Microsoft KB Archive/935638

= You experience problems when you try to obtain Group Policy objects, roaming profiles, and logon scripts from a Windows Server 2003-based domain controller =

Article ID: 935638

Article Last Modified on 9/14/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows XP Professional

-



SYMPTOMS
Consider the following scenario:
 * You use a client computer that connects through a dynamic Virtual Local Area Network (VLAN) switch to a network that has a Microsoft Windows Server 2003-based domain controller.
 * The client computer connects to the dynamic VLAN switch by using IEEE 802.1X computer authentication and 802.1X user authentication.
 * You use large roaming profiles on the client computer.
 * Dynamic VLAN switching is performed according to 802.1X user authentication.

In this scenario, you experience problems when you try to obtain Group Policy objects (GPOs), roaming profiles, and logon scripts from the domain controller.



CAUSE
This problem occurs because dynamic VLAN switching is not supported when it is used together with 802.1X authentication.



MORE INFORMATION
Note We highly recommend that you do not use roaming profiles together with 802.1X authentication.

Why dynamic VLAN switching is not supported when it is used together with 802.1X authentication
The 802.1X authentication process and the Winlogon process are two distinct processes that are not interrelated. Each process runs regardless of the state of the other. In dynamic VLANs, the client computer is given a valid IP address when the computer starts. When the user logs on to the computer, the 802.1X authentication process and the Winlogon process occur at the same time. First, the network connection is reauthenticated by using the user credentials. If the authentication is successful, the dynamic VLAN switch or the access point moves the client computer to a new VLAN. However, at exactly the same time, the Winlogon process is validating a domain controller. Additionally, the Winlogon process tries to obtain GPOs, logon scripts, and roaming profiles from the domain controller. When the VLAN is switched, the Winlogon process is interrupted, and the process does not restart.

Why we do not recommend that you use roaming profiles together with 802.1X authentication
If you use a computer certificate or a user certificate that resides in the roaming profile, and if the roaming profile becomes too large, you may experience problems when you try to authenticate the user. The user cannot be authenticated because the certificate is not available yet: the roaming profile has to be downloaded before the certificate can be accessed. If the roaming profile is small, it downloads quickly. However, if the roaming profile exceeds a size of 10 megabytes (MB), you experience problems.
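The following script is an added example, not part of this article, for administrators who want to find out in advance which roaming profiles on a profile share are already larger than the 10 MB size the article names. It assumes that $ProfileShare (a placeholder UNC path you replace with your own) is the share that holds the roaming profiles and that each top-level folder under it is one user's profile. It uses only cmdlets and parameters available in Windows PowerShell 1.0 and later, so it also runs against a Windows Server 2003-era file server.

```powershell
# Added example (not from the KB article): list roaming profiles on a profile
# share and flag those above the 10 MB threshold the article describes.
# Assumptions: $ProfileShare is a placeholder UNC path you control, and each
# top-level folder under it is one user's roaming profile.
param(
    [string]$ProfileShare = '\\FILESERVER\Profiles$',   # placeholder, replace with your share
    [int]$ThresholdMB = 10                               # size above which the article reports problems
)

$thresholdBytes = $ThresholdMB * 1MB

Get-ChildItem -Path $ProfileShare -Force |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        # Sum the size of every file in the profile folder; hidden files (for
        # example NTUSER.DAT) are included because they roam with the profile.
        $files = Get-ChildItem -Path $_.FullName -Recurse -Force -ErrorAction SilentlyContinue |
                 Where-Object { -not $_.PSIsContainer }
        $bytes = ($files | Measure-Object -Property Length -Sum).Sum
        if (-not $bytes) { $bytes = 0 }

        New-Object PSObject -Property @{
            Profile       = $_.Name
            SizeMB        = [math]::Round($bytes / 1MB, 1)
            OverThreshold = ($bytes -gt $thresholdBytes)
        }
    } |
    Sort-Object -Property SizeMB -Descending |
    Format-Table -Property Profile, SizeMB, OverThreshold -AutoSize
```

Run it from an account that has read access to every profile folder on the share; profiles the account cannot read are reported with a size of 0, so treat a 0 MB row as "not measured" rather than "small". Profiles that show OverThreshold as True are the ones where a certificate stored in the profile is most likely to be unavailable when 802.1X user authentication needs it.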

Keywords: kbtshoot kbexpertiseadvanced KB935638


© Microsoft Corporation. All rights reserved.