Solved

Group Policy not loading on Server

Posted on 2011-09-26
13
213 Views
Last Modified: 2012-05-12
We have 2 Terminal Server, both built identically.
They have both been working fine for a long time.

We have group policies in place to control the user access on the servers. (Start Menu redirection, Destop Icons restrictions, Proxy settings, etc..)

TServer1 runs the GPOs fine, but since 2 days ago TServer2 does not.

Both servers are in the same OU along with a secutiry group that is added to the user accounts so that they will be affected by the GPOs.

I have run GPUDATE /FORCE which does not help either.

What could be stopping TServer2 from running the group policies?

0
Comment
Question by:bax2000
  • 4
  • 4
  • 3
  • +1
13 Comments
 
LVL 39

Assisted Solution

by:Krzysztof Pytko
Krzysztof Pytko earned 250 total points
ID: 36598777
Please check Event Logs, maybe there is some error message?
Reboot that TS2 server in possible time
and run

gpresult /z in command-line on a TS2 to check if other GPOs are applied

Regards,
Krzysztof
0
 
LVL 36

Expert Comment

by:Carl Webster
ID: 36598823
I agree with iSiek, what do the event logs and gpresult say?

0
 

Author Comment

by:bax2000
ID: 36598930
There are no errors on the event logs. I shows that the GPOs are implemeted succeffully.
I do see that it is trying to run the Group Policy from the wrong domain controller.

I know there is a replication error to that specific server that it is getting the GPOs from.
Have can I change which DC it gets the group policies from?
0
 
LVL 36

Expert Comment

by:Carl Webster
ID: 36598946
You need to worry about fixing the replication errors first.  There really should be no "wrong" domain controller for retrieving GPOs from.  If there are issues with that domain controller, dcpromo it down so the other computers on your network stop using it until you get time to resolve the replication issues.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36599009
You can't. Clients use the closest DC to authenticate for their Site and it doesn't matter if it is working or not :)
Remove that faulty DC from a domain and add it once again. You can check my blog for that at
http://kpytko.wordpress.com/2011/08/29/decommissioning-the-old-domain-controller/

if you cannot do that, use force decommission
http://kpytko.wordpress.com/2011/08/30/decommissioning-broken-domain-controller/

do metadata cleanup
http://kpytko.wordpress.com/2011/08/29/metadata-cleanup-for-broken-domain-controller/

and promote server as DC again
http://kpytko.wordpress.com/2011/09/05/adding-additional-domain-controller/

Krzysztof
0
 
LVL 11

Expert Comment

by:Ackles
ID: 36599722
Before going the Nuke way, I would suggest you have a look at GP Operational logs. It will tell you more clearly what happened.

If it's not showing you anything then we can blast the Nuke's ;)
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:bax2000
ID: 36708480
I was able to force the replication to the problem DC which seems to have resolved the replication issue as I am no longer getting messages in the event logs, but the still not all the group policies are loading on the TServer2  box.

Where can I find the GP Operational logs?
0
 
LVL 11

Expert Comment

by:Ackles
ID: 36708491
To view the Group Policy operational log
1.Start the Event Viewer.

2.Click the arrow next to Applications and Services Logs.

3.Click the arrow next to Microsoft, and then Windows, and then Group Policy.

4.Click Operational.

A
0
 
LVL 11

Assisted Solution

by:Ackles
Ackles earned 250 total points
ID: 36708509
Please try the following:
1) gpupdate /force, if still doesn't work
2) Restart the computer.

I would suggest, please enable these two policies at domain level, they will really help you:

Computer Configuration | Policies | Administrative Templates | System | Logon Always wait for the network at computer startup and logon policy

This policy will make sure that all GPO's are pushed before the logon happens.

Computer Configuration | Policies | Administrative Templates | System | Verbose vs Normal Status messages

This will show you exactly what is happening during logon, instead of showing spinning wheel.

Hope that helps.

A
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36708517
Try to rebuild SYSVOL accordind to this MS article at
http://support.microsoft.com/kb/315457

Krzysztof
0
 

Accepted Solution

by:
bax2000 earned 0 total points
ID: 36716380
Along with some of the suggestions above I also ran a registry cleaner of the Server with issues.
My GPO issues are now resolved.
Thanks for the help. :)
0
 

Author Closing Comment

by:bax2000
ID: 36902141
Along with some of the suggestions above I also ran a registry cleaner of the Server with issues.
My GPO issues are now resolved.
Thanks for the help. :)
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36716462
You're welcome :)

Krzysztof
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now