Clients not Picking up Correct GPO Names
Windows 2003 SP2 DC
Windows Server 2008
Windows Server 2003
Windows 7
Windows 8 Vista
Clients not picking up Correct GPO names and updates
Working with WSUS setting up new GPO for WSUS
I had one GPO Name WSUS trying to create unique GPO Names for WSUS
During my setup I found that the Default Domain Policy had WSUS settings so I edited the Default Domain Policy and Disabled all the WSUS setting in the Default Domain Policy
And Modified WSUS settings.
Ran gpupdate /force on the DC that runs the PDC
Ran gpupdate /force on all computers
Most got the correct gpo name
I ran RSOP on every computer/server and on the one that are working shows only the WSUS GPO Name
The problem is on some of the servers and computers
When I ran RSOP on them I found That the Default Domain Policy GPO Name and WSUS GPO name were present
Why is this happening?
Once you disable a setting it should not be picked up.
Where is this information kept?
Do I have a caching issue here?
How can I fix this.
Thanks Tom
Windows Server 2008
Windows Server 2003
Windows 7
Windows 8 Vista
Clients not picking up Correct GPO names and updates
Working with WSUS setting up new GPO for WSUS
I had one GPO Name WSUS trying to create unique GPO Names for WSUS
During my setup I found that the Default Domain Policy had WSUS settings so I edited the Default Domain Policy and Disabled all the WSUS setting in the Default Domain Policy
And Modified WSUS settings.
Ran gpupdate /force on the DC that runs the PDC
Ran gpupdate /force on all computers
Most got the correct gpo name
I ran RSOP on every computer/server and on the one that are working shows only the WSUS GPO Name
The problem is on some of the servers and computers
When I ran RSOP on them I found That the Default Domain Policy GPO Name and WSUS GPO name were present
Why is this happening?
Once you disable a setting it should not be picked up.
Where is this information kept?
Do I have a caching issue here?
How can I fix this.
Thanks Tom
ASKER
Arnold
I changed them to not configured should I disable them?
I am trying to run group results wizard but not having good luck with that
Do you have some instructions on how to use it ?
Thanks
To
I changed them to not configured should I disable them?
I am trying to run group results wizard but not having good luck with that
Do you have some instructions on how to use it ?
Thanks
To
Group Policy Results wizard.
If you are only interested in the application of user settings, during the selection of the computer system, there is an option to disregard the computer selection.
The same applies to the looking at computer settings by disabling the consideration of the user portion.
For the overall
Identify the system you want to test, then you will be allowed to query for the username and the list will only provide info on users who've previously logged into this system. You can not test a workstation for settings of a user who has never logged into this workstation.
At the conclusion of the wizard, there is a settings tab. this reflects the settings from all Computer GPOs and User GPOs that apply to the computer/user along with the Winning GPO that controls these settings.
If you are only interested in the application of user settings, during the selection of the computer system, there is an option to disregard the computer selection.
The same applies to the looking at computer settings by disabling the consideration of the user portion.
For the overall
Identify the system you want to test, then you will be allowed to query for the username and the list will only provide info on users who've previously logged into this system. You can not test a workstation for settings of a user who has never logged into this workstation.
At the conclusion of the wizard, there is a settings tab. this reflects the settings from all Computer GPOs and User GPOs that apply to the computer/user along with the Winning GPO that controls these settings.
ASKER
Arnold
I got the wizard working thanks
You mentioned I might have a bad GPO and that got me thinking had a six hour drive today and had plenty of time to think this thru
On the Default Domain Policy I had WSUS settings as I mentioned before and one setting was "Enable client-side targeting" which had "servers;vista;xp;win7;win
What I did was blank the Target Group name for this computer filed now it is empty. Then Click Not Configured
In all my research I saw somewhere where this might be a problem
Running RSOP on all machines I just have one now that has setting from the Default Domain Policy which has all the settings as not configured
But because I blanked out the Target Group setting is that the reason I have this issue?
