Problem Applying Group Policy to Entire AD Tree - Windows 2000 Server
  • Problem Applying Group Policy to Entire AD Tree - Windows 2000 Server

    I am having a problem applying a GPO to an entire AD tree.

    I have a Parent Domain - Domain.com and under that about 10 sub domains - sub1.domain.com, sub2.domain.com etc. At the moment Group Policy settings are set from domain level under all of the Sub Domains; this is a little hard to manage sometimes, so I would like to have a single point where I can set policies for every user and computer in all sub domains and the parent domain. I thought that I could achieve this by setting a GPO at the Site level but have had no luck.

    So far I have applied a group policy to the Site in AD Sites and Services from a Domain Controller on the Parent Domain. When looking at the site, it contains all servers in the Sub Domains. On checking the result from a gpresult, the group policy applies to Servers in the Sub Domains but not to the users and computers. I have checked Block Policy Inheritance and have also tried setting No Override.

    I have also been receiving the following errors in the Application log on both servers in the Parent Domain that I think might have something to do with the problem:

    Event ID 1000: Windows cannot query for the list of Group Policy objects . A message that describes the reason for this was previously logged by this policy engine.

    Event ID 1000: Windows cannot access the file gpt.ini for GPO The file must be present at the location <>. (). Group Policy processing aborted.

    Event ID 1000: Windows cannot connect to sub1.domain.com.au with (0x0).

    Any help or pointers as to what may be the cause, or a better way to go about things, would be appreciated.

    Thank you

  • #2
    Re: Problem Applying Group Policy to Entire AD Tree - Windows 2000 Server

    Hi Rounds04

    10 sub domains
    Why all the domains?

    I have a feeling this is going to be like pulling teeth but here goes.

    -Could you draw a diagram of your topology?
    -Could you tell us from what server you configured the GPO and linked it to the site?
    -Are all DCs in the same site?
    -Have you set the subnet for the site?
    -Can you post the full errors?
    -Are there errors on the client machines?
    -Have you read through http://technet2.microsoft.com/Window....mspx?mfr=true (tons of troubleshooting info)
    -Have you read http://www.eventid.net/display.asp?e...serenv&phase=1

    Well that will do for starters and we'll work from there.
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com



    • #3
      Re: Problem Applying Group Policy to Entire AD Tree - Windows 2000 Server

      Hi JeremyW Thanks for the reply

      Why All The Domains? Very good question, which I have also asked myself; it's actually 14 SubDomains. I didn't build the network, so hopefully that should change on the next upgrade.

      I've attached a topology of the network; sorry, the quality didn't turn out too well when I attached it. The top 2 servers are dc1 & dc2; all others are in Sub Domains.
      The GPO is configured from DC1.domain.com
      All DCs are in the same site
      No Subnet Set for the Site
      Here are the full errors from the dc1.domain.com (below are errors from the client machines)

      Event Type: Error
      Event Source: Userenv
      Event Category: None
      Event ID: 1000
      Date: 13/2/2007
      Time: 05:31:22
      User: Domain\Administrator
      Computer: DC1
      Description:
      Windows cannot query for the list of Group Policy objects . A message that describes the reason for this was previously logged by this policy engine.


      Event Type: Error
      Event Source: Userenv
      Event Category: None
      Event ID: 1000
      Date: 13/2/2007
      Time: 05:31:22
      User: Domain\Administrator
      Computer: DC1
      Description:
      Windows cannot access the file gpt.ini for GPO The file must be present at the location <>. (). Group Policy processing aborted.

      Event Type: Error
      Event Source: Userenv
      Event Category: None
      Event ID: 1000
      Date: 13/2/2007
      Time: 05:21:08
      User: NT AUTHORITY\SYSTEM
      Computer: DC1
      Description:
      Windows cannot connect to sub1.domain.com.au with (0x0).

      And From the Client Computer:
      I'm not sure whether this is related.

      Event Type: Error
      Event Source: Userenv
      Event Category: None
      Event ID: 1085
      Date: 14/02/2007
      Time: 6:58:56 AM
      User: NT AUTHORITY\SYSTEM
      Computer: Computer1
      Description:
      The Group Policy client-side extension Software Installation failed to execute. Please look for any errors reported earlier by that extension.

      For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

      Thanks for the Help


      • #4
        Re: Problem Applying Group Policy to Entire AD Tree - Windows 2000 Server

        -Is the GPO successfully applying to clients in the root domain?
        -Can the clients in the sub-domain successfully connect to one of the DCs in the root domain?

        I did a quick search on the errors and haven't found anything relevant yet but there's obviously something wrong.
        Is all other Group Policy processing working fine? (i.e. are all the other GPOs getting applied correctly)


        On a side note do you have other admins that work with you?
        I'm just wondering if it wouldn't be more cost effective for you to consolidate down to as few domains as possible (1 ideally) now instead of waiting for an upgrade.

        EDIT - let me know if the Event ID link applies at all. Also run netdiag, dcdiag, and gpotool.exe and see if they give you any errors http://www.windowsitpro.com/Article/...396/44396.html
        Last edited by JeremyW; 14th February 2007, 15:57.
        Regards,
        Jeremy

        Network Consultant/Engineer
        Baltimore - Washington area and beyond
        www.gma-cpa.com



        • #5
          Re: Problem Applying Group Policy to Entire AD Tree - Windows 2000 Server

          The GPO is not applying to clients in the root domain; it's only applying to Servers.
          Yes, clients in the sub domain can successfully connect to the DCs in the root domain.

          I've added everyone to read and apply group policy, still with no luck.

          Ran DCDiag, NetDiag and GPOTool.exe with no errors

          I tried everything on the Event ID Link and gave the everybody group access to the GPO. I have the GPT.ini files; they are not missing and the permissions on them look fine. The binding order of the NICs is correct.

          Yeah, there are other admins here. I would like to change to 1 domain as soon as possible but will have to wait for the upgrade, which won't be for a while yet. Things do work at the moment, they just don't work as well as they could.
          Last edited by Rounds04; 15th February 2007, 03:16.



          • #6
            Re: Problem Applying Group Policy to Entire AD Tree - Windows 2000 Server

            What are the settings you're trying to apply?
            Could you post the output of gpresults from both the servers and a client? (sanitize as necessary)
            Regards,
            Jeremy

            Network Consultant/Engineer
            Baltimore - Washington area and beyond
            www.gma-cpa.com



            • #7
              Re: Problem Applying Group Policy to Entire AD Tree - Windows 2000 Server

              Originally posted by JeremyW:
              What are the settings you're trying to apply?
              Could you post the output of gpresults from both the servers and a client? (sanitize as necessary)
              Also check the contents of your SYSVOL folders and trust relationships between domains because it looks like a replication problem (GPOs not in the right place).

              Comment
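
Post #7 suggests checking the SYSVOL contents for a replication problem, and the logged Userenv error concerns gpt.ini. The following is an added example, not code from any poster in this thread: it compares the Version in each DC's copy of a GPO's gpt.ini with the GPO's versionNumber attribute in Active Directory and reports missing or stale copies. The DC names and file contents are constructed sample data, and fetching the files and the AD attribute is assumed to happen elsewhere.

```python
import configparser

def parse_gpt_ini(text):
    """Return the integer Version from gpt.ini content, or None if unreadable."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(text)
        return parser.getint("General", "Version")
    except (configparser.Error, ValueError):
        return None

def split_version(version):
    """High 16 bits hold the user-settings revision, low 16 bits the computer one."""
    return version >> 16, version & 0xFFFF

def check_gpo(ad_version, sysvol_copies):
    """Compare each DC's gpt.ini (text, or None if the file is absent) with AD."""
    ad_user, ad_comp = split_version(ad_version)
    findings = {}
    for dc, text in sysvol_copies.items():
        if text is None:
            findings[dc] = "gpt.ini missing"
            continue
        version = parse_gpt_ini(text)
        if version is None:
            findings[dc] = "gpt.ini unreadable"
        elif version != ad_version:
            user, comp = split_version(version)
            findings[dc] = (
                "version mismatch: SYSVOL user=%d/computer=%d, "
                "AD user=%d/computer=%d" % (user, comp, ad_user, ad_comp)
            )
        else:
            findings[dc] = "ok"
    return findings

# Constructed sample data: one GPO, three hypothetical domain controllers.
AD_VERSION = 65539  # user revision 1, computer revision 3
SYSVOL_COPIES = {
    "DC1": "[General]\nVersion=65539\n",
    "SUB1-DC1": "[General]\nVersion=65538\n",  # stale copy
    "SUB2-DC1": None,                          # file never replicated
}

if __name__ == "__main__":
    for dc, finding in check_gpo(AD_VERSION, SYSVOL_COPIES).items():
        print(dc, "->", finding)
```
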


              • #8
                Re: Problem Applying Group Policy to Entire AD Tree - Windows 2000 Server

                Errm... forgive me if I appear stupid, but what with the Domain boundary being a security boundary, CAN you apply a single GPO to the whole forest?! I thought you had to have a similar GPO in each domain and link it there....?


                Tom
                For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

                Anything you say will be misquoted and used against you



                • #9
                  Re: Problem Applying Group Policy to Entire AD Tree - Windows 2000 Server

                  Originally posted by Stonelaughter:
                  Errm... forgive me if I appear stupid, but what with the Domain boundary being a security boundary, CAN you apply a single GPO to the whole forest?! I thought you had to have a similar GPO in each domain and link it there....?
                  Oh you can link GPOs across domains. The Forest is the real security boundary.

                  Here, this touches on it a little.
                  If you have a number of policy settings to apply to computers in a particular physical location only (certain network or proxy configuration settings, for example), these settings might be appropriate for inclusion in a site-based policy. Because domains and sites are independent, it is possible that computers in the site might need to cross domains to link the GPO to the site. In this case, make sure there is good connectivity.

                  If, however, the settings do not clearly correspond to computers in a single site, it is better to assign the GPO to the domain or OU structure rather than to the site.
                  http://technet2.microsoft.com/Window....mspx?mfr=true
                  Regards,
                  Jeremy

                  Network Consultant/Engineer
                  Baltimore - Washington area and beyond
                  www.gma-cpa.com



                  • #10
                    Re: Problem Applying Group Policy to Entire AD Tree - Windows 2000 Server

                    Yeah I knew you could do that... i.e. you link it to the site and it applies to all affected machines in the site. But it looks like the OP is trying to link a GPO "to the forest" and have it apply broad-brush across the enterprise... I'm not sure this is possible. If you apply to the Domain it only applies to the Domain; if you apply to the Site it only applies to the site (and I cannot believe that a forest with ten sub-domains is in a single site).

                    How would you apply across a whole FOREST?


                    Tom
                    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

                    Anything you say will be misquoted and used against you



                    • #11
                      Re: Problem Applying Group Policy to Entire AD Tree - Windows 2000 Server

                      Well the OP did say everything was in the same site so in theory it should work...AFAIK.

                      There may be some site settings that are tripping the OP up but until he/she comes back and gives us an update, I won't bother speculating.
                      Regards,
                      Jeremy

                      Network Consultant/Engineer
                      Baltimore - Washington area and beyond
                      www.gma-cpa.com
