[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2822
  • Last Modified:

Group Policy not functioning correctly in active directory

Hi All,

I had 2 domain controllers running windows server 2012std, single forest, single domain.
Recently my primary domain controller crashed, and i had to remove it from the network and to seize all fsmo roles.

netdom query fsmo shows all roles are holding available domain controller now
after seizing all roles, i manually cleaned up every reference of old dc from DNS as well.

I noticed that since that group policy was not applying to domain computers .

I ran dcdiag and it showed several failures. here is output:


-----------------------------------------------------------------------------------------------------------------------------------------
Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = MAIN
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\MAIN
      Starting test: Connectivity
         ......................... MAIN passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\MAIN
      Starting test: Advertising
         ......................... MAIN passed test Advertising
      Starting test: FrsEvent
         ......................... MAIN passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... MAIN passed test DFSREvent
      Starting test: SysVolCheck
         ......................... MAIN passed test SysVolCheck
      Starting test: KccEvent
         ......................... MAIN passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... MAIN passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... MAIN passed test MachineAccount
      Starting test: NCSecDesc
         ......................... MAIN passed test NCSecDesc
      Starting test: NetLogons
         ......................... MAIN passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... MAIN passed test ObjectsReplicated
      Starting test: Replications
         ......................... MAIN passed test Replications
      Starting test: RidManager
         ......................... MAIN passed test RidManager
      Starting test: Services
         ......................... MAIN passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0x00000422
            Time Generated: 06/05/2013   21:32:36
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
 file \\mydomain.com\SysVol\mydomain.com\Policies\{A725E367-D42B-4FA3-811F-9FD4EA81C0AF}\gpt
.ini from a domain controller and was not successful. Group Policy settings may
not be applied until this event is resolved. This issue may be transient and cou
ld be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 06/05/2013   21:37:36
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
 file \\mydomain.com\SysVol\mydomain.com\Policies\{A725E367-D42B-4FA3-811F-9FD4EA81C0AF}\gpt
.ini from a domain controller and was not successful. Group Policy settings may
not be applied until this event is resolved. This issue may be transient and cou
ld be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 06/05/2013   21:42:37
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
 file \\mydomain.com\SysVol\mydomain.com\Policies\{A725E367-D42B-4FA3-811F-9FD4EA81C0AF}\gpt
.ini from a domain controller and was not successful. Group Policy settings may
not be applied until this event is resolved. This issue may be transient and cou
ld be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 06/05/2013   21:47:37
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
 file \\mydomain.com\SysVol\mydomain.com\Policies\{A725E367-D42B-4FA3-811F-9FD4EA81C0AF}\gpt
.ini from a domain controller and was not successful. Group Policy settings may
not be applied until this event is resolved. This issue may be transient and cou
ld be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 06/05/2013   21:52:37
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
 file \\mydomain.com\SysVol\mydomain.com\Policies\{A725E367-D42B-4FA3-811F-9FD4EA81C0AF}\gpt
.ini from a domain controller and was not successful. Group Policy settings may
not be applied until this event is resolved. This issue may be transient and cou
ld be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 06/05/2013   21:57:37
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
 file \\mydomain.com\SysVol\mydomain.com\Policies\{A725E367-D42B-4FA3-811F-9FD4EA81C0AF}\gpt
.ini from a domain controller and was not successful. Group Policy settings may
not be applied until this event is resolved. This issue may be transient and cou
ld be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 06/05/2013   22:02:38