Thoughts
Thanks
In the mean time I am going to try to add and entry in that field and then disable it see what that does.
I got the wizard working thanks
You mentioned I might have a bad GPO and that got me thinking had a six hour drive today and had plenty of time to think this thru
On the Default Domain Policy I had WSUS settings as I mentioned before and one setting was "Enable client-side targeting" which had "servers;vista;xp;win7;win
What I did was blank the Target Group name for this computer filed now it is empty. Then Click Not Configured
In all my research I saw somewhere where this might be a problem
Running RSOP on all machines I just have one now that has setting from the Default Domain Policy which has all the settings as not configured
But because I blanked out the Target Group setting is that the reason I have this issue?
Thoughts
Thanks
In the mean time I am going to try to add and entry in that field and then disable it see what that does.
Client target should be a single string, not sure whether that entry was being seen as invalid preventing the changes to the GPO from replicating. i.e. ad and sysvol had different numbers.
before you go through again, check whether the GPO sysvol/ad are the same for computer and user settings respectively.
before you go through again, check whether the GPO sysvol/ad are the same for computer and user settings respectively.
ASKER
Arnold
Good call
I checked the SYSVOL on both DC's and they do not match that is the problem here.
So I then went to look at the event logs and I forgot about these
DC1
Event Type: Warning
Event Source: NtFrs
Event Category: None
Event ID: 13508
Date: 3/14/2015
Time: 7:58:17 PM
User: N/A
Computer: TGCS011
Description:
The File Replication Service is having trouble enabling replication from TGCS012 to TGCS011 for c:\windows\sysvol\domain using the DNS name tgcs012.our.network.tgcsne
Following are some of the reasons you would see this warning.
[1] FRS can not correctly resolve the DNS name tgcs012.our.network.tgcsne
[2] FRS is not running on tgcs012.our.network.tgcsne
[3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.
DC 2 PDC All Roles on this one
Event Type: Error
Event Source: NtFrs
Event Category: None
Event ID: 13568
Date: 3/13/2015
Time: 7:10:21 PM
User: N/A
Computer: TGCS012
Description:
The File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR.
Replica set name is : "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"
Replica root path is : "c:\windows\sysvol\domain"
Replica root volume is : "\\.\C:"
A Replica set hits JRNL_WRAP_ERROR when the record that it is trying to read from the NTFS USN journal is not found. This can occur because of one of the following reasons.
[1] Volume "\\.\C:" has been formatted.
[2] The NTFS USN journal on volume "\\.\C:" has been deleted.
[3] The NTFS USN journal on volume "\\.\C:" has been truncated. Chkdsk can truncate the journal if it finds corrupt entries at the end of the journal.
[4] File Replication Service was not running on this computer for a long time.
[5] File Replication Service could not keep up with the rate of Disk IO activity on "\\.\C:".
Setting the "Enable Journal Wrap Automatic Restore" registry parameter to 1 will cause the following recovery steps to be taken to automatically recover from this error state.
[1] At the first poll, which will occur in 5 minutes, this computer will be deleted from the replica set. If you do not want to wait 5 minutes, then run "net stop ntfrs" followed by "net start ntfrs" to restart the File Replication Service.
[2] At the poll following the deletion this computer will be re-added to the replica set. The re-addition will trigger a full tree sync for the replica set.
WARNING: During the recovery process data in the replica tree may be unavailable. You should reset the registry parameter described above to 0 to prevent automatic recovery from making the data unexpectedly unavailable if this error condition occurs again.
To change this registry parameter, run regedit.
Click on Start, Run and type regedit.
Expand HKEY_LOCAL_MACHINE.
Click down the key path:
"System\CurrentControlSet\
Double click on the value name
"Enable Journal Wrap Automatic Restore"
and update the value.
If the value name is not present you may add it with the New->DWORD Value function under the Edit Menu item. Type the value name exactly as shown above.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
I checked the reg entry "Enable Journal Wrap Automatic Restore" it was not present but I added it per instructions as a dword and the value was set to 0 zero
Restarted File Replication Service and the same error appeared again
How do I fix event 13568
If we fix this then the GPO will work correct?
