GP Update error

Dear Experts,

In my environment there are 3 domain servers. On the first two, Windows Server 2012 is installed, and on the other, Windows Server 2008. The problem is that whenever I apply a group policy and then run the command gpupdate /force, I get the error, i.e. name resolution issue, file replication & DFS.

When I do the nslookup it points to the correct domain. I even restarted the DFS service, but the issue is the same. I have attached the file.

Regards,

JCT
gp1.jpg
jct_777 Asked:

Manikandan Narayanswamy (Security Specialist & IBM Security Guardium) Commented:
Hi,

This error usually occurs if the user or computer does not have the proper access for the path given in the event viewer. Refer to the link below and see if it works.

http://social.technet.microsoft.com/wiki/contents/articles/1456.event-id-1058-group-policy-preprocessing-networking.aspx?tduid=(a8e8dd89da578e98e2281ffa31e2b7df)(256380)(2459594)(TnL5HPStwNw-rO3KnMHYwwuDJgR1VxBizw)()

Thanks
Manikandan
0
David Johnson, CD, MVP (Owner) Commented:
What you should be checking is %logonserver%
0
jct_777 (Author) Commented:
Hi,

The logon server it's giving me is the second domain server.

Regards,

JCT
0
David Johnson, CD, MVP (Owner) Commented:
That is the one that is giving you the errors.
0
jct_777 (Author) Commented:
Hi,

If I shut down the second server and run gpupdate /force from any client computer, it works fine.

As per your advice, what shall I do now?

Regards,

JCT
0
David Johnson, CD, MVP (Owner) Commented:
You can try a forced replication. You can use this procedure to force Active Directory replication to occur between two domain controllers on a one-time basis when you want changes to be replicated from the server that received the changes to a server in another site sooner than the site link schedule allows. As an alternative, you can synchronize replication with all replication partners.

https://technet.microsoft.com/en-us/library/cc816926%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
repadmin /showrepl
repadmin /showrepl <servername>
https://technet.microsoft.com/en-us/library/cc794749%28v=ws.10%29.aspx
0
jct_777 (Author) Commented:
Hi,

I have replicated all the domain servers manually. But still some client computers are getting that same error.

Regards,

JCT
0
jct_777 (Author) Commented:
Hi,

If I run the command echo %logonserver% on the client computer and the output shows the 1st domain, then on that particular PC I get that gpupdate error.

If echo %logonserver% shows the 2nd or the 3rd DC and I run the command gpupdate /force, it works fine.

Please suggest what to do.

Regards,

JCT
0
jct_777 (Author) Commented:
Dear Administrator,

I want to close this issue as it has been pending for a long time. This issue is still not solved.

Regards,

JCT
0
David Johnson, CD, MVP (Owner) Commented:
Did you do a forced replication to DC1?
0
jct_777 (Author) Commented:
Hi,

I did the forced replication but it still gives that same error on most of the computers.

Regards,

JCT
0
jct_777 (Author) Commented:
Dear Administrator,

I want to close this issue as it has been pending for a long time. This issue is still not solved.

Regards,

JCT
0
David Johnson, CD, MVP (Owner) Commented:
Remove DC1 as a domain controller and re-promote it as a DC, or remove it as a DC, reinstall it, and promote it as a DC again.
0
jct_777 (Author) Commented:
Hi,

Can you please provide me the steps for doing so? Also, if I remove it as a domain controller and re-promote it as a DC, or remove it as a DC and reinstall and promote it as a DC again, will there be any issue?

The clients or other applications may face issues.

Regards,

JCT
0
DrDave242 Commented:
Look through either the File Replication Service (FRS) or Distributed File System Replication (DFSR) event logs on your domain controllers for errors. Depending on how your domain is configured, one of these mechanisms is what controls replication of the SYSVOL folder hierarchy among your DCs, and SYSVOL is where the Group Policy template files are stored.
0
jct_777 (Author) Commented:
Hi,

As you mentioned: "Look through either the File Replication Service (FRS) or Distributed File System Replication (DFSR) event logs on your domain controllers for errors."

Do I need to check the event logs on all the domain servers? What should the event ID be?

Regards,

JCT
0
DrDave242 Commented:
Yes, check all three domain controllers. I'm afraid I don't remember the specific event IDs you'll be looking for, but any events of type Error that relate to replication will be relevant. Feel free to post what you find here, if you'd like.
0
jct_777 (Author) Commented:
Hi,

In the event log on one of the domain servers it gives me the following error:

Error      Group Policy         1058 None.

I have attached the pic.

Regards,

JCT
Gpupdate-error.jpg
0
DrDave242 Commented:
That means that the server in question (the one on which that event is logged) couldn't access the Group Policy template file for that particular GPO. This could be because the GPO hasn't replicated to the DC it was connecting to, or it could be for some other reason. Try accessing the UNC path in that event from that machine and see what error you get.

I still think you'll get more from the FRS or DFSR event logs on the DCs, though. Those logs are located under the Applications and Services folder, which you can see in the screenshot you posted.
0
jct_777 (Author) Commented:
Hi,

From the concerned server, if I try to access the UNC path it gives me an error, i.e. Windows cannot access. If I try to access the same path from a client PC, it opens up Notepad.

If I try to access the UNC path without the group policy from the concerned server, i.e. \\Domain\Sysvol\Domain\Policies\, it opens up. I have attached the snapshots of the errors and also of the DFS Replication that is there in the Applications and Services Log.


Regards,

JCT
DFSR-Information.jpg
Different.jpg
same.jpg
Warning.jpg
0
DrDave242 Commented:
If you look in the Policies folders of all three DCs, does that particular .gpt file show up in all three, or is it missing from one (or more)?
0
jct_777 (Author) Commented:
Hi,

It's showing up only in one DC. In the other two DCs it's not showing in the Policies folders.

Regards,

JCT
0
DrDave242 Commented:
OK, your best bet will be to perform an authoritative sync of DFSR across the three DCs. Read the linked article carefully before beginning the process. It's not too difficult or time-consuming, but it is important to know which DC or DCs are being referred to in each step.

Before you start, determine which DC should be authoritative, as the contents of its SYSVOL folder will be replicated to all of the other DCs as part of this process, replacing their copies of SYSVOL. The authoritative DC will most likely be the one that contains the .gpt file in the error, but you should check to make sure the other DCs don't also contain policies that are missing from that one. If you find that this is the case, you can always manually copy any missing policies to the authoritative DC before starting.
0

jct_777 (Author) Commented:
Hi,

Can you please clarify the last seven lines, i.e. "the authoritative DC ... to the authoritative DC before starting"?

Got confused.

Regards,

Jct
0
DrDave242 Commented:
Sure. The authoritative DC will be the one whose copy of SYSVOL will be copied out to all of the other DCs as part of this process, so it needs to have the most current set of GPOs in its Policies folder. Any policies not present on that DC will be gone after the authoritative sync has completed.

The only way to determine which DC has the most current set of policies is to look in the Policies folders of all DCs and compare their contents. Inside each Policies folder, you'll find a set of subfolders with GUIDs as their names. Each subfolder corresponds to the GPO with that particular GUID. We've already established that there's at least one of those folders present on only one DC, but you should check the other DCs to see whether their Policies folders contain anything that's missing from that DC. If you do find something, you can simply copy the GUID folder into the Policies folder of the DC you'll designate as authoritative.

Basically, you want to make sure the DC which you'll designate as authoritative has a complete set of GPOs for the domain before you begin the authoritative sync process.

If your organization also uses scripts stored in the Scripts folder within SYSVOL (the NETLOGON share, in other words), you should also check that folder on all DCs and do the same thing - make sure anything missing from the authoritative DC gets copied there before beginning the steps in the article.
0
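
The folder comparison described in the answer above, as an added example that is not part of the original thread: it lists the GUID-named GPO folders in each DC's Policies folder and reports any GPO whose folder or gpt.ini is absent on at least one DC. The DC names and domain FQDN are placeholders (assumptions); it needs PowerShell 3.0 or later and read access to each DC's SYSVOL share.

```powershell
# Added example: DC names and domain FQDN are placeholders (assumptions).
$Domain = 'example.local'
$DCs    = 'DC1', 'DC2', 'DC3'
$GuidRx = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

function Get-GpoFolderState {
    param([string]$PoliciesPath)
    # Map each GUID-named GPO folder to $true/$false: does it contain gpt.ini?
    $state = @{}
    Get-ChildItem -LiteralPath $PoliciesPath -Directory -ErrorAction Stop |
        Where-Object { $_.Name -match $GuidRx } |
        ForEach-Object {
            $ini = Join-Path -Path $_.FullName -ChildPath 'gpt.ini'
            $state[$_.Name.ToUpperInvariant()] = Test-Path -LiteralPath $ini
        }
    $state
}

# Query every DC by name; \\<domain>\SYSVOL would be referred to whichever DC answers.
$byDc = @{}
foreach ($dc in $DCs) {
    $path = "\\$dc\SYSVOL\$Domain\Policies"
    try   { $byDc[$dc] = Get-GpoFolderState -PoliciesPath $path }
    catch { Write-Warning "Cannot read ${path}: $_"; $byDc[$dc] = @{} }
}

# One row per GPO GUID seen anywhere, one column per DC.
$allGuids = $byDc.Values | ForEach-Object { $_.Keys } | Sort-Object -Unique
$report = foreach ($guid in $allGuids) {
    $row = [ordered]@{ Gpo = $guid }
    foreach ($dc in $DCs) {
        $s = $byDc[$dc]
        $row[$dc] = if (-not $s.ContainsKey($guid)) { 'MISSING' } elseif (-not $s[$guid]) { 'no gpt.ini' } else { 'ok' }
    }
    [pscustomobject]$row
}

# Per-DC totals, then only the GPOs that are not intact on every DC.
foreach ($dc in $DCs) { '{0}: {1} GPO folders' -f $dc, $byDc[$dc].Count }
$report |
    Where-Object { $r = $_; @($DCs | Where-Object { $r.$_ -ne 'ok' }).Count -gt 0 } |
    Format-Table -AutoSize
```

A row that reads ok on every DC only shows that the folder and gpt.ini exist there, not that their contents match; the Scripts folder mentioned above needs its own comparison.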
jct_777 (Author) Commented:
Hi,

I am on leave; I will update on the 14th of this month.

Regards,

JCT
0
DrDave242 Commented:
Any updates?
0
jct_777 (Author) Commented:
Hi,

I extended my leave to the 3rd of Jan. On the 4th I will be joining & will update you.

Regards,

Jct
0
jct_777 (Author) Commented:
Hi,

Today I have checked all three DCs. As per your advice, in DC1 there are around 90 policies.
But in DC2 & DC3 the total no. of policies is exactly 50.

Around 40 policies are missing from both the DCs.

Please help me what to do.

Regards,

JCT
0
DrDave242 Commented:
OK, it sounds like DC1 has the most complete set of GPOs. Therefore, you should perform the authoritative DFSR sync procedure I linked above, using DC1 as the authoritative DC.
0
jct_777 (Author) Commented:
Hi ,

I will try to perform the troubleshooting as it is mentioned in the above links i.e.
OK, your best bet will be to perform an authoritative sync (https://support.microsoft.com/en-us/kb/2218556) of DFSR across the three DCs.

Regards,

JCT
0
DrDave242 Commented:
Let me know how it goes.
0
jct_777 (Author) Commented:
Hi,

I got a little bit confused. In the given link: https://support.microsoft.com/en-us/kb/2218556

Step no. 1: How to perform a non-authoritative synchronization of DFSR-replicated SYSVOL (like "D2" for FRS)

Do I need to perform the above step on Domain 1 (authoritative) as you mentioned above? If so, then this option is not there:

CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<the server name>,OU=Domain Controllers,DC=<domain>

Regards,

JCT
0
jct_777 (Author) Commented:
Hi ,

Waiting for your valuable reply.

Regards,

JCT
0
DrDave242 Commented:
Sorry for the delay. Skip the entire non-authoritative section; you only need to perform the steps in How to perform an authoritative synchronization of DFSR-replicated SYSVOL (like "D4" for FRS).
0
jct_777 (Author) Commented:
As I have mentioned above, I was getting the error: group policy failed to read the file \\domain\sysvol\etc... \policy no. Yesterday by mistake I deleted this policy no. on domain1. Now when I run the command gpupdate on the domain it gives me the same error: name resolution, file replication & DFS disabled, also pointing to that missing policy no.

Previously I was getting those errors on some clients, but after deleting that particular policy no. I am getting the error on the Domain also.

Regards,

JCT
0
jct_777 (Author) Commented:
Hi,

I have recovered the deleted policy. Now on the main domain, if I run gpupdate, it completes successfully.

Regards
JCT
0
DrDave242 Commented:
That's good. Do the DFSR event logs on the DCs indicate that SYSVOL replication is working, or is it still failing?
0
jct_777 (Author) Commented:
Hi,

I will update you tomorrow. I still have the same problem.

Regards,

JCT
0
jct_777 (Author) Commented:
Hi,

I performed some steps that were mentioned in the above link on the last working day. But when I came in this morning I saw some wallpapers were missing from the sysvol\wallpapers folder.

At last I recovered all the wallpapers and also restored some GPs which were linked to those wallpapers. I don't know why it happened like this.

DFSR services are running. Netlogon service is running. I even did dcdiag /test:netlogons. Everything is working fine.

But what had caused the problem?

Regards,

JCT
0
DrDave242 Commented:
Determining what initially caused SYSVOL to stop replicating may be difficult or impossible at this point, as we don't know how long the problem has been happening. Looking back through the DFSR event logs to find the earliest errors may help, but event logs don't always give the whole picture.

To make sure everything is really working now, you may want to create a test file (a small text file should be fine) and place it in SYSVOL on one of the DCs, then make sure it gets replicated to the others.
0
jct_777 (Author) Commented:
Hi,

Sorry I didn't update. I am currently on leave. Will join on 1st February.

Before going on leave I created another group policy, i.e. desktop shortcuts. I have to check whether it got applied or not.

Regards,

JCT
0

Question has a verified solution.