After moving to new domain controller getting issues with roaming profiles
HelloI recently moved to a new (single) domain controller and used dcpromo to promote the new domain controller and transferred the roles including schema master and then ran dcpromo on the old domain controller to demote it (after waiting for replication to complete).However since doing this opening and saving files such as Word documents is taking ages and also when new users log in for the first time after waiting at the welcome screen for about one minute they get the personalised settings screen showing in the top left saying "setting up personalised settings for Windows Desktop Update" and this just stays there for ages and ages. In the end (after about 15 minutes or more)it will either log in or go to a black screen with no taskbar etc.The share is set up as a DFS share so it is accessed via \\domain\users\user. Existing users can log in normally.Another strange thing is that this problem isonly happening on Windows 7 RTM and Vista but XP is fine - on XP new accounts log in fine??? Even the virtual xp instance in 7 works fine.It would seem as if the systems are having trouble locating the share for some reason although they do after thinking about it for a while and no errors are logged in event viewer on the server or the client except that login is taking a long time - which I know!I have done as much troubleshooting as I can and am out of ideas. This is what I have done so far:Checked theDNS settings for any references to the old domain controller - dns runs on the domain controllerChecked that DHCP and static PCs exiblit the same behaviour - they doChecked the NTFS permissions on the share and re-applied the permissions following Microsoft's recommend settings (system/user/domain admins have full access)Checked the share permissions (everyone and system have full access) and also re-applied theseDeleted the cached profile of a user who had logged in before and could log in quickly - the next time they tried to log in they got the Windows Desktop Update messageChecked event viewer on the client and server and could not see any issues except that the logon event took a long time!I'm thinking that there must be some reference to the domain controller somewhere but I don't know where.Everything was working fine and fast before I moved domain controllers.The new domain controller is a quad core with 8GB of ram so I can't think it could be struggling.Apart from reinstalling the whole domain I can't think what else to check. I'm sure it's something simple!Can anyone help?ThanksRobinRobin Wilson
August 9th, 2009 9:41pm

I did find a reference to the old computer in ADSI Edit:Configuation/Sites/Default-First-Site-Name/Servers/CN=Old Serveras well as one for the new server. I deleted the one which referenced the old server.However it did not help!I have also tried setting uo a new OU and applying a different folder redirection policy to it in the form of \\server\share and that did exactly the same proving that the problem does not lie in DFS (I suppose!)It took about 30 minutes to log in where it showed the personalization setting for "Windows Desktop Update for about 15 minutes then "Browser Customizations" for about five minutes and then all I had was the default windows background and then after another 10 minutes the taskbar appeared and it played the logon sound.The only warningsI have in event viewerare these (it was way off with the 129 seconds as well! - this was a new profile I had just created called user2):The winlogon notification subscriber <GPClient> is taking long time to handle the notification event (Logon).The winlogon notification subscriber <GPClient> took 129 second(s) to handle the notification event (Logon).Log-off was fast and subsequent logins were fast too. Until I try to log into another machine with the same account (where it does not have a cached profile)
Free Windows Admin Tool Kit Click here and download it now
August 9th, 2009 10:19pm

Hi, Thanks for your post. To better understand the issue, I would like to confirm whether you implement roaming profile or folder redirection in the environment. Can users log in normally if they dont use roaming profile or folder redirection? Meanwhile, please reproduce the issue on a Windows Vista or Windows 7 computer and collect the following for further research: Please export the Application, System, and User Profile Service Operational (for Windows 7 computer) events. Please run the command gpresult /Z > gpresult.txt to export the Resultant Set of Policy information. After that, please upload the information above to the following space: https://sftasia.one.microsoft.com/choosetransfer.aspx?key=05e296e1-9671-47c7-9642-5be39be7b1ab Password: zcsGl]ehkSKDk!Joson Zhou TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com
August 10th, 2009 12:46pm

Hello JosonThanks for your reply.I'm using folder redirection and not roamingprofiles(sorry I got these a bit mixed up in my previous post thinking they were the same thing).I have a policy which only applies the folder redirection which occurs on an organizational unit called RWS UsersIf domain accounts are not configured with folder redirection (not in that OU) then the login is a normal speed (around 4 seconds)Following are the folder redirection settings:AppData/Desktop/Documents/Favorites/Contacts/Downloads/Links/Searches/Saved Games are all redirected to \\domain.net\\users (DFS share)Pictures/Music/Videos are set to follow the documents folderThe domain has only been running for around a year in 2008functional leveland has always worked fine on the old domain controller until I decided to upgrade andmoved it.The AD Schema was extended for Exchange 2007, Windows Communications Server 2007 R2 and System Center Configuration Manager 2007 (I never managed to get this working and removed it)I will send you the logs from a computer with Windows 7 Ultimate on it which I set up two days ago in order to troubleshoot the issue. I did this in case there was some setting on the existing clients causing an issue. As soon as it logs on I will send you the logs.Thanks for your help!RobinRobin Wilson
Free Windows Admin Tool Kit Click here and download it now
August 10th, 2009 10:12pm

ThanksI've uploadedthe logs and the gpresult info to the link you provided.I noticed it said Domain Type:Windows 2000 in gpresult - is that correct?Apart from that I could not see any errors or warnings in the logs.I logged onto the pc locally and cleared the logs and removed all the cached profiles.Then I created a new profile called testuser with folder redirection and logged inAfter the account finally logged in I then logged off again and logged in with a roaming domain admin account and after that one finally logged in I sent you the logs and RSOPinfo.The only warning I can see is about registry handles being leaked but I doubt that would affect a new account on first log in, and the logoff speed is fine.The pc I used to test with is a new installation ofWindows 7Ultimate with nothing else installed on it (Dell Optiplex 330).Thanks for looking into this problem.Robin Robin Wilson
August 11th, 2009 1:12am

