Policy trouble with 2 domain controllers
-
Thursday, March 14, 2013 5:56 PM
Until recently, our network had a single 2003 domain controller. We recently purchased a 2012 server and also made it a domain controller but decided to leave the domain at a 2003 functional level. We have a mix of XP and Win7 clients. When I try to implement a GPO on folder redirection, I receive an unknown error during processing on the GP Modeling. When I run the model twice, once without specifying a DC or specifying the 2003 server, the Folder redirection fails with an unknown error. When I run modeling and select the 2012 server, it applies correctly. In the field I'm seeing some clients working, others are not. Any advice that allows me to keep both DC's up and running?
All Replies
-
Thursday, March 14, 2013 7:02 PM
Sounds like you have issues with SYSVOL replication.
You should have more info in event-log.
Btw; Make your 2012 the FSMO master of all roles and create your GPO's on that and no longer on the 2003-server.
Always use last OS!
--
Goran Johansson
http://gjohansson.com/blog
-
Thursday, March 14, 2013 7:11 PM
The 2012 is the FSMO master of all roles. I don't see anything in logs pointing to an issue. When I started using Win 7 clients, I had to create the central store for the W7/2008 ADMX files. Now that I'm making GPO's with 2012, do I need to do a similar action on the 2003 box to hold GPO info for W8/2012?
- Edited by bjamrok Thursday, March 14, 2013 7:12 PM
-
Thursday, March 14, 2013 7:15 PM
No, it should do this automatically.
Check both DC's SYSVOL folder and see that they look identical.
If not, even after leaving it time to replicate, you have issues with FRS replication and should see some entries in system log about not possible to replicate.
Everything you do in GPMC should be done with the 2012 server in mind, don't do any modifications (or modelling) with the 2003 box anymore.
--
Goran Johansson
http://gjohansson.com/blog
- Proposed As Answer by G Johansson Thursday, March 14, 2013 7:15 PM
-
Thursday, March 14, 2013 7:57 PM
I checked sysvol on both and it's same # of files and folders on each. Running modeling from 2012 DC, I ran same user on same computer against both DCs. On 2012 modelling shows correct settings, and under the folder redirection gpo, it shows it's applied and Extensions configured shows "folder redirection" and WMI shows "xp". When modeled against 2003, both these fields are blank.
-
Friday, March 15, 2013 11:37 AM
I got this error, Any thoughts? I can't find this permission difference nor how to correct it.
-
Friday, March 15, 2013 12:29 PM
On 15.03.2013 12:37, bjamrok wrote:
> I can't find this permission difference nor how to correct it.
Open a command window and enter
icacls \\DC1\sysvol\%userdnsdomain%\policies\{policy GUID}
icacls \\DC2\sysvol\%userdnsdomain%\policies\{policy GUID}
Check the output.
NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
If my answer was helpful, I'm glad about a rating!
- Marked As Answer by Andy Qi, Microsoft Contingent Staff, Moderator Wednesday, March 27, 2013 10:28 AM
-
Friday, March 15, 2013 12:36 PM
Do I need to do this for each policy? I have 23 GPOs
-
Friday, March 15, 2013 12:37 PM
On 15.03.2013 13:36, bjamrok wrote:
> Do I need to do this for each policy? I have 23 GPOs
One should be sufficient to see what's causing the issue.
-
Friday, March 15, 2013 12:49 PM
I did the above for the first policy. I saw no discrepancy in the permissions. I did see 2 identical lines for domain\domain admins. Is that correct? I'll compare each GUID 1 by 1 now unless there is a better idea.
-
Friday, March 15, 2013 12:58 PM
Another interesting fact. I counted my GPO's in the GPMC which is 23 GPO's. In both Sysvols, there are 24 GUID folders and a Policy Definitions folder. Should I have the extra GUID folder?
-
Friday, March 15, 2013 3:09 PM
On 15.03.2013 13:58, bjamrok wrote:
> Another interesting fact. I counted my GPO's in the GPMC which is 23
> GPO's. In both Sysvols, there are 24 GUID folders and a Policy
> Definitions folder. Should I have the extra GUID folder?
Are you replicating with NTFRS or DFSR? But anyway, it doesn't really matter. I'd focus on sysvol replication errors now - this extra folder should not be there... Each policy has a sysvol GUID folder, and each sysvol GUID folder belongs to a policy.
- Marked As Answer by Andy Qi, Microsoft Contingent Staff, Moderator Wednesday, March 27, 2013 10:28 AM
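Added example, not part of the thread: the per-policy icacls comparison suggested earlier and the check for a GUID folder with no matching GPO, done for every policy folder at once in PowerShell. The function name Compare-SysvolPolicies is hypothetical and DC1/DC2 are the placeholder names from the reply; it only reads ACLs and compares the two SYSVOL copies with each other, not SYSVOL against the AD object.

```powershell
# Added example (not from the thread): compare the GUID-named policy folders
# under two SYSVOL copies and report missing folders, ACL differences, orphans.
function Compare-SysvolPolicies {
    param(
        [Parameter(Mandatory = $true)][string]$PoliciesA,  # \\DC1\sysvol\<domain>\Policies
        [Parameter(Mandatory = $true)][string]$PoliciesB,  # \\DC2\sysvol\<domain>\Policies
        [string[]]$KnownGpoIds = @()   # GUIDs of GPOs that exist in AD, without braces
    )
    $isGuidDir = { $_.PSIsContainer -and $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' }
    $a = @(Get-ChildItem -LiteralPath $PoliciesA | Where-Object $isGuidDir | ForEach-Object { $_.Name })
    $b = @(Get-ChildItem -LiteralPath $PoliciesB | Where-Object $isGuidDir | ForEach-Object { $_.Name })

    # Flatten one folder's DACL into sorted strings so ACE order does not matter.
    $aceList = {
        param($path)
        (Get-Acl -LiteralPath $path).Access | ForEach-Object {
            '{0}|{1}|{2}|inherited={3}|{4}' -f $_.IdentityReference, $_.FileSystemRights,
                $_.AccessControlType, $_.IsInherited, $_.InheritanceFlags
        } | Sort-Object
    }

    foreach ($name in ($a + $b | Sort-Object -Unique)) {
        $finding = $null; $detail = ''
        if ($name -notin $a)     { $finding = 'MissingOnA' }
        elseif ($name -notin $b) { $finding = 'MissingOnB' }
        else {
            $left  = & $aceList (Join-Path $PoliciesA $name)
            $right = & $aceList (Join-Path $PoliciesB $name)
            $diff  = @(Compare-Object $left $right)
            if ($diff.Count) {
                $finding = 'AclMismatch'
                $detail  = ($diff | ForEach-Object { "$($_.SideIndicator) $($_.InputObject)" }) -join '; '
            }
        }
        if ($finding) { [pscustomobject]@{ Policy = $name; Finding = $finding; Detail = $detail } }

        # A GUID folder with no GPO object in AD is the "24 folders, 23 GPOs" case.
        if ($KnownGpoIds.Count -and ($name.Trim('{}') -notin $KnownGpoIds)) {
            [pscustomobject]@{ Policy = $name; Finding = 'NoGpoInAD'; Detail = 'folder has no matching GPO' }
        }
    }
}

# Usage, from a machine with the GroupPolicy module (GPMC) installed.
# DC1/DC2 are placeholder server names, as in the thread.
Import-Module GroupPolicy
$ids  = Get-GPO -All | ForEach-Object { $_.Id.ToString() }
$root = "sysvol\$env:USERDNSDOMAIN\Policies"
Compare-SysvolPolicies "\\DC1\$root" "\\DC2\$root" -KnownGpoIds $ids | Format-List
```

In the Detail column, `<=` marks an ACE present only on the first path and `=>` one present only on the second.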
-
Friday, March 15, 2013 7:00 PM
I believe it's FRS, but can you instruct on how to determine that? I have also learned that in Server 2012 the GPMC has a status tab which replaces many of the past tools from server 08 and 03. I selected each GPO and found 2 that prompted me with a permissions mismatch between sysvol and AD. It gave me a simple OK button to rectify. Before, I had GPO's that failed ACL replication in both the SYSVOL and Active directory categories, now the SYSVOL errors are gone, and I have 18 GPO's with the error only in the AD category.
When running DCdiag again from the 2012 box against the 2003 box, the 2003 box fails the Advertising (not a time server), services (expects a win32_share_process value), and system log where eventlog=system could not be retrieved.
-
Saturday, March 16, 2013 12:23 AM
On 15.03.2013 20:00, bjamrok wrote:
> I believe it's FRS, but can you instruct on how to determine that?
If your domain was promoted using 2003 or earlier - it IS frs. Check Event log viewer...
- Marked As Answer by Andy Qi, Microsoft Contingent Staff, Moderator Wednesday, March 27, 2013 10:29 AM
-
Saturday, March 16, 2013 12:28 AM
It's FRS. I see no errors in the Event viewer. Still have policies not working correctly when they use the 2003 DC. I deleted the one orphaned policy and within 1 minute, the 2003 Sysvol was updated and reflected the deletion. Still can't understand what is going on. Is there a way to "reset" the sysvol and AD information on the 2003, and make it re-load it all from the 2012?
-
Saturday, March 16, 2013 12:58 AM
Ok, as my latest test, I deleted a GPO that I did not need via the GPMC. The GUID is gone from ADSI, but the folders are still in Sysvol. When I try to delete the folder from sysvol, I get an access denied error. So I tried to change ownership to domain\administrator, and still get access denied error. When I deleted the other orphaned policy from sysvol, it worked without issue. Any suggestions?
-
Monday, March 18, 2013 11:51 AM
Even though security appears to be the same, I can delete a GPO folder from 2003, but not from 2012, even though I logged into each with Administrator credentials. So, can I be running into some other security restrictions on 2012? Maybe UAC?? I'll continue to investigate, but any help is greatly appreciated.
-
Monday, March 18, 2013 1:59 PM
Found Error 2092 in the logs. One for Schema, one for Partitions. Any ideas?
-
Monday, March 18, 2013 7:42 PM
On 16.03.2013 01:58, bjamrok wrote:
> Ok, as my latest test, I deleted a GPO that I did not need via the
> GPMC. The GUID is gone from ADSI, but the folders are still in
> Sysvol. When I try to delete the folder from sysvol, I get an access
> denied error. So I tried to change ownership to domain\administrator,
> and still get access denied error. When I deleted the other orphaned
> policy from sysvol, it worked without issue. Any suggestions?
Stop NTFRS and set start mode to disabled on ALL DCs. Make a backup copy of Sysvol on the PDC emulator. Take ownership of sysvol and grant yourself full access, do a backup copy again. Then rebuild sysvol according to http://support.microsoft.com/kb/315457 - D4 on the PDC, then D2 on all other DCs. That's at least what I would resort to...
- Marked As Answer by Andy Qi, Microsoft Contingent Staff, Moderator Wednesday, March 27, 2013 10:29 AM
- Unmarked As Answer by bjamrok Monday, April 01, 2013 1:15 AM
-
Monday, April 01, 2013 1:18 AM
Thanks for all your help,
We ended up getting some outside help, and this issue was ultimately resolved by:
Using ADSI editor to reset the permissions on the GPO's that had errors back to default permissions. This had to be done on both DC's.
Selected each GPO in the GPMC which prompted to fix the Sysvol permissions to match AD. This also had to be done on both DC's.
That cleared all the errors and we saw consistent modeling.
Thanks.
- Marked As Answer by bjamrok Monday, April 01, 2013 1:18 AM

