Solved

server 2008 r2 | group policy

Posted on 2015-01-14
Last Modified: 2015-02-17
I have an environment that consists of two sites.

When I run the Group Policy Modelling Wizard on a domain controller in each site, I get different results.

We are having issues with a GPO not applying in one of the sites.

If I use the GPMC and attach to the domain controller in the site, the required GPO is there?
Question by:cmatchett
15 Comments
 
LVL 37

Expert Comment

by:Jian An Lim
ID: 40550467
Do you have a site-level GPO?
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 40550538
You probably have a problem with replication between your domain controllers. Use repadmin to check the replication health status of your domain controllers. I think repadmin gets installed with the RSAT AD tools. It should also be on the domain controllers. It is a command line utility.
 
LVL 37

Expert Comment

by:Mahesh
ID: 40550657
Navigate to the \\DC\sysvol\policies path on both DCs and see if both DCs are showing the same number of GPO folders.

If there is a variation, check the File Replication Service event log for event ID 13568; it might be a journal wrap issue.

You could run a non-authoritative restore of SYSVOL on the DC where the GPO count is not appropriate, OR the DC where you find the 13568 event, OR on the ADC, so that it rebuilds SYSVOL from the PDC server.
Follow the article below:
http://support.microsoft.com/kb/290762
 
LVL 32

Expert Comment

by:Rodney Barnhardt
ID: 40551161
I would look for the following errors in the event viewer: Journal wrap, JRNL_WRAP_ERROR, 13508, 13568

If they exist on one DC, but not the other, do the following on the DC with the errors:
Expand HKEY_LOCAL_MACHINE
Go to the following location:
"System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup"
Double-click on the value name "BurFlags"
Change the value to "d2"
 
Restart the FRS service
 
The SYSVOL should be recreated and the data will gradually repopulate. Refresh the event viewer until event ID 13516 appears, indicating the rebuild is complete.

The reg key entry will change itself back once the rebuild is complete.

If the error is on both servers, then you will need to do a restore. The problem will be locating and ensuring you have a backup prior to the problem.
 
LVL 20

Expert Comment

by:compdigit44
ID: 40552507
Have you run dcdiag /v /e > c:\dcdiag.txt to check the health of AD?

repadmin /showrepl >c:\readmin.txt to check replication.

Also check the GPT and GPC version numbers... The following link has more details on this for you.
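As an added example (not code from any comment in this thread), the PowerShell below does both of the checks suggested above: it counts the policy folders in each DC's SYSVOL share, and for every GPO it compares the GPC versionNumber in AD, as read from that same DC, with the GPT Version line in that DC's copy of gpt.ini. It assumes the RSAT ActiveDirectory module and an account that can read every DC's SYSVOL share.

```powershell
# Added example: per-DC SYSVOL folder count plus GPT/GPC version comparison.
# Assumes RSAT ActiveDirectory module and read access to \\DC\SYSVOL on every DC.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$dcs      = (Get-ADDomainController -Filter *).HostName
$policyDn = "CN=Policies,CN=System,$($domain.DistinguishedName)"

$results = foreach ($dc in $dcs) {
    $sysvol  = "\\$dc\SYSVOL\$($domain.DNSRoot)\Policies"
    $folders = @(Get-ChildItem -Path $sysvol -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer })
    Write-Host ("{0}: {1} policy folders in SYSVOL" -f $dc, $folders.Count)

    # Query the GPC objects from this DC so a lagging replica shows its own view of AD.
    $gpcs = Get-ADObject -Server $dc -SearchBase $policyDn `
                -LDAPFilter '(objectClass=groupPolicyContainer)' `
                -Properties displayName, versionNumber

    foreach ($g in $gpcs) {
        # $g.Name is the GPO GUID in braces, which is also the SYSVOL folder name.
        $gptIni = Join-Path $sysvol "$($g.Name)\gpt.ini"
        $gptVer = $null
        $m = Select-String -Path $gptIni -Pattern '^Version=(\d+)' -ErrorAction SilentlyContinue |
                 Select-Object -First 1
        if ($m) { $gptVer = [int]$m.Matches[0].Groups[1].Value }

        # A missing gpt.ini is exactly what the "attempted to read the file ...\gpt.ini" event reports.
        if ($null -eq $gptVer)                { $status = 'gpt.ini missing' }
        elseif ($gptVer -ne $g.versionNumber) { $status = 'GPT/GPC mismatch' }
        else                                  { $status = 'ok' }

        New-Object PSObject -Property @{
            DC = $dc; GPO = $g.displayName; GUID = $g.Name
            GPCVersion = $g.versionNumber; GPTVersion = $gptVer; Status = $status
        }
    }
}

# Only list problems; an empty table means AD and SYSVOL agree on every DC.
$results | Where-Object { $_.Status -ne 'ok' } |
    Sort-Object GPO, DC |
    Format-Table DC, GPO, GUID, GPCVersion, GPTVersion, Status -AutoSize
```

A folder count that differs between DCs, or a GPO that is "ok" on one DC and missing or mismatched on another, points at SYSVOL replication rather than at the GPO itself.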
 

Author Comment

by:cmatchett
ID: 40553167
In my dcdiag, I am getting:

The processing of Group Policy failed. Windows attempted to read the file \\path\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:

a) Name Resolution/Network Connectivity to the current domain controller.

 b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).

c) The Distributed File System (DFS) client has been disabled.

Question: I have tried to link a new GPO and it also isn't applying.

When I do an RSoP query on the local computer, it shows the GPOs that I want to apply in the list.

Is it because of the above?
 
LVL 37

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
ID: 40553213
Try an authoritative FRS restore as stated in my earlier comment: http://support.microsoft.com/kb/290762

Steps:
1. Stop the File Replication Service on all DCs.
2. On the PDC server, locate the following subkey in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
In the right pane, double-click BurFlags.
In the Edit DWORD Value dialog box, type D4 and then click OK.
3. Start the File Replication Service.
4. Ensure that event ID 13516 is populated in the File Replication Service event log.
5. Open a command prompt and enter Net Share; it should show the sysvol and netlogon shares.

6. Then log on to the other DCs one by one and modify the same registry value above with a value of D2.
7. Start the File Replication Service.
8. Check for event ID 13516 in the File Replication Service event log.
9. Open a command prompt and enter Net Share; it should show the sysvol and netlogon shares.

Now check if you are able to create a new GPO and it gets replicated to the other DCs as well.
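The BurFlags procedure above, as an added PowerShell function that is not from the thread or the KB article: run it on the PDC emulator with -Authoritative (D4) first, then on each remaining DC without the switch (D2). Step 1, stopping NTFRS on all DCs beforehand, is still done by hand; the function assumes an elevated session on a DC whose SYSVOL is on FRS.

```powershell
# Added example: apply the BurFlags restore steps on the local DC and wait for event 13516.
# Run with -Authoritative on the PDC emulator (D4), without it on every other DC (D2).
function Invoke-FrsBurFlagsRestore {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [switch]$Authoritative,    # D4 = authoritative (PDC only); omit for D2 = non-authoritative
        [int]$TimeoutMinutes = 30  # how long to wait for event 13516 before giving up
    )
    $subKey = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
    $flag   = if ($Authoritative) { 0xD4 } else { 0xD2 }
    $start  = Get-Date

    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, ('Set BurFlags=0x{0:X} and restart NtFrs' -f $flag))) {
        return
    }

    # Steps 2/6: the key name contains a forward slash, so use the .NET registry API
    # instead of the HKLM: provider, which would read "/" as a path separator.
    Stop-Service -Name NtFrs -Force
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey, $true)
    $key.SetValue('BurFlags', $flag, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()

    # Steps 3/7: start FRS; it reads BurFlags at startup and resets it to 0 when done.
    Start-Service -Name NtFrs

    # Steps 4/8: poll the File Replication Service log for event 13516 (SYSVOL rebuilt and shared).
    do {
        Start-Sleep -Seconds 30
        $done = Get-WinEvent -FilterHashtable @{ LogName = 'File Replication Service'; Id = 13516; StartTime = $start } `
                    -MaxEvents 1 -ErrorAction SilentlyContinue
    } until ($done -or ((Get-Date) - $start).TotalMinutes -gt $TimeoutMinutes)

    if (-not $done) {
        Write-Warning "No event 13516 within $TimeoutMinutes minutes; check the FRS event log before continuing."
        return
    }

    # Steps 5/9: SYSVOL and NETLOGON should be shared again.
    net share | Select-String -Pattern '^(SYSVOL|NETLOGON)\s'
}
```

Use -WhatIf first to confirm which flag the function would write on the DC you are logged on to.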
 

Author Comment

by:cmatchett
ID: 40553228
We are using Windows 2008 R2, so FRS doesn't come into play?
 
LVL 37

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
ID: 40553238
So you mean to say that you are running on DFSR Sysvol?

Is File Replication Service (NTFRS) disabled on all your domain controllers?
If not, you are still running on FRS Sysvol.
It's not mandatory that when you have 2008 R2 DCs you are on DFSR Sysvol; it depends upon how your domain was constructed.
If you are upgrading AD from 2003 to 2008 R2 \ 2012, then Sysvol will run through FRS only.
If you are creating a new 2008 R2 domain with 2003 as the domain functional level, your Sysvol still remains on FRS.
If you created the domain on 2008 R2 with 2008 as the domain functional level, then your Sysvol will remain on DFSR.
OR
You can migrate FRS Sysvol to DFSR after you have raised the domain functional level to 2008.

Check which scenario is applicable in your case.

If you have DFSR Sysvol, follow the article below to do a DFSR Sysvol authoritative restore:
http://www.experts-exchange.com/Software/Server_Software/Active_Directory/A_17360-AD-DFSR-Sysvol-Authoritative-Non-Authoritative-Restore-Correct-Sequence.html
 

Author Comment

by:cmatchett
ID: 40553254
This domain was created with the domain functional level of 2008 R2.

I have checked the sysvol on all of the domain controllers; the GPO exists on all domain controllers. The versions are all the same.

I have also checked the permissions on the sysvol share.
 
LVL 37

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
ID: 40553296
Check if you have any orphaned GPOs; if found, remove them.
Use the PowerShell script below:
http://www.jhouseconsulting.com/2012/09/03/finding-orphaned-group-policy-objects-807
 

Author Comment

by:cmatchett
ID: 40553327
Would orphaned GPOs stop other GPOs from applying?
 
LVL 37

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
ID: 40553342
Sometimes you might face issues due to orphaned GPOs.
 
LVL 37

Accepted Solution

by:
Mahesh earned 500 total points
ID: 40553377
Have you checked the DFSR propagation test from the DFS Management snap-in on the DCs?
You need to install the DFS Management Tools from Server Manager under Features for that.
http://www.adshotgyan.com/2010/12/dfsr-propagation-test-in-windows-2008.html

If the above is not successful, you can do a DFSR non-authoritative restore as per the article in my earlier comment.
 

Author Comment

by:cmatchett
ID: 40588381
Sorry for only coming back to this now...

Restarting the domain controller fixed my modelling issue.

A group policy with loopback processing enabled was always causing issues.
