Roaming man profile, 2000 server and xp pro clients

Guest

We have around 300 clients logging into a domain with one of 12 accounts. All
profiles are mandatory roaming profiles located on one of 12 win 2000
servers, each at the physical location with the clients on 100 MB switched
networks. The entire network is within a 30 mile diameter connected by
separate T1s. We monitor the physical connections and bandwidth usage and
there is very low bandwidth consumption. The win 2000 AD master is here at my
physical location.

When a client system can't login I can terminal services to it and login to
the admin account, so I know it is not a physical hardware issue.
I have read through a few walkthroughs on how to set these profiles up, but
not one on how to deal with this problem on an existing network.

We continue to get an error message: Windows cannot locate the mandatory
roaming profile.
It used to load a temp desktop when it failed to get its profile, but that
allowed users to get past the security settings of the account so we renamed
all the profile folders on the 12 servers to .man. Then they just couldn't
login without sometimes rebooting 3-5 times or calling us to remote into them
and delete the cached profile folder, release the IP and reboot the computer.
We made sure all parent folders have read permission for the everyone
group--this solved 50% of the problem, but it still happens daily on many of
the computers.

Any more ideas?
 
Steve Duff [MVP]

The most frequent cause of this is a computer with a network adapter
driver that doesn't ready up or get an IP before the login screen appears.

This has become quite common in my experience with newer gigabit
Ethernet adapters or WPA Wi-Fi adapters and especially under
Windows XP which has an accelerated boot sequence.

You can usually detect if this is happening if you look at the sequence of
events logged at power-up in the workstation system event log.

One hard solution would be to disable cached credentials
on the workstation. This prevents users from logging in unless the
network connection is active at the time, and a functioning DC
can be located. When cached credentials are disabled and a DC
cannot be found to authenticate, you can't get past the login screen.

You can also try to fix this by installing dependencies in the services,
or updating network drivers, etc. Network chipset and wi-fi driver
developers have not done what they should to address this though,
and it can sometimes be quite maddening to nail down a solution
if this is your cause. With 300 users, asking them to wait a little
before logging on is not - in my view - a very workable option.

Also, note that you want to be VERY sure you have functioning
admin accounts with known passwords on the workstations if you
do elect to disable cached credentials through a registry hack or
policy. If you don't you can easily end up with a workstation that
cannot be logged into at all.

Steve Duff, MCSE, MVP
Ergodic Systems, Inc.
 
Guest

Thanks Steve,
Well, it's a few days later and there seems to be a consistent new behavior
poking its shadowy head up. The error message "Windows cannot locate the
mandatory roaming profile." seems to have disappeared and in its place is a
message "The system cannot log you on now because the domain HQ is not
available". Once the password has been entered 3 times OR you wait a few
minutes it will allow you to login.
 
Guest

<Chuckle> It is worth mentioning that what I did on 11/22/04 after receiving
your advice was to change the domain policy "Number of previous logons to
cache" from 10 to 0.
 
Guest

Here are some of the event viewer entries from an XP Pro client this morning
displaying this behavior:
----------------------------------------------
Event Type: Information
Event Source: Tcpip
Event Category: None
Event ID: 4201
Date: 11/27/2004
Time: 8:48:11 AM
User: N/A
Computer: CSSOPR1
Description:
The system detected that network adapter
\DEVICE\TCPIP_{BLAHBLAHBLAH-D8BE-434F-BE6B-BLAHBLAHBLAH} was connected to the
network, and has initiated normal operation over the network adapter.

----------------------------------------------
Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1003
Date: 11/27/2004
Time: 8:48:39 AM
User: N/A
Computer: CSSOPR1
Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address BLAHBLAHBLAH. The
following error occurred:
The semaphore timeout period has expired. . Your computer will continue to
try and obtain an address on its own from the network address (DHCP) server.

----------------------------------------------
Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5719
Date: 11/27/2004
Time: 8:48:42 AM
User: N/A
Computer: CSSOPR1
Description:
No Domain Controller is available for domain HQ due to the following:
There are currently no logon servers available to service the logon request.
..
Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

------------------------------------
Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1007
Date: 11/27/2004
Time: 8:48:49 AM
User: N/A
Computer: CSSOPR1
Description:
Your computer has automatically configured the IP address for the Network
Card with network address BLAHBLAHBLAH. The IP address being used is
169.254.208.31.

----------------------------------------
Event Type: Warning
Event Source: Server
Event Category: None
Event ID: 2504
Date: 11/27/2004
Time: 8:48:51 AM
User: N/A
Computer: CSSOPR1
Description:
The server could not bind to the transport
\Device\NetBT_Tcpip_{BLAHBLAHBLAH-D8BE-434F-BE6B-BLAHBLAHBLAH}.
 
Steve Duff [MVP]

This is exactly indicative of an adapter or adapter driver
that is not readying up before the logon screen appears.
I see it more and more, especially with newer gigabit
and wireless stuff. I struggle with it quite a bit.

You can sometimes fix this by manually adding service
dependencies in the registry, or getting a newer adapter driver
or firmware for the NIC. You can try diagnosing this by
inserting a different model of NIC.

If you have a managed network switch that supports "fast-link"
operation then you want to turn that on. This will reduce the
latency between when the adapter comes up and traffic
starts flowing. (What can happen with high-end switches
is that the first DHCP requests broadcast out before the
switch is able to forward them.) This problem is described
in this MS KB article:

http://support.microsoft.com/default.aspx?scid=kb;en-us;168455

You can also assign a static IP and see what difference
that makes. This eliminates the DHCP negotiation and
tightens the bootup - This usually will correct this problem, though
it obviously is less-than-desirable. You could try DHCP reservations
which might help, whilst still keeping a managed DHCP configuration.

Also, I should mention that there was a problem before XP SP1
which could cause the 1003 events -- I assume you are on SP1
or - preferably - SP2?

Steve Duff, MCSE, MVP
Ergodic Systems, Inc.
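
Added example, not part of any poster's message: the event sequence discussed in this thread (NETLOGON 5719 logged within seconds of Dhcp 1003 or 1007) checked automatically over a pasted Event Viewer listing in the layout shown above. The function names, the 120-second window, the abbreviated sample descriptions and the host WKS-EXAMPLE are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

FIELD = re.compile(r"^(Event Source|Event ID|Date|Time|Computer):[ \t]*(.+)$", re.M)
APIPA = re.compile(r"\b169\.254\.\d{1,3}\.\d{1,3}\b")  # self-assigned address, no DHCP lease

def parse_events(text):
    """Split a pasted Event Viewer listing on its dashed rules and extract key fields."""
    events = []
    for chunk in re.split(r"^-{5,}\s*$", text, flags=re.M):
        f = {k: v.strip() for k, v in FIELD.findall(chunk)}
        if not {"Event Source", "Event ID", "Date", "Time"} <= f.keys():
            continue  # separator debris or an incomplete entry
        when = datetime.strptime(f["Date"] + " " + f["Time"], "%m/%d/%Y %I:%M:%S %p")
        events.append({"when": when, "source": f["Event Source"], "id": int(f["Event ID"]),
                       "host": f.get("Computer", ""),
                       "desc": chunk.split("Description:", 1)[-1].strip()})
    return sorted(events, key=lambda e: e["when"])

def network_not_ready(events, window=timedelta(seconds=120)):
    """Flag NETLOGON 5719 errors that fall within `window` of a DHCP failure on the same host."""
    findings = []
    for e in events:
        if (e["source"].upper(), e["id"]) != ("NETLOGON", 5719):
            continue
        near = [d for d in events if d["source"].lower() == "dhcp"
                and d["host"] == e["host"] and abs(d["when"] - e["when"]) <= window]
        renew_failed = any(d["id"] == 1003 for d in near)
        apipa = [m.group() for d in near if d["id"] == 1007
                 for m in [APIPA.search(d["desc"])] if m]
        if renew_failed or apipa:
            findings.append({"host": e["host"], "when": e["when"],
                             "renew_failed": renew_failed, "apipa": apipa})
    return findings

def _entry(source, eid, time, desc, host="CSSOPR1"):
    return (f"Event Source: {source}\nEvent ID: {eid}\nDate: 11/27/2004\n"
            f"Time: {time}\nComputer: {host}\nDescription:\n{desc}\n")

# Constructed sample: abbreviated descriptions; WKS-EXAMPLE is a made-up control host.
SAMPLE = ("-" * 40 + "\n").join([
    _entry("Tcpip", 4201, "8:48:11 AM", "Adapter connected to the network."),
    _entry("Dhcp", 1003, "8:48:39 AM", "Not able to renew its address."),
    _entry("NETLOGON", 5719, "8:48:42 AM", "No Domain Controller is available."),
    _entry("Dhcp", 1007, "8:48:49 AM", "The IP address being used is 169.254.208.31."),
    _entry("NETLOGON", 5719, "2:15:00 PM", "No Domain Controller is available.", "WKS-EXAMPLE"),
])

if __name__ == "__main__":
    for hit in network_not_ready(parse_events(SAMPLE)):
        print(hit)
```

A 5719 error with no DHCP failure near it, like the control entry in the sample, is not reported; that case points away from adapter readiness.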
 
