Logon script won't run

vsmith3rd Member Posts: 142
At work, we have a logon script for Windows 2003 AD that maps network shares. The script is in the netlogon directory, i.e. \\server-name\netlogon\abc.bat. Individual users have the script pointed to the proper batch file through the profile tab of their properties in ADUC (I triple checked the text to verify the script file name was correct). When I try to log in from a workstation the script does not run. This same profile tab names a home folder, which maps without issue.

This environment has multiple DCs. The site DC shows no File Replication Service issues in the Event Log. No other sites have this logon issue. The site in question has no new server or PCs, and they worked fine just a few days ago.

The script text (including spacing) is identical to all other site scripts, except for the specific site server name. The script runs manually on the server without issue, and runs on the workstations from the server navigating to the Netlogon share, just not during login. As a workaround, I've copied the script to the startup folder, but I was looking for a more permanent solution, as well as a cause. Any ideas?

PS. All stations can reach the server through FQDN ping and Windows Explorer UNC, so the switch works.
Certified Lunatic.

Comments

  • paintb4707 Member Posts: 420
    Have you checked RSOP on one of the workstations to see if the policy is being applied? You also might find some errors in the event logs.
  • jamesp1983 Member Posts: 2,475
    paintb4707 wrote:
    Have you checked RSOP on one of the workstations to see if the policy is being applied? You also might find some errors in the event logs.


    x2
    "Check both the destination and return path when a route fails." "Switches create a network. Routers connect networks."
  • vsmith3rd Member Posts: 142
    While trudging through RSoP, I figured I'd look into something, and I noticed a bigger issue. The workstations aren't authenticating to the DC in question. Instead they are authenticating to different DCs. Sites and Services shows the correct info and only lists the one DC, which is correctly named, and the switch was reloaded. No router side errors. Back to the drawing board.

    RSoP looks clean though.
    Certified Lunatic.
  • TechJunky Member Posts: 881
    Why don't you place it under Sysvol/domainname.com/scripts?

    Then all you have to do is specify abc.bat in the login profile.
  • vsmith3rd Member Posts: 142
    TechJunky wrote:
    Why don't you place it under Sysvol/domainname.com/scripts?

    Then all you have to do is specify abc.bat in the login profile.

    That's exactly where it sits now. That folder path has a share name of Netlogon. Again, that is probably just a symptom of a greater issue. The site workstations are authenticating to another DC, one that's offsite. During login, they don't "see" the site DC. In fact, inexplicably, the scripts are now running, but from the other DCs to which they are authenticating. Still no replication errors are showing in the File Rep log. I think I'm stumped with this one.
    Certified Lunatic.
  • blargoe Member Posts: 4,174
    Looks like it's time to break out dcdiag and netdiag and find out what's going on with that DC. You sure you have your sites and subnets set up correctly in AD Sites and Services?
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • sprkymrk Member Posts: 4,884
    vsmith3rd wrote:
    While trudging through RSoP, I figured I'd look into something, and I noticed a bigger issue. The workstations aren't authenticating to the DC in question. Instead they are authenticating to different DCs. Sites and Services shows the correct info and only lists the one DC, which is correctly named, and the switch was reloaded. No router side errors. Back to the drawing board.

    RSoP looks clean though.

    How's your reverse DNS zone look? Have you rebooted the DC in question? Or at least restart the netlogon service a couple times (sometimes it takes 3-4 times grrr) on the DC in question. It may not be registering its SRV record correctly.

    Try the following at a cmd prompt:
    nslookup
    set type=srv
    _ldap._tcp.dc._msdcs.nase.ds.army.mil
    

    You should get a list of DCs for your domain. If the one you're looking for isn't there, restart the netlogon service on the DC until it shows up.
    All things are possible, only believe.
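
The checks suggested in this thread (logon server, site membership, SRV registration), as an added example that is not part of any post: a batch file to run on an affected workstation. The values of DOMAIN, SITE and EXPECTED_DC are placeholders, and nltest assumes the Windows Support Tools are installed.

```bat
@echo off
rem Added example, not from the thread. DOMAIN, SITE and EXPECTED_DC are
rem placeholders (assumptions); replace them with your own values.
setlocal
set "DOMAIN=example.local"
set "SITE=Branch-Site"
set "EXPECTED_DC=SITEDC01"

rem 1. DC that authenticated this session (Windows sets LOGONSERVER at logon).
echo Logon server: %LOGONSERVER%
if /i "%LOGONSERVER%"=="\\%EXPECTED_DC%" (
    echo   OK: authenticated by the site DC.
) else (
    echo   WARNING: authenticated by a DC other than %EXPECTED_DC%.
)

rem 2. AD site this workstation thinks it belongs to. A wrong or missing
rem    subnet-to-site mapping in Sites and Services shows up here.
echo Client site:
nltest /dsgetsite

rem 3. Domain-wide DC locator records (same query as the nslookup session).
nslookup -type=srv _ldap._tcp.dc._msdcs.%DOMAIN% 2>nul | findstr /i "%EXPECTED_DC%" >nul
if errorlevel 1 (
    echo   MISSING: %EXPECTED_DC% has no domain-wide _ldap SRV record.
) else (
    echo   OK: %EXPECTED_DC% is registered domain-wide.
)

rem 4. Site-specific records, which a client that knows its site asks for.
nslookup -type=srv _ldap._tcp.%SITE%._sites.dc._msdcs.%DOMAIN% 2>nul | findstr /i "%EXPECTED_DC%" >nul
if errorlevel 1 (
    echo   MISSING: %EXPECTED_DC% has no SRV record under site %SITE%.
) else (
    echo   OK: %EXPECTED_DC% is registered for site %SITE%.
)
endlocal
```

A MISSING result in step 3 or 4 points at SRV registration on the DC; an unexpected site in step 2 points at the subnet definitions in AD Sites and Services.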
  • vsmith3rd Member Posts: 142
    blargoe wrote:
    Looks like it's time to break out dcdiag and netdiag and find out what's going on with that DC. You sure you have your sites and subnets set up correctly in AD Sites and Services?

    I went to the support tools also, and I couldn't find any glaring signs that point to the problem.

    As an aside, I am just level 2, and running suggestions by, and partnering with level 3 to resolve this. I'll have to rely on level 3 to implement some of these suggestions. Sprkymrk, it's funny that you mentioned srv records because I suggested looking at srv records as well, but I was shot down. Maybe I'm wrong, but my understanding of the domain logon process is contact a DHCP server, which will provide DNS server info. Contact the DNS server for DC srv records. If the breakdown is at this point, restart Netlogon service, or worst case, reboot DNS server. We happen to run AD-I DNS, so it's contacting itself in essence, or at least it's supposed to. Somewhere along the line, these PCs are being pointed to another DC. I say why not review the SRV record for the DC in question. I just escalated the ticket and washed my hands of it.

    It's frustrating to have ideas that don't get entertained. I may have been wrong, but taking a minute to review wouldn't hurt. Especially if you're stumped too. Last I heard, they demoted the DC, renamed, and promoted again. I don't yet know the result.

    Thanks to everyone who took the time to respond to my call for help. My appreciation of you exceeds my ability to properly verbally express it.
    Certified Lunatic.
  • sprkymrk Member Posts: 4,884
    Yeah vsmith I know it can be frustrating.

    As an aside, you can run that command I posted without admin rights, and if you don't see your DC listed I guarantee that the problem is SRV records.

    Thanks for posting back, and good luck.
    All things are possible, only believe.
  • srcurrie Member Posts: 55
    This may be way off from your problem but in one of my Windows 2000 Domains I had a Workstation that would not run a logon script for anything no matter what I did. I finally decided to remove it from the domain and re-join it. When I right-clicked on My Computer and went to the Computer name Tab I discovered that the machine was not even on the domain!!! No wonder the script did not run...