amandajgolf
asked on
Issues with Windows 7 laptops connecting to Windows Domain via Wireless network
I have a number of students with new Windows 7 laptops logging into an existing domain that runs across 2 Windows servers (one Win 2003 one Win 2008). Of a group of 30, sometimes only 10/12 students (max) can login, others sit on a 'Welcome' screen or get a blue screen. These laptops sometimes work when restarted, others may need re-starting many times before the student can log in. It is rare that I can get all 30 logged in within a 30min period.
If I test the same student logins on an XP laptop over the same wireless, it works OK. If I test the students on a Windows 7 desktop or laptop using Ether net it works OK (although I am losing some drive mappings for some of the users although I will post this question seperately). The students rely on the wireless network for domain authentication - the environment does not enable me to provide Ethernet support for more than 1 / 2 laptops each time.
From my research so far I am inclined to think that the laptops need to see the wireless before they authenticate but I am not sure how to progress this to confirm and resolve. All student profiles are roaming profiles stored on the server. All students when they can eventually log in get a message from Windows 7 to let them know that a temporary profile is in use for their session.
Any advise would be much appreciated !
If I test the same student logins on an XP laptop over the same wireless, it works OK. If I test the students on a Windows 7 desktop or laptop using Ether net it works OK (although I am losing some drive mappings for some of the users although I will post this question seperately). The students rely on the wireless network for domain authentication - the environment does not enable me to provide Ethernet support for more than 1 / 2 laptops each time.
From my research so far I am inclined to think that the laptops need to see the wireless before they authenticate but I am not sure how to progress this to confirm and resolve. All student profiles are roaming profiles stored on the server. All students when they can eventually log in get a message from Windows 7 to let them know that a temporary profile is in use for their session.
Any advise would be much appreciated !
ASKER
Thanks for the link, I will read through it now.
There are several AP's through the school. Not every room has one although the majority do. The issue seems consistent however regardless of whether the laptops are in an AP room or not. Ironically the students sitting closest to the AP's do seem to be the ones that have more issues with logging in although this isn't always the case.
I am thinking maybe a local default profile might be a better option moving forwards anyway and was starting to research this change prior to this issue with the new Win 7 laptops. All students have a home drive on one of the servers, there is no reason for them to need to make any changes to the local desktop or for file management. I obviously want to avoid having a local profile for each student on the laptop, but from what I have been reading it looks like I could have a single profile that all students would use and as part of that just have a drive mapped to the server where each student has their data.
There are several AP's through the school. Not every room has one although the majority do. The issue seems consistent however regardless of whether the laptops are in an AP room or not. Ironically the students sitting closest to the AP's do seem to be the ones that have more issues with logging in although this isn't always the case.
I am thinking maybe a local default profile might be a better option moving forwards anyway and was starting to research this change prior to this issue with the new Win 7 laptops. All students have a home drive on one of the servers, there is no reason for them to need to make any changes to the local desktop or for file management. I obviously want to avoid having a local profile for each student on the laptop, but from what I have been reading it looks like I could have a single profile that all students would use and as part of that just have a drive mapped to the server where each student has their data.
That's how we run it in multiple schools we look after - students have a shared personal drive for their own files - so they have no need for roaming profiles(which always add to load unfortunately) and this makes a world of difference
In another school we have a single 'Student' account where they all access a 'Shared' folder on the server(similar to what you said) - this also works fine, so in no cases are we using roaming profiles for students...
The one place we have roaming profiles we also have NPS(Radius) running which helps with enforcing access to the network 'prior to login' which helps...but I've found with Windows 7 if you set that GPO referenced earlier then this usually takes care of that part of the equation
I'd start at that point just to see...run it without disabling the roaming profiles just to see...work one step at a time to see where the thing starts working/breaking and you'll get to the answer quick
Question - are all students accessing the wifi/logging on at same time ALL the time? Or is it you only have 30 on at the same time each time?
From a troubleshooting point of view there are different ways to diagnose this...
1) Enable the GPO above to 'wait for network'
2) Boot up all laptops and run 'gpupdate/force' to ensure the policy is run on each laptop
3) Reboot, boot up all laptops and test - if things work then you are good to go, if not...
4) Shut all down, boot up 10 laptops - same thing - if things work then we can assume 1 of 2 things - either load on AP's is too much(since 30 can't connect) or roaming profiles are issue
5) Disable roaming profiles - boot up 30 again - any issues? If you still have issues at this point I'd be heading in the direction of saying your AP's might be the issue
For reference what AP's are you using? Make/model?
