| Author | Messages | |
JohnTennyson
Posts:2
 | | 09/09/2010 10:06 PM |
| I just fixed a SYSVOL issue on one of our domain controllers (it stopped replicating with the rest of the domain controllers) and everything seems to check out OK.
However, I am getting some /weird/ Group Policy issues:
gpotool reports all is well and the group policy replicates just fine across all three domain controllers.
For the below, it doesn't seem to matter which domain controller the PC is logging into; the behavior is the same.
Picture a domain with two created OUs, X and Y. An XP machine and a Windows 7 machine have been members of OU X for some time and have received several group policies (call them A, B and C) for quite some time. I link a new policy D into OU Y.
I then move both machines to OU Y and execute gpupdate /force /wait:-1; they both complete with no errors. GPRESULT (or GPRESULT /r on Win 7) reports that the Windows 7 machine is in the new OU and gets only policy D, as expected. The Windows XP box reports that it is in the new OU but only gets policies A, B and C, none of which are linked to the new OU, and doesn't even show D (not filtered out, nothing). Policy D is set to Authenticated Users with no WMI filter.
The same behavior seems to happen if I just link policy D to OU X (Windows 7 gets it, XP doesn't even show it in the RSOP data).
There are no errors in either the PCs' or the DCs' event logs that would shed any light on it.
I can't find enough clear info on how XP pulls data on which GPOs to run vs. how Windows 7 does it, but something is odd.
Are there any databases that might need to get rebuilt because the DCs were in an inconsistent state for so long (5 days)? If so, how do I do it? Or does anyone else have any other ideas? Note: rebuilding the domain is NOT an option; this is a large-scale production domain.
Thanks in advance for any help or ideas!
-- John Tennyson Senior Systems Infrastructure Administrator ACSO/OIT - UMASS Amherst
T 413.545.3327 E xxxxxxxxxxxxxxxx
PGP/GPG or S/MIME Email Encouraged
| | | |
| DarraghOShaughnessy
Posts:161
 | | 09/09/2010 10:38 PM |
| Hi John, The first thing you need to do is turn on user environment logging as this will tell you exactly how the system is determining what policies to apply. Post the output if you have it.
| | | |
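The user environment logging suggested in the reply above, as an added example that is not part of the original thread: a small parser that pulls out of an XP `userenv.log` the directory containers the Group Policy engine searched and the GPOs it found, then checks whether the machine's new OU was searched at all. The function names and the log excerpt are constructed for illustration; the excerpt is modeled on the verbose log format and uses a made-up domain.

```python
import re

# Constructed sample, modeled on the verbose log an XP client writes to
# %SystemRoot%\Debug\UserMode\userenv.log once the REG_DWORD UserEnvDebugLevel
# under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon is 0x30002.
# Domain name, GUID placeholder, process ids and timestamps are made up.
SAMPLE_LOG = """\
USERENV(2a4.7f0) 22:15:01:104 ProcessGPOs: Starting computer Group Policy (Background) processing...
USERENV(2a4.7f0) 22:15:01:320 SearchDSObject:  Searching <OU=X,DC=example,DC=test>
USERENV(2a4.7f0) 22:15:01:335 SearchDSObject:  Found GPO(s):  <[LDAP://CN={GUID-A},CN=Policies,CN=System,DC=example,DC=test;0]>
USERENV(2a4.7f0) 22:15:01:350 SearchDSObject:  Searching <DC=example,DC=test>
USERENV(2a4.7f0) 22:15:01:420 ProcessGPO:  Found display name of:  <A>
USERENV(2a4.7f0) 22:15:01:455 ProcessGPO:  Found display name of:  <B>
USERENV(2a4.7f0) 22:15:01:490 ProcessGPO:  Found display name of:  <C>
"""

# "USERENV(pid.tid) timestamp Function:  message"
LINE = re.compile(r"^USERENV\([0-9a-f.]+\)\s+\S+\s+(\w+):\s+(.*)$", re.I)
ANGLE = re.compile(r"<(.*)>")  # the value the engine logged between < and >


def summarize(log_text):
    """Return (containers searched, GPO display names) in log order."""
    searched, gpos = [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or wrapped line
        func, msg = m.groups()
        value = ANGLE.search(msg)
        if not value:
            continue
        if func == "SearchDSObject" and msg.startswith("Searching"):
            searched.append(value.group(1))
        elif func == "ProcessGPO" and msg.startswith("Found display name"):
            gpos.append(value.group(1))
    return searched, gpos


def location_is_stale(log_text, expected_ou_dn):
    """True when the OU the machine was moved to was never searched."""
    searched, _ = summarize(log_text)
    return expected_ou_dn.lower() not in [dn.lower() for dn in searched]


if __name__ == "__main__":
    containers, names = summarize(SAMPLE_LOG)
    print("searched:", containers)
    print("GPOs:", names)
    print("stale:", location_is_stale(SAMPLE_LOG, "OU=Y,DC=example,DC=test"))
```
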
| john.vanmeter
Posts:41
 | | 09/09/2010 11:37 PM |
| I had to follow the instructions in this link http://support.microsoft.com/kb/315457 to rebuild the SYSVOL tree. I've also seen the problem be on the upstream DC that is the replication partner for the DC that the clients are authenticating to.
If you want to talk offline, feel free to contact me; I've done this a lot.
Best Regards John
| | | |
| dmarelia
Posts:394
 | | 09/09/2010 11:43 PM |
| John- I suspect what you're seeing on XP is that the GP engine on that version of the OS does not actually pick up OU moves right away, if you can believe that. The GP engine caches the location for some period of time. I don't recall what the trigger point was however.
I think I recall that Win7 fixed this behavior.
Darren
| | | |