
Winning GPO out of date.


  • Winning GPO out of date.

    We had our Active Directory set up to apply the proxy settings. Everything was working great until our provider changed proxies on us.

    We changed all our GPOs accordingly. There are about 20 out of 600 users who are not being affected by the current changes to the GPO. When I run the Group Policy Results wizard for one of those users and machines, I find that the child GPO is not current. The revision in the report for the winning GPO is AD (47), Sysvol (43). When I go and look at the user version in the properties of the GPO it is at AD (47), Sysvol (47).

    I have tried this on 2 different client machines. Getting the same results.

    What is causing AD to apply the old version of the GPO?

    Thanks in advance.

  • #2
    Re: Winning GPO out of date.

    Are the affected users all authenticated by a specific DC? Any chance you have SYSVOL replication issues to that DC?

    You can also try to force the refresh of the GPO on the clients by configuring a GPO that is applied to computers that forces the IE settings from GPO to be refreshed even if not changed in GPO:
    Attached Files
    Last edited by guyt; 31st January 2007, 22:54.
    Guy Teverovsky
    "Smith & Wesson - the original point and click interface"
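The AD (47) / Sysvol (43) mismatch from the first post can be checked per domain controller, which shows which replica is serving a stale gpt.ini. This is an added example, not code from the thread; it assumes PowerShell 3.0 or later, the ActiveDirectory (RSAT) module and read access to each DC's SYSVOL share, and it uses the GPO GUID from the Userenv 1058 event quoted further down as a sample value.

```powershell
# Added example (not from the thread): compare a GPO's version in AD with the
# Version= value in gpt.ini on every DC's own SYSVOL replica.
Import-Module ActiveDirectory

# Sample GUID taken from the Userenv 1058 event quoted in this thread;
# substitute the GUID of the GPO you are checking.
$GpoGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'

$domain = Get-ADDomain
$gpoDn  = "CN=$GpoGuid,CN=Policies,CN=System,$($domain.DistinguishedName)"

function Split-GpoVersion([int]$Raw) {
    # AD versionNumber and gpt.ini Version pack two counters into 32 bits:
    # user revision in the high 16 bits, computer revision in the low 16 bits.
    '{0}/{1}' -f (($Raw -shr 16) -band 0xFFFF), ($Raw -band 0xFFFF)
}

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName
    try {
        # Ask this specific DC for its copy of the GPO object.
        $adRaw = (Get-ADObject -Identity $gpoDn -Server $name `
                    -Properties versionNumber -ErrorAction Stop).versionNumber

        # Read gpt.ini from this DC's share rather than the domain DFS path,
        # so each replica is checked individually.
        $ini = "\\$name\SYSVOL\$($domain.DNSRoot)\Policies\$GpoGuid\gpt.ini"
        $hit = Select-String -LiteralPath $ini -Pattern '^\s*Version\s*=\s*(\d+)' `
                    -ErrorAction Stop | Select-Object -First 1
        if (-not $hit) { throw "no Version= line in $ini" }
        $sysRaw = [int]$hit.Matches[0].Groups[1].Value

        [pscustomobject]@{
            DC                       = $name
            'AD (user/computer)'     = Split-GpoVersion $adRaw
            'SYSVOL (user/computer)' = Split-GpoVersion $sysRaw
            Status = if ($adRaw -eq $sysRaw) { 'in sync' } else { 'MISMATCH' }
        }
    } catch {
        # An unreachable DC or share is itself a finding: report it, keep going.
        [pscustomobject]@{ DC = $name; 'AD (user/computer)' = '?'
            'SYSVOL (user/computer)' = '?'; Status = "ERROR: $($_.Exception.Message)" }
    }
}
$report | Format-Table -AutoSize -Wrap
```

A DC whose row shows MISMATCH or ERROR is the one to examine for File Replication Service or name-resolution problems before looking at the clients.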



    • #3
      Re: Winning GPO out of date.

      We are having replication issues... But some people on specific DCs are fine and some aren't. Even the people who log directly into the main DC, the one AD sits on, are having the problem.

      How should we troubleshoot the DC? We already tried clearing the DNS cache but haven't noticed an effect.



      • #4
        Re: Winning GPO out of date.

        Start fixing the replication issues. Post any logs from the Event Viewer which are important. My guess is that you should look at that.
        Marcel
        Technical Consultant
        Netherlands
        http://www.phetios.com
        http://blog.nessus.nl

        MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
        "No matter how secure, there is always the human factor."

        "Enjoy life today, tomorrow may never come."
        "If you're going through hell, keep going. ~Winston Churchill"



        • #5
          Re: Winning GPO out of date.

          I am getting these logs

          Code:
          Event Type:	Error
          Event Source:	Userenv
          Event Category:	None
          Event ID:	1058
          Date:		2/2/2007
          Time:		2:42:08 PM
          User:		NT AUTHORITY\SYSTEM
          Computer:	FULTON31
          Description:
          Windows cannot access the file gpt.ini for GPO cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=fcdjfs,DC=co,DC=franklin,DC=oh,DC=us. The file must be present at the location <\\fcdjfs.co.franklin.oh.us\sysvol\fcdjfs.co.franklin.oh.us\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Logon Failure: The target account name is incorrect. ). Group Policy processing aborted. 
          
          For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

          and (one for each of the five servers)

          Code:
          Event Type:	Warning
          Event Source:	NtFrs
          Event Category:	None
          Event ID:	13508
          Date:		2/7/2007
          Time:		2:01:42 PM
          User:		N/A
          Computer:	FULTON31
          Description:
          The File Replication Service is having trouble enabling replication from NORTHEAST31 to FULTON31 for c:\windows\sysvol\domain using the DNS name northeast31.fcdjfs.co.franklin.oh.us. FRS will keep retrying. 
           Following are some of the reasons you would see this warning. 
           
           [1] FRS can not correctly resolve the DNS name northeast31.fcdjfs.co.franklin.oh.us from this computer. 
           [2] FRS is not running on northeast31.fcdjfs.co.franklin.oh.us. 
           [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers. 
           
           This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.
          
          For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
          Data:
          0000: d5 04 00 00               Õ...

          and (one for each server)

          Code:
          Event Type:	Warning
          Event Source:	NTDS Replication
          Event Category:	DS RPC Client 
          Event ID:	2088
          Date:		2/7/2007
          Time:		8:30:01 AM
          User:		NT AUTHORITY\ANONYMOUS LOGON
          Computer:	FULTON31
          Description:
          Active Directory could not use DNS to resolve the IP address of the source domain controller listed below. To maintain the consistency of Security groups, group policy, users and computers and their passwords, Active Directory successfully replicated using the NetBIOS or fully qualified computer name of the source domain controller. 
           
          Invalid DNS configuration may be affecting other essential operations on member computers, domain controllers or application servers in this Active Directory forest, including logon authentication or access to network resources. 
           
          You should immediately resolve this DNS configuration error so that this domain controller can resolve the IP address of the source domain controller using DNS. 
           
          Alternate server name: 
           south31 
          Failing DNS host name: 
           1e41d7e3-9bf8-4575-b578-e30e7915a234._msdcs.fcdjfs.co.franklin.oh.us 
           
          NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur.  To log all individual failure events, set the following diagnostics registry value to 1: 
           
          Registry Path: 
          HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client 
           
          User Action: 
           
           1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498. 
           
           2) Confirm that the source domain controller is running Active directory and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>". 
           
           3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on http://www.microsoft.com/dns 
           
            dcdiag /test:dns 
           
           4) Verify that that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows: 
           
            dcdiag /test:dns 
           
           5) For further analysis of DNS error failures see KB 824449: 
             http://support.microsoft.com/?kbid=824449 
           
          Additional Data 
          Error value: 
           11004 The requested name is valid, but no data of the requested type was found. 
          
          
          For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



          • #6
            Re: Winning GPO out of date.

            Just an FYI. We ended up finding a script in the policies that set the proxy settings. Apparently scripts are applied after the policy.

            As far as repairing replication:

            Repaired file replication (NTFRS) issues on servers SOUTH31 and NORTHEAST31 by enabling automatic restore of the replica to resolve “JRNL_WRAP_ERROR” messages. (Event ID 1356

            Thanks for your feedback.



            • #7
              Re: Winning GPO out of date.

              Thanks for posting back the fix
              Guy Teverovsky
              "Smith & Wesson - the original point and click interface"