In another school we have a single 'Student' account where they all access a 'Shared' folder on the server(similar to what you said) - this also works fine, so in no cases are we using roaming profiles for students...
The one place we have roaming profiles we also have NPS(Radius) running which helps with enforcing access to the network 'prior to login' which helps...but I've found with Windows 7 if you set that GPO referenced earlier then this usually takes care of that part of the equation
I'd start at that point just to see...run it without disabling the roaming profiles just to see...work one step at a time to see where the thing starts working/breaking and you'll get to the answer quick
Question - are all students accessing the wifi/logging on at same time ALL the time? Or is it you only have 30 on at the same time each time?
From a troubleshooting point of view there are different ways to diagnose this...
1) Enable the GPO above to 'wait for network'
2) Boot up all laptops and run 'gpupdate/force' to ensure the policy is run on each laptop
3) Reboot, boot up all laptops and test - if things work then you are good to go, if not...
4) Shut all down, boot up 10 laptops - same thing - if things work then we can assume 1 of 2 things - either load on AP's is too much(since 30 can't connect) or roaming profiles are issue
5) Disable roaming profiles - boot up 30 again - any issues? If you still have issues at this point I'd be heading in the direction of saying your AP's might be the issue
For reference what AP's are you using? Make/model?
ASKER
Thanks for the advice. First opportunity will be Tuesday now to try it so will let you know how it goes.
In answer to your questions, I only have a group of 30/31 students logging into the domain via wireless at any one time. So not a huge number at all. All other desktops/laptops that might be online at that time would all be Ethernet based.
The AP's are Aruba 105 AP's, (not sure if single or dual radio models), feeding back to an Aruba 620 Wireless Controller.
In answer to your questions, I only have a group of 30/31 students logging into the domain via wireless at any one time. So not a huge number at all. All other desktops/laptops that might be online at that time would all be Ethernet based.
The AP's are Aruba 105 AP's, (not sure if single or dual radio models), feeding back to an Aruba 620 Wireless Controller.
Ok, never had Aruba's so not sure, but they're a good brand at least
Are the 105's capable of 30 clients at same time?
I'm sure they are but might b worth checking
Sure see how the tests work
Are the 105's capable of 30 clients at same time?
I'm sure they are but might b worth checking
Sure see how the tests work
ASKER
Update -
I've modified the Group Policy to enable the 'wait at login' option. I've also since found an updated driver for the Centrino wireless cards on the laptops which I have applied today. I've also run gpupdate /force on each laptop to ensure the changes from the revised Group Policy have definitely been applied and rebooted a couple of times.
So far so good, but the real test will be this Thursday which will be the first time a full group of (30) students all try to log in at the same time. .........
I've modified the Group Policy to enable the 'wait at login' option. I've also since found an updated driver for the Centrino wireless cards on the laptops which I have applied today. I've also run gpupdate /force on each laptop to ensure the changes from the revised Group Policy have definitely been applied and rebooted a couple of times.
So far so good, but the real test will be this Thursday which will be the first time a full group of (30) students all try to log in at the same time. .........
ASKER
Update cont.d
Also did research the Aruba controllers and they are definitely OK with the number of wireless connections required.
Also did research the Aruba controllers and they are definitely OK with the number of wireless connections required.
Good to know...hopefully the changes will have the effect for the final test...keep us posted.
ASKER
First full test today of 30 laptops but unfortunately the change in the Group Policy didn't help. Same issue, taking approx. 25 minutes to get all 30 laptops logged into the domain (wirelessly) with lots of rebooting going on during that time. First attempt saw about 7/8 of the laptops log in, all others had to be rebooted with a few more logging in each time.
Did some testing with just a smaller bank of laptops to confirm whether or not issue was load on AP's and unfortunately got same problem, so at least that does confirm it is not an AP load issue.
The next thing you asked me to test is in disabling roaming profiles. It sounds like they are no longer needed in our environment anyway, but just to check........
All users have their own network area currently mapped to an H: drive (h:\studentusers\%username
Excuse my ignorance now, but to test out whether disabling the roaming profile helps at all, do I need to just remove the profile path in the user AD account properties? Or is there other changes I need to make?
