2008R2 Remote Desktop Server Profile Problems

Posted on 2014-11-06
Last Modified: 2014-12-23
We have 4 Windows 2008 R2 servers set up with RDS (session host, license manager etc).
Two are physical servers, one is a virtual ESXi 5.5 that was migrated from a physical, and one is a virtual ESXi 5.5 built from scratch.  All of them are having the same problems.

I can log in locally with a domain admin to the servers with no problems.  (note - domain admin account does not have a roaming profile)

Users have a "Remote Desktop Services User Profile" specified in their account: EX: "\\ct01\root\RProfiles\JFanguy"

When I log in with either an existing domain user or a new one all goes swimmingly and the TS roaming profile is created on the share and the login time is a matter of seconds. All the network drives are available.  User is able to interact with file shares on our FILE server with no problems.

First time the user Logs off the remote desktop server is fine.

However, on any subsequent logoff the process hangs (sometimes for hours or until I physically power off the server) on the "Please wait for the User Profile Service" and when rebooted the event viewer shows their profile wasn't fully synchronized.

The errors in event viewer are:

Some version of Event 1530:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.  

 3 user registry handles leaked from \Registry\User\S-1-5-21-2000478354-1801674531-725345543-2662:
Process 668 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2000478354-1801674531-725345543-2662\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Process 2372 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2000478354-1801674531-725345543-2662\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Process 1728 (\Device\HarddiskVolume1\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-2000478354-1801674531-725345543-2662\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

about 1 minute later:
Event ID 6005 - The winlogon notification subscriber <Profiles> is taking long time to handle the notification event (Logoff).

Here is where it hangs on "Please Wait for the User Profile Service" - most of the time I have to physically power off the remote desktop server.

When it reboots, I see a bunch of these:

Event ID 1509 - Windows cannot copy file C:\Users\JFanguy\ntuser.dat to location \\ct01\root\RProfiles\jfanguy.V2\ntuser.dat. This error may be caused by network problems or insufficient security rights.

 DETAIL - The network path was not found.

Event ID 1509 -Windows cannot copy file C:\Users\JFanguy\ntuser.ini to location \\ct01\root\RProfiles\jfanguy.V2\ntuser.ini. This error may be caused by network problems or insufficient security rights.

 DETAIL - The specified network name is no longer available.

Event ID 1534 - There are too many profile copy errors. Refer to the previous events for details. Windows will not log any additional copy errors for this copy process.

Event ID 1504 - Windows Windows cannot update your roaming profile completely. Check previous events for more details.

Once logged in the user can access all the shares and indeed clicking on the link produced in Event ID 1509 takes you to the correct location. I'm pretty sure the permissions are correct on the share (the profile creates initially after all). We have Dfs in operation but even on a non Dfs share this occurs.

Logging off again hangs at the User Profile Service and then gives a message about partially synchronizing before logging off.

If I delete all trace of the TS roaming profile locally and at the share then the process starts again with a good initial login and logoff and hangs on subsequent logoffs.

Anyone come across this behavior before? DNS seems ok as far as I can tell.
I worked 6 hours with Microsoft yesterday, all they did was work on "scoping" the case - no actual help.

Note: 3 weeks ago, we migrated our physical file server (which houses the roaming profiles) to ESXi 5.5 Virtual.
This is the only thing I can think of that all of our 4 remote desktop servers have in common.

All 5 servers (file and remote desktop servers) have these settings:

TCP Global Parameters
Receive-Side Scaling State                    : disabled
Chimney Offload State                          : disabled
NetDMA State                                         : enabled
Direct Cache Acess (DCA)                      : disabled
Receive Window Auto-Tuning Level    : disabled
Add-On Congestion Control Provider  : ctcp
ECN Capability                                          : disabled
RFC 1323 Timestamps                            : disabled

TCP Window Scaling heuristics Parameters
Window Scaling heuristics               : disabled
Qualifying Destination Threshold  : 3
Profile type unknown                       : normal
Profile type public                             : normal
Profile type private                           : normal
Profile type domain                          : normal

Any help appreciated
Question by:BFanguy

Expert Comment

ID: 40429802
Do they really own their roaming profile folders? Because this sounds like a permissions problem.

In a roaming profile situation, the "normal" permission set most commonly used is:
Share permissions - Everyone:Full Control
NTFS permissions at the "root" folder are:
Either Users or Authenticated Users:Read [This folder and files, sub-folders and files]
System:Full [This folder and files, sub-folders and files]
Administrators:F [This folder and files, sub-folders and files]
Creator Owner:Create Folder/Append Data [This folder only]
Creator Owner:Full [Sub-Folder and Files]

This allows them to create the roaming profile directories on the fly and they will own it.

If this is not allowable, then you can precreate the directories for your users (don't forget the .v2 at the end of the path!) and assign the permissions you want (but your users really need Modify at least) for their folders. Now, they will not own their folders, so you need to enable the Group Policy to tell the system not to check for ownership of the roaming profile directory.  (Or you can use takeown.exe to give them ownership)


Author Comment

ID: 40433063
Thank you Coralon, I have made the changes you suggest and will monitor for a couple of days.


Expert Comment

ID: 40433999
I did make one mistake.. the User/Authenticated Users should be "This Folder only".. It's easy enough to strip it out after the fact.

In the root folder, just cacls . /e /t /r users (or authenticated users) and then cacls . /e /g "authenticated users":r or do it graphically.


Author Comment

ID: 40439994
no matter how many times I try this will not stick:

Creator Owner:Create Folder/Append Data [This folder only]

i.e.  once I apply, it goes away.

Author Comment

ID: 40440046
can't I just add that permission to users?

Author Comment

ID: 40440173
I have followed these instructions but when a new user logs on and then off, it creates the folder and subfolders, but administrators have no permission to even open their folder.  "You have been denied permission to this access this folder".    I have to take ownership of the folder, push down the permissions and then change owner back to the user.

What am I doing wrong?

Accepted Solution

Coralon earned 500 total points
ID: 40441561
If the Creator Owner is not sticking, then something is wrong.. some other set of permissions is being inherited and pushing itself down, or some automated task is stripping them.

There is also a group policy to add Administrators to the profile directory permissions, which will automatically add the Administrators permission.  It is under “Computer Configuration|Policies|Administrative Templates|System|User Profiles”.  The name of it is Add the Administrators security group to roaming user profiles.  

What you should see is that your user's directories are owned by them, and their accounts have full control of their directories.  
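
An added example (not from the thread) that sets the root-folder ACL discussed above and then audits that each profile folder is owned by its user, for PowerShell 3.0 or later. It assumes the placeholder path `D:\RProfiles` and gives the create-folder right to Authenticated Users on the root only, because a CREATOR OWNER entry applies only to child objects created afterwards.

```powershell
# Added example, not from the thread. $ProfileRoot is a placeholder path.
$ProfileRoot = 'D:\RProfiles'
$both = 'ContainerInherit,ObjectInherit'

# identity, rights, inheritance flags, propagation flags
$wanted = @(
    @('NT AUTHORITY\SYSTEM',    'FullControl', $both, 'None'),
    @('BUILTIN\Administrators', 'FullControl', $both, 'None'),
    # CREATOR OWNER only takes effect when inherited: subfolders and files only
    @('CREATOR OWNER',          'FullControl', $both, 'InheritOnly'),
    # this folder only: users can read the root and create their own folder
    @('NT AUTHORITY\Authenticated Users', 'ReadAndExecute,CreateDirectories', 'None', 'None')
)

$acl = Get-Acl -Path $ProfileRoot
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited ACEs
$acl.Access | Where-Object { -not $_.IsInherited } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }
foreach ($w in $wanted) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $w[0], $w[1], $w[2], $w[3], 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $ProfileRoot -AclObject $acl

# Audit: each profile folder (name or name.V2) should be owned by that user.
Get-ChildItem -Path $ProfileRoot -Directory | ForEach-Object {
    $expected = $_.Name -replace '\.V\d+$', ''
    try {
        $owner = (Get-Acl -Path $_.FullName -ErrorAction Stop).Owner
    } catch {
        # Expected when Administrators are not on the folder's ACL
        $owner = '<access denied>'
    }
    [pscustomobject]@{
        Folder  = $_.Name
        Owner   = $owner
        OwnerOk = (($owner -split '\\')[-1] -eq $expected)
    }
} | Format-Table -AutoSize
```

Rows with `OwnerOk` false or `<access denied>` are the folders to check against the ownership and Administrators-group policy settings mentioned in this answer.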


Author Comment

ID: 40442469
We moved the roaming profile folders to 2012R2.  The Administrators group contains Domain Admins, but in 2012R2 you don't get access to folders owned by someone else, so I had to set up a different local group and put Domain Admins in that group and add that group instead of Administrators.   2012R2 UAC is what was affecting this (even though I had it turned off).
