Active Directory Problem.....or is it ?

Discussion in 'Software' started by Greebo, Jun 17, 2004.

  1. Greebo

    Greebo Byte Poster

    The problem I am having at work is unspecific which doesn't help. I think the main problems are due to the way that Active Directory was originally set up and would appreciate any help.

    SOMETIMES (not always :? ) the students get the control panel when they logon :eek: It has been set in AD not to allow this group of users this facility and as I stated, they could log on again and have the correct desktop options. What I'd like to know is WHY :?:

    Having been abandoned by the Network Manager after my first week, I am starting to feel the pressure now as I am trying to deal with everything and get things sorted but don't have the knowledge yet. It's coming but FFS, I've only been there 3 months and have basically been running everything since my second week! :eek:

    I've managed to get the filtering sorted and it is working a treat. But the issues I'm having with the Gremlins is doing my head in :(

    Another thing, why can't I delete certain user profiles from individual computers :?: I would like to run a script that would delete the profiles from the machines used by the students when they log off but don't know how to get around the problem when it WON'T allow certain profiles to be deleted :roll: Could it be the computers and the way they have been set up, as certain machines act stranger than others (I hope to get the ghosting underway today) and within AD the computers are dotted around like poop in a field :roll:

    Will logon again when I get to work and hope that you can at least advise me into what the hell is going on

    Hope you can help me peeps as I really need to get this sorted
     
  2. SimonV
    Honorary Member

    SimonV Petabyte Poster Gold Member

    Could this be that the clients are logging onto the network using cached credentials when the domain controller is not available? Try setting "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" to 0.

    You can find this setting in your group policy under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

    We use this because some of the kids figured if you pull the network cable out of the wall you can still log in with the previous logon account and not have the restrictions set by group policy.
     
    Certifications: MOS Master 2003, CompTIA A+, MCSA:M, MCSE
    WIP: Keeping CF Alive...
  3. Greebo

    Greebo Byte Poster

    Thanx Si :) Hope this cures at least some of the problems. I've just set it up so here's hoping :wink:
     
  4. Greebo

    Greebo Byte Poster

    I had to take it out again :( By heck I wish I could figure out all the gremlins :( It was having a worse effect as it stopped kids logging on :eek: Hoping to get AD sorted next week as I have 2 companies coming in to see what's going on and hopefully sort it out :roll: So far, the only thing that I have managed to win with is the filtering :twisted: Don't think I'm the students' favourite person somehow :? coz I won't let them do what they want :lol:

    I'm hoping like hell that server 1 is back up tomorrow as I bounced it after school and it still wasn't back up when I left :cry: That's all I bloody need :x
     
  5. Phoenix
    Honorary Member

    Phoenix 53656e696f7220 4d6f64

    if it stopped them logging in that narrows down your problems,
    they are intermittently losing contact with the DC, that's why sometimes they don't get a group policy applied
    rather often if it's causing that many probs, I'd look into network/server probs
     
    Certifications: MCSE, MCITP, VCP
    WIP: > 0
  6. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    It's the intermittent nature of the problem that creates the mystery. If they were "always" or "never", it would be reasonably straightforward to sort out. I'd have to agree with Ryan that it's a DC/network connection issue. Either your DCs are cutting in and out for some reason or the network connections are. You can start with the usual "ping" test but I'd also go to the DCs and check the Event Viewer to see if it's logging some problems with replication or downtime.

    Also...is the setup for the network documented anywhere? Sometimes there's a clue in the documentation that can tell you if the network was badly constructed in the first place. Whether or not documentation exists, if you haven't already, start documenting these issues. You never can tell when you (or someone else) will find the information valuable.
     
    Certifications: A+ and Network+
  7. Greebo

    Greebo Byte Poster

    As you are aware, I am relatively new to all this, please explain in a more idiot proof fashion WTF I need to do. I hope to goodness the server is back up when I go in tomorrow else I'll be well screwed :cry:
     
  8. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    Well, you are trying to diagnose a problem where Group Policy is only being intermittently applied. Group Policies reside in the domain where they are created. In order for a group policy to be applied (assuming it has already been created and linked to a container such as a site, domain, or organizational unit), Active Directory must be operating. This means at least one domain controller (DC) has to be up and running and the clients have to be able to connect to it/them. When a client logs on, group policy is applied depending on how it is set up. If your students belong to an OU that has group policy applied to limit the functionality of their desktop, etc..., then it should create the environment that was designed for them (no control panel or whatever). If they can't contact a domain controller, they would log on with cached credentials which means they'd have access to the local machine and possibly the network but not the domain (I work in a controlled domain but I could bring my personal machine into work, hook it up to the LAN and without joining the domain, still get internet access, for example). Group policies would not be applied and I would have access to the usual desktop features.

    In your case, it seems that either the DCs aren't up and running or there is a problem with network connectivity. You can check your DCs by going to start, administrative tools, event viewer and going through the log files to see if there are any error messages having to do with replication, DNS, or anything else that might be creating the problem. You can also try to ping the various client machines to see if there's a connectivity issue.

    This is kind of tough since it isn't a fixed problem. If the GPO settings were "never" applied, it would be one thing but sometimes they work and sometimes they don't.

    That's about the best I can do under the circumstances. Keep poking around, writing everything down and see what shakes loose. Also notice if this is happening to every client machine or only certain ones. Is there a pattern? Does this only happen on one subnet for example? Do the students all belong to the same site, domain and OU or to different ones? Is this only affecting one container or several and at what level?

    Keep posting issues and let us know how you get on.
     
    Certifications: A+ and Network+
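
An added example (not posted by anyone in this thread) tying together the cached-logon setting SimonV names and the DC-contact check tripwire45 describes: it reads the workstation's cached-logon count, lists logons that were satisfied from the local cache, and flags whether the machine logged a domain controller failure around the same time. It assumes Windows Vista / Server 2008 or later event IDs (4624 with logon type 11, NETLOGON 5719), an elevated PowerShell 3.0+ prompt, and arbitrary 7-day and 10-minute windows.

```powershell
# Added example. Run elevated on a student workstation (the Security log needs admin rights).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$since    = (Get-Date).AddDays(-7)   # look-back window (arbitrary choice)
$window   = 10                       # minutes either side of a logon (arbitrary choice)

# 1. How many previous logons may this machine cache? "0" disables cached logons.
$count = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $count) { $count = '10 (Windows default, value not set)' }
"CachedLogonsCount on ${env:COMPUTERNAME}: $count"

# 2. Successful logons (4624) with LogonType 11 were validated against the local cache,
#    not a domain controller, so domain Group Policy was not refreshed at that logon.
$cachedLogons = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $fields = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        if ($fields['LogonType'] -eq '11') {
            [pscustomobject]@{
                Time = $_.TimeCreated
                User = '{0}\{1}' -f $fields['TargetDomainName'], $fields['TargetUserName']
            }
        }
    }
)

# 3. NETLOGON 5719 in the System log: the workstation could not reach a DC.
$dcFailures = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 5719; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -eq 'NETLOGON' }
)

# 4. Correlate: a cached logon with a DC failure nearby points at server/network trouble;
#    a cached logon with none nearby is worth a look at the machine itself (e.g. an unplugged cable).
foreach ($logon in $cachedLogons) {
    $near = @($dcFailures | Where-Object {
        [math]::Abs(($_.TimeCreated - $logon.Time).TotalMinutes) -le $window
    })
    '{0:u}  {1}  cached logon; NETLOGON 5719 within {2} min: {3}' -f `
        $logon.Time, $logon.User, $window, ($near.Count -gt 0)
}
if ($cachedLogons.Count -eq 0) { "No cached logons recorded since $since" }
```
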
  9. Phoenix
    Honorary Member

    Phoenix 53656e696f7220 4d6f64

    what are the DC specs and client load? your DC could be getting hammered and hence dropping certain requests, do you have a single server for DC/File usage (as a lot of schools do) this would cause such a problem
    is it only a SPECIFIC set of clients that are randomly affected? or does it randomly affect everyone

    do the problems only arise during busy periods like 'everyone logging in at once at the start of a lesson' does a relog 5 minutes later fix the problem?

    please give more detail :)
    and check what i have mentioned to see if you can decipher anything more
     
    Certifications: MCSE, MCITP, VCP
    WIP: > 0
  10. AJ

    AJ 01000001 01100100 01101101 01101001 01101110 Administrator

    Good advice given all around Greebo. We sometimes have this problem, and we find it is a local profile in the machine. If you are using roaming profiles then you will have to delete the local profiles. We have also had problems with offline files and had to disable them through GP.
     
    Certifications: MCSE, MCSA (messaging), ITIL Foundation v3
    WIP: Breathing in and out, but not out and in, that's just wrong
  11. Greebo

    Greebo Byte Poster

    Cheers for all the info peeps. Will be at work in just over an hour so I will be able to tell you more then. From what I can remember, It wasn't just that group that had problems. On some machines I couldn't get on as administrator either! Hope to goodness I can get it sorted. The pressure is building up and the stress levels are pretty high. Obviously there are issues with the kids getting rather pee'ed off coz it takes them about 20mins or so to actually get in, if they can !!!!!
    I have been going round deleting profiles off machines as this did cause some issues but yesterday was horrendous :(

    Last week, the OU for the students was re-done (not by me) as it was found to be corrupt. Since that has happened, things appear to have just got worse!

    Fingers crossed that the server is back up so that I can look into the log files and let you peeps know WTF's going on :roll:
     
  12. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    Good luck, Greebo. :)
     
    Certifications: A+ and Network+
  13. Greebo

    Greebo Byte Poster

    It was worse than feared guys..............The server STILL hasn't come back up!!!!!!!!!!!!! Wot a day :cry:

    Had two peeps trying to get in to fix the problem but it's just hanging :eek:

    Stress levels going thro the roof now :( I wanna go home :( But first I need to get this sorted
     
  14. Phoenix
    Honorary Member

    Phoenix 53656e696f7220 4d6f64

    why is the server down?
     
    Certifications: MCSE, MCITP, VCP
    WIP: > 0
  15. Greebo

    Greebo Byte Poster

    Coz it wouldn't come back up...............it just hung :( Some peeps coming Monday to try and get it back up. Wot a day :(
     
  16. AJ

    AJ 01000001 01100100 01101101 01101001 01101110 Administrator

    more info Greebo, just not booting at all, gets so far and freezes, log in and then freeze. Give us a bit more info and we shall see what advice we can give you.

    either that or point you in the direction of a big hammer :D :D
     
    Certifications: MCSE, MCSA (messaging), ITIL Foundation v3
    WIP: Breathing in and out, but not out and in, that's just wrong
  17. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    I have an idea. Get a nice, new powerful server. Load Windows Server 2003 on it. Promote it to a DC. Use your last backup and restore it to the new DC. Take your old DC completely offline. Seize all the FSMO roles that were held by the old DC. The backup should restore the original configuration of GPOs, etc and the other DCs in the domain will help bring the new DC up to speed via AD replication. If your problems are being caused by the cranky DC, that should at least help.

    Plus, you'll get the satisfaction of taking the now defunct DC out into the countryside and blasting the living daylights out of it with your shotgun. Beats the heck out of shooting clay pigeons. :eek: :D
     
    Certifications: A+ and Network+
  18. Phoenix
    Honorary Member

    Phoenix 53656e696f7220 4d6f64

    not always possible with school budgets mate
    a lot of schools I've worked at have had a single machine doing everything, and those with more generally only have one DC

    as AJ said, a little more info greebo, doesn't LKGC work? what about Recovery Console?
     
    Certifications: MCSE, MCITP, VCP
    WIP: > 0
  19. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    Actually, I was kidding. I kind of figured she wouldn't have that option. I still think it would be particularly satisfying to blow the thing up, though...especially if you could figure out a way to make sure it was powered up when you started pumping shells into it. :wink: :P
     
    Certifications: A+ and Network+
  20. Phoenix
    Honorary Member

    Phoenix 53656e696f7220 4d6f64

    lol one of the things i enjoy most is rebuilding ADs from scratch due to poorly implemented ones! it's satisfying to rebuild everything from scratch and do it properly :)
     
    Certifications: MCSE, MCITP, VCP
    WIP: > 0
