Logon Scripts Fail if Connecting to Secondary DC

  • Logon Scripts Fail if Connecting to Secondary DC

    I'm running into a problem where once in a while a user will log in and their login scripts won't run. If this happens, I can run gpupdate /force and it will force them to log off and log back on and everything will work great. The next day they may have the same problem, or it may not be for a few days or weeks. It seems to happen to the same people for some reason, but lately there have been more users.

    I'm running 2 DC's - 2003 SP2 Servers with AD. Server A is our Primary and GC and Server B is our Secondary. The login scripts seem to not run when users logon to Server B. I checked the File Replication Services and both Servers are replicating and are up to date.

    Since the problem happens to the same user once it starts happening, I thought that maybe their SRV records are pointing to Server B and they continually have the problem. I don't know a lot about the SRV Records and DC Locator so I'm having a problem determining if this is the case. I don't think it is a slow link problem because we have a small and fast network.

    I didn't set up the GP originally and I just started about 9 months ago.

    The client machines do not have any error messages.

    Hope someone can help me out.

  • #2
    Originally posted by JLWin: "I'm running 2 DC's - 2003 SP2 Servers with AD. Server A is our Primary and GC and Server B is our Secondary."

    Always make sure you have at least two DC's that are GC's in case Server A ever goes down.

    You could try running DCDIAG.exe and NETDIAG.exe from the Windows 2003 support tools and see if any error messages appear.

    Michael
    Michael Armstrong
    www.m80arm.co.uk
    MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    • #3

      Just ran both tools and everything passed.

      • #4

        Hi,

        Open Computer Config\Administrative Templates\System\Logon

        Enable "Always wait for the network at computer startup and logon" and see the result.

        Thanks,
        Kapil Sharma
        ~~~~~~~~~~~~~
        Life is too short, Enjoy It.

        • #5

          I was looking at that policy yesterday too, I'm glad I got some verification that it could be the problem. I changed it this morning, now I will just wait for results. The only question now is, why does it always happen when it connects to the secondary server and not the primary?

          Also, we are running Roaming Profiles here (forgot to mention that). And once in a while when we do get the drives not mapping problem, explorer.exe doesn't start up and they get a blue screen. I have to use task manager to start up explorer.exe or they restart their machine again.

          Thanks so much! JL

          • #6

            This sounds like a permissions problem to me. Check the permissions on the Netlogon and Sysvol shares on the second DC.

            • #7

              Permissions could be something. It looks like the Netlogon share (or scripts) is the same with "Everyone" with Full rights (shouldn't it be Admin with Full and Authenticated Users with R,E,L?). The SYSVOL folder, however, was different (should this matter because it is not the share?). Here are the settings.

              On the Top Level - E:\
              My Primary had "Everyone" with Full rights
              My Secondary had Admin - full, Everyone - Special, Domain Admin - full, System - full, Users - R,E,L

              Then on SYSVOL Folder
              My Primary was different from my Secondary because it was missing Domain Admin - Full, Users - R,E,L, but they both had Admin with Full and Authenticated Users with R,E,L

              Then my sysvol Share inherited from the SYSVOL.

              Boy, did anyone follow me...it has been a long day :-\

              • #8

                Here are my permissions:

                Netlogon:
                Share=Admin&FULL - Everyone&READ

                NTFS=Admin&FULL - Authenticated Users&READ,READ&EXECUTE,LIST FOLDER CONTENTS

                Sysvol:
                Share=Admin&FULL - Authenticated Users&FULL - Everyone&READ

                NTFS=Admin&FULL - Authenticated Users&READ,READ&EXECUTE,LIST FOLDER CONTENTS

                • #9

                  I'm assuming your logon scripts are set from your GPO because of your symptoms of getting a blue screen and no explorer shell. GPO based logon scripts are stored in the Sysvol share whereas legacy logon scripts are stored in the Netlogon share. Users must have appropriate permissions to both the Netlogon and Sysvol shares in order to log on and apply GPO settings.

                  You can run gpresult against one of your users and see if anything is being blocked and also if you have any policy events that point to the problem.

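Added example, not part of any post in this thread: posts #6 to #9 suggest checking permissions on the Netlogon and Sysvol shares of both DCs, and this PowerShell script compares the NTFS ACLs of the two share roots and lists allow entries that give broad groups write access. `ServerA` and `ServerB` are placeholder names for the two domain controllers, and the script assumes PowerShell 2.0 or later on an administrative workstation with read access to both shares.

```powershell
# Added example: compare NTFS ACLs on SYSVOL and NETLOGON across two DCs.
# 'ServerA' and 'ServerB' are placeholders for the two domain controllers.
$dcs    = 'ServerA', 'ServerB'
$shares = 'SYSVOL', 'NETLOGON'
# Broad principals that should not hold write access to logon-script locations.
$broad  = '(^|\\)(Everyone|Authenticated Users|Users|Domain Users)$'

function Get-ShareAce {
    param([string]$Server, [string]$Share)
    # Reads the NTFS ACL of the share root over UNC. Share-level permissions
    # are a separate layer and are not covered here.
    $acl = Get-Acl -Path "\\$Server\$Share" -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        New-Object psobject -Property @{
            Server   = $Server
            Share    = $Share
            Identity = $ace.IdentityReference.Value
            Type     = $ace.AccessControlType.ToString()
            # Generic rights can render as a number and are not decoded here.
            Rights   = $ace.FileSystemRights.ToString()
        }
    }
}

foreach ($share in $shares) {
    try {
        $a = @(Get-ShareAce -Server $dcs[0] -Share $share)
        $b = @(Get-ShareAce -Server $dcs[1] -Share $share)
    } catch {
        Write-Warning "Could not read $share ACL: $($_.Exception.Message)"
        continue
    }

    # ACEs present on only one DC ('<=' = first DC only, '=>' = second DC only).
    $diff = Compare-Object $a $b -Property Identity, Type, Rights
    if ($diff) {
        Write-Output "${share}: NTFS ACLs differ between $($dcs[0]) and $($dcs[1])"
        $diff | Format-Table Identity, Type, Rights, SideIndicator -AutoSize
    } else {
        Write-Output "${share}: NTFS ACLs match on both DCs"
    }

    # Allow ACEs granting write-capable rights to broad groups on either DC.
    @($a) + @($b) | Where-Object {
        $_.Type -eq 'Allow' -and $_.Identity -match $broad -and
        $_.Rights -match 'FullControl|Modify|Write'
    } | Format-Table Server, Identity, Rights -AutoSize
}
```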


                  • #10
                    I was not aware of that tool. When I ran it, I found that both servers are working. I tried several machines and some pull from the Primary and some from the Secondary. Maybe the issues weren't server related.

                    We are using GP to roll out our scripts, but our Scripts are in the "scripts" folder beneath sysvol. You are referring to the Netlogon Share as the Scripts Share, aren't you?

                    Our Secondary Server is busy with other tasks and our Primary is only meant for AD and GP. There is no way our Primary is busy all the time (we have a small company), so why do some machines go after the Secondary instead? All of the local settings are set to go to the Primary. Is there a command I can use or a GP I can change/add that will release the Secondary?

                    Thanks so much for your help. I know this is going off track a little.

                    • #11

                      Looking for answers on this myself. Would like to know if there is a way of controlling which Domain Controller a client Machine logs onto?

                      - Will start a new thread
