Last night, one of my client experienced a weird network issue. All users lost connections to the file server and also were not able to sign into any shared applications. The reason is because all their applications are being published using Citrix XenApp. When users launch an application from XenApp, it will first load up the login script that is mapped to their Active Directory profile. Normally, it will map their shared drives and then start the application for them. In this situation, it was stuck at the drive mapping process.

From reviewing the Event Logs of the file server, I have noticed that there are a few Event ID 1010 MsGina errors during the same period.

e.g.

Source: MsGina
Event ID: 1010
Description:Failed to set the user’s home directory (Drive Q: connected to Share \\cloudmedy\users$).
Data: 0000: 40 00 00 00

I have also noticed from the “Shared Folders” under “Computer Management”, there were a lot of open sessions. In this case, I saw 1000+ open sessions from a single user, 300 from another user, and so on. Even though the server are showing all these open sessions, when I clicked on the “Open Files” folder to see what is opened, there were only 50 files. Something is acting very strangely with this server. Since this is their production server, I restarted the server to see if it fixed the issues. Luckily, it did. Even though, it kicked all the connected users out of the server, the open sessions are matching up to the amount of open files.

The next day, I did a little more troubleshooting trying to find out what is the root cause of the issue. I have noticed that during the same time, their network also experienced a “Browser Master” errors (event id 8021 and event id 8032) on the user’s PC before the server Event ID 1010.

Event ID: 8021
Source: BROWSER
Description:
The browser was unable to retrieve a list of servers from the browser master \\cloudmedy on the network \Device\NetBT_Tcpip_{1EFASDFSSDF-SFSf-…}. The data is the error code.
Data: 40 00 00 00

Event ID: 8032
Source: BROWSER
Description:
The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{1EFASDFSSDF-SFSf-…}. The backup browser is stopping.
Data: 40 00 00 00

Looks like the Browser Master might be the culprit here. I am not familiar with how the Browser Master works in windows. I think it was an old method on how Windows see each other during the old days with Windows NT and Windows 2000. I am going to do a little more research on this one.