Solved

Active Directory Group Policy Management

Posted on 2010-11-23
Last Modified: 2012-06-21
I have a problem accessing my Active Directory Default Policy on my Windows 2003 SP2 Servers.
I have 3 Active Directory Domain Controllers. Two of the servers have the FSMO roles and they are WINDOWS 2003 SP2 Servers. A third controller is a Windows 2008 R2 Standard Server.
The DOMAIN is operating at a Windows 2003 Functional Level. When I open the Group Policy Management console on one of the Windows 2003 domain servers I can look at the Group Policy settings for any number of OTHER policies "BUT" the DEFAULT domain policy. When I open the default policy it opens. Then I click on the settings tab and it displays "GENERATING REPORT" for a few seconds, then it returns with an ERROR message that reads (An Error occurred while generating report.. An Unknown error occurred while the HTML report was being created.)
Here is the interesting part. I downloaded the Windows 7 Administrators tools and installed them on my administration laptop and I can open the Group Policy Management tools and open / view / edit the default policy there with no problem. If I open the Group Policy Management tool on the Windows 2008 R2 Server I can open the default domain policy and also open / view / edit the settings there without any problem. So I guess my question here is: why can't I view the default domain policy on the 2003 Domain servers that hold the FSMO roles, especially when the Domain AD is running at the 2003 Functional level?
Strange that the 2008 R2 server and the Windows 7 tools work fine?
This is not a deal breaker since I can get to the default domain policy on the Windows 7 machine, but it concerns me. Any ideas what is going on and how to possibly correct it?
Question by:NaplesFLDave
3 Comments
 
LVL 15

Accepted Solution

by:
markpalinux earned 500 total points
ID: 34202575


Group Policy lives in the SysVol folder of the domain controllers. It could be that one of your DCs is out of sync as far as the SysVol directories.

Look at the event logs.

Be sure to get a backup of your group policies using the GPMC.

GET BACKUP!!!

Check out this post - it points you to Sonar, which is a tool to help troubleshoot.
http://davebritt.blogspot.com/2006/05/gpotool-to-check-gpo-consistency.html

Also another tool: Ultrasound
How to rebuild the SYSVOL tree and its content in a domain
http://support.microsoft.com/kb/315457

Also, I would recommend creating a new policy using GPMC; look at the GUID and the path, and be sure this is replicated to all of your DCs.

If you need help looking at the AD replication look at
Microsoft Active Directory Topology Diagrammer
https://www.microsoft.com/downloads/en/details.aspx?FamilyID=cb42fc06-50c7-47ed-a65c-862661742764&displaylang=en


Hope this helps.
Mark
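
An added example, not part of the original answer: one way to check whether the Default Domain Policy's SYSVOL copy agrees across domain controllers is to compare the `Version` value in each DC's `GPT.INI`. The DC names, the `example.local` domain and the sample file contents are constructed placeholders; a matching version number does not prove the policy files themselves are identical.

```powershell
# Added example. DC names and GPT.INI contents below are constructed sample data.
$DefaultDomainPolicy = '{31B2F340-016D-11D2-945F-00C04FB984F9}'  # well-known GUID

function Get-GptVersion {
    param([string]$GptIniText)
    # GPT.INI holds a line such as "Version=196613"
    if ($GptIniText -match '(?im)^\s*Version\s*=\s*(\d+)\s*$') {
        $v = [uint32]$Matches[1]
        New-Object PSObject -Property @{
            Raw      = $v
            User     = [int][math]::Floor($v / 65536)  # high 16 bits: user settings revision
            Computer = [int]($v % 65536)               # low 16 bits: computer settings revision
        }
    }
    # No output (null) when the file is missing, empty or has no Version line
}

function Compare-GptVersion {
    param([hashtable]$GptIniByDc)
    $rows = foreach ($dc in ($GptIniByDc.Keys | Sort-Object)) {
        $ver = Get-GptVersion $GptIniByDc[$dc]
        New-Object PSObject -Property @{
            DC       = $dc
            Raw      = $(if ($ver) { $ver.Raw } else { 'unreadable' })
            User     = $(if ($ver) { $ver.User } else { $null })
            Computer = $(if ($ver) { $ver.Computer } else { $null })
        }
    }
    # More than one distinct value means at least one DC holds a different SYSVOL copy
    $distinct = @($rows | ForEach-Object { $_.Raw } | Sort-Object -Unique).Count
    if ($distinct -gt 1) { Write-Warning "GPT.INI version differs between DCs" }
    $rows
}

# Constructed sample: one 2003 DC is one computer-side revision behind the others
$sample = @{
    'DC2003A'  = "[General]`r`nVersion=196613`r`n"
    'DC2003B'  = "[General]`r`nVersion=196612`r`n"
    'DC2008R2' = "[General]`r`nVersion=196613`r`n"
}
Compare-GptVersion $sample | Format-Table DC, Raw, User, Computer -AutoSize

# Live use (replace the placeholder DC names and domain with your own):
# $live = @{}
# foreach ($dc in 'DC2003A','DC2003B','DC2008R2') {
#     $path = "\\$dc\SYSVOL\example.local\Policies\$DefaultDomainPolicy\GPT.INI"
#     $live[$dc] = Get-Content $path -ErrorAction SilentlyContinue | Out-String
# }
# Compare-GptVersion $live | Format-Table DC, Raw, User, Computer -AutoSize
```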
 

Author Closing Comment

by:NaplesFLDave
ID: 34204859
These are all good tips. I used the command line tools to SYNC and test the replication of the DOMAIN CONTROLLERS and ALL checks out just fine. I suspect the anomaly may be caused by the Mixed Servers. 2 are 2003 servers and the one 2008 R2. But I will look into the tools outlined to see if they offer any insight.
 
LVL 29

Expert Comment

by:pwindell
ID: 34205754
You should not be editing the Default Policies in the first place,...ever.   The Default Domain Policy would only be edited to cover Password Policies because that is the only place it can be done,...but beyond that,...no edits,...ever.  The Default Domain Controllers Policy should be left completely virgin,...no edits,...ever.

Create new policies when you want to make changes.  It is even a good idea to group similar settings together with separate GPOs for each "group",...just don't get carried away with the idea,...too many individual policies is a bad idea as well.

There is a way to re-create new default "virgin" policies.

http://geekswithblogs.net/DotNetCoder/archive/2007/07/14/113937.aspx

http://support.microsoft.com/kb/833783



