Solved

Group Policy: Some users not picking up GPO

Posted on 2009-07-16
Last Modified: 2012-05-07
I created a new Group Policy two days ago for a CustomerService OU. There are 6 users in that OU. The new GPO is called DesktopBackground. Only 2 of the 6 users have picked it up thus far. The computers were restarted multiple times, and I even did a GPUPDATE /force on those machines.

I then tried running GPRESULT, and noticed that the DesktopBackground GPO is not even in the list under User Configuration section of the GPRESULT command for the remaining 4 users.
Question by:pzozulka
16 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24872000
When you run the RSoP report does it show that the GPO is being filtered out or not applying for another reason.
Any warnings or errors in your logs?
Next step may be to crank up logging.
Thanks
Mike
0
 
LVL 8

Author Comment

by:pzozulka
ID: 24872203
I forget how to run the RSoP report. I recall there is a way to do it from the user's computer, but maybe I'm wrong. I ran RSoP via Active Directory, and noticed everything looked OK. See snapshot below.

Will check the logs shortly.
snapshot.bmp
0
 
LVL 3

Expert Comment

by:Lisij
ID: 24872602
Where are those users getting the background file from?
Those computers that don't get it, are they any different from those that do get it? XP vs. Vista, etc.
Is your server 2000 or 2003? If 2K3, run gpmc.msc; it gives a much better picture of how the GPOs are applied.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24872646
In GPMC you right-click Group Policy Results to start RSoP (see attachment).
You can also run gpresult /v from the command line (I like GPMC better).
Thanks
Mike

RSOP-GPMC.jpg
0
 
LVL 8

Author Comment

by:pzozulka
ID: 24873036
Lisij: The background file is located on a server share. All 6 users are in the same OU, so they all should be picking up the GPO. They all run Win XP SP3. We have server 2003, but don't have GPMC installed.

mkline71: Most of the Admins like the standard Group Policy viewer instead of GPMC so we can't install it, at least for now.

0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24873106
When you create a new policy you will get the view you attached above.
I highly recommend GPMC for managing policies....at least on one machine.
Thanks
Mike
0
 
LVL 8

Author Comment

by:pzozulka
ID: 24873526
OK, will try to install GPMC, and report back shortly.
0
 
LVL 8

Author Comment

by:pzozulka
ID: 24906032
Sorry it took a while, but needed to install .NET framework before installing GPMC and couldn't restart the server until last night.

I tried running RSoP, but I'm not seeing anything significant to tell me why certain users are not picking up the GPO.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 24907080
You probably have a broken replication set:

Please review the following for troubleshooting and fixing Group policy issues like this:
http://www.experts-exchange.com/articles/OS/Microsoft_Operating_Systems/Server/2003_Server/Diagnosing-and-repairing-Events-1030-and-1058.html
0
 
LVL 8

Author Comment

by:pzozulka
ID: 24910116
Hmm, so I discovered FRS problems on 1 of 3 domain controllers. According to the article, if you discover FRS problems, you may stop right there and seek DNS troubleshooting and fixing. Not sure where to begin with DNS; all "looks" well.

Here are some of the errors for today (FYI: the 2 other DCs are newer and have been in place under 6 months; they have no problems):

Event Type:      Error
Event Source:      NtFrs
Event Category:      None
Event ID:      13506
Date:            7/21/2009
Time:            12:43:31 AM
User:            N/A
Computer:      MILLA
Description:
The File Replication Service failed a consistency check
  (!memcmp(Header->FileObjId.ObjectId, &Coc->FileGuid, sizeof(GUID)))
in "StuExecuteInstall:" at line 2847.
 
The File Replication Service will restart automatically at a later time. If this problem persists a subsequent entry in this event log describes the recovery procedure.
 For more information about the automatic restart right click on My Computer and then click on Manage, System Tools, Services, File Replication Service, and Recovery.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
*****************************************************************************
Event Type:      Error
Event Source:      NtFrs
Event Category:      None
Event ID:      13505
Date:            7/21/2009
Time:            12:44:12 AM
User:            N/A
Computer:      MILLA
Description:
The File Replication Service has stopped after taking an assertion failure.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
*****************************************************************************
Event Type:      Error
Event Source:      NtFrs
Event Category:      None
Event ID:      13555
Date:            7/21/2009
Time:            12:43:31 AM
User:            N/A
Computer:      MILLA
Description:
The File Replication Service is in an error state. Files will not replicate to or from one or all of the replica sets on this computer until the following recovery steps are performed:
 
 Recovery Steps:
 
 [1] The error state may clear itself if you stop and restart the FRS service. This can be done by performing the following in a command window:
 
    net stop ntfrs
    net start ntfrs
 
If this fails to clear up the problem then proceed as follows.
 
 [2] For Active Directory Domain Controllers that DO NOT host any DFS alternates or other replica sets with replication enabled:
 
If there is at least one other Domain Controller in this domain then restore the "system state" of this DC from backup (using ntbackup or other backup-restore utility) and make it non-authoritative.
 
If there are NO other Domain Controllers in this domain then restore the "system state" of this DC from backup (using ntbackup or other backup-restore utility) and choose the Advanced option which marks the sysvols as primary.
 
If there are other Domain Controllers in this domain but ALL of them have this event log message then restore one of them as primary (data files from primary will replicate everywhere) and the others as non-authoritative.
 
 
 [3] For Active Directory Domain Controllers that host DFS alternates or other replica sets with replication enabled:
 
 (3-a) If the Dfs alternates on this DC do not have any other replication partners then copy the data under that Dfs share to a safe location.
 (3-b) If this server is the only Active Directory Domain Controller for this domain then, before going to (3-c),  make sure this server does not have any inbound or outbound connections to other servers that were formerly Domain Controllers for this domain but are now off the net (and will never be coming back online) or have been fresh installed without being demoted. To delete connections use the Sites and Services snapin and look for
Sites->NAME_OF_SITE->Servers->NAME_OF_SERVER->NTDS Settings->CONNECTIONS.
 (3-c) Restore the "system state" of this DC from backup (using ntbackup or other backup-restore utility) and make it non-authoritative.
 (3-d) Copy the data from step (3-a) above to the original location after the sysvol share is published.
 
 
 [4] For other Windows servers:
 
 (4-a)  If any of the DFS alternates or other replica sets hosted by this server do not have any other replication partners then copy the data under its share or replica tree root to a safe location.
 (4-b)  net stop ntfrs
 (4-c)  rd /s /q  c:\windows\ntfrs\jet
 (4-d)  net start ntfrs
 (4-e)  Copy the data from step (4-a) above to the original location after the service has initialized (5 minutes is a safe waiting time).
 
Note: If this error message is in the eventlog of all the members of a particular replica set then perform steps (4-a) and (4-e) above on only one of the members.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
*****************************************************************************
0
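The three NtFrs events quoted above are the signal that SYSVOL, and with it the GPO files under it, has stopped replicating from this DC. As an added example (not from the thread, the poster, or Microsoft), the Python below triages such an export: it parses the "Event Type: / Event Source: / Event ID:" layout pasted above, groups the 13505/13506/13555 events per domain controller, reports whether the DC is in the halted state that 13555 describes, and notes when the service has stopped more than once, which the example takes (an assumption) as the sign that step [1] of event 13555, a plain service restart, has not cleared the problem. The sample log is constructed; the second 13505 and the Service Control Manager record are made up to exercise recurrence and source filtering.

```python
"""Triage exported NtFrs events for halted SYSVOL replication.

Added example for this thread (not the poster's, not Microsoft's). It reads the
'Event Type: / Event Source: / Event ID:' export layout quoted above, keeps the
NtFrs error events named in the thread, and reports per domain controller
whether FRS is halted and whether the service keeps stopping after restarts.
"""
import re
from collections import defaultdict

# Meanings taken from the event descriptions quoted in the thread.
NTFRS_ERRORS = {
    13506: "consistency check failed",
    13505: "service stopped after assertion failure",
    13555: "error state; replication halted until recovery steps are performed",
}
FIELD_RE = re.compile(r"^(Event Type|Event Source|Event ID|Date|Time|Computer):\s*(.*)$")
SEPARATOR_RE = re.compile(r"^\*{5,}[ \t]*$", re.M)

# Constructed sample in the poster's export layout, trimmed to the fields used.
# The second 13505 and the Service Control Manager record are made up.
SAMPLE_LOG = """\
Event Type:      Error
Event Source:      NtFrs
Event ID:      13555
Time:            12:43:31 AM
Computer:      MILLA
Description:
The File Replication Service is in an error state.
*****************************************************************************
Event Type:      Error
Event Source:      NtFrs
Event ID:      13505
Time:            12:44:12 AM
Computer:      MILLA
Description:
The File Replication Service has stopped after taking an assertion failure.
*****************************************************************************
Event Type:      Error
Event Source:      NtFrs
Event ID:      13505
Time:            1:52:40 AM
Computer:      MILLA
Description:
The File Replication Service has stopped after taking an assertion failure.
*****************************************************************************
Event Type:      Information
Event Source:      Service Control Manager
Event ID:      7036
Time:            12:50:00 AM
Computer:      MOJITO
Description:
The File Replication Service service entered the running state.
"""


def parse_events(text):
    """Split on the '*****' separator lines; read the header fields of each
    record, then the free text that follows 'Description:'."""
    events = []
    for chunk in SEPARATOR_RE.split(text):
        fields, desc, in_desc = {}, [], False
        for line in chunk.splitlines():
            line = line.strip()
            if in_desc:
                desc.append(line)
            elif line == "Description:":
                in_desc = True
            else:
                m = FIELD_RE.match(line)
                if m:
                    fields[m.group(1)] = m.group(2).strip()
        if "Event ID" in fields:
            events.append({
                "source": fields.get("Event Source", ""),
                "id": int(fields["Event ID"]),
                "computer": fields.get("Computer", "").upper(),
                "description": " ".join(d for d in desc if d),
            })
    return events


def frs_status(events, stop_threshold=2):
    """Per DC: NtFrs error IDs seen, whether 13555 reported the halted state,
    and whether 13505 recurred at least stop_threshold times (assumption: taken
    to mean that step [1] of event 13555, a plain restart, did not clear it)."""
    status = defaultdict(lambda: {"errors": [], "halted": False, "stops": 0})
    for ev in events:
        if ev["source"] != "NtFrs" or ev["id"] not in NTFRS_ERRORS:
            continue
        entry = status[ev["computer"]]
        entry["errors"].append(ev["id"])
        entry["halted"] = entry["halted"] or ev["id"] == 13555
        entry["stops"] += ev["id"] == 13505
    for entry in status.values():
        entry["restart_insufficient"] = entry["stops"] >= stop_threshold
    return dict(status)


if __name__ == "__main__":
    for dc, entry in frs_status(parse_events(SAMPLE_LOG)).items():
        print(dc, entry)
```

Run it as a script to print one line per DC; a DC with `restart_insufficient` set is the one where, as the thread later describes, starting the service by hand only buys an hour before the 13505/13555 pair returns, so the deeper FRS recovery steps quoted in event 13555 apply rather than another restart.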
 
LVL 38

Expert Comment

by:ChiefIT
ID: 24910332
Assuming you have the 2003 server support tools already loaded onto this DC, go to the command prompt and type:

DCdiag /Test:DNS

If all looks well, then try stopping and restarting the FRS service:

Net Stop NTFRS
and
Net Start NTFRS

Then force replication between DCs.

Remember, we must make sure DNS is fixed prior to getting FRS to work right. The DNS records used for replication are in the MSDCS folder and are SRV records (also called SeRVice records for domain services).
0
 
LVL 8

Author Comment

by:pzozulka
ID: 24910493
Looks like great advice. I will definitely look deeper into this stuff tomorrow morning; for now I just wanted to share the results of DCdiag /Test:DNS. Looks like it failed.

It mentions an old DC called EINSTEIN, we decommissioned it a while ago, but it looks like it still references it.

Thanks for your help.
Microsoft Windows [Version 5.2.3790]

(C) Copyright 1985-2003 Microsoft Corp.
 

C:\Documents and Settings\zeuss>cd ..
 

C:\Documents and Settings>cd ..
 

C:\>cd "Program Files"
 

C:\Program Files>cd "Support Tools"
 

C:\Program Files\Support Tools>dcdiag /Test:DNS
 

Domain Controller Diagnosis
 

Performing initial setup:

   Done gathering initial info.
 

Doing initial required tests
 

   Testing server: LA\MILLA

      Starting test: Connectivity

         ......................... MILLA passed test Connectivity
 

Doing primary tests
 

   Testing server: LA\MILLA
 

DNS Tests are running and not hung. Please wait a few minutes...
 

   Running partition tests on : DomainDnsZones
 

   Running partition tests on : ForestDnsZones
 

   Running partition tests on : Schema
 

   Running partition tests on : Configuration
 

   Running partition tests on : bcr
 

   Running enterprise tests on : bcr.local

      Starting test: DNS

         Test results for domain controllers:
 

            DC: milla.bcr.local

            Domain: bcr.local
 
 

TEST: Basic (Basc)

Warning: adapter [00000009] Intel(R) Advanced Network Services

Virtual Adapter has invalid DNS server: 10.81.2.20 (<name unavailable>)
 

TEST: Forwarders/Root hints (Forw)

Error: Root hints list has invalid root hint server: b.root-servers.net. (128.9.0.107)

Error: Root hints list has invalid root hint server: l.root-servers.net. (198.32.64.12)
 

TEST: Delegations (Del)

Warning: DNS server: einstein.bcr.local. IP: <Unavailable> Failure:Missing glue A record
 

Summary of test results for DNS servers used by the above domain controllers:
 

DNS server: 10.81.2.20 (<name unavailable>)

1 test failure on this DNS server

This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 10.81.2.20

Name resolution is not functional. _ldap._tcp.bcr.local. failed on the DNS server 10.81.2.20
 

DNS server: 128.9.0.107 (b.root-servers.net.)

1 test failure on this DNS server

This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.9.0.107
 

DNS server: 198.32.64.12 (l.root-servers.net.)

1 test failure on this DNS server

This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.32.64.12

Summary of DNS test results:
 

Auth Basc Forw Del  Dyn  RReg Ext

               ________________________________________________________________

Domain: bcr.local

milla       PASS WARN PASS FAIL PASS PASS n/a
 

 ......................... bcr.local failed test DNS
 

C:\Program Files\Support Tools>


0
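The output above is what points at the decommissioned DC: the Delegations test names einstein.bcr.local with a missing glue A record, and the summary row marks Del as FAIL while Basc is only a warning. As an added example (not the poster's, and not part of dcdiag), the Python below pulls those findings out of dcdiag /test:DNS text so a fix can be verified by rerunning and comparing: it collects invalid resolvers, bad root hints, delegation failures and the PASS/WARN/FAIL table, and compares each delegation target against an operator-supplied list of current DCs (milla and mojito are the names from the thread; the list argument itself is an assumption). The sample output is constructed from the quoted run with its line wrapping repaired.

```python
"""Parse 'dcdiag /test:DNS' output and surface what needs fixing.

Added example for this thread (not Microsoft's tooling, not the poster's). It
reads the text layout the Server 2003 Support Tools dcdiag printed above and
extracts invalid resolvers, bad root hints, delegation failures and the
PASS/WARN/FAIL summary table, then flags delegation records that point at a
server no longer in the caller's list of current DCs.
"""
import re

INVALID_DNS_RE = re.compile(r"has invalid DNS server:\s*(\S+)\s*\(([^)]*)\)")
ROOT_HINT_RE = re.compile(r"invalid root hint server:\s*(\S+)\s*\(([^)]*)\)")
DELEGATION_RE = re.compile(r"Warning: DNS server:\s*(\S+)\s+IP:\s*(\S+)\s+Failure:\s*(.*)$")

# Constructed sample modelled on the run quoted in the thread (names kept,
# forum line wrapping repaired, unrelated sections omitted).
SAMPLE_DCDIAG = r"""
Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   Testing server: LA\MILLA
      Starting test: Connectivity
         ......................... MILLA passed test Connectivity

Doing primary tests
   Running enterprise tests on : bcr.local
      Starting test: DNS
         Test results for domain controllers:
            DC: milla.bcr.local
            Domain: bcr.local
               TEST: Basic (Basc)
                  Warning: adapter [00000009] Intel(R) Advanced Network Services Virtual Adapter has invalid DNS server: 10.81.2.20 (<name unavailable>)
               TEST: Forwarders/Root hints (Forw)
                  Error: Root hints list has invalid root hint server: b.root-servers.net. (128.9.0.107)
                  Error: Root hints list has invalid root hint server: l.root-servers.net. (198.32.64.12)
               TEST: Delegations (Del)
                  Warning: DNS server: einstein.bcr.local. IP: <Unavailable> Failure:Missing glue A record
         Summary of DNS test results:
                                      Auth Basc Forw Del  Dyn  RReg Ext
               ________________________________________________________________
            Domain: bcr.local
               milla                  PASS WARN PASS FAIL PASS PASS n/a
         ......................... bcr.local failed test DNS
"""


def parse_dcdiag_dns(text):
    result = {
        "invalid_dns_servers": [],   # (ip, name) pairs from the Basic test
        "invalid_root_hints": [],    # (hostname, ip) pairs from the Forwarders test
        "delegation_failures": [],   # (server, ip, reason) from the Delegations test
        "summary": {},               # dc -> {column: PASS | WARN | FAIL | n/a}
        "passed": "failed test DNS" not in text,
    }
    columns = None
    for raw in text.splitlines():
        line = raw.strip()
        m = INVALID_DNS_RE.search(line)
        if m:
            result["invalid_dns_servers"].append((m.group(1), m.group(2)))
            continue
        m = ROOT_HINT_RE.search(line)
        if m:
            result["invalid_root_hints"].append((m.group(1), m.group(2)))
            continue
        m = DELEGATION_RE.search(line)
        if m:
            result["delegation_failures"].append((m.group(1), m.group(2), m.group(3).strip()))
            continue
        # Summary table: the header row names the columns, DC rows follow it.
        if columns is None:
            if line.startswith("Auth "):
                columns = line.split()
            continue
        if not line or line.startswith("_") or line.startswith("Domain:"):
            continue
        if line.startswith("...."):
            break
        tokens = line.split()
        if len(tokens) == len(columns) + 1:
            result["summary"][tokens[0].lower()] = dict(zip(columns, tokens[1:]))
    return result


def failing_tests(result):
    """(dc, test) pairs that the summary table marks FAIL."""
    return [(dc, col) for dc, cols in result["summary"].items()
            for col, verdict in cols.items() if verdict == "FAIL"]


def stale_delegations(result, current_dcs):
    """Delegation targets absent from the caller's list of current DCs (assumed
    input): the records a decommissioned DC left behind."""
    current = {name.lower().rstrip(".") for name in current_dcs}
    found = {srv.lower().rstrip(".") for srv, _ip, _why in result["delegation_failures"]}
    return sorted(found - current)


if __name__ == "__main__":
    r = parse_dcdiag_dns(SAMPLE_DCDIAG)
    print("passed:", r["passed"], "failing:", failing_tests(r))
    print("stale delegations:", stale_delegations(r, ["milla.bcr.local", "mojito.bcr.local"]))
```

Feed it the saved output of a real run (the parser only needs the text) before and after the delegation cleanup; the Del column flipping from FAIL to PASS and an empty stale-delegation list are the concrete success criteria that the thread's later "DCdiag /Test:DNS is now successful" corresponds to.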
 
LVL 8

Author Comment

by:pzozulka
ID: 24930840
Looks like I fixed the problem of DNS because DCdiag /Test:DNS is now successful.

I looked under services and NTFRS was already stopped. So I started it up, but about an hour later I came back and saw more Event ID 13555, 13505, and 13506 errors.

I look at services, and once again see that NTFRS is stopped.


Furthermore, I tried paying close attention to what you wrote below. You mentioned DNS records used for replication are in the MSDCS. Please see the attached snapshot, am I looking in the correct folder? Mojito is a current DC, but I just fixed it to point to Mojito. Before it was pointing to a Decommissioned DC called Einstein. I think after doing that, the DCdiag DNS tests became successful. Am I missing records in there? Should I add anything?

Also, how do I force replication between DCs, and what could be the reason NTFRS keeps stopping?

=====================================================

"Then force replicate between DC's.

remember, we must make sure DNS is fixed prior to getting FRS to work right. The DNS records used for replication are in the MSDCS file folder and are SRV records (also called SeRVice records for domain services)."
DNS.JPG
0
 
LVL 38

Accepted Solution

by:
ChiefIT earned 500 total points
ID: 24931580
The one that is greyed out is a file folder for delegation records. The lookup zone called MSDCS.bcr.local holds the SRV records. Since the delegation record is greyed, it means it was not updated and therefore scavenged. I ran into the same problem.

Let's do this in order:
1) Remove any metadata of Einstein from any remaining DCs (how, you ask? Follow these directions):
http://www.petri.co.il/delete_failed_dcs_from_ad.htm

2) To fix DNS, delete both the MSDCS delegation folder and the MSDCS.BCR.Local forward lookup zone. How to, you ask? Well, here is an example:

3) Once you have deleted those MSDCS records, you will want to recreate them. Go to the command prompt and type these four lines:
IPconfig /flushdns
IPconfig /registerdns
Net Stop netlogon
Net Start netlogon

4) Now, let's run DCdiag /test:DNS to triple check our work.

5) Once done, let's try a less invasive approach to restart replication.
Go to START>>RUN>>and type services.msc. Now restart the NTFRS service to see if it works. If not, we may have to use the Burflag method to rebuild the sysvol and netlogon shares and then re-initiate FRS.

NOTE: At this point stop right there. The Burflag method includes registry edits and can hose up your replication. We want to make sure some things are in order before we begin. One would be a true image backup of the system. Also, we want to make sure the Burflag method is compatible with your OS. It must be 2003 Server Standard or earlier. 2008 and 2003 Server R2 shouldn't need the Burflag method because of the enhanced features of DFSR instead of FRS. If we must resort to the Burflag method, please reply with the OS of each server, as well as which server seems to have the FRS event errors in the 13000s.

0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 24931593
Oops, forgot the example for your MSDCS file folder (yes, I ran into the same issue):
http://www.experts-exchange.com/Networking/Protocols/DNS/Q_24349599.html
0
 
LVL 8

Author Comment

by:pzozulka
ID: 25039628
Sorry it took so long to get back. This worked great. After reading more into this, I suppose I could have also uninstalled DNS and then reinstalled it. To keep it even simpler, I guess we could have dcpromo'd it altogether to decommission that server; that would solve the problem as well, since we have other backup DCs in the environment.

Thanks a lot for your help.
0
