Group Policy Not Applying Correctly 1

[sysadmin123]

The problem I'm running into involves WSUS. I had to change servers and WSUS is on a new server now.

Well of course I had all these system that where going to the old server so I changed the Group Policy to go towards the new WSUS server.

Problem is that some of them aren't detecting. I got all clients to detect by going to each system and manually editting the registry to go to the new WSUS...But the next time the Group Policy applies it sets it back.

This is only on about 7 out of 35 machines that this is happening. The reset are doing fine.

Any suggestions?

 

[markdmac]

What OS are the clients?

For Windows 2000 run:
secedit /refreshpolicy machine_policy /enforce
secedit /refreshpolicy user_policy /enforce

For Windows XP run:
gpupdate /force

After doing that, login to the box and run GPRESULT to determine what policies are being applied and from where. Make sure that all of your DCs are replicating and that all have the new server name in thier policy that gets pushed down.

I hope you find this post helpful.

Regards,

Mark

 

[sysadmin123]

I did as you said and the issue on the ones being effected is the policy is being applied from my other server.

Let me explain what happened.

I have 2 locations and a DC at each.

Everything was fine but recently we removed the location2 server as it was old and moved the location1 server over there.

All we did was demote the server and move it over and join it back.

The Brand new server should be supplying the GPO no the old server we moved. How do i fix this?

 

[sysadmin123]

I tried disjoining and rejoining the domain and now it's getting the GPO from the right server but the changes are still not taking place.

The only other difference I can see is that on on that does work under policy object that were applied the Local Group Policy is not there on one that works and is there on the one that isn't working.

 

[markdmac]

You have me confused about what you have in production.

How many servers are DCs? Where are they and where are the computers that have the issue? Have you rebooted the clients since moving servers around?

I hope you find this post helpful.

Regards,

Mark

 

[sysadmin123]

We have two DC's at and the replicate back and forth...yes all clients have been rebooted.

I did a gpresult on both systems and the only difference between the two is under the computer section on the working one the Local Group Policy object is filtered and it's not on the one that isn't working.

Almost like the local policy is somehow messing it up.

 

[djtech2k]

Try running rsop.msc on one that works and one that does not. That will show you what settings are applying and what policy is doing it.

 

[sysadmin123]

Apparently it just had to sit for awhile but it finally took. What is working is removing and readding the computer to the domain.

So I think I've solved that but I have one more question.

One of the systems that I need to do this on is a DC at my other location.

Is there any harm in disjoining and rejoining this to the domain? Besides downtime for the time it takes to do this....

This is not the Primary DC.

 

[djtech2k]

If it is a DC you would have to dcpromo it. I would not do that unless absolutely necessary.

 

[sysadmin123]

Any other suggestions then? How do I get the right GPO to apply.

The one that's not working is getting it's GPO from itself...It used to be the PDC but we demoted it and moved it to another location and installed a new PDC.

I think some are still trying to get the GPO from it somehow.

Like I said though I've been fixing by disjoining and rejoining the systems to the domain.

But if I can't for this one any other suggestions.

 

[markdmac]

You have a replication problem you need to address and stop focus on the symptom.

Check the connectivity between the DCs. Check DNS settings as well.

Force AD replication and see what happens. Check the event logs.

I hope you find this post helpful.

Regards,

Mark

 

[sysadmin123]

I looked...I'm not seeing any replication issues in the event log.

It's replicating fine it's just that since the location2 server used to be the primary and held the Global Catalog some of the systems are going to that server for the GPO. Disjoining and rejoining them puts them on the right track to the new server which holds the global catalog.

So no way to fix it for that one server with out using DCPROMO?

 

[djtech2k]

Mark is correct though that all DC's should be distributing the same GPO's regardless of location or site. How many sites do you have? It is not normally a bad practice to have all sites have 1 GC.

Have you looked at the FSMO roles your servers have and how they are distributed? How about replication partners? Which site/server replicates with which? Have you run the KCC? If nothing else, it may be an option to delete all of the connection objects and force the kcc to run.

 

[markdmac]

If the server does not have the proper GPO settings then you DO have a replication problem. The policies should synchronize.

Again I would stress that the computers having the problem are only a symptom of the real problem. These machines are not getting the right information from that second server so you need to see why the second server does nto have the right information. The GPO from the other server should be copied over but is not. THAT is the root of your problem. Focus on that issue and the rest will fall into place.

I hope you find this post helpful.

Regards,

Mark

 

[MTVW]

Both servers should be GC's.....Removing and rejoining PC's to the domain doesn't sound like a good fix to me. Your GPO's are not getting to the other server....Replication.

 

[sysadmin123]

I'm not very well versed when coming to DC and setting them up. We had a third party help me move the server and set the new one up.

Where should I look?

 

[markdmac]

Event logs would be the first place to start.

I hope you find this post helpful.

Regards,

Mark

 

[sysadmin123]

I'll post some things from the event log from the one's that's not getting the correct GPO settings.


THis is in the Directory log:
Event Type: Error
Event Source: NTDS Inter-site Messaging
Event Category: Inter-Site Messaging
Event ID: 1373
Date: 1/6/2006
Time: 1:40:10 PM
User: N/A
Computer: SERVER
Description:
The query for messages for service NTDS Replication via transport CN=SMTP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=DOMAIN,DC=Local failed with the following status:

The system cannot find the path specified.

The record data is the status code.
Data:
0000: 03 00 07 80 ...?



I'm Also getting this on the current PDC and it's stating the Source Server is our other server it should be replicating to.

I'm try to figure this out but it may be over my head at this point.

Event Type: Error
Event Source: NTDS Replication
Event Category: DS RPC Client
Event ID: 2087
Date: 1/6/2006
Time: 3:04:25 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: SNSERVER
Description:
Active Directory could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources.

Source domain controller:
SERVER
Failing DNS host name:
47fb988a-b4c0-4f3d-b1bc-17a9ebdb0f1e._msdcs.DOMAIN.Local

NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur. To log all individual failure events, set the following diagnostics registry value to 1:

Registry Path:
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client

User Action:

1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498.

2) Confirm that the source domain controller is running Active directory and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>".

3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on

http://www.microsoft.com/dns

dcdiag /test:dns

4) Verify that that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows:

dcdiag /test:dns

5) For further analysis of DNS error failures see KB 824449:

http://support.microsoft.com/?kbid=824449

Additional Data
Error value:
11004 The requested name is valid, but no data of the requested type was found.


For more information, see Help and Support Center at

http://go.microsoft.com/fwlink/events.asp.

 

[djtech2k]

Another quick thing to check is dcdiag and netdiag. That could give you a quick overview of problem areas.

 

[sysadmin123]

Netdiag on the PDC all passess

On the other DC which is really only a file server and is a DC for replication purposes gave these warnings on netdiag everything else passed.


DNS test . . . . . . . . . . . . . : Passed
[WARNING]: The DNS registration for 'SERVER.Domain.Local' is corre
ct only on some DNS servers.
Please wait 15 min for replication and run the test again.
PASS - All the DNS entries for DC are registered on DNS server 'xx.xx.xxx.xx
' and other DCs also have some of the names registered.
PASS - All the DNS entries for DC are registered on DNS server 'xx.xx.xxx.xx'
and other DCs also have some of the names registered.