GPO Applied from defunct DC

Status
Not open for further replies.

hewissa

IS-IT--Management
Sep 11, 2002
669
US
Hi All,

I have a Windows XP machine that authenticates against the DC. But when I run gpupdate and gpresult, the GPO is applied from a DC that was demoted and removed from the network.

I have disjoined and rejoined the workstation to the domain, ran this secedit command - secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose - to reset the computer security settings, and still it indicates that the domain GPOs are applied from the nonexistent DC.

Any insight?

Thanks,

Hewissa

MCSE 2K, 2K3, CCNP
 
Hi bcastner,

Correct, I am following the MS KB article; however, this isn't a disaster recovery scenario. I am using the command in an attempt to restore the security settings to a default state.

I ran the command while the workstation was a member and a non-member.

User account is domain and local admin.

In checking the EV, the App log has a recurring Userenv event indicating that the DC cannot be contacted, so GP processing is aborted. What makes this strange is that the user authenticates, the logon script is applied, but the GPO is aborted.

Scratch'n my head on this one...

Thanks,

Hewissa

MCSE 2K, 2K3, CCNP
 
Could you post a gpresult back here, please.
And the name of:
. defunct DC
. current DC
 
C:\Documents and Settings\admin>gpresult

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 8/3/2006 at 8:23:20 PM


RSOP results for domain-name\admin on HOWA-WKS2-domain-name : Logging Mode
----------------------------------------------------------

OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: domain-name
Domain Type: Windows 2000
Site Name: Default
Roaming Profile:
Local Profile: C:\Documents and Settings\admin
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
CN=HOWA-WKS2-domain-name,OU=Managed Computers,OU=domain-name-RC Domain Computers,DC=domain-name,DC=domain-name,DC=domain-name,DC=net
Last time Group Policy was applied: 8/3/2006 at 8:21:47 PM
Group Policy was applied from: DC-svr1-domain-name.domain-name.domain-name.domain-name.net
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
Default Domain Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)

The computer is a part of the following security groups:
--------------------------------------------------------
BUILTIN\Administrators
Everyone
Debugger Users
BUILTIN\Users
HOWA-WKS2-domain-name$
Domain Computers
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users


USER SETTINGS
--------------
CN=admin,OU=Administrators,DC=domain-name,DC=domain-name,DC=domain-name,DC=net
Last time Group Policy was applied: 8/3/2006 at 8:22:48 PM
Group Policy was applied from: DC-svr4-domain-name.domain-name.domain-name.domain-name.net
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
Default Domain Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)

The user is a part of the following security groups:
----------------------------------------------------
Domain Admins
Everyone
BUILTIN\Administrators
BUILTIN\Users
Group Policy Creator Owners
Domain Users
Enterprise Admins
LOCAL
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users


DC-svr5-domain-name.domain-name.domain-name.domain-name.net is the only DC now on the network.

*I edited the names and accounts...

Thanks,

Hewissa

MCSE 2K, 2K3, CCNP
 
Neither app reports errors on the new DC. I believe the issue is on the client and not the server, since other workstations are able to retrieve their GPO settings.

Thanks,

Hewissa

MCSE 2K, 2K3, CCNP
 
Anything useful here?

Local Group Policy Set to None Existing Account
thread779-1221958
 
Hi guys,

No, roaming profiles are not enabled; however, folder redirection is through a GPO, which, by chance, is being applied by the defunct svr1 and svr4. This is the root of the problem, because the redirection is to svr1.

I checked the other thread, linney, and the one link regarding resetting the sec policy I had applied already.

The domain has not changed, only the DCs. I had done a metadata cleanup to check that there were no skeletons. Only DC 5 is now listed as the single DC in the domain.

Strangest thing...

Thanks,

Hewissa

MCSE 2K, 2K3, CCNP
 
Sounds like pilot error with dcpromo.

Glad you got it sorted.
Bill Castner
 
Not sorted out Bill.

22 workstations in this domain and 9 have this problem. DC 5 was brought online as a member server. Given 5 days to adjust to the domain. Promoted to a DC, and 5 days to adjust. Claimed all FSMO roles and 5 days to adjust. Then all the remaining 4 DCs were demoted and removed from the network. No errors in the EV, netdiag, dcdiag, etc. Only these workstations will not relinquish their GPO applied svr.

Thanks,

Hewissa

MCSE 2K, 2K3, CCNP
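
An added example, not part of the original thread: a Python check that reads saved gpresult text and flags any COMPUTER or USER section whose "Group Policy was applied from" server is not in a list of live DCs, which is a quick way to sort the affected workstations from the healthy ones. The sample input is constructed from the redacted names in the output posted above, and the function names are hypothetical.

```python
import re

# Constructed sample: trimmed to the fields that matter, using the redacted
# names from the gpresult output posted in the thread.
SUFFIX = "-domain-name.domain-name.domain-name.domain-name.net"
SAMPLE = f"""\
COMPUTER SETTINGS
------------------
Last time Group Policy was applied: 8/3/2006 at 8:21:47 PM
Group Policy was applied from: DC-svr1{SUFFIX}

USER SETTINGS
--------------
Last time Group Policy was applied: 8/3/2006 at 8:22:48 PM
Group Policy was applied from: DC-svr4{SUFFIX}
"""
LIVE_DCS = [f"DC-svr5{SUFFIX}"]  # the only DC left, per the thread

SECTION_RE = re.compile(r"^\s*(COMPUTER|USER) SETTINGS\s*$")
SOURCE_RE = re.compile(r"^\s*Group Policy was applied from:\s*(\S*)\s*$")


def policy_sources(text):
    """Map each gpresult section (COMPUTER/USER) to the server it names."""
    sources, section = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            sources[section] = ""  # section seen, source not yet found
            continue
        m = SOURCE_RE.match(line)
        if m and section:
            sources[section] = m.group(1)
    return sources


def stale_sources(text, live_dcs):
    """Return (section, server) pairs whose policy source is not a live DC."""
    live = {d.lower().rstrip(".") for d in live_dcs}
    sources = policy_sources(text)
    findings = []
    for section in ("COMPUTER", "USER"):
        server = sources.get(section, "")
        # A missing section or field is reported too: gpresult did not complete.
        if server.lower().rstrip(".") not in live:
            findings.append((section, server or "<missing>"))
    return findings


if __name__ == "__main__":
    for section, server in stale_sources(SAMPLE, LIVE_DCS):
        print(f"{section}: policy source {server} is not a live DC")
```

Redirecting `gpresult` to a text file on each workstation and passing each file's contents to `stale_sources` gives a per-machine list of stale policy sources.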
 