Windows Server 2003 GPO

By CCrabtree
Hello everyone!

I'm having an interesting problem with a Windows Server 2003 Domain Controller.

This unit is running R1, not R2, is a secondary Domain controller, runs DHCP, secondary DNS, and is our primary print server.

Our Primary DC is a file server and primary DNS. Our tertiary DC is a pure DC, but is at a remote location.

Now that you know the background, here's the situation:

PDC updates GPO just fine. It uses the GPO I created: "T Domain Controller GPO". All settings are applied and I get the A-OK from the event viewer. Running GPRESULT gives me the correct info, and I have no issues with it.

The Secondary DC, however, does not. I get numerous "Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this." errors in the event log, and it does not pull settings at all. Below is a comparison of GPRESULT information:

Primary DC:

-----------------
RSOP data for AEROSPACE\Administrator on PDC : Logging Mode
--------------------------------------------------------------------

OS Type: Microsoft(R) Windows(R) Server 2003, Standard Editi
on
OS Configuration: Primary Domain Controller
OS Version: 5.2.3790
Terminal Server Mode: Remote Administration
Site Name: Default-First-Site-Name
Roaming Profile:
Local Profile: C:\Documents and Settings\Administrator
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
CN=PDC,OU=Domain Controllers,DC=aerospace,DC=com
Last time Group Policy was applied: 1/10/2008 at 11:37:39 AM
Group Policy was applied from: PDC.aerospace.com
Group Policy slow link threshold: 500 kbps
Domain Name: AEROSPACE
Domain Type: Windows 2000

Applied Group Policy Objects
-----------------------------
T Domain Controllers Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)

The computer is a part of the following security groups
-------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Pre-Windows 2000 Compatible Access
BUILTIN\Users
Windows Authorization Access Group
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
PDC$
Domain Controllers
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS


USER SETTINGS
--------------
CN=Administrator,OU=Administrators,DC=aerospace,DC=com
Last time Group Policy was applied: 1/10/2008 at 11:07:09 AM
Group Policy was applied from: PDC.aerospace.com
Group Policy slow link threshold: 500 kbps
Domain Name: AEROSPACE
Domain Type: Windows 2000

Applied Group Policy Objects
-----------------------------
Administrative Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Domain Computer Group Policy
Filtering: Disabled (GPO)

Unrestricted Domain Computer Group Policy
Filtering: Disabled (GPO)

Domain Laptop Group Policy
Filtering: Disabled (GPO)

Test MSI Pusher GPO
Filtering: Disabled (GPO)

Local Group Policy
Filtering: Not Applied (Empty)

The user is a part of the following security groups
---------------------------------------------------
Domain Users
Everyone
BUILTIN\Administrators
BUILTIN\Users
BUILTIN\Pre-Windows 2000 Compatible Access
REMOTE INTERACTIVE LOGON
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
Domain Admins
Executive_BC
Group Policy Creator Owners
Enterprise Admins
Schema Admins
------------------

Now take a look at the Secondary DC log: (SDC)

------------------

RSOP data for AEROSPACE\Administrator on SDC : Logging Mode
--------------------------------------------------------------------

OS Type: Microsoft(R) Windows(R) Server 2003, Standard Edit
on
OS Configuration: Additional/Backup Domain Controller
OS Version: 5.2.3790
Terminal Server Mode: Remote Administration
Site Name: Default-First-Site-Name
Roaming Profile:
Local Profile: C:\Documents and Settings\Administrator
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
CN=SDC,OU=Domain Controllers,DC=aerospace,DC=com
Last time Group Policy was applied: 1/10/2008 at 11:38:14 AM
Group Policy was applied from: SDC.aerospace.com
Group Policy slow link threshold: 500 kbps
Domain Name: AEROSPACE
Domain Type: Windows 2000

Applied Group Policy Objects
-----------------------------
T Domain Controllers Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)

The computer is a part of the following security groups
-------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Pre-Windows 2000 Compatible Access
BUILTIN\Users
Windows Authorization Access Group
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
Domain Controllers
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS


USER SETTINGS
--------------
CN=Administrator,OU=Administrators,DC=aerospace,DC=com
Last time Group Policy was applied: 1/10/2008 at 11:28:14 AM
Group Policy was applied from: SDC.aerospace.com
Group Policy slow link threshold: 500 kbps
Domain Name: AEROSPACE
Domain Type: Windows 2000

Applied Group Policy Objects
-----------------------------
Default Domain Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Main Site Policy
Filtering: Not Applied (Empty)

Local Group Policy
Filtering: Not Applied (Empty)

The user is a part of the following security groups
---------------------------------------------------
Domain Users
Everyone
BUILTIN\Administrators
BUILTIN\Users
BUILTIN\Pre-Windows 2000 Compatible Access
REMOTE INTERACTIVE LOGON
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
Domain Admins
Group Policy Creator Owners
Enterprise Admins
Schema Admins


I cannot really see any problems, except that it says it cannot query the list for GPO... when it's querying itself. Please let me know if you see something I'm not.


Not sure if this will help but it will give a clearer picture.

by Jacky Howe In reply to Windows Server 2003 GPO

Comparing files 1.txt and 2.TXT
***** 1.txt
RSOP data for AEROSPACE\Administrator on PDC : Logging Mode
--------------------------------------------------------------------
***** 2.TXT
RSOP data for AEROSPACE\Administrator on SDC : Logging Mode
--------------------------------------------------------------------
*****

***** 1.txt

OS Type: Microsoft(R) Windows(R) Server 2003, Standard Editi
on
OS Configuration: Primary Domain Controller
OS Version: 5.2.3790
***** 2.TXT

OS Type: Microsoft(R) Windows(R) Server 2003, Standard Edit
on
OS Configuration: Additional/Backup Domain Controller
OS Version: 5.2.3790
*****

***** 1.txt
------------------
CN=PDC,OU=Domain Controllers,DC=aerospace,DC=com
Last time Group Policy was applied: 1/10/2008 at 11:37:39 AM
Group Policy was applied from: PDC.aerospace.com
Group Policy slow link threshold: 500 kbps
***** 2.TXT
------------------
CN=SDC,OU=Domain Controllers,DC=aerospace,DC=com
Last time Group Policy was applied: 1/10/2008 at 11:38:14 AM
Group Policy was applied from: SDC.aerospace.com
Group Policy slow link threshold: 500 kbps
*****

***** 1.txt
This Organization
PDC$
Domain Controllers
***** 2.TXT
This Organization
EFSSVR14$
Domain Controllers
*****

***** 1.txt
CN=Administrator,OU=Administrators,DC=aerospace,DC=com
Last time Group Policy was applied: 1/10/2008 at 11:07:09 AM
Group Policy was applied from: PDC.aerospace.com
Group Policy slow link threshold: 500 kbps
***** 2.TXT
CN=Administrator,OU=Administrators,DC=aerospace,DC=com
Last time Group Policy was applied: 1/10/2008 at 11:28:14 AM
Group Policy was applied from: SDC.aerospace.com
Group Policy slow link threshold: 500 kbps
*****

***** 1.txt
-----------------------------
Administrative Policy

***** 2.TXT
-----------------------------
Default Domain Policy

*****

***** 1.txt
-------------------------------------------------------------------
Domain Computer Group Policy
Filtering: Disabled (GPO)

Unrestricted Domain Computer Group Policy
Filtering: Disabled (GPO)

Domain Laptop Group Policy
Filtering: Disabled (GPO)

Test MSI Pusher GPO
Filtering: Disabled (GPO)

***** 2.TXT
-------------------------------------------------------------------
Main Site Policy
Filtering: Not Applied (Empty)

*****

***** 1.txt
Domain Admins
Executive_BC
Group Policy Creator Owners
***** 2.TXT
Domain Admins
Group Policy Creator Owners
*****
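The side-by-side file comparison above is the right instinct, but a plain text diff flags every line that differs, including timestamps and the hostname, and makes you read the two reports top to bottom yourself. What a practitioner actually wants from two gpresult logging-mode reports is the answer to three questions per scope: which GPOs applied, which were filtered and why, and which security groups the token contained. The script below, which is an added example and not code from the original thread, parses that report format into those three lists for COMPUTER SETTINGS and USER SETTINGS and reports only the meaningful differences. The two embedded reports are constructed, abbreviated versions of the PDC and SDC output quoted in the question; the parser itself works on the full output of `gpresult` on a 2003-era box (the section headings and "Filtering:" lines are the ones gpresult prints).

```python
"""Compare two gpresult logging-mode reports scope by scope.

Added example, not code from the original post.  PDC_REPORT and SDC_REPORT
are constructed, abbreviated copies of the output quoted in the thread.
"""
import re
from dataclasses import dataclass, field

SCOPES = ("COMPUTER SETTINGS", "USER SETTINGS")


@dataclass
class Scope:
    applied_from: str = ""
    applied: list = field(default_factory=list)    # applied GPOs, in report order
    filtered: dict = field(default_factory=dict)   # GPO name -> "Filtering:" reason
    groups: list = field(default_factory=list)     # security groups in the token


def parse_gpresult(text):
    """Split a gpresult report into its COMPUTER and USER scopes."""
    scopes, current, section, pending = {}, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"-"}:          # blank line or ruler
            continue
        if line in SCOPES:
            current, section = scopes.setdefault(line, Scope()), None
            continue
        if current is None:                         # header block before any scope
            continue
        if line.startswith("Group Policy was applied from:"):
            current.applied_from = line.split(":", 1)[1].strip()
        elif line == "Applied Group Policy Objects":
            section = "applied"
        elif line.startswith("The following GPOs were not applied"):
            section = "filtered"
        elif re.match(r"The (computer|user) is a part of", line):
            section = "groups"
        elif section == "applied":
            current.applied.append(line)
        elif section == "filtered":                 # GPO name, then its reason
            if line.startswith("Filtering:"):
                current.filtered[pending] = line.split(":", 1)[1].strip()
            else:
                pending = line
        elif section == "groups":
            current.groups.append(line)
    return scopes


def compare(left, right, left_name, right_name):
    """Return (scope, what, side, value) tuples for everything that differs."""
    findings = []
    for scope in SCOPES:
        a, b = left.get(scope, Scope()), right.get(scope, Scope())
        if a.applied_from != b.applied_from:
            findings.append((scope, "applied_from", left_name, a.applied_from))
            findings.append((scope, "applied_from", right_name, b.applied_from))
        for side, mine, theirs in ((left_name, a, b), (right_name, b, a)):
            for gpo in mine.applied:
                if gpo not in theirs.applied:
                    findings.append((scope, "applied_only_on", side, gpo))
            for gpo, reason in mine.filtered.items():
                if theirs.filtered.get(gpo) != reason:
                    findings.append((scope, "filtered", side, f"{gpo}: {reason}"))
            for grp in mine.groups:
                if grp not in theirs.groups:
                    findings.append((scope, "group_only_on", side, grp))
    return findings


# Constructed, abbreviated from the reports in the question.
PDC_REPORT = r"""
RSOP data for AEROSPACE\Administrator on PDC : Logging Mode
--------------------------------------------------------------------
OS Configuration: Primary Domain Controller

COMPUTER SETTINGS
------------------
CN=PDC,OU=Domain Controllers,DC=aerospace,DC=com
Group Policy was applied from: PDC.aerospace.com

Applied Group Policy Objects
-----------------------------
T Domain Controllers Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)

The computer is a part of the following security groups
-------------------------------------------------------
BUILTIN\Administrators
Domain Controllers
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS

USER SETTINGS
--------------
CN=Administrator,OU=Administrators,DC=aerospace,DC=com
Group Policy was applied from: PDC.aerospace.com

Applied Group Policy Objects
-----------------------------
Administrative Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Domain Computer Group Policy
Filtering: Disabled (GPO)

Local Group Policy
Filtering: Not Applied (Empty)

The user is a part of the following security groups
---------------------------------------------------
Domain Users
Domain Admins
Executive_BC
Group Policy Creator Owners
"""

SDC_REPORT = r"""
RSOP data for AEROSPACE\Administrator on SDC : Logging Mode
--------------------------------------------------------------------
OS Configuration: Additional/Backup Domain Controller

COMPUTER SETTINGS
------------------
CN=SDC,OU=Domain Controllers,DC=aerospace,DC=com
Group Policy was applied from: SDC.aerospace.com

Applied Group Policy Objects
-----------------------------
T Domain Controllers Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)

The computer is a part of the following security groups
-------------------------------------------------------
BUILTIN\Administrators
Domain Controllers
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS

USER SETTINGS
--------------
CN=Administrator,OU=Administrators,DC=aerospace,DC=com
Group Policy was applied from: SDC.aerospace.com

Applied Group Policy Objects
-----------------------------
Default Domain Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Main Site Policy
Filtering: Not Applied (Empty)

Local Group Policy
Filtering: Not Applied (Empty)

The user is a part of the following security groups
---------------------------------------------------
Domain Users
Domain Admins
Group Policy Creator Owners
"""


def diff_reports():
    """Parse both embedded reports and return the list of differences."""
    return compare(parse_gpresult(PDC_REPORT), parse_gpresult(SDC_REPORT), "PDC", "SDC")


if __name__ == "__main__":
    for scope, what, side, value in diff_reports():
        print(f"{scope:17} {what:16} {side:4} {value}")
```

Run against the two embedded reports it prints nothing for the computer side except the expected "applied from" hostnames, and for the user side it isolates exactly what Jacky Howe's comparison turned up: "Administrative Policy" applied only on PDC, "Default Domain Policy" applied only on SDC, "Main Site Policy" filtered as empty only on SDC, and the Executive_BC group present only in the PDC token. Save the real `gpresult` output from each DC to a file and feed it to `parse_gpresult` to do the same with live data.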

Hmmm

by CCrabtree In reply to Not sure if this will hel ...

I see the issue with the user side accounts... and the membership lacks Executive BC... I really wish I could ream the guy that originally set this system up.

Thanks. I'll look into it from here. =)

supposed to propagate through replication

by CG IT In reply to Hmmm

Until replication happens, the DC at the remote site won't get any GPO updates and will continue to operate as it has.

Remember, if the second DC is in the same domain, then it's considered a site. So in Active Directory Sites and Services you set up a site with the remote office subnet and replicate over the WAN link.

Is there replication?

Yes

by CCrabtree In reply to supposed to propagate thr ...

It's actually on the same site. The servers are right next to each other, the tertiary is off site. All three have full NTDS replication, verified by using each DC specifically and checking the AD data. The AD data and the Sysvol share ARE replicating, however the GPO processing fails. From the GP Result, it looks like only the User account settings fail to be applied by GPO. However, the system settings aren't being applied properly either (WSUS, services etc aren't applied.)

Don't know if it will help, but the last time I rebooted, I had to reset the DHCP manually. It lost all of its settings. We also had the whole thing crash due to Websense, which I uninstalled. Apparently Websense was never removed, just lapsed.

This is really intriguing.

ok so the DC is in the Domain Controllers OU

by CG IT In reply to Yes

and you applied the GPO to the domain controllers OU?

Domain controllers are always in their own OU and as such have their own security. GPOs for DCs must be applied to the Domain Controllers OU, and the default domain security doesn't apply to DCs in an Active Directory environment. Open up admin tools on the DC and you'll see the domain controllers security policy. This is what controls DC security.

True

by CCrabtree In reply to ok so the DC is in the Do ...

This is true, however using the Group Policy Object Editor, I've created a GPO for the DC OU - The PDC applies both User and Computer settings properly. You'll notice the SDC doesn't have the user settings applying, and the Computer settings report applying, but certain services that I set just don't want to run, but work on the PDC.

it appears that the DC at the site [SDC]

by CG IT In reply to True

is not getting GP information from the PDC at the "main location".

Since both are in the same domain [one DC at each site], the GPO applied to the DCs OU which contains both DCs isn't getting pushed out to the DC at the "remote site".

All I can suggest is at the remote site, open up AD Users and Computers/Domain Controllers OU and see if both are listed in that OU. It's possible that the remote DC thinks it's the only one on the network. That would indicate that, in AD Sites and Services, the remote site and WAN link aren't configured properly.

well the reason I thought site

by CG IT In reply to Windows Server 2003 GPO

was that the log says GPO applied by SDC.aerospace.com for the second DC. The first DC says GPO applied by PDC.aerospace.com.

Since SDC is applying its own GPO and not a domain GPO, this indicates a site or child domain configuration.

If both DCs are on the same subnet and belong to the same domain and are in the same domain controllers OU, then any GPO applied to the domain controllers OU would take effect on any DCs in that OU.

When a DC doesn't get the GPO, that indicates a site somewhere that isn't getting the info on a WAN link [site = different subnet].

Well..

by CCrabtree In reply to well the reason I thought ...

So how do I fix it? They're on the same subnet (PDC = 10.20.12.11, SDC = 10.20.12.14) in the same OU, and as far as I can tell have the COMPUTER SETTINGS applied from OU GPO, but the USER SETTINGS are not. And the COMPUTER SETTINGS are iffy at best even when applied from the OU GPO.

User settings? For what on a DC?

by CG IT In reply to Well..

The only users that should be able to log on locally to the DC are Domain Admins or Enterprise Admins.

If you're gonna delegate authority for some admin functions on the DC, you can make up a template or use one of the special security groups.


Group Policy is applied in local, site, domain and OU order, and the OU for domain controllers which has the GPO applied to it selectively applies itself to only 1 DC, which doesn't make sense.
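The processing order stated above (local, then site, then domain, then OU) is what decides which GPO wins when two of them set the same thing, because each later GPO overwrites the earlier one's value, and it also explains why an empty GPO shows up in gpresult as "Not Applied (Empty)". The script below is an added example, not code from this thread, that models that order for a chain of containers and returns both the winning settings and the order the GPOs were processed in. It goes one step past the reply and also models Enforced links and Block Inheritance with their standard Windows semantics (an enforced link from a higher container beats everything below it, and Block Inheritance drops non-enforced links from parents). The container and GPO names mirror the thread; the settings and values are constructed for illustration.

```python
"""Resolve winning Group Policy settings in local, site, domain, OU order.

Added example, not code from the original thread.  The chain, GPO settings
and values are constructed; Enforced / Block Inheritance follow the standard
Windows semantics and are an extension of what the reply describes.
"""
from dataclasses import dataclass


@dataclass
class Link:
    gpo: str
    settings: dict            # setting -> value; an empty dict is an empty GPO
    enforced: bool = False
    disabled: bool = False


@dataclass
class Container:
    name: str                 # "Local", the site, the domain, or an OU
    links: list               # link order 1 first (highest precedence here)
    block_inheritance: bool = False


def resolve(chain):
    """chain lists the containers from Local down to the target's own OU.

    Returns (winning_settings, trace).  trace is the list of (gpo, status)
    in processing order; the last GPO to write a setting wins it."""
    local, normal, enforced = chain[0], [], []
    for container in chain[1:]:
        if container.block_inheritance:
            normal = []                     # drop non-enforced links from above
        # Link order 1 has the highest precedence within a container, so it
        # must be applied last: walk the links in reverse.
        for link in reversed(container.links):
            if link.disabled:
                continue
            (enforced if link.enforced else normal).append((container, link))
    # Enforced links beat everything below them, so the lowest container's
    # enforced links are applied first and the topmost container's last.
    enforced.sort(key=lambda cl: chain.index(cl[0]), reverse=True)

    winning, trace = {}, []
    order = [l for l in local.links if not l.disabled] + [l for _, l in normal + enforced]
    for link in order:
        if not link.settings:               # what gpresult reports as an empty GPO
            trace.append((link.gpo, "Not Applied (Empty)"))
            continue
        winning.update(link.settings)
        trace.append((link.gpo, "Enforced" if link.enforced else "Applied"))
    return winning, trace


def baseline_chain():
    """Constructed chain for a DC: empty local and site GPOs, one domain GPO,
    one GPO linked to the Domain Controllers OU."""
    return [
        Container("Local", [Link("Local Group Policy", {})]),
        Container("Default-First-Site-Name", [Link("Main Site Policy", {})]),
        Container("aerospace.com", [Link("Default Domain Policy",
                                         {"MinPasswordLength": 7,
                                          "AutoUpdate": "domain-schedule"})]),
        Container("Domain Controllers", [Link("T Domain Controllers Policy",
                                              {"AutoUpdate": "dc-schedule",
                                               "LogonBanner": "DC only"})]),
    ]


def baseline():
    """OU GPO is processed last, so its AutoUpdate value wins."""
    return resolve(baseline_chain())


def enforced_and_blocked():
    """Same chain with the domain link Enforced and the DC OU set to
    Block Inheritance: the site GPO is dropped, the domain GPO wins."""
    chain = baseline_chain()
    chain[2].links[0].enforced = True
    chain[3].block_inheritance = True
    return resolve(chain)


if __name__ == "__main__":
    for label, (winning, trace) in (("baseline", baseline()),
                                    ("enforced+block", enforced_and_blocked())):
        print(label)
        for gpo, status in trace:
            print(f"  {status:20} {gpo}")
        print("  winning:", winning)
```

The trace for the baseline chain lists the two empty GPOs as "Not Applied (Empty)" exactly as the gpresult output in the question does, then "Default Domain Policy" and "T Domain Controllers Policy", with the OU GPO's AutoUpdate value winning. Flipping the domain link to Enforced and blocking inheritance on the OU removes the site GPO from the trace entirely and moves the domain GPO to the end, where its AutoUpdate value overrides the OU's.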
