Solved

Windows Server 2003 GPO overwriting 2008 GPO

Posted on 2011-03-17
Last Modified: 2012-05-11
Basic problem: The old 2003 GPO is still applying even though I've created a new GPO in 2008

Setup:

Server1 = Windows 2003 with 2003 AD acting as BDC.  Up until 3 months ago it was the only server in the domain.  It also supplied all DNS and DHCP services as well.  It was recently demoted from PDC when the second server was installed.

Server2 = Windows 2008 R2.  Recently added because Server1 was failing drives and having intermittent problems.  We added it to the domain and promoted it (after upgrading the schema on the 2003 server) to PDC.  All was running well until today.

Users = From the beginning (3 years ago), I've always authenticated users on the domain and redirected their My Documents and Desktop to a share on Server1.  Total computers are 15 - all Windows 7 Pro but 3 are still XP.

GPO = I've been using a GPO called "User GPO Default Policy" that I made and this is where all the policies came from for Folder Redirection.  This policy was created on the 2003 server and worked just fine until today.  Today I tried to change one of the Folder Redirection settings (Start Menu) from the 2008 server Group Policy Manager to point from the old share on the 2003 server to a new share on the 2008 server.  After a "gpupdate /force" and also a reboot of both servers (a couple of times), the settings would not apply.  I would go to one of the user computers, log out / log in and nothing changed on the new share.  I keep looking in the new share to see the new folders that should be automatically created upon login, but nothing.  So, I created a brand new GPO in the 2008 GPM, linked it to the OU and then deleted the old GPO completely (probably shouldn't have done that).  Now, when the users log in, their Documents are not available.

One more thing to note, when I would try and create or change the Folder Redirection from the 2003 GPM, it would tell me I didn't have access to that directory located on the 2008 server.  However, I could browse to that share on Server2 just fine from Server1.  The share on Server2 is "User Redirection" and I want the policy to do basic redirection and create each user's folder under this share (remember I've already done this on Server1 before). Permissions for the share on Server1 are:

CREATOR OWNER = Full Control (Subdirectory and files)
SYSTEM = Full Control
Administrators = Full Control
Authenticated Users = Full Control (Subdirectory and files)

When I do a "gpresult", it still shows the policy coming from Server1.
0
Question by:psychopenguin1
12 Comments
 
LVL 1

Accepted Solution

by:
Hillarys-ICT earned 500 total points
ID: 35163389
Firstly I think some checking of your domain health is in order.
The problems seem to indicate that replication is probably not occurring and possibly that your 2008 server is not being used to process policies.
Open a command prompt on your 2008 server and run the command: repadmin /showrepl <servername>
servername being the name of your domain controller, so run it for both your 2003 DC and your 2008 DC
(you would need to have installed the admin pack on the 2003 server for the command to be available, 2008 has it as standard)

This will show you if replication was successful and when it last worked.
Although thinking about that some more, the GPOs are replicated by SYSVOL which is separate to the AD replication.
Have a look in the event log for File system replication as per http://technet.microsoft.com/en-us/library/cc728051%28WS.10%29.aspx

If your replication is not working, it's often DNS that's at fault
0
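As an added example (not posted by anyone in this thread), a small Python parser for the text that repadmin /showrepl prints: it walks the INBOUND NEIGHBORS section and flags any link that reports consecutive failures, a last-error code (8524 is the DNS lookup failure mentioned later in this thread) or a KCC "could not add this REPLICA LINK" warning. The sample output is constructed in the shape of the real tool's output, with placeholder site, server and domain names.

```python
import re

# Constructed sample shaped like "repadmin /showrepl" text output; the failure
# blocks mirror the 2003-style layout shown in the thread. Names are placeholders.
SAMPLE = """\
Default-First-Site\\SERVER1
==== INBOUND NEIGHBORS ======================================

DC=ForestDnsZones,DC=company,DC=local
    Default-First-Site\\SERVER2 via RPC
        Last attempt @ 2011-03-18 07:59:29 was successful.

Naming Context: CN=Configuration,DC=company,DC=local
Source: Default-First-Site\\SERVER2
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: DC=company,DC=local
Source: Default-First-Site\\SERVER2
******* 95 CONSECUTIVE FAILURES since 2011-03-17 12:32:16
Last error: 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failure.
"""

NC_RE = re.compile(r"^(?:Naming Context: )?((?:DC|CN)=.+)$")          # naming context header
SRC_RE = re.compile(r"^(?:Source: |\s+)(\S+\\\S+)(?: via \w+)?\s*$")  # source DC as site\server
FAIL_RE = re.compile(r"(\d+) consecutive failure", re.I)               # 2003 and 2008 wording
ERR_RE = re.compile(r"(?:Last error: |failed, result )(\d+)")          # Win32 error code

def parse_showrepl(text):
    """Return one dict per inbound (naming context, source DC) link."""
    links, nc, cur = [], None, None
    for line in text.splitlines():
        if m := NC_RE.match(line):
            nc = m.group(1).strip()
        elif (m := SRC_RE.match(line)) and nc:
            cur = dict(nc=nc, source=m.group(1), ok=True, failures=0, error=None, kcc_warning=False)
            links.append(cur)
        elif cur is None:
            continue
        elif m := FAIL_RE.search(line):
            cur["ok"], cur["failures"] = False, int(m.group(1))
        elif m := ERR_RE.search(line):
            cur["ok"], cur["error"] = False, int(m.group(1))
        elif "KCC could not add this REPLICA LINK" in line:
            cur["ok"], cur["kcc_warning"] = False, True
    return links

def broken_links(text):
    """Inbound links needing attention; error 8524 is the DNS lookup failure the thread hit."""
    return [l for l in parse_showrepl(text) if not l["ok"]]
```

Run it against the saved output of repadmin /showrepl for each DC; a healthy domain returns an empty list from broken_links, and the 2008-style "failed, result NNNN" and "N consecutive failure(s)" lines are recognised as well.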
 

Author Comment

by:psychopenguin1
ID: 35166743
Here is the output from Server2 using the repadmin command (I've replaced our domain/company name with "company").  I don't have the admin pack installed on the 2003 server, but maybe this will help while I get that installed:

Default-First-Site\SERVER2
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: cb2966f7-31df-4e31-8364-fc2d33f8af01
DSA invocationID: e983bc18-03d6-40b5-ba7a-88b2010447ac

==== INBOUND NEIGHBORS ======================================

DC=company,DC=local
    Default-First-Site\SERVER1 via RPC
        DSA object GUID: bd7a95fa-7510-44bf-9d19-1dcc40738787
        Last attempt @ 2011-03-18 07:59:29 was successful.

CN=Configuration,DC=company,DC=local
    Default-First-Site\SERVER1 via RPC
        DSA object GUID: bd7a95fa-7510-44bf-9d19-1dcc40738787
        Last attempt @ 2011-03-18 07:59:29 was successful.

CN=Schema,CN=Configuration,DC=company,DC=local
    Default-First-Site\SERVER1 via RPC
        DSA object GUID: bd7a95fa-7510-44bf-9d19-1dcc40738787
        Last attempt @ 2011-03-18 07:59:29 was successful.

DC=ForestDnsZones,DC=company,DC=local
    Default-First-Site\SERVER1 via RPC
        DSA object GUID: bd7a95fa-7510-44bf-9d19-1dcc40738787
        Last attempt @ 2011-03-18 07:59:29 was successful.

DC=DomainDnsZones,DC=company,DC=local
    Default-First-Site\SERVER1 via RPC
        DSA object GUID: bd7a95fa-7510-44bf-9d19-1dcc40738787
        Last attempt @ 2011-03-18 07:59:29 was successful.
0
 
LVL 1

Assisted Solution

by:Hillarys-ICT
Hillarys-ICT earned 500 total points
ID: 35166813
Ok.
So what that shows is that your Server2 is successfully receiving replication from Server1
Next thing to check is if Server1 is replicating from Server2
I think you should be able to do that from Server2 by just changing the server name used in the command and still running it from Server2

Have you looked in the event log for File System replication yet?
0
 

Author Comment

by:psychopenguin1
ID: 35168758
Here's the output for Server1 - which looks to be the problem.  Although I'm not quite sure what the solution would be.


Default-First-Site\SERVER1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: bd7a95fa-7510-44bf-9d19-1dcc40738787
DSA invocationID: bd7a95fa-7510-44bf-9d19-1dcc40738787


Source: Default-First-Site\SERVER2
******* 95 CONSECUTIVE FAILURES since 2011-03-17 12:32:16
Last error: 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failure.

Naming Context: CN=Configuration,DC=company,DC=local
Source: Default-First-Site\SERVER2
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: CN=Schema,CN=Configuration,DC=company,DC=local
Source: Default-First-Site\SERVER2
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: DC=company,DC=local
Source: Default-First-Site\SERVER2
******* WARNING: KCC could not add this REPLICA LINK due to error.
0
 
LVL 1

Assisted Solution

by:Hillarys-ICT
Hillarys-ICT earned 500 total points
ID: 35179517
Ok.
Replication is always reported inbound so your Server 2 is receiving changes from Server 1 but Server 1 is not receiving any changes made to the domain by server 2.

Your logs are showing that KCC is having a problem. KCC runs intermittently and based on your subnet configuration and site links it manages the replication partners for the domain controllers.
It generally does not like it if any manual entries have been made. To check for this:
Open Sites and services
Expand Sites > your site name > Servers
Then in each server look at the NTDS settings
You should see an <automatically generated> entry for the other server
If the entry does not say <automatically generated> I would make a note of it and then delete it. The KCC should then be able to put it back

The other thing that I have seen cause this issue is a DNS problem which your logs also allude to.

I'm assuming that your domain controllers are also your DNS servers?
Can you have a look in DNS under Forward lookup zones > domain name > _msdcs
There should be entries like the second attached image for each of your DCs



Untitled-picture.png
DNS.png
0
 

Author Comment

by:psychopenguin1
ID: 35182576
Here is the screenshot for Sites and Services:
Server1 NTDS
Note that there is NO <automatically generated> for Server2 - there's actually no entry at all for Server2.

Here is the screenshot for the DNS entry:
 Server1 Forward Lookup Zone
0
 
LVL 1

Assisted Solution

by:Hillarys-ICT
Hillarys-ICT earned 500 total points
ID: 35182631
If you look in DNS on server 2 do the same alias entries appear as on server 1?
If not, point each server at the other for DNS in its network settings and then run the command ipconfig /registerdns
wait about 15 mins and then look in DNS again.
set the DNS back on the network settings after.
0
 

Author Comment

by:psychopenguin1
ID: 35182844
Here's the screenshot from Server2 for NTDS:
 Server2 NTDS
Here's the screenshot from Server2 for DNS:
 Server2 DNS
0
 

Author Comment

by:psychopenguin1
ID: 35182950
I changed the DNS of Server1 to point to Server2 - it was originally pointing to our ISP DNS servers.  Server2 is already pointing to Server1 as its primary and itself (127.0.0.1) as secondary.

When I perform a "ipconfig /registerdns" I get an error:
Registration of DNS records failed: The RPC server is unavailable.
0
 

Author Comment

by:psychopenguin1
ID: 35189412
Okay, it looks like DNS is working well now as both Server1 and Server2 can see each other and there are <automatically generated> entries for both servers for Server1 and Server2.  The same problem still exists - the new domain policy is not applying folder redirection.  I'm assuming this is true because the new folders are not being created in the new location for the specified redirection policy.  The redirection is as follows for all users:

Documents -> \\SERVER1\Users\User Redirect
Desktop -> \\SERVER1\Users\User Redirect
Pictures -> \\SERVER2\User Redirection

The Documents and Desktop are redirecting, but that's because it's part of the old GPO. The "Pictures" redirection is the new GPO and nothing is being created under the root folder.
0
 

Author Comment

by:psychopenguin1
ID: 35192139
Here is the output from the FRS event log today from SERVER2:

The File Replication Service is having trouble enabling replication from server1.domain.local to SERVER2 for c:\windows\sysvol\domain using the DNS name server1.domain.local. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 
 [1] FRS can not correctly resolve the DNS name server1.domain.local from this computer.
 [2] FRS is not running on server1.domain.local.
 [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.
0
 

Author Comment

by:psychopenguin1
ID: 35193705
Ok, looks like the problem is solved.  There were a few things going on.  First, File Replication was not happening and that was due in part to the DNS issues stated above.  One of the problems was that Server2 was not resolving the DNS for Server1.  The solution was to make sure the NTDS entries were being generated, but then I went ahead and manually entered the address for Server1 into Server2's HOSTS file - that solved the File Replication warnings.  Also, the users were not part of the group that had permissions on the Server2 share for Folder Redirection.  Server1 had the correct permissions and it seems that the default group permissions have changed for folder creation in Server 2008 from 2003 - or maybe the person who set up our 2003 server (not me) changed user group membership during setup.
0