Solved

server 2008 r2 | group policy

Posted on 2015-01-14
15
46 Views
Last Modified: 2015-02-17
I have an environment that consists of two sites.

When i run a group policy modelling wizards on a domain controller on each site, i get different results.

We are having issues with a GPO not applying in one of the sites

If i use the GPMC and attach to the domain controller in the site, the required gpo is there?
0
Comment
Question by:cmatchett
15 Comments
 
LVL 36

Expert Comment

by:Jian An Lim
ID: 40550467
do you have a site level GPO?
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 40550538
You probably have a problem with replication between your domain controllers. Use repadmin to check the replication health status of your domain controllers. I think repadmin gets installed with the RSAT AD tools. It should also be on the domain controllers. It is a command line utility.
0
 
LVL 36

Expert Comment

by:Mahesh
ID: 40550657
navigate to \\DC\sysvol\polices path on both DCs and see if both DCs are showing same number of GPO folders

If there is variation, check file replication services event log for event ID 13568, it might be journal  wrap issues

you could run non-authoritative restore of sysvol on DC where GPO count is not appropriate OR DC where you find 13568 event OR on ADC so that it rebuild sysvol from PDC server
Follow below article
http://support.microsoft.com/kb/290762
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
LVL 32

Expert Comment

by:Rodney Barnhardt
ID: 40551161
I would look for the following errors in the event viewer:  Journal wrap, JRNL_WRAP_ERROR, 13508, 13568

If they exist on one DC, but not the other, do the following on the DC with the errors:
Expand HKEY_LOCAL_MACHINE
Go to the following location:
"System|CurrentControlSet|Services\NtFrs\Parameters\Backup/Restore\Process at Startup"
Double click on the value name "BurFlags"
Change the value to "d2"
 
Restart the FRS service
 
The SYSVOL should be recreated and the data will gradually repopulate. Refresh the event viewer until event ID 13516 appears indicting the rebuild is complete.

The reg key entry will change itself back once the rebuild is complete.

If the error is on both servers, then you will need to do a restore. The problem will be locating and ensuring you have a backup prior to the problem.
0
 
LVL 19

Expert Comment

by:compdigit44
ID: 40552507
Have you run dcdiag /v /e > c:\dcdiag.txt to chech the health of AD?

repadmin /showrepl >c:\readmin.txt to check replicaton..

Also check the GPT amd GPC version numbers... The follow link has more details on this for you.
0
 

Author Comment

by:cmatchett
ID: 40553167
in my dcdiag, i am getting

The processing of Group Policy failed. Windows attempted to read the file \\path\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:

a) Name Resolution/Network Connectivity to the current domain controller.

 b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).

c) The Distributed File System (DFS) client has been disabled.

Question, i have tried to link a new gpo and it also isn't applying.

When i do rsop query on the local computer, it shows the gpos that i want to apply in the list.

Is it because of the above?
0
 
LVL 36

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
ID: 40553213
Try Authoritative FRS restore as stated in earlier comment: http://support.microsoft.com/kb/290762

Steps:
1 stop file replication service on all DCs
2 On PDC server, Locate the following subkey in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
In the right pane, double click BurFlags.
In the Edit DWORD Value dialog box, type D4 and then click OK.
3 Start file replication service
4 Ensure that event id 13516 is populated in file replication service event logs
5 open command prompt and enter Net Share, It should show sysvol and netlogon  shares

6 Then logon to other DCs one by one and modify the same registry above with value of D2
7 start the file replication service
8 Check for event id 13516 in file replication service event
9 open command prompt and enter Net Share, It should show sysvol and netlogon shares

Now check if you are able to create new GPO and it get replicated to other DC as well.
0
 

Author Comment

by:cmatchett
ID: 40553228
we are using windows 2008 r2 so the FRS doesn't come into play?
0
 
LVL 36

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
ID: 40553238
So you mean to say that you are running on DFSR Sysvol?

Is File replication Services (NTFRS) is disabled on all your domain controllers?
If not still you are running on FRS Sysvol
Its not mandatory that when you have 2008 R2 DCs, you are on DFSR Sysvol, it depends upon how your domain constructed
If you are upgrading AD from 2003 to 2008 R2 \ 2012, then Sysvol will run through FRS only
If you are creating new 2008 R2 domain with 2003 as domain   functional level, still your sysvol remains on FRS
If you created domain on 2008 R2 with 2008 as domain functional level, then your sysvol will remain on DFSR
OR
U can migrate FRS sysvol to DFSR after you have raised domain functional level to 2008

Check which scenario is applicable in your case

If you have DFSR Sysvol, follow below article to have DFSR Sysvol authoritative restore
http://www.experts-exchange.com/Software/Server_Software/Active_Directory/A_17360-AD-DFSR-Sysvol-Authoritative-Non-Authoritative-Restore-Correct-Sequence.html
0
 

Author Comment

by:cmatchett
ID: 40553254
This domain was created with the domain functional level of 2008 r2

I have checked the sysvol on all of the domain controllers, the GPO exists on all domain controllers.  The versions are all the same.

I have also checked the permissions on the sysvol share.
0
 
LVL 36

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
ID: 40553296
Check if you have any orphaned GPOs, if found remove them
Use below PowerShell script
http://www.jhouseconsulting.com/2012/09/03/finding-orphaned-group-policy-objects-807
0
 

Author Comment

by:cmatchett
ID: 40553327
would orphaned GPOs stop other GPOs from applying?
0
 
LVL 36

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
ID: 40553342
sometimes you might face issues due to orphaned GPOs
0
 
LVL 36

Accepted Solution

by:
Mahesh earned 500 total points
ID: 40553377
Have you checked DFSR propagation test from dfs management snap in on DCs
U need to install DFS management tools from server manager under features for that
http://www.adshotgyan.com/2010/12/dfsr-propagation-test-in-windows-2008.html

If above is not successful, you can do DFSR non-authoritative restore as per article in my earlier comment
0
 

Author Comment

by:cmatchett
ID: 40588381
sorry for only coming back to this now...

restarting the domain controller fixed my modelling issue.

A group policy with loopback processing enabled was always causing issues
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

We recently had an issue where out of nowhere, end users started indicating that their logins to our terminal server were just showing a "blank screen." After checking the usual suspects -- profiles, shell=explorer.exe in the registry, userinit.exe,…
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question