Solved

Group Policy not functioning correctly in active directory

Posted on 2013-06-05
Last Modified: 2013-06-06
Hi All,

I had 2 domain controllers running Windows Server 2012 Std, single forest, single domain.
Recently my primary domain controller crashed, and I had to remove it from the network and seize all FSMO roles.

netdom query fsmo shows all roles are now held by the available domain controller.
After seizing all roles, I manually cleaned up every reference to the old DC from DNS as well.

I noticed that since then Group Policy was not applying to domain computers.

I ran dcdiag and it showed several failures. Here is the output:


-----------------------------------------------------------------------------------------------------------------------------------------
Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = MAIN
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\MAIN
      Starting test: Connectivity
         ......................... MAIN passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\MAIN
      Starting test: Advertising
         ......................... MAIN passed test Advertising
      Starting test: FrsEvent
         ......................... MAIN passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... MAIN passed test DFSREvent
      Starting test: SysVolCheck
         ......................... MAIN passed test SysVolCheck
      Starting test: KccEvent
         ......................... MAIN passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... MAIN passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... MAIN passed test MachineAccount
      Starting test: NCSecDesc
         ......................... MAIN passed test NCSecDesc
      Starting test: NetLogons
         ......................... MAIN passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... MAIN passed test ObjectsReplicated
      Starting test: Replications
         ......................... MAIN passed test Replications
      Starting test: RidManager
         ......................... MAIN passed test RidManager
      Starting test: Services
         ......................... MAIN passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0x00000422
            Time Generated: 06/05/2013   21:32:36
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
 file \\mydomain.com\SysVol\mydomain.com\Policies\{A725E367-D42B-4FA3-811F-9FD4EA81C0AF}\gpt
.ini from a domain controller and was not successful. Group Policy settings may
not be applied until this event is resolved. This issue may be transient and cou
ld be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 06/05/2013   21:37:36
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
 file \\mydomain.com\SysVol\mydomain.com\Policies\{A725E367-D42B-4FA3-811F-9FD4EA81C0AF}\gpt
.ini from a domain controller and was not successful. Group Policy settings may
not be applied until this event is resolved. This issue may be transient and cou
ld be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 06/05/2013   21:42:37
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
 file \\mydomain.com\SysVol\mydomain.com\Policies\{A725E367-D42B-4FA3-811F-9FD4EA81C0AF}\gpt
.ini from a domain controller and was not successful. Group Policy settings may
not be applied until this event is resolved. This issue may be transient and cou
ld be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 06/05/2013   21:47:37
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
 file \\mydomain.com\SysVol\mydomain.com\Policies\{A725E367-D42B-4FA3-811F-9FD4EA81C0AF}\gpt
.ini from a domain controller and was not successful. Group Policy settings may
not be applied until this event is resolved. This issue may be transient and cou
ld be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 06/05/2013   21:52:37
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
 file \\mydomain.com\SysVol\mydomain.com\Policies\{A725E367-D42B-4FA3-811F-9FD4EA81C0AF}\gpt
.ini from a domain controller and was not successful. Group Policy settings may
not be applied until this event is resolved. This issue may be transient and cou
ld be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 06/05/2013   21:57:37
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
 file \\mydomain.com\SysVol\mydomain.com\Policies\{A725E367-D42B-4FA3-811F-9FD4EA81C0AF}\gpt
.ini from a domain controller and was not successful. Group Policy settings may
not be applied until this event is resolved. This issue may be transient and cou
ld be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 06/05/2013   22:02:38
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
 file \\mydomain.com\SysVol\mydomain.com\Policies\{A725E367-D42B-4FA3-811F-9FD4EA81C0AF}\gpt
.ini from a domain controller and was not successful. Group Policy settings may
not be applied until this event is resolved. This issue may be transient and cou
ld be caused by one or more of the following:
         A warning event occurred.  EventID: 0x000003F6
            Time Generated: 06/05/2013   22:05:58
            Event String:
            Name resolution for the name _ldap._tcp.dc._msdcs.mydomain.com. timed out
after none of the configured DNS servers responded.
         A warning event occurred.  EventID: 0x000727AA
            Time Generated: 06/05/2013   22:06:28
            Event String:
            The WinRM service failed to create the following SPNs: WSMAN/MAIN.cp
h.ge; WSMAN/MAIN.
         An error event occurred.  EventID: 0x0000168E
            Time Generated: 06/05/2013   22:06:32
            Event String:
            The dynamic registration of the DNS record '_ldap._tcp.mydomain.com. 600 I
N SRV 0 100 389 MAIN.mydomain.com.' failed on the following DNS server:
         A warning event occurred.  EventID: 0x00002724
            Time Generated: 06/05/2013   22:06:34
            Event String:
            This computer has at least one dynamically assigned IPv6 address.For
 reliable DHCPv6 server operation, you should use only static IPv6 addresses.
         An error event occurred.  EventID: 0x00000422
            Time Generated: 06/05/2013   22:06:46
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
 file \\mydomain.com\SysVol\mydomain.com\Policies\{A725E367-D42B-4FA3-811F-9FD4EA81C0AF}\gpt
.ini from a domain controller and was not successful. Group Policy settings may
not be applied until this event is resolved. This issue may be transient and cou
ld be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 06/05/2013   22:06:59
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
 file \\mydomain.com\SysVol\mydomain.com\Policies\{A725E367-D42B-4FA3-811F-9FD4EA81C0AF}\gpt
.ini from a domain controller and was not successful. Group Policy settings may
not be applied until this event is resolved. This issue may be transient and cou
ld be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000457
            Time Generated: 06/05/2013   22:07:03
            Event String:
            Driver Microsoft XPS Document Writer required for printer Microsoft
XPS Document Writer is unknown. Contact the administrator to install the driver
before you log in again.
         An error event occurred.  EventID: 0x00000422
            Time Generated: 06/05/2013   22:11:46
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
 file \\mydomain.com\SysVol\mydomain.com\Policies\{A725E367-D42B-4FA3-811F-9FD4EA81C0AF}\gpt
.ini from a domain controller and was not successful. Group Policy settings may
not be applied until this event is resolved. This issue may be transient and cou
ld be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 06/05/2013   22:16:46
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
 file \\mydomain.com\SysVol\mydomain.com\Policies\{A725E367-D42B-4FA3-811F-9FD4EA81C0AF}\gpt
.ini from a domain controller and was not successful. Group Policy settings may
not be applied until this event is resolved. This issue may be transient and cou
ld be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 06/05/2013   22:21:46
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
 file \\mydomain.com\SysVol\mydomain.com\Policies\{A725E367-D42B-4FA3-811F-9FD4EA81C0AF}\gpt
.ini from a domain controller and was not successful. Group Policy settings may
not be applied until this event is resolved. This issue may be transient and cou
ld be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 06/05/2013   22:26:46
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
 file \\mydomain.com\SysVol\mydomain.com\Policies\{A725E367-D42B-4FA3-811F-9FD4EA81C0AF}\gpt
.ini from a domain controller and was not successful. Group Policy settings may
not be applied until this event is resolved. This issue may be transient and cou
ld be caused by one or more of the following:
         ......................... MAIN failed test SystemLog
      Starting test: VerifyReferences
         ......................... MAIN passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : mydomain
      Starting test: CheckSDRefDom
         ......................... mydomain passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... mydomain passed test CrossRefValidation

   Running enterprise tests on : mydomain.com
      Starting test: LocatorCheck
         ......................... mydomain.com passed test LocatorCheck
      Starting test: Intersite
         ......................... mydomain.com passed test Intersite


------
I'm planning to add a second DC to my network, but first I need to resolve these issues. Need your assistance, thanks in advance.
0
Comment
Question by:guramn
8 Comments
 
LVL 4

Expert Comment

by:Levi Gwyn
ID: 39223280
Make sure your remaining DC is also a Global Catalog server.
0
 
LVL 16

Accepted Solution

by:
PaciB earned 500 total points
ID: 39223282
Hi,

Looks like the NTFRS replication of the SYSVOL content had not been working for a long time. So probably your remaining DC does not contain a copy of the GPOs.

To confirm that, take a look in C:\Windows\SYSVOL\domain\policies and check if directories exist in it.
There should be one subdirectory for each GPO in the domain.

If you cannot bring the crashed DC back up UNPLUGGED from the network (DO NOT PLUG IT into the network, as you seized the FSMO roles!!!) to be able to copy the GPO files, I'm afraid you'll have to delete the dysfunctional GPOs and recreate them completely from scratch.

Have a good day.
0
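The folder check described in the answer above can be scripted. This is an added example, not part of the original post: it assumes the GroupPolicy PowerShell module (installed with GPMC/RSAT) and read access to SYSVOL, and the function name `Test-GpoSysvolConsistency` is hypothetical. It compares the GPOs registered in Active Directory with the folders under `Policies` and flags any GPO whose folder or `gpt.ini` is missing, the condition reported by the 0x422 events in the dcdiag output.

```powershell
# Added example: cross-check GPO objects in AD against their SYSVOL folders.
# Assumes the GroupPolicy module (GPMC/RSAT) is installed.
Import-Module GroupPolicy

function Test-GpoSysvolConsistency {
    param(
        [string]$Domain = $env:USERDNSDOMAIN,
        # Domain-based path that clients use. On the DC itself you can pass
        # C:\Windows\SYSVOL\domain\Policies to take DNS/DFS out of the picture.
        [string]$PoliciesPath = "\\$Domain\SYSVOL\$Domain\Policies"
    )

    $adGuids = @{}

    # 1. Every GPO object in AD should have a {GUID} folder containing gpt.ini.
    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        $guid   = '{' + $gpo.Id.ToString().ToUpper() + '}'
        $folder = Join-Path $PoliciesPath $guid
        $gptIni = Join-Path $folder 'gpt.ini'
        $adGuids[$guid] = $true

        if (-not (Test-Path -LiteralPath $folder)) {
            $status = 'MissingFolder'
        } elseif (-not (Test-Path -LiteralPath $gptIni)) {
            $status = 'MissingGptIni'
        } else {
            $status = 'OK'
        }

        [pscustomobject]@{
            DisplayName = $gpo.DisplayName
            Guid        = $guid
            Status      = $status
        }
    }

    # 2. Folders in SYSVOL with no matching GPO object in AD (orphans).
    Get-ChildItem -LiteralPath $PoliciesPath -Directory |
        Where-Object {
            $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' -and
            -not $adGuids.ContainsKey($_.Name.ToUpper())
        } |
        ForEach-Object {
            [pscustomobject]@{
                DisplayName = '(no GPO object in AD)'
                Guid        = $_.Name
                Status      = 'OrphanedFolder'
            }
        }
}

# Show only the GPOs that need attention.
Test-GpoSysvolConsistency |
    Where-Object { $_.Status -ne 'OK' } |
    Format-Table -AutoSize
```

A `MissingFolder` or `MissingGptIni` row identifies a GPO that exists in AD but whose files never reached this DC's SYSVOL; those are the candidates for restoring from a backup or recreating.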
 

Expert Comment

by:LMPHelpdesk
ID: 39223308
Can you add the output from netdom query fsmo for us to review?
0
 
LVL 16

Expert Comment

by:PaciB
ID: 39223356
If the Global Catalog function were missing users would not be able to log on at all, and there would not be messages about the missing GPO files in the DCDIAG.

There is no link between GC and GPO.
0
 

Expert Comment

by:LMPHelpdesk
ID: 39223393
Disregard request for netdom query fsmo... I saw you did it above. Sorry for not reading clearly. What is your DNS setup on the client systems? Are any of them still referencing the old DC by chance?
0
 

Author Comment

by:guramn
ID: 39223414
Global Catalog is OK, this DC was a GC as well initially.

I manually deleted all old GPOs from the domain. Folders for the remaining GPOs are present in the SYSVOL folder, but the error still remains in dcdiag.

Here is the output of the netdom command:
Schema master               MAIN.mydomain.com
Domain naming master        MAIN.mydomain.com
PDC                         MAIN.mydomain.com
RID pool manager            MAIN.mydomain.com
Infrastructure master       MAIN.mydomain.com
The command completed successfully.
0
 

Author Comment

by:guramn
ID: 39223622
After deleting the corrupted GPOs and restarting, Group Policy applied to computers.

Now dcdiag shows this result:

----------------------------

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = MAIN
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\MAIN
      Starting test: Connectivity
         ......................... MAIN passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\MAIN
      Starting test: Advertising
         ......................... MAIN passed test Advertising
      Starting test: FrsEvent
         ......................... MAIN passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... MAIN passed test DFSREvent
      Starting test: SysVolCheck
         ......................... MAIN passed test SysVolCheck
      Starting test: KccEvent
         ......................... MAIN passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... MAIN passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... MAIN passed test MachineAccount
      Starting test: NCSecDesc
         ......................... MAIN passed test NCSecDesc
      Starting test: NetLogons
         ......................... MAIN passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... MAIN passed test ObjectsReplicated
      Starting test: Replications
         ......................... MAIN passed test Replications
      Starting test: RidManager
         ......................... MAIN passed test RidManager
      Starting test: Services
         ......................... MAIN passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0x00000457
            Time Generated: 06/05/2013   23:04:31
            Event String:
            Driver Microsoft XPS Document Writer required for printer Microsoft
XPS Document Writer is unknown. Contact the administrator to install the driver
before you log in again.
         A warning event occurred.  EventID: 0x00001796
            Time Generated: 06/05/2013   23:05:04
            Event String:
            Microsoft Windows Server has detected that NTLM authentication is pr
esently being used between clients and this server. This event occurs once per b
oot of the server on the first time a client uses NTLM with this server.
         An error event occurred.  EventID: 0x000007D1
            Time Generated: 06/05/2013   23:13:32
            Event String:
            Microsoft Antimalware has encountered an error trying to update sign
atures.
         ......................... MAIN failed test SystemLog
      Starting test: VerifyReferences
         ......................... MAIN passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : mydomain
      Starting test: CheckSDRefDom
         ......................... mydomain passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... mydomain passed test CrossRefValidation

   Running enterprise tests on : mydomain.com
      Starting test: LocatorCheck
         ......................... mydomain.com passed test LocatorCheck
      Starting test: Intersite
         ......................... mydomain.com passed test Intersite
-----------------------------
0
 

Author Comment

by:guramn
ID: 39224868
Issue was resolved after removing the corrupted GPOs and recreating them.
0
