Frente69

asked on

Active Directory group policies are randomly not applying to clients

Hello,
We are running Windows 2000 Active Directory Servers with XP clients.
We have 3 Servers that are running as DC's + 5 other servers.

I have been crawling through all the MS material I could find but none of it seems to help...

I am having problems with replication with our main DC server. I think this in turn may be causing group policies to not apply to client PCs (or so I suspect).
Server 2 and 3 replicate with each other without any problems.
Server 1 however does not want to play the replication game! Neither server 2 nor 3 will grab data from 1. I have tried manually copying the policies etc. from 1 to 2 and 3 to try and sync the process in case this is what was causing the problem.
This didn’t help and just gave date creation mismatch errors.

Now when I run GPOTOOL it says:
Policy {FD842082-97C3-4640-9CDD-60653D0DB048}
Error: Cannot access \\server2.soc.tas.edu.au\sysvol\soc.tas.edu.au\policies\{FD842082-97C3-4640-9CDD-60653D0DB048}, error 2
Error: Cannot access \\server3.soc.tas.edu.au\sysvol\soc.tas.edu.au\policies\{FD842082-97C3-4640-9CDD-60653D0DB048}, error 2

On server1 under event viewer it has the following error under File Replication Service:
Event Type:      Error
Event Source:      NtFrs
Event Category:      None
Event ID:      13568
Date:            2/09/2003
Time:            10:07:56 AM
User:            N/A
Computer:      SERVER1
Description:
The File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR.
 
 Replica set name is    : "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"
 Replica root path is   : "c:\winnt\sysvol\domain"
 Replica root volume is : "\\.\C:"
 A Replica set hits JRNL_WRAP_ERROR when the record that it is trying to read from the NTFS USN journal is not found.

I have tested replication by copying a file to the sysvol share on server1 called server1.txt and on server2 called server2.txt and on server3 a file called server3.txt.
Server2 ended up with server2 and 3 files on it as did server 3. Server1's file did not replicate to any other servers and it also did not receive the files from the other servers.

On server 2 and 3 in the event log we get:
The File Replication Service is having trouble enabling replication from SERVER1 to SERVER2 for c:\winnt\sysvol\domain using the DNS name server1.soc.tas.edu.au. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 
 [1] FRS can not correctly resolve the DNS name server1.soc.tas.edu.au from this computer.
 [2] FRS is not running on server1.soc.tas.edu.au.
 [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.
 
 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

On client PCs' event log we get:
Event Type:      Error
Event Source:      Userenv
Event Category:      None
Event ID:      1058
Date:            3/09/2003
Time:            9:02:52 AM
User:            SOC\frente
Computer:      NETWORKOFFICER
Description:
Windows cannot access the file gpt.ini for GPO CN={047EB295-9725-4152-8C06-F65A4A67B200},CN=Policies,CN=System,DC=soc,DC=tas,DC=edu,DC=au. The file must be present at the location <\\soc.tas.edu.au\SysVol\soc.tas.edu.au\Policies\{047EB295-9725-4152-8C06-F65A4A67B200}\gpt.ini>. (The system cannot find the path specified. ). Group Policy processing aborted.

Which is “apparently” an SMB error. I downloaded the patch and installed it and it didn’t fix it. This is causing the group policies to not apply on most computers. It even gives this error message on a clean install of XP just added to the domain.

So I guess I need to fix some sort of trust relationship between server1 and server2+server3, and I want group policies to start applying to client machines.

I would give this a bigger point value, but its all i have :-(

Thanks for any help!

John Gates, CISSP, CDPSE

Let's start with this... Are all these DCs running DNS? One of them? This can all be caused by DNS misconfiguration. On one of the servers running DNS, are there _MSDCS records and the like? Please let me know a little more about your configuration, also how the DCs are spread out: are they all on a local LAN or on different subnets, etc.?
rhinoceros

1. Is the AD DNS server correctly set up? Have the four folders _msdcs, _sites, _tcp, _udp been created in there? where is contain all AD linking. If not, create the DNS again as well.

2. Did you check "AD Sites and Services" (from Administrative Tools)? Have the NTDS settings (connections) been auto-generated between the different DCs? That is the replication link of all DCs in AD. If not, there may have been some error during dcpromo; you are able to create the new connection there manually.


I hope it can help.
Frente69 (asker)
The servers are spread out over 2 campuses.
Server3 is located at the Junior campus and server 1 and 2 are located at the Senior campus. They are connected via a 2 meg wireless link
We have 4 DNS servers. All 4 have the _msdcs, _sites, _tcp and _udp folders.
All 3 DC's are DNS servers.
The auto-generated connections look intact.
Server1 has Server2 and 3 listed under it
2 has 1 and 3
3 has 1 and 2

As far as i can tell it all looks right.

rhinoceros: I didn't understand what you meant by "where is contain all AD linking", could you please explain this more?

running GPOTOOL shows a lot of this:
Policy {FFB95CCB-2D30-466B-8313-4F2DD6782A5F}
Error: Cannot access \\server2.soc.tas.edu.au\sysvol\soc.tas.edu.au\policies\{FFB95CCB-2D30-466B-8313-4F2DD6782A5F}, error 2
Error: Cannot access \\server3.soc.tas.edu.au\sysvol\soc.tas.edu.au\policies\{FFB95CCB-2D30-466B-8313-4F2DD6782A5F}, error 2
Details:
------------------------------------------------------------
DC: server1.soc.tas.edu.au
Friendly name: Polname
Created: 6/03/2003 4:00:17 AM
Changed: 17/06/2003 11:34:41 PM
DS version:     7(user) 0(machine)
Sysvol version: 7(user) 0(machine)
Flags: 0
User extensions: [{25537BA6-77A8-11D2-9B6C-0000F8080861}{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}][{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B66650-4972-11D1-A7CA-0000F87571E3}]
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: server2.soc.tas.edu.au
Friendly name: Polname
Created: 6/03/2003 4:00:17 AM
Changed: 17/06/2003 11:38:56 PM
DS version:     7(user) 0(machine)
Sysvol version: not found
Flags: 0
User extensions: [{25537BA6-77A8-11D2-9B6C-0000F8080861}{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}][{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B66650-4972-11D1-A7CA-0000F87571E3}]
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: server3.soc.tas.edu.au
Friendly name: Polname
Created: 6/03/2003 4:00:17 AM
Changed: 17/06/2003 11:38:26 PM
DS version:     7(user) 0(machine)
Sysvol version: not found
Flags: 0
User extensions: [{25537BA6-77A8-11D2-9B6C-0000F8080861}{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}][{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B66650-4972-11D1-A7CA-0000F87571E3}]
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------

This info just in:
I was just looking in one of our labs.
It seems that any policy information that is being dragged down (when it is being dragged down) is being chosen either from server2+3 or from server1.
comparing 2 different machines sitting right next to each other, i typed in \\soc.tas.edu.au\sysvol on both of them and they both showed different file structure.
This must have something to do with the reason that policies are not being applied!
Also when I typed gpresult on the machine connecting to server 2 and 3 it received an "INFO: The user "soc\frente" does not have any RSOP data"

The pc connecting to server1 was fine
Frente69

Please see the information provided on this site.  It fixed my issue and I think it will fix yours...

http://www.eventid.net/display.asp?eventid=13568&source=

Netelligen
Thanks Netelligen

The File Replication Service successfully added the connections shown below to the replica set:
    "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"
 
    Inbound from    "server2.soc.tas.edu.au"
    Inbound from    "server3.soc.tas.edu.au"
    Outbound to    "server3.soc.tas.edu.au"
    Outbound to    "server2.soc.tas.edu.au"

I think this sounds like a positive message to me :-)!
Once it finishes re-adding itself to the replication group, should this iron out the group policy errors that are happening on clients (or did it for you?)
 
I will post again later and let you know how it goes either way :-))
OK, it has finished.
now GPOTOOL is reporting:
Error: Cannot access \\server1.soc.tas.edu.au\sysvol\soc.tas.edu.au\policies\{047EB295-9725-4152-8C06-F65A4A67B200}, error 2
Error: Cannot access \\server2.soc.tas.edu.au\sysvol\soc.tas.edu.au\policies\{047EB295-9725-4152-8C06-F65A4A67B200}, error 2
Error: Cannot access \\server3.soc.tas.edu.au\sysvol\soc.tas.edu.au\policies\{047EB295-9725-4152-8C06-F65A4A67B200}, error 2
before it was only erroring for server 2 and 3,.... now its erroring 1 2 and 3
plus
Error: Version mismatch on server1.soc.tas.edu.au, DS=262173, sysvol=29
Error: Version mismatch on server2.soc.tas.edu.au, DS=262173, sysvol=29
Error: Version mismatch on server3.soc.tas.edu.au, DS=262173, sysvol=29
plus I am getting Sysvol version: not found as well!
It's doing this a lot!
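A worked check for the two GPOTOOL outputs posted above (this is an added example written for this page, not code from the thread or from GPOTOOL itself). The "error 2" in the "Cannot access" lines is Win32 ERROR_FILE_NOT_FOUND, i.e. the DC in question simply has no folder for that GPO under its SYSVOL share; "Sysvol version: not found" in the per-DC details says the same thing. The later "Version mismatch ... DS=262173, sysvol=29" lines are a different defect: both the versionNumber attribute of the GPO object in AD and the Version= line in gpt.ini pack the user-side revision in the upper 16 bits and the computer-side revision in the lower 16 bits, so 262173 decodes to user 4 / machine 29 while 29 decodes to user 0 / machine 29: the SYSVOL copy is behind on the user side only. Because \\soc.tas.edu.au\SysVol is a DFS referral that can send each client to any DC, DCs holding different SYSVOL contents also explain the "two adjacent PCs see different folders" observation above. The parser below works on text captured from GPOTOOL; the SAMPLE block is reconstructed from the thread's own output with the line wraps removed, and the function names are mine.

```python
import re

# Regexes for the GPOTOOL lines we care about (format taken from the thread's output).
VERSION_RE = re.compile(r"(\d+)\(user\)\s+(\d+)\(machine\)")
ACCESS_RE = re.compile(r"Error: Cannot access \\\\([^\\]+)\\")
MISMATCH_RE = re.compile(r"Error: Version mismatch on (\S+), DS=(\d+), sysvol=(\d+)")

# Reconstructed from the thread's GPOTOOL output (sample data, not a live capture).
SAMPLE = r"""
Policy {FFB95CCB-2D30-466B-8313-4F2DD6782A5F}
Error: Cannot access \\server2.soc.tas.edu.au\sysvol\soc.tas.edu.au\policies\{FFB95CCB-2D30-466B-8313-4F2DD6782A5F}, error 2
Error: Cannot access \\server3.soc.tas.edu.au\sysvol\soc.tas.edu.au\policies\{FFB95CCB-2D30-466B-8313-4F2DD6782A5F}, error 2
Details:
------------------------------------------------------------
DC: server1.soc.tas.edu.au
Friendly name: Polname
DS version:     7(user) 0(machine)
Sysvol version: 7(user) 0(machine)
------------------------------------------------------------
DC: server2.soc.tas.edu.au
Friendly name: Polname
DS version:     7(user) 0(machine)
Sysvol version: not found
------------------------------------------------------------
DC: server3.soc.tas.edu.au
Friendly name: Polname
DS version:     7(user) 0(machine)
Sysvol version: not found
------------------------------------------------------------
Policy {047EB295-9725-4152-8C06-F65A4A67B200}
Error: Version mismatch on server1.soc.tas.edu.au, DS=262173, sysvol=29
Error: Version mismatch on server2.soc.tas.edu.au, DS=262173, sysvol=29
Error: Version mismatch on server3.soc.tas.edu.au, DS=262173, sysvol=29
"""


def decode_version(packed):
    """Split a packed GPO version into (user, machine).

    AD's versionNumber attribute and gpt.ini's Version= line both keep the
    user-side revision in the upper 16 bits and the computer-side revision in
    the lower 16 bits.
    """
    return (packed >> 16) & 0xFFFF, packed & 0xFFFF


def parse_gpotool(text):
    """Parse GPOTOOL output into {guid: {"unreachable": [...], "mismatch": {...}, "dcs": {...}}}."""
    policies = {}
    current = None
    dc = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Policy {"):
            guid = line.split(" ", 1)[1]
            current = policies.setdefault(guid, {"unreachable": [], "mismatch": {}, "dcs": {}})
            dc = None
            continue
        if current is None:
            continue
        m = ACCESS_RE.match(line)
        if m:  # DC reachable, but the GPO folder is absent on its SYSVOL share
            current["unreachable"].append(m.group(1))
            continue
        m = MISMATCH_RE.match(line)
        if m:  # AD object and gpt.ini disagree; decode both sides for comparison
            current["mismatch"][m.group(1)] = {
                "ds": decode_version(int(m.group(2))),
                "sysvol": decode_version(int(m.group(3))),
            }
            continue
        if line.startswith("DC: "):
            dc = line[4:]
            current["dcs"][dc] = {"ds": None, "sysvol": None}
            continue
        if dc is None:
            continue
        if line.startswith("DS version:"):
            m = VERSION_RE.search(line)
            current["dcs"][dc]["ds"] = (int(m.group(1)), int(m.group(2))) if m else None
        elif line.startswith("Sysvol version:"):
            m = VERSION_RE.search(line)  # "not found" leaves this as None
            current["dcs"][dc]["sysvol"] = (int(m.group(1)), int(m.group(2))) if m else None
    return policies


def findings(policies):
    """Reduce the parsed report to one actionable line per defect."""
    notes = []
    for guid, p in policies.items():
        missing = sorted(dc for dc, v in p["dcs"].items() if v["ds"] is not None and v["sysvol"] is None)
        if missing:
            notes.append(f"{guid}: GPO exists in AD but has no SYSVOL folder on {', '.join(missing)}")
        for dc, m in sorted(p["mismatch"].items()):
            stale = [side for side, i in (("user", 0), ("machine", 1)) if m["ds"][i] != m["sysvol"][i]]
            notes.append(
                f"{guid}: {dc} AD (user,machine)={m['ds']} vs SYSVOL {m['sysvol']}"
                f" ({'/'.join(stale)} side stale)"
            )
    return notes


if __name__ == "__main__":
    for note in findings(parse_gpotool(SAMPLE)):
        print(note)
```

Run it against `gpotool /verbose > gpotool.txt` captured on a DC and feed the file contents to parse_gpotool; a GPO that is "missing" on some DCs while "mismatched" on all of them, as here, points at SYSVOL content rather than at the AD side, which ADCHECK-style directory replication checks will report as healthy.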
ASKER CERTIFIED SOLUTION
John Gates, CISSP, CDPSE
Also in the meantime please go to www.netiq.com and download their admonitor product (free). Let me know what it says.
Their site is a little rough to navigate :( Here you go:
http://www.netiq.com/adcheck/default.asp
Our site is a 10.*.*.*
junior  campus has a 10.10.*.*
and senior 10.20.*.*

it looks like we are running a separate scope for each part of the school

ADCHECK reports seem to check out ok:
Verifying replication topology of entire network...
Detected no timeout errors...
Detected no configuration errors...
Detected no system errors...
Network replication appears to be functioning correctly!

Analyzing direct replication partners...
server2
     Last successful replication: Friday, 5 September 2003 8:51:28 AM
     Last replication attempt: Friday, 5 September 2003 8:51:28 AM
     Number of recent failures: 0
     Status of last attempt: The operation completed successfully.
     Transport: Intra-site RPC
server3
     Last successful replication: Friday, 5 September 2003 8:51:28 AM
     Last replication attempt: Friday, 5 September 2003 8:51:28 AM
     Number of recent failures: 0
     Status of last attempt: The operation completed successfully.
     Transport: Intra-site RPC
Is the event ID associated with your JRNL_WRAP_ERROR event ID 13568?
If so on the machine causing the error:

Expand HKEY_LOCAL_MACHINE.
Click down the key path:
   "System\CurrentControlSet\Services\NtFrs\Parameters"
Double click on the value name
   "Enable Journal Wrap Automatic Restore"
and update the value from 0 to 1

What service pack are you up to on your DCs?
In Active Directory Sites and Services do you have a senior and a junior site? And your two subnets listed and assigned to the separate sites?

Intra-site RPC looks good for server1 to server2 communications, but server three is across a router and RPC should not be used; the TCP/IP transport should be used to replicate between server 1 and 3. Have you right-clicked on NTDS Settings and run the Knowledge Consistency Checker? (right-click, Check Replication Topology) and then checked the logs?

My environment is laid out like this:

campus a
server1 10.1.x.x
server2 10.1.x.x

campus b
server 3 10.2.x.x
server4 10.2.x.x

I have all my dcs set up to be global catalog servers and dns servers.  My ADSS is set up as follows

campus a (subnet 10.1.x.x)
server1 preferred bridgehead
pulls from server 3 via TCP/IP transport
pulls from server2 via RPC (same subnet)

server2 only pulls from server 1 via RPC

campus b (subnet 10.2.x.x)
server 3 preferred bridgehead
pulls from server 1 via TCP/IP transport
pulls from server 4 via RPC (same subnet)

server 4 only pulls from server 3 via RPC

I see this in your post:
server3
    Last successful replication: Friday, 5 September 2003 8:51:28 AM
    Last replication attempt: Friday, 5 September 2003 8:51:28 AM
    Number of recent failures: 0
    Status of last attempt: The operation completed successfully.
     Transport: Intra-site RPC <-----

and though the replication of ad info appear to be ok this may be why Ntfrs is unable to replicate.

let me know if these steps help at all.
We were getting the 13568 error, but that is fixed now and files seem to be replicating between all servers without a problem (see comment from 09/03/2003 11:16PM PDT).
We are running SP4 on all servers.
In sites and services we only have a "Default-First-Site-Name" site. I assume that this is a default site name :-)

I have run the Check Replication Topology command as you instructed, but I am unable to find any logs that relate to this action. I assume it would show up under File Replication Service in Event Viewer?

Group Policies seem to have stopped randomly not applying. Nobody seems to be getting them at all anymore.

Most computers are now coming up with this error (even freshly installed XP machines added to the domain):

Event Type:      Error
Event Source:      Userenv
Event Category:      None
Event ID:      1058
Date:            5/09/2003
Time:            11:40:59 AM
User:            SOC\frente
Computer:      NETWORKOFFICER
Description:
Windows cannot access the file gpt.ini for GPO CN={047EB295-9725-4152-8C06-F65A4A67B200},CN=Policies,CN=System,DC=soc,DC=tas,DC=edu,DC=au. The file must be present at the location <\\soc.tas.edu.au\SysVol\soc.tas.edu.au\Policies\{047EB295-9725-4152-8C06-F65A4A67B200}\gpt.ini>. (The system cannot find the path specified ). Group Policy processing aborted.

Its not an SMB error :-) I have already installed the patch on the machine a fair few times!
how are your clients getting IP addresses? DHCP?
Another thing i just noticed,..
the policy {047EB295-9725-4152-8C06-F65A4A67B200} is there, however it is called {047EB295-9725-4152-8C06-F65A4A67B200}_NTFRS_19432461.

I tried renaming it, but it just gets renamed back to the latter except the numbers after _NTFRS_ get changed to something different.

so if PCs are looking for \\soc.tas.edu.au\SysVol\soc.tas.edu.au\Policies\{047EB295-9725-4152-8C06-F65A4A67B200}\gpt.ini rather than \\soc.tas.edu.au\SysVol\soc.tas.edu.au\Policies\{047EB295-9725-4152-8C06-F65A4A67B200}_NTFRS_19432461\gpt.ini, could this be the problem?
If so, how do I change it back to what it should be called? A fair few of the policies have the _NTFRS_(number) extensions on the end.

Sorry that this seems to be so complex and strange :-(
yes they are getting it through DHCP
on your XP machines start the DFS client service ( I have a feeling it is not running....) reboot the box and see if all is well.
oops DFS Client on the servers
also is the TCP/IP NetBIOS Helper Service  running on the dcs?  if not that should be set to started and automatic
TCP/IP NetBIOS Helper Service is running on all dc's
Can't find the DFS Client service in the services list, you're not talking about this one, are you:
http://www.soc.tas.edu.au/images/dfs.jpg 
?
If those services are running and the problem still exists we are going to have to troubleshoot the NtFrs tell me a little more about your wireless connections between the campuses..  These are routers between them right?  Is your server 3 a global catalog also?
server 3 is running as a global catalog.
Replication is working fine now!!
At one point I thought that the wireless connection was the issue but I no longer feel this is the case.
The wireless is setup transparently. No routing takes place. to our network it pretty much just looks like it is on the same site but slower.
Group policies are not being applied to any clients at all anymore!
Did you add your own policies or did you edit the default domain policy?
on one of the xp machines try gpupdate /force and then gpresult  Post your output here ;-)
OK strange,.. when i went to the computer room and did this it said:
"INFO: The user "soc\frente" does not have any RSOP Data"

Any idea what this means? That's all it said! Did a search on Google and it couldn't find the phrase (minus the username obviously :-))
Frente,

I don't want to step on dimante's toes, he has been riding this out with you the whole way.

I just wanted to give you this link for RSOP management.

RSOP is the Resultant Set Of Policy.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/proddocs/RSPht1.asp

Hope this helps.

Netelligen
Thanks for all the help dimante! You’re a great tech! (and Netelligen too)
In the end I solved it by moving the policy folders out of the sysvol and putting them somewhere else on the network and making new blank policies in AD and then copying the contents of the old policy to the new policy.

This for some reason killed our exchange server so i was forced to undo all the new policies and put the old ones back(renaming them first so they didn’t have the _NTFRS_*  extension).

Upon doing this all the policies regained the _NTFRS_* extension.
The next morning when i came back in policies were being applied left right and centre the way they should have been the whole time. I checked the sysvol directory and all policies had dropped the _NTFRS_* extension that was causing them not to be found.

So theory suggests that all you need to do is
1: take all policies out of sysvol directory and rename them to not have the _NTFRS_* extension.
2: wait half a day
3: copy them back

Hope this helps someone else!
Frente
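The `_NTFRS_` suffix seen above is FRS "morphing": when two members each create a folder of the same name independently (manually copying policy folders between DCs while replication is broken, as described at the start of the thread, is a known trigger), FRS keeps one copy under the original name and renames the loser to `<name>_NTFRS_<hex>`; renaming it back by hand while FRS is still reconciling just produces a fresh morphed name, which matches what the asker saw. A client that asks for `Policies\{GUID}\gpt.ini` therefore gets "The system cannot find the path specified" (Userenv 1058) even though the data is sitting right next to it. The audit below is an added example, not code from the thread or from Microsoft: it walks a Policies directory (a local path or a UNC path on Windows), separates healthy GUID folders from GUID folders lacking gpt.ini and from morphed copies, and reports "orphaned" morphs, where no plain GUID folder exists at all. `build_sample` constructs a throwaway tree resembling the one in the thread; the third GUID in it is made up for the example, and all function names are mine.

```python
import os
import re
import tempfile

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
POLICY_DIR_RE = re.compile(rf"^({GUID})$")
# FRS renames the losing side of a name collision to <name>_NTFRS_<hex digits>.
MORPHED_RE = re.compile(rf"^({GUID})_NTFRS_[0-9A-Fa-f]+$")


def audit_policies_dir(policies_dir):
    """Classify every directory directly under SYSVOL\\<domain>\\Policies.

    Returns a dict with:
      healthy  - GUID-named folders that contain a gpt.ini
      missing  - GUID-named folders with no gpt.ini (clients log Userenv 1058 for these)
      morphed  - {guid: [morphed folder names]} for every _NTFRS_ copy seen
      orphaned - the subset of morphed with no plain GUID folder at all, i.e. the
                 GPO is reachable only under a name clients never ask for
    """
    healthy, missing, morphed = [], [], {}
    for name in sorted(os.listdir(policies_dir)):
        if not os.path.isdir(os.path.join(policies_dir, name)):
            continue
        m = MORPHED_RE.match(name)
        if m:
            morphed.setdefault(m.group(1), []).append(name)
            continue
        if POLICY_DIR_RE.match(name):
            has_gpt = os.path.isfile(os.path.join(policies_dir, name, "gpt.ini"))
            (healthy if has_gpt else missing).append(name)
    present = set(healthy) | set(missing)
    orphaned = {guid: names for guid, names in morphed.items() if guid not in present}
    return {"healthy": healthy, "missing": missing, "morphed": morphed, "orphaned": orphaned}


def _write_gpt(folder, version):
    """Create a policy folder with a minimal gpt.ini ([General] / Version=<packed>)."""
    os.makedirs(folder, exist_ok=True)
    with open(os.path.join(folder, "gpt.ini"), "w") as fh:
        fh.write(f"[General]\nVersion={version}\n")


def build_sample(root):
    """Construct a Policies tree resembling the thread's (sample data, not a real SYSVOL)."""
    policies = os.path.join(root, "sysvol", "soc.tas.edu.au", "Policies")
    good = "{FD842082-97C3-4640-9CDD-60653D0DB048}"
    morphed_only = "{047EB295-9725-4152-8C06-F65A4A67B200}"
    made_up = "{11111111-2222-3333-4444-555555555555}"  # hypothetical GUID for the example
    _write_gpt(os.path.join(policies, good), 458752)                    # user 7, machine 0
    _write_gpt(os.path.join(policies, morphed_only + "_NTFRS_19432461"), 29)  # no plain twin
    os.makedirs(os.path.join(policies, made_up))                        # folder but no gpt.ini
    return policies


def run_demo():
    """Build the sample tree in a temp dir and audit it."""
    return audit_policies_dir(build_sample(tempfile.mkdtemp()))


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run `audit_policies_dir` against each DC's own share (for example `\\server1\sysvol\soc.tas.edu.au\Policies` from a Windows host) and diff the results between DCs: an orphaned entry on one DC and a healthy entry for the same GUID on another is the split state the thread describes, and the right response is to let FRS finish reconciling rather than to rename folders underneath it.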
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I will leave the following recommendation for this question in the Cleanup topic area:
    Accept: dimante {http:#9287426}

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

grblades
EE Cleanup Volunteer