DNS settings for group policy management


  • DNS settings for group policy management

    Hi everyone,

    I've been experimenting with creating GPOs, but when I attempt a gpupdate /force on the client machines, I receive an error saying the processing of Group Policy failed. I did a \\ourdomain.com\SysVol\ourdomain.com\Policies from the client machines and the GPO ID of the policy I created is not in the folder (not redirecting properly). When I do \\192.168.1.114\SysVol\ourdomain.com\Policies from the client machines, the policy is shown. When I ping our domain it resolves to the IP of our Exchange server (.115) on some machines and our DC (.114) on others.

    Since this is an obvious DNS issue my question is, how would I go about updating the records without breaking anything? We want \\ourdomain.com to redirect to our DC (.114), not our Exchange server (.115). Or am I missing something basic here, such as manually copying the policy from our DC to our Exchange server?

  • #2
    Re: DNS settings for group policy management

    Assuming the Exchange server is NOT a DC, something is VERY wrong if sysvol ends up on it.

    Tell us more about your infrastructure so we can give better advice.
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: DNS settings for group policy management

      We're running Essential Business Server 2008, which consists of 3 servers with unique roles: Management (DC), Messaging (Exchange), and Security (Forefront TMG firewall). As far as I know, the Management server is responsible for Group Policy Management, but I have also seen entries on the Messaging server as well. When I create GPOs on the Management server, they seem to be replicated onto the Messaging server as well. The thing is, I'm not seeing the policy being copied onto the sysvol of the Messaging server. Something stinks here but I can't quite figure out what it is.

      Edit:
      So upon further investigation, I found out the Management and Messaging servers are using the File Replication Service and are configured according to the FRS wiki but it obviously isn't syncing properly. If I could get this to work then that would basically solve my problem unless anyone thinks otherwise. It makes sense in case either of our servers takes a dump on us, we'd have redundant sysvol directories for group policy.
      Last edited by crowntech; 1st September 2011, 21:34. Reason: update



      • #4
        Re: DNS settings for group policy management

        IMHO get a consultant to have a look at the setup. As I said, Exchange is not normally on a DC (shouldn't be, anyway), so the Exchange server should not have Sysvol on it.

        Go into ADUC and check which servers are DCs -- if Exchange is, and if replication is broken, you have problems as the usual fix (unpromote and repromote to DC) will break Exchange.
        Tom Jones




        • #5
          Re: DNS settings for group policy management

          Originally posted by crowntech:
              \\ourdomain.com\SysVol\ourdomain.com\Policies

          Does this folder even exist on the Exchange server? If it's not a DC then it shouldn't be there, like Tom said. Please confirm.

          Run dcdiag on the two servers and see what errors they show.
          Run repadmin /syncall and see if you get any errors.
          And finally, what DNS servers are configured on the NICs of the two servers?
          Regards,
          Jeremy

          Network Consultant/Engineer
          Baltimore - Washington area and beyond
          www.gma-cpa.com



          • #6
            Re: DNS settings for group policy management

            I have confirmed the sysvol does exist on our Exchange server which makes it a DC, something I was unaware of due to the unusual circumstances and lack of documentation.

            Upon running dcdiag, here are the errors I am seeing

            Management server:
            Starting test: FrsEvent
            There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
            MGMTSERVER failed test SystemLog

            Messaging server:
            Starting test: FrsEvent
            There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
            MSSGSERVER failed test SystemLog

            Both are also failing to process the created GPOs (FRS not working).

            Upon running repadmin /syncall on both servers, they complete with no errors.

            For DNS, Management and Messaging have 1 NIC each and have been manually configured to point to each other for DNS. Our Security server has 2 NICs, one with public IP and another with private IP. The LAN NIC points to our internal DNS servers (Management and Messaging), while the WAN NIC points to an ISP DNS server.

            Just a side note, I didn't design or implement any of this. When I came aboard I was told to figure out this cluster**** of a system. It's been a fun 6 months!



            • #7
              Re: DNS settings for group policy management

              Please look through the FrsEvent log and post any errors. There will probably be one or two (or more) recurring errors.

              Also, for now, while we try and get replication working, point DNS on both the Management and Messaging servers to the Management server (.114).

              As a side note, DCs that are DNS servers should point to themselves once replication has occurred, not to another DNS server. Having them point to each other means that when one goes down they both go down, since AD relies on DNS.
              Regards,
              Jeremy

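The DNS client ordering Jeremy describes (each DC that runs DNS lists itself first, with another DC as the secondary) is easy to audit from one admin session. The following PowerShell is an added example, not code from the thread or from any of the posters; it reads each DC's adapter configuration over WMI (Win32_NetworkAdapterConfiguration exists on Server 2008, unlike the newer DnsClient cmdlets) and assumes RPC access as a domain admin. The server names and addresses are the ones quoted earlier in the thread.

```powershell
# Added example: audit the DNS client search order on each domain controller.
# Assumes WMI/RPC access to both servers from a domain admin session.
# Names and addresses below are the ones quoted in the thread.
$DomainControllers = @(
    @{ Name = 'MGMTSERVER'; Address = '192.168.1.114' },
    @{ Name = 'MSSGSERVER'; Address = '192.168.1.115' }
)

function Test-DcDnsClientOrder {
    param([Parameter(Mandatory)] [hashtable[]] $Dcs)

    $allDcAddresses = $Dcs | ForEach-Object { $_.Address }

    foreach ($dc in $Dcs) {
        # Win32_NetworkAdapterConfiguration is available on Server 2008 and later.
        $nics = Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
                              -ComputerName $dc.Name `
                              -Filter 'IPEnabled = TRUE'
        foreach ($nic in $nics) {
            $order = @($nic.DNSServerSearchOrder)
            if ($order.Count -eq 0) {
                Write-Warning "$($dc.Name): adapter '$($nic.Description)' has no DNS servers configured"
                continue
            }

            # A DC that hosts DNS should resolve against itself first (its own IP or loopback) ...
            $selfFirst = ($order[0] -eq $dc.Address) -or ($order[0] -eq '127.0.0.1')

            # ... and list a different DC further down so it still resolves if its own service is down.
            $partner = @($order | Select-Object -Skip 1 |
                         Where-Object { ($allDcAddresses -contains $_) -and ($_ -ne $dc.Address) })

            if ($selfFirst -and $partner.Count -gt 0) { $verdict = 'OK' }
            elseif (-not $selfFirst)                  { $verdict = 'Points elsewhere first' }
            else                                      { $verdict = 'No secondary DC listed' }

            [pscustomobject]@{
                Server     = $dc.Name
                Adapter    = $nic.Description
                DnsOrder   = ($order -join ', ')
                SelfFirst  = $selfFirst
                HasPartner = ($partner.Count -gt 0)
                Verdict    = $verdict
            }
        }
    }
}

Test-DcDnsClientOrder -Dcs $DomainControllers | Format-Table -AutoSize
```

While replication is still broken, Jeremy's interim advice (both servers pointing at .114) will show the Messaging server as "Points elsewhere first"; that is expected until SYSVOL is healthy again, after which the steady-state layout above is the one to restore.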



              • #8
                Re: DNS settings for group policy management

                On the MGMTSERVER:
                EVENT 13508 (At least 1 a day)
                The File Replication Service is having trouble enabling replication from MSSGSERVER to MGMTSERVER for c:\windows\sysvol\domain using the DNS name MSSGSERVER.crownebs.com. FRS will keep retrying.
                Following are some of the reasons you would see this warning.

                [1] FRS can not correctly resolve the DNS name MSSGSERVER.crownebs.com from this computer.
                [2] FRS is not running on MSSGSERVER.crownebs.com.
                [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.

                This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.


                EVENT 13562 (approximately once a week)
                Following is the summary of warnings and errors encountered by File Replication Service while polling the Domain Controller MGMTSERVER.crownebs.com for FRS replica set configuration information.

                Could not bind to a Domain Controller. Will try again at next polling cycle.

                On the MSSGSERVER:
                EVENT 13568 (When the service is started)
                The File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR.

                Replica set name is : "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"
                Replica root path is : "c:\windows\sysvol\domain"
                Replica root volume is : "\\.\C:"
                A Replica set hits JRNL_WRAP_ERROR when the record that it is trying to read from the NTFS USN journal is not found. This can occur because of one of the following reasons.

                [1] Volume "\\.\C:" has been formatted.
                [2] The NTFS USN journal on volume "\\.\C:" has been deleted.
                [3] The NTFS USN journal on volume "\\.\C:" has been truncated. Chkdsk can truncate the journal if it finds corrupt entries at the end of the journal.
                [4] File Replication Service was not running on this computer for a long time.
                [5] File Replication Service could not keep up with the rate of Disk IO activity on "\\.\C:".
                Setting the "Enable Journal Wrap Automatic Restore" registry parameter to 1 will cause the following recovery steps to be taken to automatically recover from this error state.
                [1] At the first poll, which will occur in 5 minutes, this computer will be deleted from the replica set. If you do not want to wait 5 minutes, then run "net stop ntfrs" followed by "net start ntfrs" to restart the File Replication Service.
                [2] At the poll following the deletion this computer will be re-added to the replica set. The re-addition will trigger a full tree sync for the replica set.

                WARNING: During the recovery process data in the replica tree may be unavailable. You should reset the registry parameter described above to 0 to prevent automatic recovery from making the data unexpectedly unavailable if this error condition occurs again.

                To change this registry parameter, run regedit.

                Click on Start, Run and type regedit.

                Expand HKEY_LOCAL_MACHINE.
                Click down the key path:
                "System\CurrentControlSet\Services\NtFrs\Parameters"
                Double click on the value name
                "Enable Journal Wrap Automatic Restore"
                and update the value.

                If the value name is not present you may add it with the New->DWORD Value function under the Edit Menu item. Type the value name exactly as shown above.


                EVENT 13562 (about once a week)
                Following is the summary of warnings and errors encountered by File Replication Service while polling the Domain Controller MSSGSERVER.crownebs.com for FRS replica set configuration information.

                Could not bind to a Domain Controller. Will try again at next polling cycle.

                Steps taken so far:
                Verified FRS is running on both servers
                Changed the aforementioned registry key to 0

                Any suggestions?
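The three FRS events quoted above (13508 retrying a connection, 13562 unable to bind to a DC, 13568 journal wrap) are what to watch while working through the fixes, together with the registry value the 13568 text describes. The following PowerShell is an added example, not code from the thread; it pulls those events from both servers' "File Replication Service" log and reads the journal-wrap registry value remotely. It assumes remote event log access (RPC) and the Remote Registry service on both servers, run as a domain admin, and it also includes two recovery events the thread does not list, 13509 (connection re-established after retries) and 13516 (FRS finished initialising SYSVOL and is no longer blocking the DC), which are the success signals to look for after forcing replication.

```powershell
# Added example: summarise FRS replication events and the journal-wrap restore setting on both DCs.
# Assumes RPC access for remote event logs and the Remote Registry service on each server.
$Servers = 'MGMTSERVER', 'MSSGSERVER'   # names quoted in the thread

# IDs discussed in the thread (13508, 13562, 13568) plus the recovery events
# 13509 (connection established after retries) and 13516 (SYSVOL initialised, DC ready).
$FrsEventIds = 13508, 13509, 13516, 13562, 13568

function Get-FrsEventSummary {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [int] $Days = 7
    )
    foreach ($server in $ComputerName) {
        $filter = @{
            LogName   = 'File Replication Service'
            Id        = $FrsEventIds
            StartTime = (Get-Date).AddDays(-$Days)
        }
        # Get-WinEvent raises an error when nothing matches; treat that as "no events".
        $events = @(Get-WinEvent -ComputerName $server -FilterHashtable $filter -ErrorAction SilentlyContinue)

        $events | Group-Object Id | ForEach-Object {
            $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
            [pscustomobject]@{
                Server  = $server
                EventId = [int]$_.Name
                Count   = $_.Count
                Latest  = $latest.TimeCreated
                # The first line of the message is enough to tell 13508 (retrying) from 13509 (recovered).
                Message = ($latest.Message -split "`r?`n")[0]
            }
        }
    }
}

function Get-FrsJournalWrapSetting {
    param([Parameter(Mandatory)] [string[]] $ComputerName)
    foreach ($server in $ComputerName) {
        # Remote registry read of the key the 13568 event text points at.
        $hklm  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $server)
        $key   = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\NtFrs\Parameters')
        $value = $key.GetValue('Enable Journal Wrap Automatic Restore')   # $null when the value is absent

        if ($null -eq $value) { $state = 'not set (defaults to 0)' } else { $state = $value }
        [pscustomobject]@{
            Server                 = $server
            JournalWrapAutoRestore = $state
        }
        $key.Close(); $hklm.Close()
    }
}

Get-FrsEventSummary -ComputerName $Servers -Days 7 | Sort-Object Server, EventId | Format-Table -AutoSize
Get-FrsJournalWrapSetting -ComputerName $Servers | Format-Table -AutoSize
```

Run the event summary once before and once after the DNS and AV changes; a 13568 that stops recurring and a fresh 13509 on MGMTSERVER is the sign the connection from MSSGSERVER has come back.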



                • #9
                  Re: DNS settings for group policy management

                  Have you changed the DNS settings as specified in my previous post?

                  After changing the registry, did you reboot? The journal wrap errors are often caused by AV programs. Be sure to exclude %windir%\sysvol from AV scans.

                  Once you've verified the DNS setting and AV settings, check the event log to see if there are any journal wrap errors. If there are none then initiate the replication from ADSS or repadmin. Check the event log again for errors. Post back with an update.
                  Regards,
                  Jeremy




                  • #10
                    Re: DNS settings for group policy management

                    Yes, I changed the DNS settings as specified but the site was down before I could edit my previous post. It did ask for a reboot for the Messaging server when I made the DNS changes but there hasn't been one since, I can do one later in the day.

                    There has been a reboot since changing the registry and I have disabled AV on both servers for testing purposes since there isn't an option to exclude a directory.

                    I'm getting the same errors as previously posted. Once I reboot once more, I'll post a status update.



                    • #11
                      Re: DNS settings for group policy management

                      What AV are you using? If you can't make exclusions you need to get a different AV product. It will cause issues with AD and Exchange and SQL and several other things.
                      Regards,
                      Jeremy




                      • #12
                        Re: DNS settings for group policy management

                        We're running ClamAV. I've been trying to convince management to switch to Kaspersky or something of the like, but no luck yet.

                        Just a little background, the Management server is the one currently running ClamAV and the Messaging server is running an expired license of Kaspersky/MS Antimalware/Authentium Command AV/AhnLab AV/Virusbuster. I can only guess this was all pre-installed as a part of our "package": Essential Business Server 2008.

                        Now that AV is disabled and DNS changes have been made, a reboot was also done last night. Where to go from here?



                        • #13
                          Re: DNS settings for group policy management

                          It looks like ClamAV can do exclusions.
                          http://support.immunet.com/tiki-read...=11#Exclusions

                          The reg change needs to be done after all the other configuration changes have been made, which it sounds like you've done that. So now you should make the reg change and reboot. Then force replication and post back what errors you're getting.

                          Note that you may need to uninstall the AV on both servers to be sure there's no issues. Especially on the messaging server, you need to get it down to one product.
                          Regards,
                          Jeremy




                          • #14
                            Re: DNS settings for group policy management

                            The version of ClamAV we have is different, we have ClamWin AV which allows us to configure which file types to exclude but not configure a directory to be excluded. I think in this particular case excluding file types will not be helpful so I will leave ClamWin disabled in the meantime.

                            As for the Messaging server, it appears the AV products are a part of the Forefront Server Security package. Uninstalling the package would remove all instances of AV and possibly break something else due to the nature of the setup. I have disabled all AV programs for the Messaging server and have not made changes to the registry since. Am I supposed to revert the value back to 1 or leave it at 0?



                            • #15
                              Re: DNS settings for group policy management

                              Originally posted by crowntech:
                                  the Messaging server is running an expired license of Kaspersky/MS Antimalware/Authentium Command AV/AhnLab AV/Virusbuster.

                              None of these listed are Microsoft products. The only one I've heard of is Kaspersky. The MS Antimalware looks like it's malware after googling it. The others look like small security companies.

                              I would remove all of them, run an offline scan if you can, and then install a reputable AV product. Kaspersky is fine if you have a license but my personal recommendation is ESET.
                              Regards,
                              Jeremy