Hi, Thanks for the information. I have checked the logs and found that the Folder Redirection policy was applied smoothly. According to the events: 3:32:19 Received user logon notification 3:32:23 Successfully applied policy and redirected folder 3:32:24 The Group Policy settings for the user were processed successfully. According to the message Setting up personalized settings for: Windows Desktop Update, the system was configuring the local settings such as IE, etc for the user. I found that there is some IE policy applied to the user, I suggest that we temporarily un-link those GPOs. Meanwhile, please temporarily uninstall antivirus software (if there is one installed on the computer) and perform a clean boot to check if the issue goes away. To perform a clean boot, please follow the steps in the Step 1 section of the KB article (it also applies to Windows 7): How to troubleshoot a problem by performing a clean boot in Windows Vista http://support.microsoft.com/kb/929135 If the issue persists, please perform the following steps to enable debug log for further research: 1. Create the following two registry key paths and values on the Windows 7 computer: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Winlogon] "TracingControlLevel"=dword:ffffffff [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WinInit] "TracingControlLevel"=dword:ffffffff 2. Restart the computer. 3. Reproduce the issue. 4. Collect the "%systemroot%\system32\umstartup.etl" file that was created by the logging. 5. Upload the event logs and the umstartup.etl file to the space. I look forward to your response. Joson Zhou TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com
Free Windows Admin Tool Kit Click here and download it now
August 11th, 2009 1:38pm

Hello JosonI have found a major cause of the problem thanks to your help. I did have antivirus on the server which was Symantec Endpoint Protection 11 and this seemed to be mainly causing the issue as after removing this the login for a new profile jumped from taking half an hour to taking only minutes.What I can't understand though is that this same antivirus program was on the old domain controller so why could it be causing so many problems on this one when everything worked normally before. In both occasions I left out the firewall component and only installed antivirus and antispyware.I still think the system is a bit slow as a new account takes around 3 minutes to log in. This is obviously a vast improvement but is still slower than before on newer and faster hardware. I also have most of the GPOs disabled and selective startup so I'm expecting it to increase slightly more.I had worked through the other steps previously apart from modifying the registry on the Windows 7 client and none of those steps had made any difference. I disabled all gpos except the one for the printers and the one for the folder redirection.For the clean boot under startup I only had3 entries associated with theintel graphics card driver installed by windows update. Under non-microsoft services the list was empty.Out of interest I will do the registry edit now and send the results to you.Symantec EndPoint Protection was sold as being compatible with Windows Server 2008 and it would appear it still is: http://www.symantec.com/business/products/sysreq.jsp?pcid=pcat_security&pvid=endpt_prot_1Should I complain to them about this?I'm very grateful for all your help. I'd probably never have tried removing the antivirus as it worked before. I wonder why it didn't affect XP clients. Could it be some of the newer networking features triggering it? Or IPv6? - when the clients are trying to link to the profile.ThanksRobinEDIT***I've uploaded the .etl file but it only took 25 seconds to log in with a new profile which was already on the server but not cached on the client so I'm thinking this is pretty fast really so theremay beno need to troubleshoot further.All the clients have speeded up as well. Before when saving changes to a Word document the small box would appear on the screen saying it was attempting to connect to the network and things would randomly stop responding for a bit and lockup. This has solved all these problems as well.I will not be installing that antivirus program in a hurry again! Robin Wilson
August 12th, 2009 12:39am

Hi Robin, Thanks for your update. I am glad that the performance is much better now after you disabled Symantec Anti-Virus software. Actually, we handled some similar cases before where the logon process hangs at "setting up personalised settings for Windows Desktop Update". In some cases, the root cause is isolated to antivirus program. Based on my experience, when we create or read files, the antivirus program will try to scan them. That may cause performance issue. I am not sure why the issue only occurs on the new domain controller. However, as the problem went away after Antivirus software is disabled, it indicates that the antivirus software has affected the user logon operation. You may consider contacting Symantec to check if there is any update for the product. Thanks. If you have any further questions or concerns, please feel free to let me know. Joson Zhou TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com
Free Windows Admin Tool Kit Click here and download it now
August 12th, 2009 2:38pm

Hello JosonI am so relieved I found the cause thanks to your help.I actually experienced exactly the same issue just over a year ago and after troubleshooting it with a few people I ended up reinstalling the whole domain. I had had a beta version of server 2008 as a domain controller for a while and ended upputting it down tothat but I must have tried everything else except removing the SEP antivirus client over multiple weeks. I was very frustrated whenI saw the same issue occurring again. I can't be 100% sure it was the same issue but it was exactly the same symptoms as this timebut worse. It got to the point where everything slowed down so much that the taskbar would stall, windows would say it wasn't responding andpeople would end the task and be left with nothing but the background. All there was left to do was a hard reset of the client and then a wait of about 30 minutes to log in again.In case you are interested in what Symantec say on the issue I started a thread on the topic on the Symantec Forums: https://www-secure.symantec.com/connect/forums/after-install-domain-controller-profies-folder-redirection-take-30-minutes-log-first-timeThanks again!RobinRobin Wilson
August 13th, 2009 12:54am

Hi Robin, Thanks for your response. I have read your thread in the Symantec Forums. If you have any update or if you need further assistance on our site, please feel free to respond back. Have a nice day. Joson Zhou TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com
Free Windows Admin Tool Kit Click here and download it now
August 13th, 2009 5:38am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics