well as the following errors.  It varies from every couple of days to sometimes every 5 or 6 days.


Log Name:      Application
Source:        Microsoft-Windows-WMI
Date:          8/27/2012 8:01:35 AM
Event ID:      10
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      RICHMOND-DC.richmond.k12.mo.us
Description:
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
0
 
LVL 52

Assisted Solution

by:Manpreet SIngh Khatra
Manpreet SIngh Khatra earned 1000 total points
ID: 38338411
Was there ever any other DC that had been removed ... if so might have to do Metadata cleanup.

- Rancy
0
 

Author Comment

by:elgraves
ID: 38338422
Hopefully that wasn't overkill.  I did check the Directory Service logs and don't see any glaring indicators of sync issues.  

I have to restate my DC count.  

I actually have three DC's.  Two of them are new 2008 r2 servers, one of them is a leftover Exchange 2003 server.  It is running as a domain controller as well as dns.  DNS (on the Exchange 2003 server) was causing a lot of corruption so that service has been removed.  The exchange server is old and failing.  I've been milking it along until I get a replacement.
0
 

Author Comment

by:elgraves
ID: 38338473
Hi Rancy,

Actually there were quite a few DCs that were removed.  I thought I had gotten rid of any last vestiges of those but it is definitely possible there's crap leftover.  In the 4 months that I've had the job I've had 4 servers kick the bucket (all Server 2003, all DC's, on hardware that was over 12 years old).
0
 
LVL 12

Accepted Solution

by:
DLeaver earned 1000 total points
ID: 38339747
As Rancy mentions if you have a number of old DC's that are now dead then get rid of them using the metadata cleanup as outlined below, also clear out any old DNS entries that exist for the old servers

http://www.petri.co.il/delete_failed_dcs_from_ad.htm

It does look like you have had the NTFRS issues you would expect to see for the problem you are having, however the latest ones show that they are resolved.

If you do the following on both DC's

Type net share and ensure the Netlogon and Sysvol folders exist.

Assuming they do then check all of the GPC policies are identical on each DC via the GPMC, then check the GPT's are all identical by checking the C:\WINDOWS\SYSVOL\domain\Policies folder to check all of the policies listed there are identical.
0
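One way to script the GPC/GPT comparison described in the answer above, so that every policy is checked on every DC instead of by eye. This is an added PowerShell example, not code from the thread; it assumes the ActiveDirectory module (RSAT), PowerShell 3.0 or later, and read access to each DC's SYSVOL share, and the function names are hypothetical.

```powershell
# Added example (not from the thread). For each DC, compare the GPC version
# stored in AD (versionNumber) with the GPT version stored in SYSVOL (gpt.ini).
Import-Module ActiveDirectory

function Get-GptVersion {
    param([string]$GptIniPath)
    # gpt.ini carries a "Version=<n>" line; $null means missing or unreadable.
    if (-not (Test-Path -LiteralPath $GptIniPath)) { return $null }
    $hit = Select-String -LiteralPath $GptIniPath -Pattern '^\s*Version\s*=\s*(\d+)' |
        Select-Object -First 1
    if ($hit) { return [int]$hit.Matches[0].Groups[1].Value }
    return $null
}

function Get-GpoVersionReport {
    $domain     = Get-ADDomain
    $policiesDn = "CN=Policies,CN=System,$($domain.DistinguishedName)"

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            # Ask this specific DC, so its own replica of the GPC is read.
            $gpcs = Get-ADObject -Server $dc.HostName -SearchBase $policiesDn `
                -LDAPFilter '(objectClass=groupPolicyContainer)' `
                -Properties displayName, versionNumber -ErrorAction Stop
        } catch {
            # DCs without Active Directory Web Services cannot be queried
            # with these cmdlets; report and move on.
            Write-Warning "Cannot query $($dc.HostName): $($_.Exception.Message)"
            continue
        }
        foreach ($gpc in $gpcs) {
            $gptIni = "\\$($dc.HostName)\SYSVOL\$($domain.DNSRoot)\Policies\$($gpc.Name)\gpt.ini"
            [pscustomobject]@{
                DC         = $dc.HostName
                GPO        = $gpc.displayName
                Guid       = $gpc.Name
                GpcVersion = $gpc.versionNumber
                GptVersion = Get-GptVersion $gptIni
            }
        }
    }
}

$report = @(Get-GpoVersionReport)

# 1) GPC and GPT disagree on the same DC (or gpt.ini is missing there)
$report | Where-Object { $_.GpcVersion -ne $_.GptVersion } | Format-Table -AutoSize

# 2) The same GPO carries different versions on different DCs
$report | Group-Object Guid | Where-Object {
    @($_.Group | ForEach-Object { "$($_.GpcVersion)/$($_.GptVersion)" } |
        Sort-Object -Unique).Count -gt 1
} | ForEach-Object { $_.Group } | Format-Table -AutoSize
```

Empty output from both tables means every reachable DC holds the same GPC and GPT version for every policy.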
 

Author Comment

by:elgraves
ID: 38340719
It appears that all of the GPT's are identical.  SYSVOL and NETSHARE folders exist.  When running ntdsutil on my exchange server, I get the following (in bold).  

Found 1 site(s)
0 - CN=RPS,CN=Sites,CN=Configuration,DC=richmond,DC=k12,DC=mo,DC=us
select operation target: select site 0
Site - CN=RPS,CN=Sites,CN=Configuration,DC=richmond,DC=k12,DC=mo,DC=us
Domain - DC=richmond,DC=k12,DC=mo,DC=us
No current server
No current Naming Context
select operation target: list servers in site
Found 1 server(s)
0 - (null)
select operation target: select server 0
DsListInfoForServerW error 0x57(The parameter is incorrect.)
Continuing ...
Site - CN=RPS,CN=Sites,CN=Configuration,DC=richmond,DC=k12,DC=mo,DC=us
Domain - DC=richmond,DC=k12,DC=mo,DC=us
Server - (null)
No current Naming Context
select operation target:
0
 

Author Comment

by:elgraves
ID: 38340775
After looking up the DsListInfoForServerW error 0x57

I found the following knowledgebase article that describes the exact problem.  
http://support.microsoft.com/kb/958839

My concern is twofold.  
If I run the command as stated, will this mess up the exchange server as a domain controller?  

It's my understanding that Exchange Server 2003 has to be a domain controller?  Am I mistaken in this?

I truly appreciate your help with this.  I won't say I'm a complete newb to Active Directory, but I inherited quite a mess.  I'm learning a lot as we go along.
0
 
LVL 12

Expert Comment

by:DLeaver
ID: 38340816
That should be the opposite (unless you are dealing with SBS) Exchange shouldn't be on a domain controller.

Where are you running the ntdsutil?  on an existing DC?

Just run the following to check none of your FSMO roles are assigned to one of the dead DC's

netdom query fsmo

If they are let us know....
0
 
LVL 17

Expert Comment

by:James Haywood
ID: 38340845
Have you checked client error logs yet? This will help you point towards DNS/permissions/DC location/Kerberos etc etc
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 38340972
To be very true I have always been able to remove using ntdsutil ...... I saw the Support article and it also shows Metadata cleanup but from ADAM .....

Exchange on a DC isn't recommended and if so it isn't recommended to demote that DC to member server.

I won't say I'm a complete newb to Active Directory, but I inherited quite a mess - I agree seeing you with all this.

- Rancy
0
 

Author Comment

by:elgraves
ID: 38341078
I am running ntdsutil on each DC.  The DC that I get the error message from is the Exchange Server 2003.

I just ran netdom query fsmo and everything is good to go there.  The roles are running on my PDC (2008 r2).

I am not running SBS.  If I run the meta data cleanup (from KB article) on my exchange server, do I take the risk of screwing up the exchange server?  It's dying a slow death with failed fans and a failed hard drive, I'm almost scared to touch it ;o)

Of course if it dies it will force the district to hurry the purchase of a replacement.
0
 
LVL 12

Expert Comment

by:DLeaver
ID: 38341113
So am I right in saying the Exchange server was once a DC?  If it has already been demoted and just running as an Exchange server member then it shouldn't be an issue, however if it is still an active DC then leave it be until it dies as removing the AD will cause more problems than good
0
 

Author Comment

by:elgraves
ID: 38341142
The exchange server is still a DC (minus dns).  I haven't demoted it and thanks to you and Rancy's advice will not be demoted.
0
 
LVL 12

Expert Comment

by:DLeaver
ID: 38341236
Ok, so leaving that as it is

Have you cleaned out the dead DC's and checked the GPC and GPT parts of the policies match up?....
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 38341288
Ideally removing stale object doesn't harm anything ..... but I haven't worked with that article that you shared so can't comment on it :(

Why not push the Mgmt for new server if possible :)

- Rancy
0
 

Author Comment

by:elgraves
ID: 38341311
Yes, none of the old DC's are showing up and the GPC and GPT are matching.

I am finding out as this goes on that it's not just affecting GPO's, but affecting how users access shares.

Some users cannot access shares that they could once access (like last week).  All share permissions are correct and ntfs permissions are correct.  As I said, they could access it fine last week.

The fix seems to be removing the computer from the domain and re-adding it to the domain.  I've tried this for one user and when her computer was re-added she could "magically" access the share.

I have a feeling this is a related issue.  So I'm going today to try this out on another user in my special ed department.  

Sorry so lengthy.  My gut tells me this is all related.  I just wish there were an easier way to remove and re-add a computer to the domain.  I have over 800 computers in the district.

Rancy:

I've pushed and pushed for a new server.  Because we've spent a ton of money on a 10GB switch infrastructure, 4 new poweredge servers, etc. the money has pretty much dried up.  And I'm also dealing with a lot of politics.  The new exchange server is out for bid, but it's a lengthy process.  Hopefully I will see a new Exchange 2010 server in the next month or so.
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 38341379
The fix seems to be removing the computer from the domain and re-adding it to the domain.  I've tried this for one user and when her computer was re-added she could "magically" access the share - Maybe some information of some old server cleared after disjoin and rejoin ? :)

Sorry so lengthy.  My gut tells me this is all related.  I just wish there were an easier way to remove and re-add a computer to the domain.  I have over 800 computers in the district - It's a pain to do so many machines :(

I'm also dealing with a lot of politics - This always is very much in IT :(

Hopefully I will see a new Exchange 2010 server in the next month or so - Fingers crossed and Best Wishes :)

- Rancy
0
 

Author Comment

by:elgraves
ID: 38345417
It looks like the fun just never ends.  Just had a call from a user who tried to logon and got the following message:

Security Database on Server doesn't have a trust relationship with this computer.

Researching now

Figured this one out.  For some reason the computer left the domain.  I don't know why
0
 

Author Closing Comment

by:elgraves
ID: 38345777
I truly appreciate all the help I received for this problem.  It helped me to verify and resolve some issues, but my overall problems still remain.  I think it's going to come down to re-imaging every single computer with a clean image, and re-adding it to the domain.  A tricky prospect during school.

You guys have been awesome.  I've just got to keep plugging away.  For those of you out there that have inherited a domain minus any documentation, I feel your pain.
0

Question has a verified solution.