dcadler
asked on
Windows XP SP3 computer images created with MDT2010 do not execute Group Policies
I have an issue in that new images we have captured starting in August of 2012 do not seem to respond to group policies, even though GPResult shows the policies were applied.
Here are the specifics:
I have a Windows network with two Windows 2008 R2 domain controllers and about 800 Windows XP SP3 client computers. Since early 2010, we have been using the Microsoft Deployment Toolkit 2010 (MDT2010) to capture images from new base XP SP3 installs on existing hardware and then redeploy them to like hardware. We have been doing this every new school year since. This school year, we reformatted and installed XP SP3 on our various computer types and captured new images with all of the relevant updates and applications for the new school year. However, none of the newly imaged computers seem to process group policy assignments.
When I run GPResult from the XP SP3 client, it shows that it is applying the policies, such as drive mapping, browser defaults, etc., but they do not actually happen. There are no errors in the System or Application logs of the XP SP3 clients and no errors on the domain controllers.
I can plug in an identical hardware computer that is still using last year's image and it does pick up and execute the policies, but the newly imaged, identical hardware XP SP3 computer placed in the same OU does not.
One other thing that has happened between the last school year's imaging and this school year's imaging is that we had a domain controller crash. Initially, we had DC1 and DC2. DC1 crashed over the summer of 2012 and could not be recovered, so we installed DC3, joined it to the domain and let it replicate from DC2. I do not see any replication errors in either of the DCs' logs. I have spent a lot of time chasing this thinking it was related to the DC crash, but when I discovered that computers still using the prior year's image were still executing the group policies, I decided that the DC crash could not be the problem.
Has anyone seen this type of behavior? Any ideas?
Thanks,
Dave
ASKER
choward16980 - The GPOs are not just app or browser configs, nothing works. Drives don't map, default printers do not assign, etc. The same GPOs work for images I created the last school year, just not on images (for the exact same hardware) I created for the 2012/2013 school year and, really, any new computer that I have joined to the domain since August. I am wondering if a problem did not happen when my DC1 crashed and we installed DC3 that is causing issues with SIDs assigned to new computers joined to the domain after the DC1 crash. When I re-image, I delete the old computer(s) from AD, then pull down the new image and assign a computer name (often the same name that I deleted from AD earlier, but not always). I am wondering if something is happening at the point where the computer is joined to the domain now that is causing the GPOs to not execute.
ASKER
OK - Here is an update.
The group policy execution test on the brand new Lenovo Laptop failed for User1 but passed on User2. Both users are members of the domain admins group. User1 could not even run gpresult. When I tried it, I got the following error;
"The processing of Group Policy failed. Windows attempted to read the file \\lssc.local\SysVol\lssc.local\Policies\{9F290071-DA81-4B93-AAD0-2AC2D70E905C}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
Computer Policy update has completed successfully."
However, when I logged onto the new Lenovo laptop as User2, GPresult ran fine and the group policies all seemed to execute.
So, to summarize my problem;
1. If I log into a Windows XP computer that was imaged in the prior school year, users are able to get group policy execution and run GPResult, including User1 and User2 mentioned above.
2. If I log onto a Windows XP computer that was imaged with images I created since August 2012, I do not get group policy execution for most users, although on some computers I get group policy execution for User2 mentioned above and on some I do not.
3. I have the same problem with new computers that are just joined to the domain and dropped into an OU, without using the imaging process (like I described at the top of this comment).
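An added example, not part of the original thread: a PowerShell check that tries to read the gpt.ini named in the error above, once through the domain path and once directly from each DC's SYSVOL share, and compares the version numbers it finds. The domain name, GPO GUID and DC names are the ones quoted in this thread; the function name Get-GptIniVersion is illustrative.

```powershell
# Added example (not from the thread). Works on PowerShell 2.0 and later.
# Values below are copied from the error text and DCDIAG output in this thread.
$Domain  = 'lssc.local'
$GpoGuid = '{9F290071-DA81-4B93-AAD0-2AC2D70E905C}'
$DCs     = 'LSSC-DC2', 'LSSC-DC3'

function Get-GptIniVersion {
    # Illustrative helper: returns the Version= value from a gpt.ini file.
    param([string]$Path)
    $pattern = '^\s*Version\s*=\s*(\d+)\s*$'
    $line = Get-Content -LiteralPath $Path -ErrorAction Stop |
            Where-Object { $_ -match $pattern } |
            Select-Object -First 1
    if (-not $line) { throw "No Version= line found in $Path" }
    [void]($line -match $pattern)
    return [int64]$Matches[1]
}

# The domain-based path is what the Group Policy client uses (it is resolved
# through DFS to one DC); the per-DC paths bypass that referral.
$paths  = @("\\$Domain\SysVol\$Domain\Policies\$GpoGuid\gpt.ini")
$paths += $DCs | ForEach-Object { "\\$_\SysVol\$Domain\Policies\$GpoGuid\gpt.ini" }

$results = foreach ($p in $paths) {
    $r = New-Object PSObject -Property @{
        Path = $p; Readable = $false; UserVer = $null; ComputerVer = $null; Error = $null
    }
    try {
        $v = Get-GptIniVersion -Path $p
        $r.Readable    = $true
        # gpt.ini Version packs two counters: high 16 bits = user settings,
        # low 16 bits = computer settings.
        $r.UserVer     = [int][math]::Floor($v / 65536)
        $r.ComputerVer = [int]($v -band 0xFFFF)
    }
    catch {
        # Access denied, path not found, name resolution failure, etc.
        $r.Error = $_.Exception.Message
    }
    $r
}

$results | Format-Table Path, Readable, UserVer, ComputerVer, Error -AutoSize -Wrap

# Different versions on different DCs mean SYSVOL content has not converged.
$versions = $results | Where-Object { $_.Readable } |
            ForEach-Object { "$($_.UserVer)/$($_.ComputerVer)" } |
            Select-Object -Unique
if (@($versions).Count -gt 1) {
    Write-Warning "gpt.ini versions differ between paths: $($versions -join ', ')"
}
$unreadable = @($results | Where-Object { -not $_.Readable })
if ($unreadable.Count -gt 0) {
    Write-Warning "$($unreadable.Count) path(s) could not be read by $env:USERNAME"
}
```

Running it on an affected client once as a user for whom policy fails and once as a user for whom it works separates the cases: a result that differs by DC points at replication (cause b in the error text), while one that differs by user on the same path points at access to the file.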
ASKER
In case any of you ask, here are the results from my DC2, which has all 5 FSMO roles, when I run DCDIAG /V from an admin command prompt.
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
* Verifying that the local machine LSSC-DC2, is a Directory Server.
Home Server = LSSC-DC2
* Connecting to directory service on server LSSC-DC2.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=lssc,DC=local,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lssc,DC=local
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=lssc,DC=local,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=LSSC-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lssc,DC=local
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=LSSC-DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lssc,DC=local
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\LSSC-DC2
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
* Active Directory RPC Services Check
......................... LSSC-DC2 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\LSSC-DC2
Starting test: Advertising
The DC LSSC-DC2 is advertising itself as a DC and having a DS.
The DC LSSC-DC2 is advertising as an LDAP server
The DC LSSC-DC2 is advertising as having a writeable directory
The DC LSSC-DC2 is advertising as a Key Distribution Center
The DC LSSC-DC2 is advertising as a time server
The DS LSSC-DC2 is advertising as a GC.
......................... LSSC-DC2 passed test Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Starting test: FrsEvent
* The File Replication Service Event log test
Skip the test because the server is running DFSR.
......................... LSSC-DC2 passed test FrsEvent
Starting test: DFSREvent
The DFS Replication Event Log.
......................... LSSC-DC2 passed test DFSREvent
Starting test: SysVolCheck
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... LSSC-DC2 passed test SysVolCheck
Starting test: KccEvent
* The KCC Event log test
Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
......................... LSSC-DC2 passed test KccEvent
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=LSSC-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lssc,DC=local
Role Domain Owner = CN=NTDS Settings,CN=LSSC-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lssc,DC=local
Role PDC Owner = CN=NTDS Settings,CN=LSSC-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lssc,DC=local
Role Rid Owner = CN=NTDS Settings,CN=LSSC-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lssc,DC=local
Role Infrastructure Update Owner = CN=NTDS Settings,CN=LSSC-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lssc,DC=local
......................... LSSC-DC2 passed test KnowsOfRoleHolders
Starting test: MachineAccount
Checking machine account for DC LSSC-DC2 on DC LSSC-DC2.
* SPN found :LDAP/LSSC-DC2.lssc.local/lssc.local
* SPN found :LDAP/LSSC-DC2.lssc.local
* SPN found :LDAP/LSSC-DC2
* SPN found :LDAP/LSSC-DC2.lssc.local/LSSC
* SPN found :LDAP/9ef7f61a-55ca-4c0b-9540-0dac56492ca3._msdcs.lssc.local
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/9ef7f61a-55ca-4c0b-9540-0dac56492ca3/lssc.local
* SPN found :HOST/LSSC-DC2.lssc.local/lssc.local
* SPN found :HOST/LSSC-DC2.lssc.local
* SPN found :HOST/LSSC-DC2
* SPN found :HOST/LSSC-DC2.lssc.local/LSSC
* SPN found :GC/LSSC-DC2.lssc.local/lssc.local
......................... LSSC-DC2 passed test MachineAccount
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC LSSC-DC2.
* Security Permissions Check for
DC=ForestDnsZones,DC=lssc,DC=local
(NDNC,Version 3)
* Security Permissions Check for
DC=DomainDnsZones,DC=lssc,DC=local
(NDNC,Version 3)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=lssc,DC=local
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,DC=lssc,DC=local
(Configuration,Version 3)
* Security Permissions Check for
DC=lssc,DC=local
(Domain,Version 3)
......................... LSSC-DC2 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\LSSC-DC2\netlogon
Verified share \\LSSC-DC2\sysvol
......................... LSSC-DC2 passed test NetLogons
Starting test: ObjectsReplicated
LSSC-DC2 is in domain DC=lssc,DC=local
Checking for CN=LSSC-DC2,OU=Domain Controllers,DC=lssc,DC=local in domain DC=lssc,DC=local on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=LSSC-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lssc,DC=local in domain CN=Configuration,DC=lssc,DC=local on 1 servers
Object is up-to-date on all servers.
......................... LSSC-DC2 passed test ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Starting test: Replications
* Replications Check
* Replication Latency Check
DC=ForestDnsZones,DC=lssc,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=DomainDnsZones,DC=lssc,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Schema,CN=Configuration,DC=lssc,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=lssc,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=lssc,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
......................... LSSC-DC2 passed test Replications
Starting test: RidManager
* Available RID Pool for the Domain is 16100 to 1073741823
* LSSC-DC2.lssc.local is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 15100 to 15599
* rIDPreviousAllocationPool is 15100 to 15599
* rIDNextRID: 15113
......................... LSSC-DC2 passed test RidManager
Starting test: Services
* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
* Checking Service: DnsCache
* Checking Service: DFSR
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: w32time
* Checking Service: NETLOGON
......................... LSSC-DC2 passed test Services
Starting test: SystemLog
* The System Event log test
Found no errors in "System" Event log in the last 60 minutes.
......................... LSSC-DC2 passed test SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Starting test: VerifyReferences
The system object reference (serverReference)
CN=LSSC-DC2,OU=Domain Controllers,DC=lssc,DC=local and backlink on
CN=LSSC-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lssc,DC=local
are correct.
The system object reference (serverReferenceBL)
CN=LSSC-DC2,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=lssc,DC=local
and backlink on
CN=NTDS Settings,CN=LSSC-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lssc,DC=local
are correct.
The system object reference (msDFSR-ComputerReferenceBL)
CN=LSSC-DC2,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=lssc,DC=local
and backlink on CN=LSSC-DC2,OU=Domain Controllers,DC=lssc,DC=local are
correct.
......................... LSSC-DC2 passed test VerifyReferences
Test omitted by user request: VerifyReplicas
Test omitted by user request: DNS
Test omitted by user request: DNS
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : lssc
Starting test: CheckSDRefDom
......................... lssc passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... lssc passed test CrossRefValidation
Running enterprise tests on : lssc.local
Test omitted by user request: DNS
Test omitted by user request: DNS
Starting test: LocatorCheck
GC Name: \\LSSC-DC2.lssc.local
Locator Flags: 0xe00033fd
PDC Name: \\LSSC-DC2.lssc.local
Locator Flags: 0xe00033fd
Time Server Name: \\LSSC-DC2.lssc.local
Locator Flags: 0xe00033fd
Preferred Time Server Name: \\LSSC-DC2.lssc.local
Locator Flags: 0xe00033fd
KDC Name: \\LSSC-DC2.lssc.local
Locator Flags: 0xe00033fd
......................... lssc.local passed test LocatorCheck
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope
provided by the command line arguments provided.
......................... lssc.local passed test Intersite
ASKER
Here is the output from the repadmin command run on the domain controller, LSSC-DC2, which has all of the FSMO roles.
repadmin /showrepl lssc-dc2 /verbose /all /intersite
Default-First-Site-Name\LSSC-DC2
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 9ef7f61a-55ca-4c0b-9540-0dac56492ca3
DSA invocationID: 51334a52-0c5d-43ff-9447-a505b640bef5
==== INBOUND NEIGHBORS ======================================
==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS ============
DC=lssc,DC=local
Default-First-Site-Name\LSSC-DC3 via RPC
DSA object GUID: e5b24d33-3605-42bf-8b6e-f559abceebec
Address: e5b24d33-3605-42bf-8b6e-f559abceebec._msdcs.lssc.local
WRITEABLE
Last attempt @ 2013-01-15 23:53:24 was successful.
CN=Configuration,DC=lssc,DC=local
Default-First-Site-Name\LSSC-DC3 via RPC
DSA object GUID: e5b24d33-3605-42bf-8b6e-f559abceebec
Address: e5b24d33-3605-42bf-8b6e-f559abceebec._msdcs.lssc.local
WRITEABLE
Last attempt @ 2013-01-15 16:28:58 was successful.
CN=Schema,CN=Configuration,DC=lssc,DC=local
Default-First-Site-Name\LSSC-DC3 via RPC
DSA object GUID: e5b24d33-3605-42bf-8b6e-f559abceebec
Address: e5b24d33-3605-42bf-8b6e-f559abceebec._msdcs.lssc.local
WRITEABLE
Last attempt @ 2012-09-23 02:11:02 was successful.
DC=DomainDnsZones,DC=lssc,DC=local
Default-First-Site-Name\LSSC-DC3 via RPC
DSA object GUID: e5b24d33-3605-42bf-8b6e-f559abceebec
Address: e5b24d33-3605-42bf-8b6e-f559abceebec._msdcs.lssc.local
WRITEABLE
Last attempt @ 2013-01-15 23:41:27 was successful.
DC=ForestDnsZones,DC=lssc,DC=local
Default-First-Site-Name\LSSC-DC3 via RPC
DSA object GUID: e5b24d33-3605-42bf-8b6e-f559abceebec
Address: e5b24d33-3605-42bf-8b6e-f559abceebec._msdcs.lssc.local
WRITEABLE
Last attempt @ 2013-01-15 19:03:14 was successful.
==== KCC CONNECTION OBJECTS ============================================
Connection --
Connection name : 8f5c9f3e-3430-4f5f-8c93-43f5b3a4f70d
Server DNS name : LSSC-DC2.lssc.local
Server DN name : CN=NTDS Settings,CN=LSSC-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lssc,DC=local
Source: Default-First-Site-Name\LSSC-DC3
No Failures.
TransportType: intrasite RPC
options: isGenerated
ReplicatesNC: DC=DomainDnsZones,DC=lssc,DC=local
Reason: RingTopology
Replica link has been added.
ReplicatesNC: DC=ForestDnsZones,DC=lssc,DC=local
Reason: RingTopology
Replica link has been added.
ReplicatesNC: CN=Schema,CN=Configuration,DC=lssc,DC=local
Reason: RingTopology
Replica link has been added.
ReplicatesNC: DC=lssc,DC=local
Reason: RingTopology
Replica link has been added.
ReplicatesNC: CN=Configuration,DC=lssc,DC=local
Reason: RingTopology
Replica link has been added.
enabledConnection: TRUE
whenChanged: 20120923063111.0Z
whenCreated: 20120923061610.0Z
Schedule:
day: 0123456789ab0123456789ab
Sun: 111111111111111111111111
Mon: 111111111111111111111111
Tue: 111111111111111111111111
Wed: 111111111111111111111111
Thu: 111111111111111111111111
Fri: 111111111111111111111111
Sat: 111111111111111111111111
1 connections found.
Partition Replication Schedule Loading:
00 01 02 03 04 05 06 07 08 09 10 11
0 1 2 3 0 1 2 3 0 1 2 3 0 1 2 3 0 1 2 3 0 1 2 3 0 1 2 3 0 1 2 3 0 1 2 3 0 1 2 3 0 1 2 3 0 1 2 3
Sun: 05000000050000000500000005 0000000500 0000050000 0005000000 0500000005 0000000500 0000050000 0005000000
Sun: 05000000050000000500000005 0000000500 0000050000 0005000000 0500000005 0000000500 0000050000 0005000000
Mon: 05000000050000000500000005 0000000500 0000050000 0005000000 0500000005 0000000500 0000050000 0005000000
Mon: 05000000050000000500000005 0000000500 0000050000 0005000000 0500000005 0000000500 0000050000 0005000000
Tue: 05000000050000000500000005 0000000500 0000050000 0005000000 0500000005 0000000500 0000050000 0005000000
Tue: 05000000050000000500000005 0000000500 0000050000 0005000000 0500000005 0000000500 0000050000 0005000000
Wed: 05000000050000000500000005 0000000500 0000050000 0005000000 0500000005 0000000500 0000050000 0005000000
Wed: 05000000050000000500000005 0000000500 0000050000 0005000000 0500000005 0000000500 0000050000 0005000000
Thu: 05000000050000000500000005 0000000500 0000050000 0005000000 0500000005 0000000500 0000050000 0005000000
Thu: 05000000050000000500000005 0000000500 0000050000 0005000000 0500000005 0000000500 0000050000 0005000000
Fri: 05000000050000000500000005 0000000500 0000050000 0005000000 0500000005 0000000500 0000050000 0005000000
Fri: 05000000050000000500000005 0000000500 0000050000 0005000000 0500000005 0000000500 0000050000 0005000000
Sat: 05000000050000000500000005 0000000500 0000050000 0005000000 0500000005 0000000500 0000050000 0005000000
Sat: 05000000050000000500000005 0000000500 0000050000 0005000000 0500000005 0000000500 0000050000 0005000000
ASKER
I am splitting the points because the suggestions helped me narrow down the issue. The problem was actually caused by several corrupt GPOs. Once I removed them, the remaining policies started working. Thanks
ASKER
dons6718 - I took a brand new out of the box Lenovo W7 laptop, ran through the initial Lenovo new computer setup, joined it to the domain, placed it in an OU that had group policies linked to it. Ran GPUpdate /force and rebooted. When it came up, GPResult shows that it is picking up the group policies but they just do not seem to execute. This would seem to remove the sysprep process as the culprit.