Solved

Random Group Policy Outage for Site to Zone Assignment

Posted on 2014-01-31
5
574 Views
Last Modified: 2014-11-11
Looking into an issue where a fairly important policy that published trusted sites failed to load on a decent number of client machines (I believe mixture of Win7/XP).  End users were getting errors on internal apps that depended on those trusted sites being in place.  This seems to have happened for about 15-20 minutes but it caused a fairly large ripple.  I am trying to troubleshoot and haven't found much.  A colleague was working on another policy which he originally thought may have been a factor but the settings involved aren't applicable and they tested loopback processing in merge (not replace) mode.
On one DC I found two repeats of a 1085 Group Policy Error that fell into the time frame but  I can't find any info out there on this message: Windows failed to apply the ConfigMgr User State Management Extension. settings. ConfigMgr User State Management Extension
0
Comment
Question by:mcburn13
  • 4
5 Comments
 
LVL 4

Expert Comment

by:amclaughlin01
ID: 39825416
If servers were replicating AD and GPOs, it is possible that there might have been a disconnect during that replication.

Are there any computers still experiencing the problem?  If so, you could try running gpresult /r on one of them to verify they are running the correct policies.
0
 
LVL 1

Author Comment

by:mcburn13
ID: 39829645
didn't see any replication errors, and this only happened for about 15-20 minutes.  Going to attempt do enable GP diagnostic logging in case this happens again but if anyone knows of any known issues where a policy will just not apply for no good reason please post here...
0
 
LVL 1

Author Comment

by:mcburn13
ID: 39842579
Still haven't really found any good info on this; all forum/newsgroup/microsoft documentation points to possible misconfiguration issues with the GPO (or other policies), DNS or Replication

I think the best solution is to do some sort of auditing on your group policies either via 3rd party tool like ManageEngine, along with verbose logging.  Can also implement Microsoft Advanced Group Management which comes with Software Assurance.
0
 
LVL 1

Accepted Solution

by:
mcburn13 earned 0 total points
ID: 40426710
My best solution was to:
a) not use wildcards before a subdomain b) not use a slash or anything trailing the .suffix of the URL c) don't use port numbers

Another way to troubleshoot is to import the policy into a lab and remove the URLs one by one, running GPResults each time until it comes up clean- once it does you know the last one you removed was the culprit (tedious but works!)
0
 
LVL 1

Author Closing Comment

by:mcburn13
ID: 40434609
no other acceptable recommendation was given
0

Join & Write a Comment

#Citrix #Internet Explorer #Enterprise Mode #IE 11 #IE 8
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now