TS 2008 and Windows 2003 group policies?
Hi all,
I deployed Server 2008 Terminal Services as members of a Windows 2003 R2 domain. The servers reside in an OU specially for the TS. For testing reasons, I created a GPO with only the setting to hide the local drives of the Terminal Server and linked it to the TS-OU.
When logging on to the TS, the GPO is not processed. The event log of the TS shows an event 1058 and reports "access denied" on the gpt.ini file. So I checked the permissions on the sysvol directory - everything looks fine and if I try manually from the TS, I am able to reach the file and the policy directory as well. DNS resolution also looks to be working well. Even several recreations of the policy didn't work. All articles I found on the www didn't help to find the solution yet.
Does anyone have an idea? Hints welcome!
Thanks in advance,
Wolfgang
Answers
- Hi all,
first of all, thank you for your support!
After searching for days, I now managed to fix the problem.
What was the thing? Well, after setting up a fresh domain and joining one of the TS to this virgin domain all worked as expected. So I was deeply convinced that the Server 2008 was completely innocent and concentrated my investigations on the two Windows 2003 R2 DCs. Remembering the hint of the TS event log that the DFS Client might be disabled, I recognized that the DFS Service on both DCs was not started, although they were set to "automatic".
I tried to start them manually, but this ended in an error. All services in the dependencies were started, so I used "sc" to have a look at mup and dfsdriver .... and voilà ... the dfsdriver was disabled in the system (I don't know why). After enabling and starting the driver, the dfs service started as well.
Immediately after the DFS Service was online, the 2008 TS started to process the GPOs and the annoying error messages were gone for ever!
Once again, thank you all for your support!
Greetings,
Wolfgang
- Marked As Answer by Jeff Pitsch [MVP], Moderator, Friday, November 06, 2009 2:18 PM
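The "sc" check described in the answer above, run against both DCs in one pass, as an added example that is not part of the original thread. The DC names are hypothetical placeholders, and `dfs` as the short name of the DFS service is an assumption; `mup` and `dfsdriver` are the names given in the post. The script only reads configuration and state.

```powershell
# Added example: read-only check, changes nothing on the DCs.
# Hypothetical DC names; replace with the domain's own controllers.
$domainControllers = @('DC01', 'DC02')
# mup and dfsdriver are named in the post; 'dfs' is assumed to be the
# short name of the DFS service on the Windows 2003 R2 DCs.
$services = @('mup', 'dfsdriver', 'dfs')

# Pull the symbolic value of one field out of sc.exe output, for example
# "START_TYPE         : 4   DISABLED" gives DISABLED.
function Get-ScField {
    param([string[]]$Lines, [string]$Field)
    foreach ($line in $Lines) {
        if ($line -match "^\s*$Field\s*:\s*\w+\s+(\S+)") { return $Matches[1] }
    }
    return 'UNKNOWN'   # service missing, access denied, or host unreachable
}

$report = foreach ($dc in $domainControllers) {
    foreach ($svc in $services) {
        # sc.exe, not sc: in PowerShell "sc" is an alias for Set-Content.
        $config = & sc.exe "\\$dc" qc $svc 2>&1 | ForEach-Object { "$_" }
        $status = & sc.exe "\\$dc" query $svc 2>&1 | ForEach-Object { "$_" }
        New-Object PSObject -Property @{
            DC        = $dc
            Service   = $svc
            StartType = Get-ScField -Lines $config -Field 'START_TYPE'
            State     = Get-ScField -Lines $status -Field 'STATE'
        }
    }
}

$report | Select-Object DC, Service, StartType, State | Format-Table -AutoSize

# The situation from the post: a disabled driver keeps the DFS service,
# which is set to automatic, from starting.
$report | Where-Object { $_.StartType -eq 'DISABLED' -or $_.State -ne 'RUNNING' } |
    ForEach-Object { Write-Warning "$($_.DC): $($_.Service) is $($_.StartType) / $($_.State)" }
```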
All Replies
- Hi Wolfgang,
You have to create your group policy by using the group policy management console on a Windows Server 2008 server, then the GPO will be processed by the Windows Server 2008 server. Make sure no one edits the GPO on Windows Server 2003 after you created it on Server 2008.
Danny
Now you can follow all the hot TS forum threads on twitter! http://www.twitter.com/mstermserv Founder of www.citrix-guru.com and www.rds-support.eu Linkedin: www.linkedin.com/in/dnyvandam
- Proposed As Answer by Danny van Dam, Wednesday, November 04, 2009 8:28 AM
- Hi Wolfgang,
Do you set the group policy "Hides these specified drives from My Computer" which is under [User Configuration | Administrative Templates | Windows Explorer ].
If so, you may need to link this GPO setting to a user-based object OU, as it's a User configuration GPO. Or you can enable the "User Group Policy Loopback Processing mode" to make this User configuration GPO apply to your Terminal Servers.
For more information about User Group Policy Loopback Processing mode, you can refer to:
http://support.microsoft.com/kb/231287
Best Regards,
Wilson Jia
This posting is provided "AS IS" with no warranties, and confers no rights.
- Hi Danny
thanks for your reply. I used the Group Policy Management Tool of the Windows 2003 DC to create the Policy. I did this in another domain (W2K3 DC and 2008 TS) and it worked well. Is it possible to connect the Server 2008 gpedit.msc to a 2003 DC? I didn't manage to connect it right now.
Greetings,
Wolfgang
- Have a look at this thread from the TS forum about the same problem:
http://social.technet.microsoft.com/forums/en-US/winserverTS/thread/367dd511-a926-4deb-bb5a-78fa67a5fc24/
Danny.
- Hi all,
seems to be a security issue in the domain I joined the TS.
In order to check this out, I did a fresh installation of a new W2K3 domain, joined the TS to this domain, created a GPO with Windows 2003 group policy management console and .... it worked.
Very strange - so now I have to troubleshoot the customer domain, why this doesn't work here.
Any ideas highly appreciated.
Thanks,
Wolfgang
- Hello Wolfgang,
Maybe an easy one but first try to rejoin the server to the domain. Maybe something went wrong the first time :-)
Robert
- Hi Robert,
thank you for your reply.
After investigating the whole day, I found out something really strange:
When I move the computer accounts of the TS boxes to the built-in container "Computers" in AD, the "gpupdate" on the TS box works without errors.
When I move the computer accounts of the TS boxes to an OU other than "Computers" (even a newly created one), the "gpupdate" command on the TS box results in an error message. The event log says that the TS box has no access to the policy ini-file.
Anyone ever heard about such a behaviour?
Greetings,
Wolfgang
- Hello,
Did you also remove the computer object from AD??
Robert
- Hi Robert,
no, I didn't remove the computer object from AD, I only moved the computer object from a self-generated OU to the built-in OU Computers, then it worked. When moving the computer object back to the OU or even to a newly created OU, I received the error message "access denied" in the TS event log.
Wolfgang
- Hi,
Did you enable the "Block Inheritance" on the TS OU in the GPMC? Where are the GPOs linked to? Is this GPO setting a Computer Configuration?
Please paste here a "gpresult /z" output of the TS.
Best Regards,
Wilson Jia
This posting is provided "AS IS" with no warranties, and confers no rights.

