
Issues with Windows 7 laptops connecting to Windows Domain via Wireless network

Posted on 2013-05-24
Last Modified: 2013-06-16
I have a number of students with new Windows 7 laptops logging into an existing domain that runs across 2 Windows servers (one Win 2003 one Win 2008).  Of a group of 30, sometimes only 10/12 students (max) can login, others sit on a 'Welcome' screen or get a blue screen.  These laptops sometimes work when restarted, others may need re-starting many times before the student can log in.  It is rare that I can get all 30 logged in within a 30min period.

If I test the same student logins on an XP laptop over the same wireless, it works OK.  If I test the students on a Windows 7 desktop or laptop using Ethernet it works OK (although I am losing some drive mappings for some of the users although I will post this question separately). The students rely on the wireless network for domain authentication - the environment does not enable me to provide Ethernet support for more than 1 / 2 laptops each time.

From my research so far I am inclined to think that the laptops need to see the wireless before they authenticate but I am not sure how to progress this to confirm and resolve.  All student profiles are roaming profiles stored on the server.  All students when they can eventually log in get a message from Windows 7 to let them know that a temporary profile is in use for their session.

Any advice would be much appreciated !
Question by:amandajgolf

Expert Comment

by:smckeown777
ID: 39195661
Since they login fine on ethernet I'd guess it's related to the wireless...

Have you set the 'Wait for network at login' option using GPO? See link here...

http://technet.microsoft.com/en-us/magazine/gg486839.aspx

That's the first thing I'd try

The roaming profiles might be a load on the wireless as well - this just one AP in one room or what's your wireless setup like?

Author Comment

by:amandajgolf
ID: 39196371
Thanks for the link, I will read through it now.  

There are several AP's through the school.  Not every room has one although the majority do.  The issue seems consistent however regardless of whether the laptops are in an AP room or not.  Ironically the students sitting closest to the AP's do seem to be the ones that have more issues with logging in although this isn't always the case.

I am thinking maybe a local default profile might be a better option moving forwards anyway and was starting to research this change prior to this issue with the new Win 7 laptops.  All students have a home drive on one of the servers, there is no reason for them to need to make any changes to the local desktop or for file management.  I obviously want to avoid having a local profile for each student on the laptop, but from what I have been reading it looks like I could have a single profile that all students would use and as part of that just have a drive mapped to the server where each student has their data.

Expert Comment

by:smckeown777
ID: 39196388
That's how we run it in multiple schools we look after - students have a shared personal drive for their own files - so they have no need for roaming profiles(which always add to load unfortunately) and this makes a world of difference

In another school we have a single 'Student' account where they all access a 'Shared' folder on the server(similar to what you said) - this also works fine, so in no cases are we using roaming profiles for students...

The one place we have roaming profiles we also have NPS(Radius) running which helps with enforcing access to the network 'prior to login' which helps...but I've found with Windows 7 if you set that GPO referenced earlier then this usually takes care of that part of the equation

I'd start at that point just to see...run it without disabling the roaming profiles just to see...work one step at a time to see where the thing starts working/breaking and you'll get to the answer quick

Question - are all students accessing the wifi/logging on at same time ALL the time? Or is it you only have 30 on at the same time each time?

From a troubleshooting point of view there are different ways to diagnose this...

1) Enable the GPO above to 'wait for network'
2) Boot up all laptops and run 'gpupdate /force' to ensure the policy is run on each laptop
3) Reboot, boot up all laptops and test - if things work then you are good to go, if not...
4) Shut all down, boot up 10 laptops - same thing - if things work then we can assume 1 of 2 things - either load on AP's is too much(since 30 can't connect) or roaming profiles are issue
5) Disable roaming profiles - boot up 30 again - any issues? If you still have issues at this point I'd be heading in the direction of saying your AP's might be the issue

For reference what AP's are you using? Make/model?

Author Comment

by:amandajgolf
ID: 39196402
Thanks for the advice.  First opportunity will be Tuesday now to try it so will let you know how it goes.  

In answer to your questions, I only have a group of 30/31 students logging into the domain via wireless at any one time.  So not a huge number at all.  All other desktops/laptops that might be online at that time would all be Ethernet based.

The AP's are Aruba 105 AP's, (not sure if single or dual radio models), feeding back to an Aruba 620 Wireless Controller.

Expert Comment

by:smckeown777
ID: 39196434
Ok, never had Aruba's so not sure, but they're a good brand at least
Are the 105's capable of 30 clients at same time?
I'm sure they are but might be worth checking

Sure see how the tests work

Author Comment

by:amandajgolf
ID: 39216455
Update -
I've modified the Group Policy to enable the 'wait at login' option.  I've also since found an updated driver for the Centrino wireless cards on the laptops which I have applied today.  I've also run gpupdate /force on each laptop to ensure the changes from the revised Group Policy have definitely been applied and rebooted a couple of times.

So far so good, but the real test will be this Thursday which will be the first time a full group of (30) students  all try to log in at the same time. .........

Author Comment

by:amandajgolf
ID: 39216466
Update cont.d
Also did research the Aruba controllers and they are definitely OK with the number of wireless connections required.

Expert Comment

by:smckeown777
ID: 39216493
Good to know...hopefully the changes will have the effect for the final test...keep us posted.

Author Comment

by:amandajgolf
ID: 39226902
First full test today of 30 laptops but unfortunately the change in the Group Policy didn't help.  Same issue, taking approx. 25 minutes to get all 30 laptops logged into the domain (wirelessly) with lots of rebooting going on during that time.  First attempt saw about 7/8 of the laptops log in, all others had to be rebooted with a few more logging in each time.

Did some testing with just a smaller bank of laptops to confirm whether or not issue was load on AP's and unfortunately got same problem, so at least that does confirm it is not an AP load issue.  

The next thing you asked me to test is in disabling roaming profiles.  It sounds like they are no longer needed in our environment anyway, but just to check........
All users have their own network area currently mapped to an H: drive (h:\studentusers\%username%).  There are other mappings currently performed (albeit inconsistently) through a student.bat file run on login.  There is no reason for the students to have to make any changes to the desktop at all.  So all I need is a local default desktop defined on each laptop that can be utilised by any student that happens to use that laptop that day.  The only important point being their ability to access their personal drive and other shared areas on the network.  
Excuse my ignorance now, but to test out whether disabling the roaming profile helps at all, do I need to just remove the profile path in the user AD account properties?  Or are there other changes I need to make?

Also just to add I do have someone coming in end of next week to discuss/review the Aruba Controller and AP's in case there is something obvious in their configuration settings I don't know about, i.e firmware updates or similar.  Maybe Windows 7 is just that different that some or all of the wireless configuration settings need amending?

Any other suggestions in the interim?

Thanks so far for your input.

Author Comment

by:amandajgolf
ID: 39226907
Oh and meant to add, seems like I should be using the Group Policy to set mappings also rather than the batch files that are currently running on teacher/student login which since going to Windows 7 seem to be a bit hit and miss anyway !

Expert Comment

by:smckeown777
ID: 39226938
Ok, yes to remove roaming profiles remove that property in ADUC as you said...

Nowadays in 2008 'Folder Redirection' is much better than old school roaming profiles just for reference...

But yes do that to see...

Strange thing is you've said - XP on wireless is fine, Windows 7 on cable is fine, Windows 7 on wifi isn't...can't get my head round that...but for the sake of it disable the roaming profile just to test...

One other thing - on these machines that are slow...does anything show up in Event viewer? Normally it will complain about lack of connection to a DC or something...but with the 'Wait for network' set in the GPO this shouldn't be happening

Yes, batch files aren't needed anymore(least in any environment I work in these days, the GPO thing actually works on Windows 7!)

Author Comment

by:amandajgolf
ID: 39227069
Thank you for such a quick response.  Some good advice for me to follow !

Have just been checking some server logs from our Windows 2003/Windows 2008 servers (we have single domain with these 2 servers).  Maybe coincidence but a lot of Kerberos errors suddenly showing up.  Seem to be more warnings than actual errors.  One of the warnings (event ID 29) is "KDC cannot find a suitable certificate to use for smart card logins, or the KDS certificate could not be verified" and the others are laptop specific (event ID 27) "while processing a TGS request for the target server krbtgt/<domain name>, the account <laptop name@domain> did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8)".  There are a few of these last ones but certainly not one of each of the laptops that issues arise when the students try unsuccessfully to login.

Expert Comment

by:smckeown777
ID: 39227353
Don't see KDC errors too often, but they are mainly related to when you have a CA(Certificate Authority) installed...I assume you aren't using certificates for auth for your laptops no?

Probably just a coincidence in that case...if not someone else might comment on this one
If you were seeing errors for ALL laptops then we might have an issue...

Author Comment

by:amandajgolf
ID: 39227364
No we are not using certificates for authority on the laptops.

Expert Comment

by:smckeown777
ID: 39227376
Cool, then might just be standard errors that will appear from time to time...

What about event viewer on the clients? Around the time of the logins mainly - see what they are saying

Author Comment

by:amandajgolf
ID: 39243570
This afternoon is next full login test of 30 laptops so will see what difference disabling roaming profiles might make and I will update accordingly.
FYI. Did have someone look at wireless infrastructure who has said I need to replace with an 'n-standard' infrastructure to resolve the issues and to give us future proofing when we want to start adding other devices.  Proposing a virtual cell environment with "fair time airtime" option so a few clients can't hog what bandwidth there is.  Seemed very confident that this would resolve issues.

Expert Comment

by:smckeown777
ID: 39243653
Again that's back to my question on 'load' and your AP's...i.e. are they fit for the high number of clients all at same time...but see how the testing goes today cause if it still causes issues then we might be heading in that direction

Have you talked to Aruba at all? I'd expect their hardware to be decent...wonder if the AP's have any 'logs' to look at, might show something

Author Comment

by:amandajgolf
ID: 39251812
Enabling the 'auto wait on network login' option in the GPO and disabling roaming profiles definitely improved the situation.
Further improvement seems to have been made by making another change in regedit on the laptops in the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run
I created a new string value and entered the command
%comspec% /c netsh wlan connect name="<profile name>"
where profile name is the SSID of our wireless network.  

It isn't perfect, we should be getting better speed than we are, so next step is testing with an n standard controller and AP's, but the above has made the issue a little more bearable in the interim !

Great support and advice from smckeown777.  Good suggestions also re. how I use profiles moving forwards.
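
A read-only check that the GPO setting and the Run entry described in the comment above are actually in place on a laptop, as an added PowerShell example that is not part of the original thread. It assumes the 'wait for network' policy is read from its SyncForegroundPolicy registry value and that `$ProfileName` (a placeholder here) is set to your own WLAN profile name; values under HKLM\...\Run are autostart commands executed at user logon, so the script prints the exact command it finds.

```powershell
# Added example (not from the thread). Read-only audit of one laptop.
# Assumption: set $ProfileName to your own WLAN profile name.
param([string]$ProfileName = '<profile name>')

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$psMeta    = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

# 1. "Always wait for the network at computer startup and logon" is stored
#    as SyncForegroundPolicy = 1 once the GPO has been applied.
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
$waitForNetwork = ($policy -ne $null) -and ($policy.SyncForegroundPolicy -eq 1)

# 2. List Run values that call "netsh wlan connect", so a missing, unexpected
#    or altered autostart command is visible.
$wlanRun = @()
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    $wlanRun = @($run.PSObject.Properties |
        Where-Object { ($psMeta -notcontains $_.Name) -and
                       ("$($_.Value)" -match 'netsh\s+wlan\s+connect') } |
        ForEach-Object { '{0} = {1}' -f $_.Name, $_.Value })
}

# 3. Confirm the profile named in the Run command exists on this laptop.
#    netsh prints each profile as "<label> : <name>".
$pattern = ':\s*' + [regex]::Escape($ProfileName) + '\s*$'
$hasProfile = [bool](netsh wlan show profiles | Where-Object { $_ -match $pattern })

# One summary object per laptop (PowerShell 2.0 compatible, as shipped with Windows 7).
New-Object PSObject -Property @{
    Computer       = $env:COMPUTERNAME
    WaitForNetwork = $waitForNetwork
    WlanRunEntries = ($wlanRun -join '; ')
    ProfilePresent = $hasProfile
}
```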

Accepted Solution

by:
smckeown777 earned 500 total points
ID: 39251819
Good to know, glad you're heading in the right direction ;)

See if there are any logs on the AP's or the controller that might help - usually with a controller you should be able to see some sort of 'load' graphs or the like, I'd expect this with an Aruba based system as they are supposed to be pretty decent kit...

Author Comment

by:amandajgolf
ID: 39251827
I've requested that this question be closed as follows:

Accepted answer: 0 points for amandajgolf's comment #a39251812

for the following reason:

Enabling the 'auto wait on network login' option in the GPO and disabling roaming profiles definitely improved the situation.
Further improvement seems to have been made by making another change in regedit on the laptops in the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run
I created a new string value and entered the command
%comspec% /c netsh wlan connect name="<profile name>"
where profile name is the SSID of our wireless network.  

It isn't perfect, we should be getting better speed than we are, so next step is testing with an n standard controller and AP's, but the above has made the issue a little more bearable in the interim !

Great support and advice from smckeown777.  Good suggestions also re. how I use profiles moving forwards.

Expert Comment

by:smckeown777
ID: 39251828
Think you closed this question out wrong @amandajgolf - you need to 'Accept Solution' not 'Close question'...

Author Comment

by:amandajgolf
ID: 39251839
Sorry about that.  Did mean to choose 'Accept'

Author Comment

by:amandajgolf
ID: 39251840
Good support and advice, including suggestions about possible changes to profiles moving forwards.
LVL 24

Expert Comment

by:smckeown777
ID: 39251845
Not a problem...glad to assist...if you do get more performance out of the 'n' switch let us know for the record anyways

Shane