Some Windows clients cannot bind to the domain (extended error has occurred)

    Question

  • Background Information:
    We have 8 different buildings: 7 branch offices and our headquarters. Each location is an AD site on the same domain with its own subnet and DC. Each DC in each site handles DNS and DHCP for the clients in the building. Some of the users at the site have their Desktop and My Docs folders redirected via Group Policy to a file server at our main headquarters (all sites are connected by 1GB fiber WAN).

    The Issue:
    I started to see errors on two computers at two different sites. When the user logged in first thing in the morning they received error messages saying "An Extended Error Has Occurred." Their "My Docs" and Desktops were not being redirected as usual. When trying to access networked resources such as mapped drives or shares the connection fails saying "\\server is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have permission to access." In the event logs for the computer, I see Events 1006 USERENV (Windows cannot bind to domain (invalid credentials)) as well as Events 1030 USERENV (cannot query group policy objects).

    Edit:

    2 additional errors that may be of help:  Events 40961 SPNEGO (Negotiator)

    "The Security System could not establish a secured connection with the server LDAP/server.DOMAIN.local.  No authentication protocol was available." AND "The Security System could not establish a secured connection with the server ldap/server.DOMAIN.local/DOMAIN.local@DOMAIN.LOCAL.  No authentication protocol was available."

    When the user logs on from a different computer everything works fine, so it is not a problem with the user account. And when I log in with my domain administrator account from the affected computers it also works without any trouble. We tried deleting the user profile and recreating it again from scratch and that did not work. We rejoined the computer to the domain as well and that did not fix it. We checked for cached credentials and there are none. The only way we've found to fix the problem is to completely re-image / rebuild the computer from scratch. The Domain Controllers at each site have no peculiar events in their logs indicating any problems.

    Recent Changes:
    We did make some changes to the domain recently right before we saw these errors start cropping up. At our main site, we had a 2003 DC that held all our FSMO roles. I installed a brand new 2008 R2 DC (after prepping the domain and forest) and after 2-3 weeks of it being in service, I moved all the FSMO roles to it. They moved successfully and we're still running on the 2003 forest / domain level. Also, there do not seem to be any errors in the new DC's event logs that would indicate any issues.

    Any thoughts on what is happening and what can be done to fix it (aside from rebuilding machines from scratch?)


    • Edited by Enable Hibernation Friday, February 17, 2012 3:54 PM
    • Moved by Tiger Li Monday, February 20, 2012 3:52 AM (From:Network Infrastructure Servers)
    Friday, February 17, 2012 3:38 PM

Answers

  • Arthur,

    I have tried all suggestions provided and the only solution that worked was to rebuild the affected systems. I will note, however, we have not seen this problem again and it was only these two machines. I suspect it was just some type of corruption.

    I appreciate everyone's help!

    Wednesday, February 29, 2012 2:42 PM

All replies

  • Hello,

    any DNS changes made also during that time?

    I assume all machines use ONLY the domain DNS servers on the NIC, and that the machines at the sites also list another one, so in case their own DNS is down they are able to log on with another DNS server providing the DC name?

    Windows server 2008 R2 has a builtin firewall, so is this active and used?

    Please check replication and also the domain/DCs with the support tools; if you would like us to have a look as well, please upload the following files:

    ipconfig /all >c:\ipconfig.txt [from each DC/DNS Server]
    dcdiag /v /c /d /e /s:dcname >c:\dcdiag.txt
    repadmin /showrepl dc* /verbose /all /intersite >c:\repl.txt  ["dc*" is a placeholder for the starting name of the DCs if they all begin the same (if more than one DC exists)]
    dnslint /ad /s "DCipaddress" (http://support.microsoft.com/kb/321045)


    As the output will become large, DON'T post it into the thread; please use Windows SkyDrive (skydrive.live.com) [with open access!] and add the link here. Also, the /e in dcdiag scans the complete forest, so better run it on COB.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.


    Friday, February 17, 2012 4:11 PM
  • Yes, there were some DNS changes made during this time. The new 2008 R2 DC was generating some errors that pointed to _MSDCS in the DNS configuration. It was still located under the domain.local zone. I moved it to be its own forward look-up zone.

    Also, I did notice something potentially relevant: there were only two computers experiencing this problem so far, and each was located in a different building. When I looked closely at the DC's configuration for DNS at each site, both DCs had been configured in their network settings to point to a DC other than itself as the primary DNS server. All other DCs were pointing at themselves first, and then had another DC as secondary. I'm wondering if that has something to do with it. I have changed them just now and will see if this helps.

    Friday, February 17, 2012 5:08 PM
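    As an added example (Python written for this page, not something posted in the thread), here is an offline check over the `ipconfig /all` text files Meinolf asked for. It parses each DC's output and reports what the poster found by hand: whether a DC lists itself (or 127.0.0.1) as its first DNS server, whether it has a second one, and whether every entry, on a DC or on a client, is a domain DNS server. The host names, adapter details and IP addresses in the two sample outputs are constructed to fit the posted site ranges; they are not the thread's real files.

```python
import re

# Constructed 'ipconfig /all' excerpts (not the thread's real files). The IPs
# for WWDC1/HSDC3/SSDC1/MSDC1 are assumptions that fit the posted site ranges.
IPCONFIG_WWDC1 = """
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WWDC1
   Primary Dns Suffix  . . . . . . . : WPS.local

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 172.20.97.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.20.97.1
   DNS Servers . . . . . . . . . . . : 172.20.97.10
                                       172.20.33.10
"""

# The misconfiguration the poster found: primary DNS points at another DC.
IPCONFIG_SSDC1 = """
Windows IP Configuration

   Host Name . . . . . . . . . . . . : SSDC1
   Primary Dns Suffix  . . . . . . . : WPS.local

Ethernet adapter Local Area Connection:

   IP Address. . . . . . . . . . . . : 172.20.129.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.20.129.1
   DNS Servers . . . . . . . . . . . : 172.20.17.10
                                       172.20.129.10
"""

# Every DC/DNS server address in the domain (assumed, from the samples above).
DC_DNS_IPS = {"172.20.97.10", "172.20.33.10", "172.20.129.10", "172.20.17.10"}

KEY_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 -]*?)[ .]*:\s*(.*)$")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}")


def parse_ipconfig(text):
    """Return host name, the machine's IPv4 addresses and its DNS server list
    in the order Windows tries them. Handles the 2003 'IP Address' and the
    XP/2008 'IPv4 Address ... (Preferred)' spellings and the indented
    continuation lines under 'DNS Servers'."""
    cfg = {"host": None, "addresses": [], "dns_servers": []}
    current_key = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current_key, value = m.group(1), m.group(2).strip()
            if current_key == "Host Name":
                cfg["host"] = value
            elif current_key in ("IP Address", "IPv4 Address"):
                ip = IP_RE.match(value)
                if ip:
                    cfg["addresses"].append(ip.group(0))
            elif current_key == "DNS Servers":
                ip = IP_RE.match(value)
                if ip:
                    cfg["dns_servers"].append(ip.group(0))
            continue
        # Continuation line: a bare IP indented under the previous key.
        value = line.strip()
        if current_key == "DNS Servers" and IP_RE.match(value):
            cfg["dns_servers"].append(IP_RE.match(value).group(0))
    return cfg


def check_dns_order(cfg, dc_dns_ips, is_dc=True):
    """Findings for one machine's DNS client settings.
    DC: the first entry must be itself (or 127.0.0.1), a second entry must
    exist, and every entry must be a domain DNS server. Client: every entry
    must be a domain DNS server (no ISP or router DNS on the NIC)."""
    host = cfg["host"] or "?"
    dns = cfg["dns_servers"]
    if not dns:
        return [f"{host}: no DNS servers configured"]
    own = set(cfg["addresses"]) | {"127.0.0.1"}
    findings = []
    if is_dc and dns[0] not in own:
        findings.append(f"{host}: primary DNS {dns[0]} is another server, not itself")
    if is_dc and len(dns) < 2:
        findings.append(f"{host}: no secondary DNS server; logon fails if its own DNS is down")
    for ip in dns:
        if ip not in dc_dns_ips and not (is_dc and ip in own):
            findings.append(f"{host}: {ip} is not a domain DNS server")
    return findings
```

    Run it over one collected file per DC, `check_dns_order(parse_ipconfig(open(path).read()), DC_DNS_IPS)`; a non-empty list marks a DC whose DNS order needs changing, the condition the poster corrected on two DCs. For client captures pass `is_dc=False` to answer Meinolf's question about non-domain DNS servers on the NIC.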
  • I just posted the first few documents to skydrive that you requested. Here's the link:

    https://skydrive.live.com/#cid=ABFFBE41CFB91C83&id=ABFFBE41CFB91C83!111
    Friday, February 17, 2012 7:25 PM
  • It appears there are some replication problems. Could be caused by one or two things:

    .

    1. Firewall blocks. Use PortQry GUI version to determine if there are any blocks. More info:

    Active Directory Firewall Ports - Let's Try To Make This Simple
    http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx 

    .

    2. Duplicate DNS zones. This could have happened by someone creating the one on a new DC in another location after a promotion, not realizing that the zone will auto-appear after replication. There are other possibilities. Let's check to eliminate this as a possible cause.

    Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones
    Published by Ace Fekay, MCT, MVP DS on Sep 2, 2009
    http://msmvps.com/blogs/acefekay/archive/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones.aspx

    .

    Ace

    .


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Saturday, February 18, 2012 6:36 PM
  • Hi,

    I would like to confirm what the current situation is. If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help.

    Regards,

    Arthur Li
    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

    Monday, February 20, 2012 8:02 AM
    Moderator
  • Windows firewall is turned off, and there are no duplicate DNS zones (I just checked using ADSIedit suggested by your link.)

    Monday, February 20, 2012 4:02 PM
  • What's the client OS/SP level? Have you verified that http://support.microsoft.com/kb/885887 does not apply in your case?

    hth
    Marcin

    Monday, February 20, 2012 4:15 PM
  • It's XP SP3, not SP2 so that doesn't apply.

    The part I'd like to emphasize is that it only affects 1 user on the system. If that user logs into any other computer in her office, everything works fine. If anyone else logs into her computer it works fine. This of course makes us think it had to do with that one user's profile on the affected machine. So we deleted the profile, checked for cached credentials, removed it from the domain and rejoined it, and so on. But none of that worked. The only thing that worked (the last time this happened a few days before on a different user's computer at a different building) was to blow-out the system completely and re-image it from scratch.

    Monday, February 20, 2012 4:48 PM
  • Have you tried increasing the MaxTokenSize (details at http://blogs.technet.com/b/shanecothran/archive/2010/07/16/maxtokensize-and-kerberos-token-bloat.aspx )?

    I understand that the behavior is not consistent for a given user/computer - nevertheless, as long as the user's token size is within the range that could introduce this problem - you might want to give it a try. Another option to consider is described in http://support.microsoft.com/kb/244474

    hth
    Marcin

    Monday, February 20, 2012 5:04 PM
  • Imaging? Have the images been Sysprepped? If not, that could be the problem.

    Ace Fekay

    Monday, February 20, 2012 5:06 PM
  • I will try the token size suggestion, thanks. I do not have access to the client system until tomorrow so I will return then with a result. I will also try the TCP / UDP suggestion you listed as well.
    Monday, February 20, 2012 5:16 PM
  • Not the likely issue, here. The two computers that this problem has affected have been in service for years with the same users. In fact, all the systems we use (1000+) are all deployed from images. I'm not the one doing the deploying so I can't say for sure, but there have never been any other issues with that.
    Monday, February 20, 2012 6:18 PM
  • Kind of surprised that you may have over 1000 computers with identical SIDs. I kind of doubt it and have a feeling that the deployment folks sysprepped them.

    See if Marcin's suggestion works. Curious, and this may be unrelated, but I'm looking at all avenues. Are you using UPHClean?

    Download: Info & download on User Profile Hive Cleanup Service.
    http://www.microsoft.com/download/en/details.aspx?id=6676

    You experience log off problems on a Windows XP-based, Windows Server 2003-based, Windows 2000-based, or Windows NT 4.0-based computer
    http://support.microsoft.com/kb/837115

    .

    How about the clocks? Are they synced (within 5 minutes) on that computer with the computer/user's logon server? To find the DC that logged it on:
    echo %logonserver%

    Any errors in the client's event logs? The DCs logs?

    .

    Ace



    Tuesday, February 21, 2012 6:13 AM
  • Thanks for all the suggestions and help thus far, Ace. I have the computer in front of me and I am about to try the latest suggestions. I'll let you know shortly if I find anything.

    EDIT:  I went to the building where the computer was located and brought it back to my office so I could work on it. I logged in with the user's account and everything is working perfectly fine again. Same computer, same account, same profile... the difference today is that it is physically located in a different site authenticating against a different DC.

    So it must be a problem with that DC? But what would the problem be that only affects one user account on one PC? I am looking at ADUC on that DC and it looks the same as it does on the current DC where it is now working properly. Any thoughts?

    Tuesday, February 21, 2012 3:17 PM
  • More details!

    I rebooted the computer and the account no longer works again here at the new location! This is the same result we experienced when deleting the user profile the last time we had this problem on the other machine: the first login after doing so was a success, the second login attempt later on caused the errors to start again.

    Tuesday, February 21, 2012 4:04 PM
  • Hive Clean-Up Service:  No help

    MaxToken Size (suggested by Marcin):  No help

    Tuesday, February 21, 2012 4:19 PM
  • Enable Netlogon debug logging and post the outcome

    http://support.microsoft.com/kb/109626

    hth
    Marcin


    Tuesday, February 21, 2012 4:22 PM
  • The results from the log files are posted here as "netlogon2"

    https://skydrive.live.com/#cid=ABFFBE41CFB91C83&id=ABFFBE41CFB91C83!111

    I can clearly see a difference between the successful login with one account compared to the login of the account that is having problems. I am not sure what the results MEAN, though. Hopefully you can shed some light on it for me.

    Tuesday, February 21, 2012 5:02 PM
  • I just posted a full copy of the logs in the same spot called "Netlogon.log" instead of just the truncated version.

    Tuesday, February 21, 2012 6:54 PM
  • When you tested this, did you restart the computer, then log on the "good" user, then restart and try to log on the "bad" user, or did you try it in succession without restarting? If you didn't restart, which user was the first try?

    A couple of things stand out:

    02/21 11:44:00 [SITE] DsrGetSiteName: Site name 'West' is old. Getting a new one from DC.

    Can you describe your AD site configuration in detail, please?

    • List the number of sites and the DCs in each site (check the Sites and Services console for the servers list)
    • IP subnet objects associated with them,
    • Their subnet masks or network bits
    • Any IP subnets not associated with any sites.

    .

    Good user:
    02/21 11:46:47 [MISC] WPS: DsrEnumerateDomainTrusts: Domain List collected from \\wsdc1.WPS.local

    Bad user:
    02/21 11:43:44 [MISC] DsrEnumerateDomainTrusts: returns: 0

    .

    The DsrEnumerateDomainTrusts enumeration returns a 0. Therefore, comparing the two, the "good" user is able to enumerate the DsrEnumerateDomainTrusts from \\wsdc1.WPS.local, but the "bad" user can't. As if it's a DNS resolution problem for that user account?

    .

    Does the user account that's having the problem have a GPO linked to its OU (the account's location) that differs from the user that is not seeing the problem, or is it restricted somehow with a denial anywhere, or anything at all different that you are aware of? How about its AD account properties? Logon To restrictions? Is the account set as trusted for delegation, or anything different?

    .

    Turn on userenv logging. It will be rather large, but post it to SkyDrive, and in the meantime, while one of us gets a chance to take a look at it, look for anything that seems amiss.

    221833 How to Enable User Environment Debug Logging in Retail Builds of Windows
    http://support.microsoft.com/?id=221833

    .

    One last thing, and it may or may not apply, but do you see Event ID 2042 on any of the DCs? Dcdiag shows some vector errors, and they may or may not be replicating, but the best way is to see if this event exists. If you do find it on a specific DC, run repadmin /showrepl on it to see if it reports an 8614 error.

    .

    Sorry for all the info and questions. It's kind of difficult nailing it down when it's happening to one user and not another.

    .


    Ace Fekay

    Tuesday, February 21, 2012 7:46 PM
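    Added example, not from the thread: a Python parser for the Netlogon.log excerpts posted to SkyDrive that does Ace's good-versus-bad comparison mechanically. Given two time windows it reports whether DsrGetSiteName found a stale site name, which DC the trust list was collected from, and every API status code in the window. The status numbers are decoded because Netlogon.log records Win32/NET API codes, in which 0 is NERR_Success and the informative values are the non-zero ones such as 1355 (ERROR_NO_SUCH_DOMAIN) or 1311 (ERROR_NO_LOGON_SERVERS). The sample log is constructed around the three lines quoted above; the SamLogon and DsGetDcName lines, the user name and the PIDs are assumptions.

```python
import re
from collections import namedtuple

# Constructed Netlogon.log excerpt built around the three lines quoted in the
# thread. The SamLogon and DsGetDcName lines, the user name and the PIDs are
# assumed for the example, not taken from the real log.
NETLOGON_LOG = r"""
02/21 11:43:40 [LOGON] WPS: SamLogon: Network logon of WPS\jsmith from WS-SHAW01 Entered
02/21 11:43:44 [MISC] DsrEnumerateDomainTrusts: returns: 0
02/21 11:44:00 [SITE] DsrGetSiteName: Site name 'West' is old. Getting a new one from DC.
02/21 11:44:01 [MISC] DsGetDcName function called: client PID=1340, Dom:WPS Acct:(null) Flags: DS GC
02/21 11:44:01 [MISC] DsGetDcName function returns 1355: client PID=1340, Dom:WPS Acct:(null) Flags: DS GC
02/21 11:46:47 [MISC] WPS: DsrEnumerateDomainTrusts: Domain List collected from \\wsdc1.WPS.local
02/21 11:46:48 [MISC] DsGetDcName function returns 0: client PID=1412, Dom:WPS Acct:(null) Flags: DS
"""

Entry = namedtuple("Entry", "date time category message")
LINE_RE = re.compile(r"^(\d\d/\d\d) (\d\d:\d\d:\d\d) \[(\w+)\] (.*)$")
# Matches both 'DsrEnumerateDomainTrusts: returns: 0' and
# 'DsGetDcName function returns 1355: ...'.
RETURNS_RE = re.compile(r"(\w+):? (?:function )?returns:? (\d+)")
TRUST_SRC_RE = re.compile(r"DsrEnumerateDomainTrusts: Domain List collected from (\S+)")
SITE_OLD_RE = re.compile(r"DsrGetSiteName: Site name '([^']+)' is old")

# Netlogon logs Win32/NET API status codes; 0 is success, not a failure.
STATUS_NAMES = {
    0: "NERR_Success",
    5: "ERROR_ACCESS_DENIED",
    1311: "ERROR_NO_LOGON_SERVERS",
    1326: "ERROR_LOGON_FAILURE",
    1355: "ERROR_NO_SUCH_DOMAIN",
    1722: "RPC_S_SERVER_UNAVAILABLE",
    1908: "ERROR_DOMAIN_CONTROLLER_NOT_FOUND",
}


def parse_netlogon(text):
    """Parse Netlogon.log lines into Entry tuples, skipping any line without
    the 'MM/DD HH:MM:SS [CATEGORY] message' prefix."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(*m.groups()))
    return entries


def summarize_window(entries, start, end):
    """Summarize one logon attempt: entries with start <= time < end
    (HH:MM:SS strings compare correctly as text). Reports whether the site
    name was refreshed, where the trust list came from, every status code
    per API, and the non-zero codes decoded as failures."""
    summary = {"stale_site": None, "trust_source": None, "status": {}, "failures": []}
    for e in entries:
        if not (start <= e.time < end):
            continue
        m = SITE_OLD_RE.search(e.message)
        if m:
            summary["stale_site"] = m.group(1)
        m = TRUST_SRC_RE.search(e.message)
        if m:
            summary["trust_source"] = m.group(1)
        m = RETURNS_RE.search(e.message)
        if m:
            api, code = m.group(1), int(m.group(2))
            summary["status"].setdefault(api, []).append(code)
            if code != 0:
                summary["failures"].append((api, code, STATUS_NAMES.get(code, "unknown")))
    return summary


def compare_logons(text, bad_window, good_window):
    """Side-by-side summary of a failing and a working logon from one log."""
    entries = parse_netlogon(text)
    return {"bad": summarize_window(entries, *bad_window),
            "good": summarize_window(entries, *good_window)}
```

    Pick the two windows from the SamLogon lines of the users being compared, then look first at `failures`: an empty `status` for an API in the bad window means the client never reached that call, while a non-zero code names the step that failed.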
  • Ace,
    .
    Number of AD Sites: 8 (Each site represents a physical location. All 8 locations are connected together using a 1GB Fiber WAN.)
    .
    Number of DCs: 10 (we have one 2003 DC at seven of the sites and 3 DCs in our main building. Of the 3 in the main building, 2 are 2003 DCs and the third is a new 2008 R2 DC which now has all four operation master roles.)
    .
    Sites and IP:
    1. NORTH: 172.20.64.0 /20    (Subnets: 127.20.65.0, 127.20.67.0, 127.20.68.0, all /24)  (DC on site: NSDC1)
    2. WOBURNST: 172.20.112.0 /20  (Subnets: 127.20.113.0, 127.20.115.0, 127.20.116.0, all /24)  (DC on site: WODC1)
    3. WILDWOOD: 172.20.96.0 /20  (Subnets: 127.20.97.0, 127.20.99.0, 127.20.100.0, all /24)  (DC on site; WWDC1)
    4. WEST: 172.20.80.0 /20  (Subnets: 127.20.81.0, 127.20.83.0, 127.20.84.0, all /24)  (DC on site: WSDC1)
    5. SHAWSHEEN: 172.20.128.0 /20  (Subnets: 127.20.129.0, 127.20.131.0, 127.20.132.0, all /24)  (DC on site: SSDC1)
    6. BOUTWELL: 172.20.48.0 /20  (Subnets: 127.20.49.0, 127.20.51.0, both /24)  (DC on site: BSDC1)
    7. MIDDLESCHOOL: 172.20.16.0 /20  (Subnets: 127.20.16.0, 127.20.17.0, 127.20.19.0, 127.20.20.0, all /24)  (DC on site: MSDC1)
    8. HIGHSCHOOL: 172.20.32.0 /20  (Subnets: 127.20.32.0, 127.20.33.0, 127.20.35.0, 127.20.36.0, 127.20.37.0, 127.20.38.0, all /24) (DCs on site:  HSDC1 is a 2003 server that used to hold all 4 OM roles, HSDC2 is also 2003, and HSDC3 which is a 2008 R2 server that now holds all OM roles.)
    .
    The first computer with the problem was located in site "WILDWOOD." This is the one we simply rebuilt to fix the problem. It has been fine since. The computer that is currently experiencing the same problem is from site "SHAWSHEEN." I moved the computer physically to my office (located in "WEST") where the first login using the users account worked fine. I restarted the computer and tried to log in again and the errors returned. This is the same thing that happens when the user profile is deleted.
    .
    I do not see the error 2402 on any server right now. However, I do see others that are curious. On the "SHAWSHEEN" site DC, I see this error which is peculiar: 8003, MrxSmb, saying that the file server located in site "WEST" announcing that it believes it is the master browser for the domain on transport NetBT_Tcpip (the master browser stopped or an election is being forced.)

    Tuesday, February 21, 2012 10:33 PM
  • Ace,
    .
    Number of AD Sites: 8 (Each site represents a physical location. All 8 locations are connected together using a 1GB Fiber WAN.)
    .
    Number of DCs: 10 (we have one 2003 DC at seven of the sites and 3 DCs in our main building. Of the 3 in the main building, 2 are 2003 DCs and the third is a new 2008 R2 DC which now has all four operation master roles.)
    .
    Sites and IP:
    1. NORTH: 172.20.64.0 /20    (Subnets: 127.20.65.0, 127.20.67.0, 127.20.68.0, all /24)  (DC on site: NSDC1)
    172.20.64.1  to  172.20.79.254 

    2. WOBURNST: 172.20.112.0 /20  (Subnets: 127.20.113.0, 127.20.115.0, 127.20.116.0, all /24)  (DC on site: WODC1)
    172.20.112.1  to  172.20.127.254 

    3. WILDWOOD: 172.20.96.0 /20  (Subnets: 127.20.97.0, 127.20.99.0, 127.20.100.0, all /24)  (DC on site; WWDC1)
    172.20.96.1  to  172.20.111.254 

    4. WEST: 172.20.80.0 /20  (Subnets: 127.20.81.0, 127.20.83.0, 127.20.84.0, all /24)  (DC on site: WSDC1)
    172.20.80.1  to  172.20.95.254

    5. SHAWSHEEN: 172.20.128.0 /20  (Subnets: 127.20.129.0, 127.20.131.0, 127.20.132.0, all /24)  (DC on site: SSDC1)
    172.20.128.1  to  172.20.143.254

    6. BOUTWELL: 172.20.48.0 /20  (Subnets: 127.20.49.0, 127.20.51.0, both /24)  (DC on site: BSDC1)
    172.20.48.1  to  172.20.63.254

    7. MIDDLESCHOOL: 172.20.16.0 /20  (Subnets: 127.20.16.0, 127.20.17.0, 127.20.19.0, 127.20.20.0, all /24)  (DC on site: MSDC1)
    172.20.16.1  to  172.20.31.254

    8. HIGHSCHOOL: 172.20.32.0 /20  (Subnets: 127.20.32.0, 127.20.33.0, 127.20.35.0, 127.20.36.0, 127.20.37.0, 127.20.38.0, all /24) (DCs on site:  HSDC1 is a 2003 server that used to hold all 4 OM roles, HSDC2 is also 2003, and HSDC3 which is a 2008 R2 server that now holds all OM roles.)
    172.20.32.1  to  172.20.47.254

    .
    The first computer with the problem was located in site "WILDWOOD." This is the one we simply rebuilt to fix the problem. It has been fine since. The computer that is currently experiencing the same problem is from site "SHAWSHEEN." I moved the computer physically to my office (located in "WEST") where the first login using the users account worked fine. I restarted the computer and tried to log in again and the errors returned. This is the same thing that happens when the user profile is deleted.
    .
    I do not see the error 2402 on any server right now. However, I do see others that are curious. On the "SHAWSHEEN" site DC, I see this error which is peculiar: 8003, MrxSmb, saying that the file server located in site "WEST" announcing that it believes it is the master browser for the domain on transport NetBT_Tcpip (the master browser stopped or an election is being forced.)

    I see lots of typos with 127.x.x.x. I assume the first octets are all transposed and supposed to be 172.x.x.x. I assume those typos are not in Sites and Services?

    I mapped out each subnet range (in bold above in the quoted text), just to make sure there are no overlaps.

    I assume that for locations, taking Wildwood for example, you stated "172.20.96.0 /20." I assume that isn't an IP Subnet Object in Sites and Services, and just a notation of the possible ranges that can exist in that location.

    I assume, such as in Wildwood for example, that only three IP Subnet objects are associated with Wildwood (transposed IPs corrected):

    • 172.20.97.0/24
    • 172.20.99.0/24
    • 172.20.100.0/24

    .

    • What was the client computer's IP address when in Wildwood? Was it in one of the three above?
    • Is the user a Folder Redirection User?
    • Using Roaming Profiles, too?
    • When you are able to login, what do you get running the following on the client? nltest /dsgetdc:yourdomain
    • How about echo %logonserver% ?
    • Are all DCs Global Catalogs?
    • Is ICMP blocked between locations, or on anything within your sites? DCs and client to DC communications need it.
    • Is there an IP Subnet Object associated with the Default-First-Site-Name? If not, and not using it, you should still have at least a generic one associated to it. (http://social.technet.microsoft.com/Forums/en/winserverDS/thread/abb1645c-b3a6-4474-bcfa-da5863073c74)

    .

    Btw- There are five (5) FSMO (Flexible Storage Master Operations) roles, not four (4). Which one are you missing or not referring to?

    1. Schema Master
    2. Domain Naming Master
    3. RID Master
    4. PDC Emulator
    5. Infrastructure Master

    .

    .

    Here's a good read about DC stickiness and DCs in a site when a client moves.

    And I will stick to my site - Directory services, I&AM and some thoughts about it - Tomek's DS World
    http://blogs.dirteam.com/blogs/tomek/archive/2009/02/15/and-i-will-stick-to-my-site.aspx 

    .

    The 2402 are minor, and not related to this issue, but it can mean that the DC on that subnet is not responding, since it should be the master browser of the subnet, and not some non-DC or a workstation. If you want to troubleshoot it, you have to find out who is the master browser, and once you do, you have to find out why it is. Here are some pointers.

    WINS NetBIOS, Browser Service, Disabling NetBIOS, & Direct Hosted SMB (DirectSMB).
    Troubleshooting the browser service.
    The DNS Client Side Resolver algorithm.
    If one DC or DNS goes down, does a client logon to another DC?
    DNS Forwarders Algorithm and multiple DNS addresses (if you've configured more than one forwarders)
    Client side resolution process chart
    Published by Ace Fekay, MCT, MVP DS on Nov 29, 2009
    http://msmvps.com/blogs/acefekay/archive/2009/11/29/dns-wins-netbios-amp-the-client-side-resolver-browser-service-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-is-down-does-a-client-logon-to-another-dc-and-dns-forwarders-algorithm.aspx

    .


    Ace Fekay

    Wednesday, February 22, 2012 3:06 AM
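    An added example, not part of the thread, that does Ace's subnet bookkeeping in Python. It takes the eight sites as posted, with the 127.x first octets read as 172.x as Ace assumed, and treats the /20 as the poster's reserved block for the location rather than a subnet object. It flags loopback-looking typos, subnet objects outside their site's reserved block and overlaps between sites, maps a client IP to a site by longest prefix the way DC Locator does, and lists the addresses inside each reserved /20 that no subnet object covers; a client there is siteless and may bind to any DC in the domain instead of the local one.

```python
import ipaddress

# The eight sites as posted, with the 127.x first octets read as 172.x (Ace's
# assumption). The /20 is the poster's reserved block for the location, not a
# subnet object; the /24s are the IP Subnet objects in Sites and Services.
SITES = {
    "NORTH":        ("172.20.64.0/20",  ["172.20.65.0/24", "172.20.67.0/24", "172.20.68.0/24"]),
    "WOBURNST":     ("172.20.112.0/20", ["172.20.113.0/24", "172.20.115.0/24", "172.20.116.0/24"]),
    "WILDWOOD":     ("172.20.96.0/20",  ["172.20.97.0/24", "172.20.99.0/24", "172.20.100.0/24"]),
    "WEST":         ("172.20.80.0/20",  ["172.20.81.0/24", "172.20.83.0/24", "172.20.84.0/24"]),
    "SHAWSHEEN":    ("172.20.128.0/20", ["172.20.129.0/24", "172.20.131.0/24", "172.20.132.0/24"]),
    "BOUTWELL":     ("172.20.48.0/20",  ["172.20.49.0/24", "172.20.51.0/24"]),
    "MIDDLESCHOOL": ("172.20.16.0/20",  ["172.20.16.0/24", "172.20.17.0/24", "172.20.19.0/24",
                                         "172.20.20.0/24"]),
    "HIGHSCHOOL":   ("172.20.32.0/20",  ["172.20.32.0/24", "172.20.33.0/24", "172.20.35.0/24",
                                         "172.20.36.0/24", "172.20.37.0/24", "172.20.38.0/24"]),
}


def audit_sites(sites):
    """Problems in the subnet objects: loopback-looking typos (127.x for
    172.x), objects outside their site's reserved block, and overlaps
    between objects of any two sites (a duplicate object is an overlap)."""
    problems, objects = [], []
    for site, (reserved, subnets) in sites.items():
        block = ipaddress.ip_network(reserved)
        for s in subnets:
            net = ipaddress.ip_network(s)
            if net.is_loopback:
                problems.append(f"{site}: {s} is a loopback range (127.x typo for 172.x?)")
                continue
            if not net.subnet_of(block):
                problems.append(f"{site}: {s} is outside the reserved block {reserved}")
            objects.append((net, site))
    for i, (a, site_a) in enumerate(objects):
        for b, site_b in objects[i + 1:]:
            if a.overlaps(b):
                problems.append(f"overlap: {a} ({site_a}) and {b} ({site_b})")
    return problems


def site_for_ip(ip, sites):
    """Longest-prefix match of a client address against the subnet objects,
    which is how DC Locator picks the client's site. Returns (site, subnet)
    or (None, None) when no object covers the address (a siteless client)."""
    addr = ipaddress.ip_address(ip)
    best_site, best_net = None, None
    for site, (_reserved, subnets) in sites.items():
        for s in subnets:
            net = ipaddress.ip_network(s)
            if net.is_loopback or addr not in net:
                continue
            if best_net is None or net.prefixlen > best_net.prefixlen:
                best_site, best_net = site, net
    return best_site, (str(best_net) if best_net else None)


def uncovered_ranges(sites):
    """For each site, the parts of its reserved block that no subnet object
    claims. A DHCP scope handed out there produces siteless clients that may
    authenticate against any DC in the domain rather than the local one."""
    result = {}
    for site, (reserved, subnets) in sites.items():
        gaps = [ipaddress.ip_network(reserved)]
        for s in subnets:
            net = ipaddress.ip_network(s)
            if net.is_loopback:
                continue
            remaining = []
            for gap in gaps:
                # Objects are aligned /24s, so each is either inside a gap or disjoint from it.
                remaining.extend(gap.address_exclude(net) if net.subnet_of(gap) else [gap])
            gaps = remaining
        result[site] = sorted(str(g) for g in gaps)
    return result
```

    With the posted data, `site_for_ip("172.20.99.10", SITES)` lands in WILDWOOD and `site_for_ip("172.20.131.5", SITES)` in SHAWSHEEN, which matches the two affected DHCP clients, while an address such as 172.20.98.7 inside the WILDWOOD block but outside its three objects gets no site at all. That is the check behind Ace's question about which range the client was in.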
  • At this point, due to the complexity of the environment and the numerous factors, I'm starting to think it may be easier, substantially faster, and beneficial for you to get this resolved, if you get Microsoft PSS involved. They can take the time and devote their vast resources to get this fixed for you for a small fee, especially since this is a production environment, and it's affecting users. If you decide to contact them, here's the link to get you started.
    http://support.microsoft.com/common/international.aspx?RDPATH=dm;en-us;select&target=assistance

    .

    Ace



    Wednesday, February 22, 2012 4:10 AM
  • I apologize-- there are a lot of typos due to a bad cut & paste on my part.  I'll be more careful. All your assumptions are correct with regard to IP addresses. The /20 addresses I list for each site are not subnet objects, but rather ranges I have reserved for each site. Also, I did mean 5 FSMO (OM) roles. I've no idea why my brain was stuck on 4.

    • The affected computer was a DHCP client at WILDWOOD, and was in the 172.20.99.0 range. The DC on site handles DHCP and assigns itself as the primary DNS server, and HSDC3 as secondary. The currently affected computer from SHAWSHEEN was also a DHCP client with a similar configuration, though MSDC1 is the secondary DNS server with the SHAWSHEEN DC as primary. It was in the 172.20.131.0 range until moved to WEST site for me to test.
    • Yes, both affected users have their "desktop" and "My Docs" redirected to a file server located in a different site (HIGHSCHOOL). Managers in the organization have redirection to the file server at the HIGHSCHOOL site, while other users redirect to a file server within their building.
    • We do not use roaming profiles.
    • "nltest /dsgetdc:yourdomain" (I have lost connectivity to the troubled client and will try this tomorrow morning)
    • Earlier today I ran "echo %logonserver%" on the troubled client (now at the WEST site) and it returned: \\WSDC1
    • Yes, all DCs are global catalogs.
    • No, ICMP is not blocked.
    • There is no site at all called "Default-First-Site-Name." Only the 8 sites I listed.

    Wednesday, February 22, 2012 4:13 AM
  • Well, the good news is that there have only been 2 users to experience this so far. We have over 1,000 users so that's not a big issue yet (*fingers crossed*). It doesn't take us long to rebuild a computer which is what fixed the problem for our first user, so there is a solution for us, though not an ideal or elegant one since we don't want to have to do this if the problem becomes wide-spread.

    The current user with the problematic machine has an alternative computer to use in the meantime, so I figured I could take some time and solve this while working on several other projects. I'll continue to update the thread with what I find. It's certainly an interesting puzzle.

    Wednesday, February 22, 2012 4:22 AM
  • You know what's interesting, this sounds familiar. One small customer was complaining about anomalies: desktop icons disappearing, files on the desktop disappearing, desktop icons with an access denied, etc. I finally figured out what was going on. Long story short, the boss invited a "friend" to take a look at the SBS for whatever reason, but not fully realizing what he was doing, he disabled Folder Redirection at the GPO level and not in the SBS console. To fix it, suspecting a permissions issue on the redirected folder location, in the user's properties (keep in mind I have the "home" folder set to the same path as the redirected folder), I reset the "home" folder to the same path, but using the \\server\users\folderredirection\%username% variable. Using this, it resets the proper permissions on the folder to FC and owner to the user. Then it worked.

    I just thought I would share that. If it works for you, go for it. If not, and you can deal with re-imaging them, that's fine too. :-)

    btw - I changed the admin password and am no longer giving it out to the boss. :-)

    Ace



    Wednesday, February 22, 2012 5:08 AM
  • Ace,

    I had a boss with access to the passwords for our external domain hosting. On a whim he decided to move it to a new host (never understood why!) and along with it went our MX records, remote access, etc!

    Regardless, thank you for all the help. I'll have a look at the GPO and permissions. I'll keep posting any results I find here just for good record keeping in case anyone else ever comes across this thread having the same problem.

    Wednesday, February 22, 2012 12:04 PM
  • nltest results came back fine when logged in under user account that works fine, and issued the same results when logged in under the user account that does not work.

    Wednesday, February 22, 2012 12:49 PM
  • For the 40961's, see if any of these suggestions help:
    http://eventid.net/display-eventid-40961-source-LsaSrv-eventno-1398-phase-1.htm 

    .

    Other than that, I'm fresh out of ideas. Maybe Marcin or someone else has something I've missed?

    And your boss probably decided to move to a new host either to save money, or it's a "friend" of his, or both, and not realizing the implications.

    Let us know if you find anything else.



    Wednesday, February 22, 2012 1:55 PM
  • Important Update:

    Since the user has their folders redirected using Group Policy, I tried testing the results of the policies in GP Management, targeting the user's computer and account. This is what I got:

    ----------------
    Group Policy Infrastructure failed due to the error listed below.
    Unable to update the password. The value provided as the current password is incorrect.
    Note: Due to the GP Core failure, none of the other Group Policy components processed their policy. Consequently, status information for the other components is not available.
    Additional information may have been logged. Review the Policy Events tab in the console or the application event log for events between 2/22/2012 9:10:06 AM and 2/22/2012 9:10:06 AM.
    -----------------

    Once again, I checked the cached credentials section of user accounts. Again, nothing in there. So I decided to change the user's password using ADUC just to see if it worked. The user was able to log in immediately without any problem, and all folder redirection worked. I rebooted the computer to make sure it would still work after a restart because this caused the problems to return in the past (when we had deleted the user profile, for example). Everything still worked after the restart.

    During testing a few days ago, I had added her user account to the computer and granted it local "administrator" rights. So now, suspecting the problem was fixed, I removed her account again. I tested to make sure everything still worked. It did not. The same problems returned. I did some further testing, and this is what happened:

    1. Checked for cached credentials: none
    2. Changed Password using ADUC on the local DC
    3. Logged in on client PC with new password and everything worked.
    4. Rebooted, logged in again, everything worked.
    5. Removed user from local administrators, left account listed in "users"
    6. Rebooted.
    7. BEFORE logging in I tested policy results in GP Manager: no errors
    8. Logged in on computer, redirection failed and errors returned.
    9. Tested policy results in GP Manager again: failed (So it only failed AFTER the next login...)
    10. Changed password again in ADUC on the local DC
    11. Rebooted, logged in, everything worked.
    12. Rebooted again, still worked.
    13. Ran result test in GP Manager, said the computer required reboot before some policies would take effect.
    14. Ran GPUPDATE /FORCE
    15. Logged out, and back in: redirection failed and errors returned.
    16. Changed password AGAIN in ADUC
    17. Rebooted several times without running any GP tests or doing a GPUPDATE. Logged other users on and off, and after a couple reboots the problems returned!

    What would cause this to happen like this?


    Wednesday, February 22, 2012 2:55 PM


  • Hi,

    I would like to confirm whether you have tried the troubleshooting suggestions Ace Fekay provided, and what the current situation is.

    Regards,

    Arthur Li

    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

    Arthur Li

    TechNet Community Support

    Wednesday, February 29, 2012 1:35 PM
    Moderator
  • Arthur,

    I have tried all suggestions provided and the only solution that worked was to rebuild the affected systems. I will note, however, we have not seen this problem again and it was only these two machines. I suspect it was just some type of corruption.

    I appreciate everyone's help!

    Wednesday, February 29, 2012 2:42 PM
  • Good to hear you've got it straightened out. And sometimes a re-image or rebuild is the only answer to overcoming unknown corruption.

    Cheers!

    Ace



    Wednesday, February 29, 2012 4:44 PM