Blank GPO's after promoting W2k3 server to DC status

Status
Not open for further replies.

Aelara

IS-IT--Management
Dec 13, 2007
34
GB
Hello, I don't know what happened but it has caused many hours of work populating the GPO's which were in place.

We introduced the first and second W2k3 DC in what was a W2k domain. Soon after the introduction of these two servers we noticed that all the GPO's were not accessible due to [STRING] too long errors. After several reboots and executing a utility which was from Microsoft and designed to address the string issue, we finally gained access to half the GPO's. The rest we can't get to as we apparently don't have the privileges despite being logged on as enterprise admins.

To cut a long story short, half the GPO's we can access are now blank. All settings are set to "not configured". To add insult to injury, when people log on it appears that older GPO's are executing that now do not exist as they were removed months ago. Any ideas? Has SYSVOL got anything to do with this on the older W2k DC?

Any help would be great.

Aelara.
 
Can I also mention that I transferred all FSMO roles from the old W2k DC to the new W2k3 DC.

alera.
 
I don't think "[STRING] too long errors" has anything to do with your issue. This is just a mismatch in the templates and a hotfix addresses your issue.

All group policy settings are stored under SYSVOL. I would 1st start looking if FRS is working as it should between your DCs.

This might not be your case, but you might want to check if the junction points are good on your 2000 DC.

Remember that what's accessed by machines to apply policies and what's being replicated by FRS is not the same folder.

Easiest way to check if this is the case is to compare content of those folders which should be the same: (or even drop a text file in each)
c:\winnt\sysvol\sysvol\your_domain_name\policies
c:\winnt\sysvol\domain\policies

Lukasz
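
A scripted form of the folder comparison suggested above, as an added example that is not part of the original thread: it inventories the GPO GUID folders under each Policies path and reports any GPO that is missing from one location or whose GPT.INI version differs. It goes slightly beyond the two local folders by accepting any number of paths, so the SYSVOL shares of several DCs can be compared too; the function names and the `label=path` argument format are assumptions of this example.

```python
import re
import sys
from pathlib import Path

# GPO folders under Policies are named by GUID in braces.
GUID_DIR = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# GPT.INI carries the GPO version as "Version=<number>".
VERSION = re.compile(r"^\s*Version\s*=\s*(\d+)", re.IGNORECASE | re.MULTILINE)


def gpo_inventory(policies_root):
    """Map each GPO GUID folder to the Version in its GPT.INI (None if unreadable)."""
    inventory = {}
    for entry in Path(policies_root).iterdir():
        if not (entry.is_dir() and GUID_DIR.match(entry.name)):
            continue  # skip stray files and non-GPO folders
        version = None
        for f in entry.iterdir():
            if f.is_file() and f.name.lower() == "gpt.ini":
                m = VERSION.search(f.read_text(encoding="utf-8-sig", errors="replace"))
                version = int(m.group(1)) if m else None
        inventory[entry.name.upper()] = version
    return inventory


def compare_policies(roots):
    """roots maps a label to a Policies path; returns only the GPOs that differ."""
    inventories = {label: gpo_inventory(path) for label, path in roots.items()}
    diffs = {}
    for guid in sorted(set().union(*inventories.values())):
        # "MISSING" marks a GPO folder that does not exist at that location.
        row = {label: inv.get(guid, "MISSING") for label, inv in inventories.items()}
        if len(set(row.values())) > 1:
            diffs[guid] = row
    return diffs


if __name__ == "__main__":
    # Usage (labels are free text chosen by the operator), e.g.:
    #   python compare_policies.py shared=c:\winnt\sysvol\sysvol\your_domain_name\policies
    #                              replica=c:\winnt\sysvol\domain\policies
    roots = dict(arg.split("=", 1) for arg in sys.argv[1:])
    for guid, row in compare_policies(roots).items():
        print(guid, row)
```

An empty result means every location holds the same set of GPO folders at the same versions; it does not compare the settings files inside each GPO.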
 
Anything in the event logs?? Might also be worth checking if the FSMO roles transferred correctly; on each DC do:

netdom query fsmo

Check that a functioning server has the roles and that all DCs give the same results.

Probably worth checking your DNS as well to make sure that is properly configured and working correctly.

What does dcdiag have to say??

Paul
MCSE


"Two things are infinite: the universe and human stupidity; and I'm not sure about the universe."
Albert Einstein
 
Another quick test that I just thought of: move your PDC role back to the 2000 DC and then look at your policies again to see if they're fine, as any modifications to policies go to the PDC.
 
Thanks guys, I accessed the SYSVOL folders on the two 2003 DC's and I noticed that one set of policies was missing from the SYSVOL folder on the W2K DC. I simply copied the missing policy from the 2003 DC (SYSVOL share) to the 2000 DC (SYSVOL share) and what do you know! All works perfectly again. A simple copy and paste job.

Many thanks for your input. It has been extremely helpful.

Aelara.
 
I'm glad you resolved your policy problem.

You realize though that this is just a temporary workaround for current policies, as your FRS is broken between your 2000DC and 2003DCs. (from what I've read here so far)

In a nutshell, any new policies created will not replicate to 2000DC. And once you fix FRS replication between those DCs you might end up with morphed folders as copying files is not recommended between SYSVOLs unless you perform authoritative/non-authoritative restore for SYSVOL replica set for your FRS right after performing manual copying.

Lukasz
Microsoft SME:DFS/FRS/DFSN/DFSR
 
I agree, it was a desperate move to stop 1000 users having much more control over their systems than intended. It is to be for a week or two till I manage to get the time to withdraw the older 2000DC. Although AD objects are replicating, I noticed that the SYSVOL and NETLOGON directories do not.

For that reason I thought a simple copy/paste procedure would not have any effect on the other W2k3DC's.

One thing that puzzles me though is why most policy requests are directed to the older 2000DC when in the GPO I have set it to look at the master which happens to be a very healthy W2k3 DC. Any ideas? Should I set a machine GPO as well directing it to the Master or will the user based GPO's suffice?

Aelara.

 
What do you mean by setting GPO to look at the master?
 