Also just to add I do have someone coming in end of next week to discuss/review the Aruba Controller and AP's in case there is something obvious in their configuration settings I don't know about, i.e firmware updates or similar. Maybe Windows 7 is just that different that some or all of the wireless configuration settings need amending?
Any other suggestions in the interim?
Thanks so far for your input.
Did some testing with just a smaller bank of laptops to confirm whether or not issue was load on AP's and unfortunately got same problem, so at least that does confirm it is not an AP load issue.
The next thing you asked me to test is in disabling roaming profiles. It sounds like they are no longer needed in our environment anyway, but just to check........
All users have their own network area currently mapped to an H: drive (h:\studentusers\%username
Excuse my ignorance now, but to test out whether disabling the roaming profile helps at all, do I need to just remove the profile path in the user AD account properties? Or is there other changes I need to make?
Also just to add I do have someone coming in end of next week to discuss/review the Aruba Controller and AP's in case there is something obvious in their configuration settings I don't know about, i.e firmware updates or similar. Maybe Windows 7 is just that different that some or all of the wireless configuration settings need amending?
Any other suggestions in the interim?
Thanks so far for your input.
ASKER
Oh and meant to add, seems like I should be using the Group Policy to set mappings also rather than the batch files that are currently running on teacher/student login which since going to Windows 7 seem to be a bit hit and miss anyway !
Ok, yes to remove roaming profiles remove that property in ADUC as you said...
Nowadays in 2008 'Folder Redirection' is much better than old school roaming profiles just for reference...
But yes do that to see...
Strange thing is you've said - XP on wireless is fine, Windows 7 on cable is fine, Windows 7 on wifi isn't...can't get my head round that...but for the sake of it disable the roaming profile just to test...
One other thing - on these machines that are slow...does anything show up in Event viewer? Normally it will complain about lack of connection to a DC or something...but with the 'Wait for network' set in the GPO this shouldn't be happening
Yes, batch files aren't needed anymore(least in any environment I work in these days, the GPO thing actually works on Windows 7!)
Nowadays in 2008 'Folder Redirection' is much better than old school roaming profiles just for reference...
But yes do that to see...
Strange thing is you've said - XP on wireless is fine, Windows 7 on cable is fine, Windows 7 on wifi isn't...can't get my head round that...but for the sake of it disable the roaming profile just to test...
One other thing - on these machines that are slow...does anything show up in Event viewer? Normally it will complain about lack of connection to a DC or something...but with the 'Wait for network' set in the GPO this shouldn't be happening
Yes, batch files aren't needed anymore(least in any environment I work in these days, the GPO thing actually works on Windows 7!)
ASKER
Thank you for such a quick response. Some good advise for me to follow !
Have just been checking some server logs from our Windows 2003/Windows 2008 servers (we have single domain with these 2 servers). Maybe coincidence but a lot of Kerberos errors suddenly showing up. Seem to be more warnings than actual errors. One of the warnings (event ID 29) is "KDC cannot find a suitable certificate to use for smart card logins, or the KDS certificate could not be verified" and the others are laptop specific (event ID 27) "while processing a TGS request for the target server krbtgt/<domain name>, the account <laptop name@domain> did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8)". There are a few of these last ones but certainly not one of each of the laptops that issues arise when the students try unsuccessfully to login.
Have just been checking some server logs from our Windows 2003/Windows 2008 servers (we have single domain with these 2 servers). Maybe coincidence but a lot of Kerberos errors suddenly showing up. Seem to be more warnings than actual errors. One of the warnings (event ID 29) is "KDC cannot find a suitable certificate to use for smart card logins, or the KDS certificate could not be verified" and the others are laptop specific (event ID 27) "while processing a TGS request for the target server krbtgt/<domain name>, the account <laptop name@domain> did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8)". There are a few of these last ones but certainly not one of each of the laptops that issues arise when the students try unsuccessfully to login.
Don't see KDC errors too often, but they are mainly related to when you have a CA(Certificate Authority) installed...I assume you aren't using certificates for auth for your laptops no?
Probably just a concidence in that case...if not someone else might comment on this one
If you were seeing errors for ALL laptops then we might have an issue...
Probably just a concidence in that case...if not someone else might comment on this one
If you were seeing errors for ALL laptops then we might have an issue...
ASKER
No we are not using certificates for authority on the laptops.
Cool, then might just be standard errors that will appear from time to time...
