crp0499
asked on
Group Policy issues with WSUS policy
Environment is two server 2012 r2 servers and both are DCs. DC1 holds FSMO.
There are about 30 GPOs in the servers and they all execute just fine.
A few days ago, I spun up a new WSUS server and it came up without a hitch.
I added the GPO to computer config, under admin templates pointing to the server.
Once applied to the domain, I get this error:
Log Name: System
Source: Microsoft-Windows-GroupPolicy
Date: 1/26/2015 1:38:40 PM
Event ID: 1058
Task Category: None
Level: Error
Keywords:
User: domain\journtest
Computer: BULLDOG2-04.domain.org
Description:
The processing of Group Policy failed. Windows attempted to read the file \\child.domain.org\SysVol\child.domain.org\Policies\{F4B11368-1AF5-424B-92C3-BBEA8185A13E}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
<EventID>1058</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>1</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2015-01-26T19:38:40.559367700Z" />
<EventRecordID>12993</EventRecordID>
<Correlation ActivityID="{0165360B-81DF-43DA-90DA-FDC0154E969B}" />
<Execution ProcessID="1240" ThreadID="5712" />
<Channel>System</Channel>
<Computer>BULLDOG2-04.child.domain.org</Computer>
<Security UserID="S-1-5-21-3532712855-2137286508-2029475586-3010" />
</System>
<EventData>
<Data Name="SupportInfo1">4</Data>
<Data Name="SupportInfo2">816</Data>
<Data Name="ProcessingMode">0</Data>
<Data Name="ProcessingTimeInMilliseconds">562</Data>
<Data Name="ErrorCode">3</Data>
<Data Name="ErrorDescription">The system cannot find the path specified. </Data>
<Data Name="DCName">DC2.child.domain.org</Data>
<Data Name="GPOCNName">cn={F4B11368-1AF5-424B-92C3-BBEA8185A13E},cn=policies,cn=system,DC=sisd,DC=domain,DC=org</Data>
<Data Name="FilePath">\\child.domain.org\SysVol\child.domain.org\Policies\{F4B11368-1AF5-424B-92C3-BBEA8185A13E}\gpt.ini</Data>
</EventData>
</Event>
Note that DC2 is referenced.
So, I looked in the sysvol folder for both DCs and I do NOT see the new GPO in DC2. So, I'm thinking the PC is authenticating against DC2 and since the policy is not there, it's not executing.
I also noted that in the policies folder on DC1, I have 37 policies. In the policies folder on DC2, I have 74. Clearly, something is amiss.
Replication is working. I can create users and they replicate right away.
Testing replication with repadmin and the GUI returns 100% success, no errors. Still, clearly there is a REASON the policies folders are disparate and a reason the GP is not showing up in DC2 policy folder.
So, thoughts on where to start and how to fix issue?
Thanks
Cliff
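The comparison described in the question (which GPO folders each DC actually holds in SYSVOL, versus the GPOs Active Directory knows about) can be scripted; this is an added example, not part of the original thread. It assumes the RSAT ActiveDirectory module is installed and that the account running it can read each DC's SYSVOL share.

```powershell
# Added example: compare the Group Policy Template folders in each DC's SYSVOL
# share with the Group Policy Container objects stored in Active Directory.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# GPO GUIDs according to AD (CN=Policies,CN=System,<domain DN>).
$gpcGuids = @(
    Get-ADObject -SearchBase "CN=Policies,CN=System,$($domain.DistinguishedName)" `
        -SearchScope OneLevel -LDAPFilter '(objectClass=groupPolicyContainer)' |
        ForEach-Object { $_.Name.ToUpper() }
)

foreach ($dc in Get-ADDomainController -Filter *) {
    # Address each DC by name; the \\<domain>\SysVol DFS path can land on any DC.
    $path = "\\$($dc.HostName)\SYSVOL\$($domain.DNSRoot)\Policies"

    # PolicyDefinitions (the ADMX central store) is not a GPO, so skip it.
    $folders = @(
        Get-ChildItem -Path $path -Directory |
            Where-Object { $_.Name -ne 'PolicyDefinitions' }
    )
    $onDisk = @($folders | ForEach-Object { $_.Name.ToUpper() })

    [pscustomobject]@{
        DC             = $dc.HostName
        GpoInAD        = $gpcGuids.Count
        FoldersOnDisk  = $folders.Count
        # GPOs that exist in AD but have no folder on this DC
        # (a client hitting this DC logs event 1058 for them).
        MissingOnDisk  = @($gpcGuids | Where-Object { $_ -notin $onDisk })
        # Folders with no matching GPO in AD (stale or conflict copies).
        OrphanedOnDisk = @($onDisk | Where-Object { $_ -notin $gpcGuids })
        # Folders present but lacking gpt.ini.
        NoGptIni       = @($folders |
            Where-Object { -not (Test-Path (Join-Path $_.FullName 'gpt.ini')) } |
            ForEach-Object { $_.Name })
        # Most recent folder change; a very old date suggests SYSVOL
        # replication to this DC stopped around then.
        NewestChange   = ($folders | Sort-Object LastWriteTime |
            Select-Object -Last 1).LastWriteTime
    }
}
```

repadmin reports Active Directory replication only; SYSVOL content is replicated separately (DFSR or FRS), so a clean repadmin result does not rule out a mismatch between the Policies folders.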
What does dcdiag show on DC2 and one of the properly functioning DC's?
ASKER
Both report 100% passed on dcdiag
ASKER
My most recent policy in DC2 is dated 10/7/2013!
Sounds like you are having a journal wrap issue.
http://support.microsoft.com/kb/290762 - Try using the BurFlags registry key to reinitialize File Replication Service replica sets
ASKER
This is 2012 R2 and the article is for 2003 and 2000.
BUT
I considered the same thing. Since both DCs are VMs, I considered demoting DC2 and going to just one DC and then bringing up another.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
ok, so I followed that to the letter and after I set DFSR back to TRUE, and run the two commands, I never see the two events in the log indicating replication and of course, my sysvol folders do not update.
ASKER
ok, finally, what I found was another event from 12/24/14 that replication had stopped and needed to use wmi to get it going again. I cleared up those errors and then the above worked as expected.
So, I'm back to clean logs and my policy folder on DC2 is empty, waiting for the initial sync.
Is there some way to get that to happen sooner or should I just wait?
ASKER
finding more and more info. now see error in log, event id 4012 telling me that my sysvol folder has been out of sync too long and now I must remove it from the DFS replication group and then add it back.
it looks like my replication hasn't been happening for a while and now I have issues. I'm thinking demote and promote again.
ASKER
Authoritative was required since the data in the errant DC was older than the stale period.
The authoritative restore fixed it all.
Glad to help