Solved

Group Policy not loading on Server

Posted on 2011-09-26
13
218 Views
Last Modified: 2012-05-12
We have 2 Terminal Server, both built identically.
They have both been working fine for a long time.

We have group policies in place to control the user access on the servers. (Start Menu redirection, Destop Icons restrictions, Proxy settings, etc..)

TServer1 runs the GPOs fine, but since 2 days ago TServer2 does not.

Both servers are in the same OU along with a secutiry group that is added to the user accounts so that they will be affected by the GPOs.

I have run GPUDATE /FORCE which does not help either.

What could be stopping TServer2 from running the group policies?

0
Comment
Question by:bax2000
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
  • 3
  • +1
13 Comments
 
LVL 39

Assisted Solution

by:Krzysztof Pytko
Krzysztof Pytko earned 250 total points
ID: 36598777
Please check Event Logs, maybe there is some error message?
Reboot that TS2 server in possible time
and run

gpresult /z in command-line on a TS2 to check if other GPOs are applied

Regards,
Krzysztof
0
 
LVL 37

Expert Comment

by:Carl Webster
ID: 36598823
I agree with iSiek, what do the event logs and gpresult say?

0
 

Author Comment

by:bax2000
ID: 36598930
There are no errors on the event logs. I shows that the GPOs are implemeted succeffully.
I do see that it is trying to run the Group Policy from the wrong domain controller.

I know there is a replication error to that specific server that it is getting the GPOs from.
Have can I change which DC it gets the group policies from?
0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 
LVL 37

Expert Comment

by:Carl Webster
ID: 36598946
You need to worry about fixing the replication errors first.  There really should be no "wrong" domain controller for retrieving GPOs from.  If there are issues with that domain controller, dcpromo it down so the other computers on your network stop using it until you get time to resolve the replication issues.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36599009
You can't. Clients use the closest DC to authenticate for their Site and it doesn't matter if it is working or not :)
Remove that faulty DC from a domain and add it once again. You can check my blog for that at
http://kpytko.wordpress.com/2011/08/29/decommissioning-the-old-domain-controller/

if you cannot do that, use force decommission
http://kpytko.wordpress.com/2011/08/30/decommissioning-broken-domain-controller/

do metadata cleanup
http://kpytko.wordpress.com/2011/08/29/metadata-cleanup-for-broken-domain-controller/

and promote server as DC again
http://kpytko.wordpress.com/2011/09/05/adding-additional-domain-controller/

Krzysztof
0
 
LVL 11

Expert Comment

by:Ackles
ID: 36599722
Before going the Nuke way, I would suggest you have a look at GP Operational logs. It will tell you more clearly what happened.

If it's not showing you anything then we can blast the Nuke's ;)
0
 

Author Comment

by:bax2000
ID: 36708480
I was able to force the replication to the problem DC which seems to have resolved the replication issue as I am no longer getting messages in the event logs, but the still not all the group policies are loading on the TServer2  box.

Where can I find the GP Operational logs?
0
 
LVL 11

Expert Comment

by:Ackles
ID: 36708491
To view the Group Policy operational log
1.Start the Event Viewer.

2.Click the arrow next to Applications and Services Logs.

3.Click the arrow next to Microsoft, and then Windows, and then Group Policy.

4.Click Operational.

A
0
 
LVL 11

Assisted Solution

by:Ackles
Ackles earned 250 total points
ID: 36708509
Please try the following:
1) gpupdate /force, if still doesn't work
2) Restart the computer.

I would suggest, please enable these two policies at domain level, they will really help you:

Computer Configuration | Policies | Administrative Templates | System | Logon Always wait for the network at computer startup and logon policy

This policy will make sure that all GPO's are pushed before the logon happens.

Computer Configuration | Policies | Administrative Templates | System | Verbose vs Normal Status messages

This will show you exactly what is happening during logon, instead of showing spinning wheel.

Hope that helps.

A
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36708517
Try to rebuild SYSVOL accordind to this MS article at
http://support.microsoft.com/kb/315457

Krzysztof
0
 

Accepted Solution

by:
bax2000 earned 0 total points
ID: 36716380
Along with some of the suggestions above I also ran a registry cleaner of the Server with issues.
My GPO issues are now resolved.
Thanks for the help. :)
0
 

Author Closing Comment

by:bax2000
ID: 36902141
Along with some of the suggestions above I also ran a registry cleaner of the Server with issues.
My GPO issues are now resolved.
Thanks for the help. :)
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36716462
You're welcome :)

Krzysztof
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question