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
 file \\mydomain.com\SysVol\mydomain.com\Policies\{A725E367-D42B-4FA3-811F-9FD4EA81C0AF}\gpt
.ini from a domain controller and was not successful. Group Policy settings may
not be applied until this event is resolved. This issue may be transient and cou
ld be caused by one or more of the following:
         A warning event occurred.  EventID: 0x000003F6
            Time Generated: 06/05/2013   22:05:58
            Event String:
            Name resolution for the name _ldap._tcp.dc._msdcs.mydomain.com. timed out
after none of the configured DNS servers responded.
         A warning event occurred.  EventID: 0x000727AA
            Time Generated: 06/05/2013   22:06:28
            Event String:
            The WinRM service failed to create the following SPNs: WSMAN/MAIN.cp
h.ge; WSMAN/MAIN.
         An error event occurred.  EventID: 0x0000168E
            Time Generated: 06/05/2013   22:06:32
            Event String:
            The dynamic registration of the DNS record '_ldap._tcp.mydomain.com. 600 I
N SRV 0 100 389 MAIN.mydomain.com.' failed on the following DNS server:
         A warning event occurred.  EventID: 0x00002724
            Time Generated: 06/05/2013   22:06:34
            Event String:
            This computer has at least one dynamically assigned IPv6 address.For
 reliable DHCPv6 server operation, you should use only static IPv6 addresses.
         An error event occurred.  EventID: 0x00000422
            Time Generated: 06/05/2013   22:06:46
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
 file \\mydomain.com\SysVol\mydomain.com\Policies\{A725E367-D42B-4FA3-811F-9FD4EA81C0AF}\gpt
.ini from a domain controller and was not successful. Group Policy settings may
not be applied until this event is resolved. This issue may be transient and cou
ld be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 06/05/2013   22:06:59
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
 file \\mydomain.com\SysVol\mydomain.com\Policies\{A725E367-D42B-4FA3-811F-9FD4EA81C0AF}\gpt
.ini from a domain controller and was not successful. Group Policy settings may
not be applied until this event is resolved. This issue may be transient and cou
ld be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000457
            Time Generated: 06/05/2013   22:07:03
            Event String:
            Driver Microsoft XPS Document Writer required for printer Microsoft
XPS Document Writer is unknown. Contact the administrator to install the driver
before you log in again.
         An error event occurred.  EventID: 0x00000422
            Time Generated: 06/05/2013   22:11:46
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
 file \\mydomain.com\SysVol\mydomain.com\Policies\{A725E367-D42B-4FA3-811F-9FD4EA81C0AF}\gpt
.ini from a domain controller and was not successful. Group Policy settings may
not be applied until this event is resolved. This issue may be transient and cou
ld be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 06/05/2013   22:16:46
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
 file \\mydomain.com\SysVol\mydomain.com\Policies\{A725E367-D42B-4FA3-811F-9FD4EA81C0AF}\gpt
.ini from a domain controller and was not successful. Group Policy settings may
not be applied until this event is resolved. This issue may be transient and cou
ld be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 06/05/2013   22:21:46
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
 file \\mydomain.com\SysVol\mydomain.com\Policies\{A725E367-D42B-4FA3-811F-9FD4EA81C0AF}\gpt
.ini from a domain controller and was not successful. Group Policy settings may
not be applied until this event is resolved. This issue may be transient and cou
ld be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 06/05/2013   22:26:46
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
 file \\mydomain.com\SysVol\mydomain.com\Policies\{A725E367-D42B-4FA3-811F-9FD4EA81C0AF}\gpt
.ini from a domain controller and was not successful. Group Policy settings may
not be applied until this event is resolved. This issue may be transient and cou
ld be caused by one or more of the following:
         ......................... MAIN failed test SystemLog
      Starting test: VerifyReferences
         ......................... MAIN passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : mydomain
      Starting test: CheckSDRefDom
         ......................... mydomain passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... mydomain passed test CrossRefValidation