What about event viewer on the clients? Around the time of the logins mainly - see what they are saying
What about event viewer on the clients? Around the time of the logins mainly - see what they are saying
ASKER
This afternoon is next full login test of 30 laptops so will see what difference disabling roaming profiles might make and I will update accordingly.
FYI. Did have someone look at wireless infrastructure who has said I need to replace with an 'n-standard' infrastructure to resolve the issues and to give us future proofing when we want to start adding other devices. Proposing a virtual cell environment with "fair time airtime" option so a few clients can't hog what bandwidth there is. Seemed very confident that this would resolve issues.
FYI. Did have someone look at wireless infrastructure who has said I need to replace with an 'n-standard' infrastructure to resolve the issues and to give us future proofing when we want to start adding other devices. Proposing a virtual cell environment with "fair time airtime" option so a few clients can't hog what bandwidth there is. Seemed very confident that this would resolve issues.
Again that's back to my question on 'load' and your AP's...i.e. are they fit for the high number of clients all at same time...but see how the testing goes today cause if it still causes issues then we might be heading in that direction
Have you talked to Aruba at all? I'd expect their hardware to be decent...wonder if the AP's have any 'logs' to look at, might show something
Have you talked to Aruba at all? I'd expect their hardware to be decent...wonder if the AP's have any 'logs' to look at, might show something
ASKER
Enabling the 'auto wait on network login' option in the GPO and disabling roaming profiles definitely improved the situation.
Further improvement seems to have been made by making another change in regedit on the laptops in the key HKLM\Software\Microsoft\Wi
I created a new string value and entered the command
%comspec% /c netsh wlan connect name="<profile name>"
where profile name is the SSID of our wireless network.
It isn't perfect, we should be getting better speed that we are, so next step is testing with an n standard controller and AP''s, but the above has made the issue a little more bearable in the interim !
Great support and advise from smckeown777. Good suggestions also re. how I use profiles moving forwards.
Further improvement seems to have been made by making another change in regedit on the laptops in the key HKLM\Software\Microsoft\Wi
I created a new string value and entered the command
%comspec% /c netsh wlan connect name="<profile name>"
where profile name is the SSID of our wireless network.
It isn't perfect, we should be getting better speed that we are, so next step is testing with an n standard controller and AP''s, but the above has made the issue a little more bearable in the interim !
Great support and advise from smckeown777. Good suggestions also re. how I use profiles moving forwards.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I've requested that this question be closed as follows:
Accepted answer: 0 points for amandajgolf's comment #a39251812
for the following reason:
Enabling the 'auto wait on network login' option in the GPO and disabling roaming profiles definitely improved the situation.
Further improvement seems to have been made by making another change in regedit on the laptops in the key HKLM\Software\Microsoft\Wi
I created a new string value and entered the command
%comspec% /c netsh wlan connect name="<profile name>"
where profile name is the SSID of our wireless network.
It isn't perfect, we should be getting better speed that we are, so next step is testing with an n standard controller and AP''s, but the above has made the issue a little more bearable in the interim !
Great support and advise from smckeown777. Good suggestions also re. how I use profiles moving forwards.
Accepted answer: 0 points for amandajgolf's comment #a39251812
for the following reason:
Enabling the 'auto wait on network login' option in the GPO and disabling roaming profiles definitely improved the situation.
Further improvement seems to have been made by making another change in regedit on the laptops in the key HKLM\Software\Microsoft\Wi
I created a new string value and entered the command
%comspec% /c netsh wlan connect name="<profile name>"
where profile name is the SSID of our wireless network.
It isn't perfect, we should be getting better speed that we are, so next step is testing with an n standard controller and AP''s, but the above has made the issue a little more bearable in the interim !
Great support and advise from smckeown777. Good suggestions also re. how I use profiles moving forwards.
Think you closed this question out wrong @amandajgolf - you need to 'Accept Solution' not 'Close question'...
ASKER
Sorry about that. Did mean to choose 'Accept'
ASKER
Good support and advice, including suggestions about possible changes to profiles moving forwards.
Not a problem...glad to assist...if you do get more performance out of the 'n' switch let us know for the record anyways
Shane
Shane
Have you set the 'Wait for network at login' option using GPO? See link here...
http://technet.microsoft.com/en-us/magazine/gg486839.aspx
That's the first thing I'd try
The roaming profiles might be a load on the wireless as well - this just one AP in one room or what's your wireless setup like?