Solved

Group Policy not loading on Server

Posted on 2011-09-26
13
217 Views
Last Modified: 2012-05-12
We have 2 Terminal Server, both built identically.
They have both been working fine for a long time.

We have group policies in place to control the user access on the servers. (Start Menu redirection, Destop Icons restrictions, Proxy settings, etc..)

TServer1 runs the GPOs fine, but since 2 days ago TServer2 does not.

Both servers are in the same OU along with a secutiry group that is added to the user accounts so that they will be affected by the GPOs.

I have run GPUDATE /FORCE which does not help either.

What could be stopping TServer2 from running the group policies?

0
Comment
Question by:bax2000
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
  • 3
  • +1
13 Comments
 
LVL 39

Assisted Solution

by:Krzysztof Pytko
Krzysztof Pytko earned 250 total points
ID: 36598777
Please check Event Logs, maybe there is some error message?
Reboot that TS2 server in possible time
and run

gpresult /z in command-line on a TS2 to check if other GPOs are applied

Regards,
Krzysztof
0
 
LVL 36

Expert Comment

by:Carl Webster
ID: 36598823
I agree with iSiek, what do the event logs and gpresult say?

0
 

Author Comment

by:bax2000
ID: 36598930
There are no errors on the event logs. I shows that the GPOs are implemeted succeffully.
I do see that it is trying to run the Group Policy from the wrong domain controller.

I know there is a replication error to that specific server that it is getting the GPOs from.
Have can I change which DC it gets the group policies from?
0
Webinar: Aligning, Automating, Winning

Join Dan Russo, Senior Manager of Operations Intelligence, for an in-depth discussion on how Dealertrack, leading provider of integrated digital solutions for the automotive industry, transformed their DevOps processes to increase collaboration and move with greater velocity.

 
LVL 36

Expert Comment

by:Carl Webster
ID: 36598946
You need to worry about fixing the replication errors first.  There really should be no "wrong" domain controller for retrieving GPOs from.  If there are issues with that domain controller, dcpromo it down so the other computers on your network stop using it until you get time to resolve the replication issues.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36599009
You can't. Clients use the closest DC to authenticate for their Site and it doesn't matter if it is working or not :)
Remove that faulty DC from a domain and add it once again. You can check my blog for that at
http://kpytko.wordpress.com/2011/08/29/decommissioning-the-old-domain-controller/

if you cannot do that, use force decommission
http://kpytko.wordpress.com/2011/08/30/decommissioning-broken-domain-controller/

do metadata cleanup
http://kpytko.wordpress.com/2011/08/29/metadata-cleanup-for-broken-domain-controller/

and promote server as DC again
http://kpytko.wordpress.com/2011/09/05/adding-additional-domain-controller/

Krzysztof
0
 
LVL 11

Expert Comment

by:Ackles
ID: 36599722
Before going the Nuke way, I would suggest you have a look at GP Operational logs. It will tell you more clearly what happened.

If it's not showing you anything then we can blast the Nuke's ;)
0
 

Author Comment

by:bax2000
ID: 36708480
I was able to force the replication to the problem DC which seems to have resolved the replication issue as I am no longer getting messages in the event logs, but the still not all the group policies are loading on the TServer2  box.

Where can I find the GP Operational logs?
0
 
LVL 11

Expert Comment

by:Ackles
ID: 36708491
To view the Group Policy operational log
1.Start the Event Viewer.

2.Click the arrow next to Applications and Services Logs.

3.Click the arrow next to Microsoft, and then Windows, and then Group Policy.

4.Click Operational.

A
0
 
LVL 11

Assisted Solution

by:Ackles
Ackles earned 250 total points
ID: 36708509
Please try the following:
1) gpupdate /force, if still doesn't work
2) Restart the computer.

I would suggest, please enable these two policies at domain level, they will really help you:

Computer Configuration | Policies | Administrative Templates | System | Logon Always wait for the network at computer startup and logon policy

This policy will make sure that all GPO's are pushed before the logon happens.

Computer Configuration | Policies | Administrative Templates | System | Verbose vs Normal Status messages

This will show you exactly what is happening during logon, instead of showing spinning wheel.

Hope that helps.

A
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36708517
Try to rebuild SYSVOL accordind to this MS article at
http://support.microsoft.com/kb/315457

Krzysztof
0
 

Accepted Solution

by:
bax2000 earned 0 total points
ID: 36716380
Along with some of the suggestions above I also ran a registry cleaner of the Server with issues.
My GPO issues are now resolved.
Thanks for the help. :)
0
 

Author Closing Comment

by:bax2000
ID: 36902141
Along with some of the suggestions above I also ran a registry cleaner of the Server with issues.
My GPO issues are now resolved.
Thanks for the help. :)
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36716462
You're welcome :)

Krzysztof
0

Featured Post

Office 365 Training for Admins

Learn how to provision tenants, synchronize on-premise Active Directory, and implement Single Sign-On with these master level course.  Only from Platform Scholar

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question