psychopenguin1

asked on

Windows Server 2003 GPO overwriting 2008 GPO

Basic problem: The old 2003 GPO is still applying even though I've created a new GPO in 2008

Setup:

Server1 = Windows 2003 with 2003 AD acting as BDC.  Up until 3 months ago it was the only server in the domain.  It also supplied all DNS and DHCP services as well.  It was recently demoted from PDC when the second server was installed.

Server2 = Windows 2008 R2.  Recently added because Server1 was failing drives and having intermittent problems.  We added it to the domain and promoted it (after upgrading the schema on the 2003 server) to PDC.  All was running well until today.

Users = From the beginning (3 years ago), I've always authenticated users on the domain and redirected their My Documents and Desktop to a share on Server1.  Total computers are 15 - all Windows 7 Pro but 3 are still XP.

GPO = I've been using a GPO called "User GPO Default Policy" that I made and this is where all the policies came from for Folder Redirection.  This policy was created on the 2003 server and worked just fine until today.  Today I tried to change one of the Folder Redirection settings (Start Menu) from the 2008 server Group Policy Manager to point from the old share on the 2003 server to a new share on the 2008 server.  After a "gpupdate /force" and also a reboot of both servers (a couple of times), the settings would not apply.  I would go to one of the user computers, log out / log in and nothing changed on the new share.  I keep looking in the new share to see the new folders that should be automatically created upon login, but nothing.  So, I created a brand new GPO in the 2008 GPM, linked it to the OU and then deleted the old GPO completely (probably shouldn't have done that).  Now, when the users login, their Documents are not available.

One more thing to note, when I would try and create or change the Folder Redirection from the 2003 GPM, it would tell me I didn't have access to that directory located on the 2008 server.   However, I could browse to that share on Server2 just fine from Server1.  The share on Server2 is "User Redirection" and I want the policy to do basic redirection and create each user's folder under this share (remember I've already done this on Server1 before). Permissions for the share on Server1 are:

CREATOR OWNER = Full Control (Subdirectory and files)
SYSTEM = Full Control
Administrators = Full Control
Authenticated Users = Full Control (Subdirectory and files)

When I do a "gpresult", it still shows the policy coming from Server1.
ASKER CERTIFIED SOLUTION
Hillarys-ICT
psychopenguin1 (ASKER)
Here is the output from Server2 using the repadmin command (I've replaced our domain/company name with "company").  I don't have the admin pack installed on the 2003 server, but maybe this will help while I get that installed:

Default-First-Site\SERVER2
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: cb2966f7-31df-4e31-8364-fc2d33f8af01
DSA invocationID: e983bc18-03d6-40b5-ba7a-88b2010447ac

==== INBOUND NEIGHBORS ======================================

DC=company,DC=local
    Default-First-Site\SERVER1 via RPC
        DSA object GUID: bd7a95fa-7510-44bf-9d19-1dcc40738787
        Last attempt @ 2011-03-18 07:59:29 was successful.

CN=Configuration,DC=company,DC=local
    Default-First-Site\SERVER1 via RPC
        DSA object GUID: bd7a95fa-7510-44bf-9d19-1dcc40738787
        Last attempt @ 2011-03-18 07:59:29 was successful.

CN=Schema,CN=Configuration,DC=company,DC=local
    Default-First-Site\SERVER1 via RPC
        DSA object GUID: bd7a95fa-7510-44bf-9d19-1dcc40738787
        Last attempt @ 2011-03-18 07:59:29 was successful.

DC=ForestDnsZones,DC=company,DC=local
    Default-First-Site\SERVER1 via RPC
        DSA object GUID: bd7a95fa-7510-44bf-9d19-1dcc40738787
        Last attempt @ 2011-03-18 07:59:29 was successful.

DC=DomainDnsZones,DC=company,DC=local
    Default-First-Site\SERVER1 via RPC
        DSA object GUID: bd7a95fa-7510-44bf-9d19-1dcc40738787
        Last attempt @ 2011-03-18 07:59:29 was successful.
SOLUTION
Here's the output for Server1 - which looks to be the problem.  Although I'm not quite sure what the solution would be.


Default-First-Site\SERVER1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: bd7a95fa-7510-44bf-9d19-1dcc40738787
DSA invocationID: bd7a95fa-7510-44bf-9d19-1dcc40738787


Source: Default-First-Site\SERVER2
******* 95 CONSECUTIVE FAILURES since 2011-03-17 12:32:16
Last error: 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failure.

Naming Context: CN=Configuration,DC=company,DC=local
Source: Default-First-Site\SERVER2
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: CN=Schema,CN=Configuration,DC=company,DC=local
Source: Default-First-Site\SERVER2
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: DC=company,DC=local
Source: Default-First-Site\SERVER2
******* WARNING: KCC could not add this REPLICA LINK due to error.
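As an added example that is not from this thread: a PowerShell check that turns repadmin /showrepl /csv into a per-link table and confirms each partner resolves in DNS and its SYSVOL share is reachable, which is what the 8524 "DNS lookup failure" and the later FRS warnings come down to. It assumes repadmin.exe is present on the DC it runs on and that company.local is the DNS suffix (the post's anonymised domain name).

```powershell
# Added example (not from the original post): summarise inbound replication links and
# check that every partner DC resolves in DNS and exposes its SYSVOL share.
# Assumes: run on a DC with repadmin.exe available; PowerShell 2.0 or later.

$domainSuffix = 'company.local'   # assumption: DNS suffix used in the thread

# /csv is a documented repadmin switch; ConvertFrom-Csv turns the rows into objects
# with columns such as 'Naming Context', 'Source DSA', 'Number of Failures',
# 'Last Failure Status' and 'Last Success Time'.
$rows = repadmin /showrepl /csv | ConvertFrom-Csv

$report = foreach ($r in $rows) {
    $partner = $r.'Source DSA'
    $fqdn    = "$partner.$domainSuffix"
    try {
        # Same lookup FRS/KCC depend on; uses the DC's own resolver settings.
        $ips      = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString }
        $resolves = $true
    } catch {
        $ips      = @()
        $resolves = $false
    }
    New-Object PSObject -Property @{
        NamingContext = $r.'Naming Context'
        Partner       = $partner
        Failures      = [int]$r.'Number of Failures'
        LastStatus    = $r.'Last Failure Status'     # e.g. 8524 in the post above
        LastSuccess   = $r.'Last Success Time'
        Resolves      = $resolves
        Addresses     = ($ips -join ',')
        SysvolReach   = $resolves -and (Test-Path "\\$fqdn\SYSVOL")
    }
}

# Any link with failures, or whose partner does not resolve, matches the
# "CONSECUTIVE FAILURES ... DNS lookup failure" block in the post: until DNS is
# fixed, neither AD nor SYSVOL (and therefore GPO) replication can be trusted.
$problems = $report | Where-Object { $_.Failures -gt 0 -or -not $_.Resolves -or -not $_.SysvolReach }

if ($problems) {
    $problems | Format-Table NamingContext, Partner, Failures, LastStatus, Resolves, SysvolReach, Addresses -AutoSize
} else {
    'All inbound replication links report zero failures; all partners resolve and expose SYSVOL.'
}
```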
SOLUTION
Here is the screenshot for Sites and Services:
Note that there is NO <automatically generated> for Server2 - there's actually no entry at all for Server2.

Here is the screenshot for the DNS entry:
SOLUTION
Here's the screenshot from Server2 for NTDS:
Here's the screenshot from Server2 for DNS:
I changed the DNS of Server1 to point to Server2 - it was originally pointing to our ISP DNS servers.  Server2 is already pointing to Server1 as its primary and itself (127.0.0.1) as secondary.

When I perform an "ipconfig /registerdns" I get an error:
Registration of DNS records failed: The RPC server is unavailable.
Okay, it looks like DNS is working well now as both Server1 and Server2 can see each other and there are <automatically generated> entries for both servers for Server1 and Server2.  The same problem still exists - the new domain policy is not applying folder redirection.  I'm assuming this is true because the new folders are not being created in the new location for the specified redirection policy.  The redirection is as follows for all users:

Documents -> \\SERVER1\Users\User Redirect
Desktop -> \\SERVER1\Users\User Redirect
Pictures -> \\SERVER2\User Redirection

The Documents and Desktop are redirecting, but that's because it's part of the old GPO. The "Pictures" redirection is the new GPO and nothing is being created under the root folder.
Here is the output from the FRS event log today from SERVER2:

The File Replication Service is having trouble enabling replication from server1.domain.local to SERVER2 for c:\windows\sysvol\domain using the DNS name server1.domain.local. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 
 [1] FRS can not correctly resolve the DNS name server1.domain.local from this computer.
 [2] FRS is not running on server1.domain.local.
 [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.
Ok, looks like the problem is solved.  There were a few things going on.  First, File Replication was not happening and that was due in part to the DNS issues stated above.  One of the problems was that Server2 was not resolving the DNS for Server1.  The solution was to make sure the NTDS entries were being generated, but then I went ahead and manually entered the address for Server1 into Server2's HOSTS file - that solved the File Replication warnings.  Also, the users were not part of the group that had permissions on the Server2 share for Folder Redirection.  Server1 had the correct permissions and it seems that the default group permissions have changed for folder creation in Server 2008 from 2003 - or maybe the person who set up our 2003 server (not me) changed user group membership during setup.
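The second root cause above was the NTFS ACL on the new redirection root. As an added example, not code from this thread, the following PowerShell audit checks a Folder Redirection root for both failure modes: users with no right to create their folder (the symptom here), and a root ACL that is broader than the least-privilege layout Microsoft documents for folder redirection, which is what a "Full Control" entry for Authenticated Users amounts to. It assumes the share path named in the thread.

```powershell
# Added example (not from the original post): audit the NTFS ACL of a Folder Redirection
# root. Assumes: the path below is the redirection root and the caller can read its ACL.

$root = '\\SERVER2\User Redirection'   # share named in the thread; adjust as needed

# Rights users need on the ROOT only: list it, create their own subfolder, read attributes,
# traverse. CREATOR OWNER (subfolders and files) then makes each user the owner of the
# folder the redirection extension creates. Synchronize is included because Get-Acl
# reports it on every Allow ACE.
$userRootRights = [System.Security.AccessControl.FileSystemRights]'ListDirectory, CreateDirectories, ReadAttributes, Traverse, Synchronize'

$acl      = Get-Acl -Path $root
$usersAce = $acl.Access | Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\Authenticated Users' -and $_.AccessControlType -eq 'Allow' }
$ownerAce = $acl.Access | Where-Object { $_.IdentityReference.Value -eq 'CREATOR OWNER' -and $_.AccessControlType -eq 'Allow' }

$findings = @()

if (-not $usersAce) {
    # This is the case in the thread: no entry lets users create their folder, so the
    # redirection extension fails at logon and the client reports access denied.
    $findings += 'No Allow ACE for Authenticated Users: users cannot create their own folder, so redirection fails at logon.'
} else {
    foreach ($ace in $usersAce) {
        # Any bit outside the root minimum means users can read or modify each other's folders.
        $extra = ([int]$ace.FileSystemRights) -band (-bnot [int]$userRootRights)
        if ($extra -ne 0) {
            $findings += "Authenticated Users has more than the root minimum: $($ace.FileSystemRights). Every user can then reach every other user's redirected folders."
        }
        if ($ace.InheritanceFlags -ne 'None') {
            $findings += "Authenticated Users ACE inherits to children ($($ace.InheritanceFlags)); scope it to this folder only."
        }
    }
}

if (-not $ownerAce) {
    $findings += 'No CREATOR OWNER ACE: the user who creates a subfolder will not get full control of it.'
} elseif ($ownerAce | Where-Object { $_.InheritanceFlags -eq 'None' }) {
    $findings += 'CREATOR OWNER ACE does not propagate to subfolders and files.'
}

if ($findings) { $findings } else { "ACL on $root matches the folder redirection root layout." }
```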