Thanks TOM
Good call
I checked the SYSVOL on both DC's and they do not match that is the problem here.
So I then went to look at the event logs and I forgot about these
DC1
Event Type: Warning
Event Source: NtFrs
Event Category: None
Event ID: 13508
Date: 3/14/2015
Time: 7:58:17 PM
User: N/A
Computer: TGCS011
Description:
The File Replication Service is having trouble enabling replication from TGCS012 to TGCS011 for c:\windows\sysvol\domain using the DNS name tgcs012.our.network.tgcsne
Following are some of the reasons you would see this warning.
[1] FRS can not correctly resolve the DNS name tgcs012.our.network.tgcsne
[2] FRS is not running on tgcs012.our.network.tgcsne
[3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.
DC 2 PDC All Roles on this one
Event Type: Error
Event Source: NtFrs
Event Category: None
Event ID: 13568
Date: 3/13/2015
Time: 7:10:21 PM
User: N/A
Computer: TGCS012
Description:
The File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR.
Replica set name is : "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"
Replica root path is : "c:\windows\sysvol\domain"
Replica root volume is : "\\.\C:"
A Replica set hits JRNL_WRAP_ERROR when the record that it is trying to read from the NTFS USN journal is not found. This can occur because of one of the following reasons.
[1] Volume "\\.\C:" has been formatted.
[2] The NTFS USN journal on volume "\\.\C:" has been deleted.
[3] The NTFS USN journal on volume "\\.\C:" has been truncated. Chkdsk can truncate the journal if it finds corrupt entries at the end of the journal.
[4] File Replication Service was not running on this computer for a long time.
[5] File Replication Service could not keep up with the rate of Disk IO activity on "\\.\C:".
Setting the "Enable Journal Wrap Automatic Restore" registry parameter to 1 will cause the following recovery steps to be taken to automatically recover from this error state.
[1] At the first poll, which will occur in 5 minutes, this computer will be deleted from the replica set. If you do not want to wait 5 minutes, then run "net stop ntfrs" followed by "net start ntfrs" to restart the File Replication Service.
[2] At the poll following the deletion this computer will be re-added to the replica set. The re-addition will trigger a full tree sync for the replica set.
WARNING: During the recovery process data in the replica tree may be unavailable. You should reset the registry parameter described above to 0 to prevent automatic recovery from making the data unexpectedly unavailable if this error condition occurs again.
To change this registry parameter, run regedit.
Click on Start, Run and type regedit.
Expand HKEY_LOCAL_MACHINE.
Click down the key path:
"System\CurrentControlSet\
Double click on the value name
"Enable Journal Wrap Automatic Restore"
and update the value.
If the value name is not present you may add it with the New->DWORD Value function under the Edit Menu item. Type the value name exactly as shown above.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
I checked the reg entry "Enable Journal Wrap Automatic Restore" it was not present but I added it per instructions as a dword and the value was set to 0 zero
Restarted File Replication Service and the same error appeared again
How do I fix event 13568
If we fix this then the GPO will work correct?
Thanks TOM
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Arnold
I reset it back to one (1) for now
Hope not to see this again..
Thanks for all your help
the Problem was FRS not working properly
Glad we figure this out together.
I reset it back to one (1) for now
Hope not to see this again..
Thanks for all your help
the Problem was FRS not working properly
Glad we figure this out together.
Using GPMC and group policy results wizard, you will be able to see the settings that apply and the winning GPO that sets them.
You might have multiple layered GPos that have the same settings. While you working on one, another is the one actually setting it.
i.e. an admin before you created a GPO not related to WSUS but non the less has WSUS settings within, and also has the setting in default domain. Default domain policy was winning, you made a change and now the other "hidden" GPO is now setting those values. Did you disable the settings, or changed them to notset/undefined.......