Servers using old GPO

Posted on 2013-02-06
Last Modified: 2013-02-07
I am having a problem where I am pulling policy results for a user accounts on different servers and getting mixed results on what gpo's are being read.

My setup is 3 domain controllers and 6 Remote Desktop servers all running windows 2k8 R2 with a 2k8 R2 Active Directory domain. The 6 TS servers are in a RD farm config. When I ran the gpresult for the same username against all 6 servers, I got half of them reading and applying the newest versions of the GPOs while the other half are using older versions and not seeing the newly created GPOs. The half that read the old GPOs are also showing GPOs that have been unlinked.

The only thing that I've found different between the servers is which DNS server they are pulling from, which I thought was the main issue, but I am not sure anymore after I did some testing to prove that.

Here's what I've done so far.

1.) Ran GPOTool - Everything came back OK
2.) Ran Repadmin /showrepl - No problems, all servers replicating to each other
3.) Cleared the GPO cache (programdata/microsoft/group policy/history/*.*)on one of the servers that is having a problem and then ran a gpupdate /force - did not fix.
4.) Rebooted other two domain controllers and left one up, then ran gpupdate /force on all 6 servers to refresh from the same Domain Controller ans still had different rsop on half of them.
5.) confirmed that loopback is off on all servers
6.) DNS servers on the single NIC are set to two of the Domain Controllers
7.) Windows firewall is off on each server and the Domain Controllers
8.) The operational log for Group Policy doesn't show any errors when I do a gpupdate /force.
9.)The only errors I get in GP event log is on boot "Group Policy dependency (Network Location Awareness) did not start. As a result, network related features of Group Policy such as bandwidth estimation and response to network changes will not work." followed by "Group policy bandwidth estimation failed. Group policy processing will continue. Assuming fast link." When I checked the service, it is running though. I'm getting this error on machines both good and bad servers.
10.) Made sure that the local profiles are all gone. We are using Roaming profiles, so the RD's are using TEMP folders (which of course I'm making sure are gone before testing)

Any idea's on what might be causing something like this to happen? It feels like a cache issue, but I don't know where any other cache could be hidden or what else is going on.

This has been going on since I installed everything, so it's never worked properly.
Question by:musickmann
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2

Accepted Solution

Sukhoi_37 earned 500 total points
ID: 38863202
If you run a gpresult /r on the server not getting the new policy what does it output?

Does it actually see the new gpo but is denied\not applied?
LVL 19

Expert Comment

by:Miguel Angel Perez Muñoz
ID: 38863351

Author Closing Comment

ID: 38863956
I ran it locally and the GPO's show up under the applied section. I have been running gpresults from one of the domain controllers this whole time. I didn't expect it to be any different if I ran it locally vs remotely on a DC. Just asking, but do you know if this is expected behavior from the servers because they are in a Farm?

Expert Comment

ID: 38864107
I would strongly recommend using the Group Policy Results Wizard from Group Policy Management console as you can specify the workstation\server name from this and check for results remotely.

Not sure why you are getting inconsistencies doing the gpresult remotely (assuming you are using RDP) it could be a cache issue for that rdp session, are you logging in as administrator to run the gpresult?

Another thing to check is on the server via session open command prompt and type in SET if the logonserver the same when running via RDP and locally?

Featured Post

 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question