GPO pulled from different DC's


  • GPO pulled from different DC's

    Hi guys,

    Long time no speak (type).

    Anyway, I've joined up with a new company and I am experiencing some strange issues regarding group policies being applied sporadically.

    We have multiple locations but I'll stick to this location only for now. We have 3 DC's here at this location, 1 - 2008 Enterprise, and 2 - 2003 Enterprise servers that serve as DC's.

    1 - 2003 Exch - Primary - Operations Master RID/PDC/Infrastructure
    2 - 2003 ENT - Schema Master/ Domain naming master
    3 - 2008 DFS - no roles

    Clients WinXP Pro

    It seems as though when group policies are being pulled, it pulls or looks for the file on different DC's. Now normally this wouldn't be a problem because of replication, but it is either very slow or there are some network connectivity issues going on here. I'm leaning toward network connectivity, but after looking in replmon and checking sites and services, it all seems to be in place and working as it should. Also, there seem to be folders missing in SYSVOL on the DFS server that are not present on the other two DC's as well.

    Is there anywhere else I can look or check out that you guys know of to investigate? Any help or suggestions is much appreciated.
    Last edited by Mudd; 29th October 2010, 01:02.

  • #2
    Re: GPO pulled from different DC's

    Look for the sysvol folder on the DC's. This is where all the GPO's are stored. I don't know why there would be a sysvol folder on a DFS server. What files are missing in the sysvol folder? Generally, all GPO folders are stored in sysvol folders; if someone has moved them somewhere else you will get strange behaviour, because the default location GPMC looks for files is the sysvol folder.



    • #3
      Re: GPO pulled from different DC's

      Hi,

      Try running the following tool to diagnose issues with your gpo
      GP Best Practice Analyser
      http://support.microsoft.com/kb/940122
      Thanks & Regards
      v-2nas

      MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7
      Sr. Wintel Eng. (Investment Bank)
      Independent IT Consultant and Architect
      Blog: http://www.exchadtech.blogspot.com

      Show your appreciation for my help by giving reputation points



      • #4
        Re: GPO pulled from different DC's

        Originally posted by pharkle35:
        Look for the sysvol folder on the DC's. This is where all the GPO's are stored. I don't know why there would be a sysvol folder on a DFS server. What files are missing in the sysvol folder? Generally, all GPO folders are stored in sysvol folders; if someone has moved them somewhere else you will get strange behaviour, because the default location GPMC looks for files is the sysvol folder.

        Someone has made a DC and DFS server on the same server, and I've read how DFS can cause problems and that I needed to fix something with DFS, but I thought I'd try here first.

        Anyway, yes, there are different amounts of folders between the three DC's.

        DC1-WIN/2003 Schema, Domain naming,..........9 policy folders.
        DC2-WIN/2003 PRIMARY, Exchange....................5 policy folders.
        DC3-WIN/2008 DFS.........................................5 policy folders.

        Strange things are happening even with file permissions. I'm also leaning to the fact that I think the permission on the SYSVOL/DOMAIN/POLICY folders are different on all three. I'm afraid to start messing and changing things too much, but I'll see what you guys have to say about this first.

        Seems as though policies take turns coming from different servers, but if they were replicating correctly it wouldn't matter 'cause all the info would be the same, but since it isn't there is something seriously wrong with this setup.

        I'm tempted to demote the WIN/2008 DC from being a DC to at least get one server out of the equation and plus it being a DFS server anyway.

        So I think the rabbit hole goes down further than just GPO's being corrupted or not synced.



        • #5
          Re: GPO pulled from different DC's

          Since your SYSVOL share is inconsistent between DCs, I would guess that you have a replication problem. I'm not 100%, but I think mixed mode domains would be using FRS for replication. I would start with a dcdiag including the DNS test. Are there any errors in the File Replication Service event logs?



          • #6
            Re: GPO pulled from different DC's

            A W2K8 DC uses DFSR if the participating DCs are W2K8 and FFL/DFL are at Win2K8; otherwise it uses FRS in a mixed mode env.
            Thanks & Regards
            v-2nas

            MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7
            Sr. Wintel Eng. (Investment Bank)
            Independent IT Consultant and Architect
            Blog: http://www.exchadtech.blogspot.com

            Show your appreciation for my help by giving reputation points



            • #7
              Re: GPO pulled from different DC's

              Originally posted by ScottMcD:
              Since your SYSVOL share is inconsistent between DCs, I would guess that you have a replication problem. I'm not 100%, but I think mixed mode domains would be using FRS for replication. I would start with a dcdiag including the DNS test. Are there any errors in the File Replication Service event logs?

              Tried running NETDIAG tests but getting an error about DNSAPI.DLL after running netdiag.

              "The procedure entry point DnsGetPrimaryDomainName_UTF8 could not be located in the dynamic link library DNSAPI.DLL"

              WTF!!!!

              Crap loads of 13508 and NO 13509 error that would specify a connection was established.

              Trying to fix the DNSAPI.DLL error currently.

              <SIGH>
              Last edited by Mudd; 3rd November 2010, 00:55.



              • #8
                Re: GPO pulled from different DC's

                Originally posted by Mudd:
                Tried running NETDIAG tests but getting an error about DNSAPI.DLL after running netdiag.

                "The procedure entry point DnsGetPrimaryDomainName_UTF8 could not be located in the dynamic link library DNSAPI.DLL"

                WTF!!!!

                That means you are using the wrong version of Netdiag. If this is a 2003 server then make sure you use Netdiag from the Windows Server 2003 Support Tools.
                Software for IT Pros that I've written: http://www.cjwdev.co.uk/Software.html

                My blog: http://cjwdev.wordpress.com



                • #9
                  Re: GPO pulled from different DC's

                  Originally posted by chris128:
                  That means you are using the wrong version of Netdiag. If this is a 2003 server then make sure you use Netdiag from the Windows Server 2003 Support Tools.

                  SWEET!

                  That fixes that (ID-10-T) error.

                  Now back to the issue at hand.

                  Thank you.



                  • #10
                    Re: GPO pulled from different DC's

                    After running "netdiag /q" I get this.


                    "Warning: DC1-SERVER is not advertising as a time server.
                    ......................... DC1-SERVER failed test Advertising
                    There are warning or error events within the last 24 hours after the
                    SYSVOL has been shared. Failing SYSVOL replication problems may cause
                    Group Policy problems.
                    ......................... DC1-SERVER failed test frsevent"




                    Another thing to note is, there was another DC that was taken offline back in August. Not sure if this would cause issues or not regarding the SYSVOL replication.



                    • #11
                      Re: GPO pulled from different DC's

                      Update:

                      I just performed a Nonauthoritative Restore using this method on all 3 DC's.

                      1. Stopped NTFRS
                      2. Changed burflags in registry for NTFRS to D2
                      3. Restarted NTFRS.

                      Supposedly this is supposed to get all the partners in the replica set back up to date.

                      I'm going to let it sit over night to see if everything gets synced up but I'm not crossing my fingers.

                      I'll keep you informed.



                      • #12
                        Re: GPO pulled from different DC's

                        Ok so this didn't sync up the folders with all three DC's.

                        Could it be that the permissions on either the SYSVOL share or the policy folders themselves are different on the DC's?



                        • #13
                          Re: GPO pulled from different DC's

                          UPDATE:

                          GPO folders and GPO's are now up to date with the exception of the Default Domain Policy.

                          Currently working on that.



                          • #14
                            Re: GPO pulled from different DC's

                            This issue is now about 99% resolved.

                            Thanks for all your help guys, I can always count on members from Petri.



                            • #15
                              Re: GPO pulled from different DC's

                              Hi guys,

                              Just wanted to share the solution with you. It turned out to be an easy fix. The permissions were all screwed up with them being different on all DC's SYSVOL NTFS/SHARE. Not sure what the previous IT guy was thinking when he did this but it is what it is, or was.

                              Thanks again for all the suggestions.
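
The two symptoms reported in posts #4 and #15 (a different number of policy folders on each DC, and NTFS permissions that differ between the DCs' SYSVOL copies) can be checked in one pass. The script below is an added example, not code from the thread. The DC names and the DNS domain are placeholders, and it compares only the NTFS ACLs on the GPO folders, not the share permissions.

```powershell
# Assumed names: replace with your own DCs and DNS domain (placeholders, not from the thread).
$DomainControllers = 'DC1', 'DC2', 'DC3'
$DomainDnsName     = 'example.local'

# Read every GPO folder under one DC's own SYSVOL copy, with its NTFS ACL as SDDL.
function Get-SysvolPolicySnapshot {
    param([string]$Server, [string]$Domain)
    $root = "\\$Server\SYSVOL\$Domain\Policies"
    Get-ChildItem -Path $root -ErrorAction Stop |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Server = $Server
                Gpo    = $_.Name
                Sddl   = (Get-Acl -Path $_.FullName).Sddl
            }
        }
}

# Report GPO folders that are absent on some DC or carry more than one distinct ACL.
function Compare-SysvolSnapshot {
    param([object[]]$Snapshot, [string[]]$Servers)
    foreach ($group in ($Snapshot | Group-Object -Property Gpo)) {
        $present = @($group.Group | ForEach-Object { $_.Server })
        $missing = @($Servers | Where-Object { $present -notcontains $_ })
        $acls    = @($group.Group | Select-Object -ExpandProperty Sddl -Unique)
        if ($missing.Count -gt 0 -or $acls.Count -gt 1) {
            New-Object PSObject -Property @{
                Gpo         = $group.Name
                MissingOn   = $missing -join ', '
                AclVariants = $acls.Count
            }
        }
    }
}

# Query each DC by name so the comparison is not satisfied by whichever DC the
# domain-based \\domain\SYSVOL path happens to resolve to.
$snapshot = foreach ($dc in $DomainControllers) {
    try { Get-SysvolPolicySnapshot -Server $dc -Domain $DomainDnsName }
    catch { Write-Warning "Could not read SYSVOL on ${dc}: $_" }
}
Compare-SysvolSnapshot -Snapshot $snapshot -Servers $DomainControllers |
    Sort-Object Gpo | Format-Table Gpo, MissingOn, AclVariants -AutoSize
```

An empty table means every GPO folder exists on all listed DCs with an identical ACL string; any row is a folder to inspect before changing permissions or forcing replication.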