   Running enterprise tests on : mydomain.com
      Starting test: LocatorCheck
         ......................... mydomain.com passed test LocatorCheck
      Starting test: Intersite
         ......................... mydomain.com passed test Intersite


------
I'm planning to add second dc to my network, but first need to resolve this issues. Need your assistance, thanks in advance
0
guramn
Asked:
guramn
  • 3
  • 2
  • 2
  • +1
1 Solution
 
Levi GwynCommented:
Make sure your remaining DC is also a Global Catalog server.
0
 
Bruno PACIIT ConsultantCommented:
Hi,

Looks like the NTFRS replication of the SYSVOL content was not working for a long time ago. So probably your remaining DC does not contain a copy of the GPOs.

To confirm that, take a look in C:\Windows\SYSVOL\domain\policies and check if directories exists in it.
There should be one subdirectory for each GPO in the domain.

If you can not bring back up the crashed DC UNPLUGGED from network (DO NOT PLUG IT on the network as you seized FSMO roles !!!) to be able to copy GPO files I'm afraid you'll have  to delete disfunctioning GPO and recreate them completly from scratch.

Have a good day.
0
 
LMPHelpdeskCommented:
can you add the output from netdom query fsmo for us to review?
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
Bruno PACIIT ConsultantCommented:
If the Global Catalog function were missing users would not be able to log on at all, and there would not be messages about the missing GPO files in the DCDIAG.

There is no link between GC and GPO.
0
 
LMPHelpdeskCommented:
disregard request for netdom query fsmo...I saw you did it above.  sorry for not reading clearly.  What is you DNS setup on the client systems?  are any of them still referencing the old DC by chance?
0
 
guramnAuthor Commented:
Global Catalog is OK, this dc was GC as well initially.

I manually deleted all old GPOs from the domain. folders for remaining gpos are present in sysvol folder.  but the error still remaining in dcdiag

here is output of netdom command
Schema master               MAIN.mydomain.com
Domain naming master        MAIN.mydomain.com
PDC                         MAIN.mydomain.com
RID pool manager            MAIN.mydomain.com
Infrastructure master       MAIN.mydomain.com
The command completed successfully.
0
 
guramnAuthor Commented:
after deleting corrupted gpo-s and restarting group policy applied to computers.

now dcdiag shows such result:

----------------------------

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = MAIN
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\MAIN
      Starting test: Connectivity
         ......................... MAIN passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\MAIN
      Starting test: Advertising
         ......................... MAIN passed test Advertising
      Starting test: FrsEvent
         ......................... MAIN passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... MAIN passed test DFSREvent
      Starting test: SysVolCheck
         ......................... MAIN passed test SysVolCheck
      Starting test: KccEvent
         ......................... MAIN passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... MAIN passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... MAIN passed test MachineAccount
      Starting test: NCSecDesc
         ......................... MAIN passed test NCSecDesc
      Starting test: NetLogons
         ......................... MAIN passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... MAIN passed test ObjectsReplicated
      Starting test: Replications
         ......................... MAIN passed test Replications
      Starting test: RidManager
         ......................... MAIN passed test RidManager
      Starting test: Services
         ......................... MAIN passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0x00000457
            Time Generated: 06/05/2013   23:04:31
            Event String:
            Driver Microsoft XPS Document Writer required for printer Microsoft
XPS Document Writer is unknown. Contact the administrator to install the driver
before you log in again.
         A warning event occurred.  EventID: 0x00001796
            Time Generated: 06/05/2013   23:05:04
            Event String:
            Microsoft Windows Server has detected that NTLM authentication is pr
esently being used between clients and this server. This event occurs once per b
oot of the server on the first time a client uses NTLM with this server.
         An error event occurred.  EventID: 0x000007D1
            Time Generated: 06/05/2013   23:13:32
            Event String:
            Microsoft Antimalware has encountered an error trying to update sign
atures.
         ......................... MAIN failed test SystemLog
      Starting test: VerifyReferences
         ......................... MAIN passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : mydomain
      Starting test: CheckSDRefDom
         ......................... mydomain passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... mydomain passed test CrossRefValidation

   Running enterprise tests on : mydomain.com
      Starting test: LocatorCheck
         ......................... mydomain.com passed test LocatorCheck
      Starting test: Intersite
         ......................... mydomain.com passed test Intersite
-----------------------------
0
 
guramnAuthor Commented:
issue was resolved after removing corrupted gpos and recreating them
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 3
  • 2
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now