Policy trouble with 2 domain controllers

    Question

  • Until recently, our network had a single 2003 domain controller.  We recently purchased a 2012 server and also made it a domain controller but decided to leave the domain at a 2003 functional level.  We have a mix of XP and Win7 clients.  When I try to implement a GPO on folder redirection, I receive an unknown error during processing on the GP Modeling.  When I run the model twice, once without specifying a DC or specifying the 2003 server, the Folder redirection fails with an unknown error.  When I run modeling and select the 2012 server, it applies correctly.  In the field I'm seeing some clients working, others are not.  Any advice that allows me to keep both DCs up and running?

    Thursday, March 14, 2013 5:56 PM


All replies

  • Sounds like you have issues with SYSVOL replication.

    You should have more info in event-log.

    Btw; make your 2012 the FSMO master of all roles and create your GPOs on that and no longer on the 2003 server.
    Always use the latest OS!


    --
    Goran Johansson
    http://gjohansson.com/blog

    Thursday, March 14, 2013 7:02 PM
  • The 2012 is the FSMO master of all roles.  I don't see anything in logs pointing to an issue.  When I started using Win 7 clients, I had to create the central store for the W7/2008 ADMX files.  Now that I'm making GPOs with 2012, do I need to do a similar action on the 2003 box to hold GPO info for W8/2012?
    • Edited by bjamrok Thursday, March 14, 2013 7:12 PM
    Thursday, March 14, 2013 7:11 PM
  • No, it should do this automatically.

    Check both DCs' SYSVOL folders and see that they look identical.
    If not, even after leaving it time to replicate, you have issues with FRS replication and should see some entries in the system log about not being able to replicate.

    Everything you do in GPMC should be done with the 2012 server in mind, don't do any modifications (or modelling) with the 2003 box anymore.


    • Proposed as answer by G Johansson Thursday, March 14, 2013 7:15 PM
    Thursday, March 14, 2013 7:15 PM
  • I checked sysvol on both and it's the same # of files and folders on each.  Running modeling from the 2012 DC, I ran the same user on the same computer against both DCs.  On 2012, modeling shows correct settings, and under the folder redirection GPO it shows it's applied, Extensions configured shows "folder redirection" and WMI shows "xp"; when modeled against 2003, both these fields are blank.
    Thursday, March 14, 2013 7:57 PM
  • I got this error.  Any thoughts?  I can't find this permission difference nor how to correct it.

    Friday, March 15, 2013 11:37 AM
  • On 15.03.2013 12:37, bjamrok wrote:
    > I can't find this permission difference nor how to correct it.
     
    Open a command window and enter
     
    icacls \\DC1\sysvol\%userdnsdomain%\policies\{policy GUID}
    icacls \\DC2\sysvol\%userdnsdomain%\policies\{policy GUID}
     
    Check the output.
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
    Friday, March 15, 2013 12:29 PM
  • Do I need to do this for each policy?  I have 23 GPOs
    Friday, March 15, 2013 12:36 PM
  • On 15.03.2013 13:36, bjamrok wrote:
    > Do I need to do this for each policy?  I have 23 GPOs
     
    One should be sufficient to see what's causing the issue.
     
    Friday, March 15, 2013 12:37 PM
  • I did the above for the first policy.  I saw no discrepancy in the permissions.  I did see 2 identical lines for domain\domain admins.  Is that correct?  I'll compare each GUID 1 by 1 now unless there is a better idea.

    Friday, March 15, 2013 12:49 PM
  • Another interesting fact.  I counted my GPOs in the GPMC, which is 23 GPOs.  In both Sysvols, there are 24 GUID folders and a PolicyDefinitions folder.  Should I have the extra GUID folder?
    Friday, March 15, 2013 12:58 PM
  • On 15.03.2013 13:58, bjamrok wrote:
    > Another interesting fact.  I counted my GPOs in the GPMC, which is 23
    > GPOs.  In both Sysvols, there are 24 GUID folders and a
    > PolicyDefinitions folder.  Should I have the extra GUID folder?
     
    Are you replicating with NTFRS or DFSR? But anyway, it doesn't really
    matter. I'd focus on sysvol replication errors now; this extra folder
    should not be there. Each policy has a sysvol GUID folder, and each
    sysvol GUID folder belongs to a policy.
     
    Friday, March 15, 2013 3:09 PM
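The two checks suggested above (icacls on one policy folder per DC, and "each GPO has one SYSVOL folder and vice versa") can be run for all 23 GPOs at once. This is an added example, not code from the thread: it reads the GPO list from AD (what GPMC counts), lists the GUID folders in each DC's SYSVOL share, and compares each folder's owner/DACL across DCs using Get-Acl's SDDL string instead of icacls text. It assumes the GroupPolicy and ActiveDirectory RSAT modules and PowerShell 3.0 or later (both present on a 2012 DC with GPMC), and a domain admin session.

```powershell
# Added example (not from the thread). Checks the SYSVOL side of every GPO on every DC:
# orphan GUID folders with no GPO in AD, GPOs with no folder on a DC, and ACL differences
# between DCs. Assumes GroupPolicy + ActiveDirectory modules and PowerShell 3.0+.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dcs    = @((Get-ADDomainController -Filter *).HostName)
$root   = "SYSVOL\$($domain.DNSRoot)\Policies"

# GUID -> display name, taken from AD (the set GPMC counts); keys normalised to upper case
$known = @{}
foreach ($g in Get-GPO -All -Domain $domain.DNSRoot) {
    $known["{$($g.Id.ToString().ToUpper())}"] = $g.DisplayName
}

# Step 1: each DC's SYSVOL must hold exactly one folder per GPO and nothing extra
foreach ($dc in $dcs) {
    $folders = Get-ChildItem -Path "\\$dc\$root" -Directory |
               Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
               ForEach-Object { $_.Name.ToUpper() }
    foreach ($f in $folders) {
        if (-not $known.ContainsKey($f)) { Write-Warning "$dc : orphan SYSVOL folder $f has no GPO in AD" }
    }
    foreach ($guid in $known.Keys) {
        if ($folders -notcontains $guid) { Write-Warning "$dc : GPO '$($known[$guid])' $guid has no SYSVOL folder" }
    }
}

# Step 2: owner and DACL of each GPO folder must be identical on every DC.
# Comparing the SDDL string means duplicate ACEs (like the doubled 'domain admins'
# line mentioned in this thread) and ACE-order differences both register as a mismatch.
$reference = $dcs[0]
foreach ($guid in $known.Keys) {
    $refPath = "\\$reference\$root\$guid"
    if (-not (Test-Path $refPath)) { continue }          # already reported in step 1
    $refSddl = (Get-Acl -Path $refPath).Sddl
    foreach ($dc in ($dcs | Where-Object { $_ -ne $reference })) {
        $path = "\\$dc\$root\$guid"
        if (-not (Test-Path $path)) { continue }          # already reported in step 1
        if ((Get-Acl -Path $path).Sddl -ne $refSddl) {
            Write-Warning "ACL mismatch for GPO '$($known[$guid])' $guid between $reference and $dc"
        }
    }
}
```

A folder flagged in step 1 with no GPO in AD is the kind of orphan discussed above; a step 2 mismatch is what the per-policy icacls comparison would reveal, just for every GPO at once.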
  • I believe it's FRS, but can you instruct on how to determine that?  I have also learned that in Server 2012 the GPMC has a status tab which replaces many of the past tools from server 08 and 03.  I selected each GPO and found 2 that prompted me with a permissions mismatch between sysvol and AD.  It gave me a simple OK button to rectify.  Before, I had GPOs that failed ACL replication in both the SYSVOL and Active Directory categories; now the SYSVOL errors are gone, and I have 18 GPOs with the error only in the AD category.

    When running DCdiag again from the 2012 box against the 2003 box, the 2003 box fails the Advertising (not a time server), services (expects a win32_share_process value), and system log where eventlog=system could not be retrieved.

    Friday, March 15, 2013 7:00 PM
  • On 15.03.2013 20:00, bjamrok wrote:
    > I believe it's FRS, but can you instruct on how to determine that?
     
    If your domain was promoted using 2003 or earlier, it IS FRS. Check
    Event Viewer...
     
    Saturday, March 16, 2013 12:23 AM
  • It's FRS.  I see no errors in the Event viewer.  Still have policies not working correctly when they use the 2003 DC.  I deleted the one orphaned policy and within 1 minute, the 2003 Sysvol was updated and reflected the deletion.  Still can't understand what is going on.  Is there a way to "reset" the sysvol and AD information on the 2003, and make it re-load it all from the 2012?
    Saturday, March 16, 2013 12:28 AM
  • Ok, as my latest test, I deleted a GPO that I did not need via the GPMC.  The GUID is gone from ADSI, but the folders are still in Sysvol.  When I try to delete the folder from sysvol, I get an access denied error.  So I tried to change ownership to domain\administrator, and still get access denied error.  When I deleted the other orphaned policy from sysvol, it worked without issue.  Any suggestions?
    Saturday, March 16, 2013 12:58 AM
  • Even though security appears to be the same, I can delete a GPO folder from 2003, but not from 2012, even though I logged into each with Administrator credentials.  So, can I be running into some other security restrictions on 2012?  Maybe UAC??  I'll continue to investigate, but any help is greatly appreciated.
    Monday, March 18, 2013 11:51 AM
  • Found Error 2092 in the logs.  One for Schema, one for Partitions.  Any ideas?
    Monday, March 18, 2013 1:59 PM
  • On 16.03.2013 01:58, bjamrok wrote:
    > Ok, as my latest test, I deleted a GPO that I did not need via the
    > GPMC.  The GUID is gone from ADSI, but the folders are still in
    > Sysvol.  When I try to delete the folder from sysvol, I get an access
    > denied error.  So I tried to change ownership to domain\administrator,
    > and still get access denied error.  When I deleted the other orphaned
    > policy from sysvol, it worked without issue.  Any suggestions?
     
    Stop NTFRS and set start mode to disabled on ALL DCs. Make a backup copy
    of Sysvol on the PDC emulator. Take ownership of sysvol and grant
    yourself full access, do a backup copy again. Then rebuild sysvol
    according to http://support.microsoft.com/kb/315457 - D4 on the PDC,
    then D2 on all other DCs. That's at least what I would resort to...
     
    Monday, March 18, 2013 7:42 PM
  • Thanks for all your help,

    We ended up getting some outside help, and this issue was ultimately resolved by:

    Using ADSI Edit to reset the permissions on the GPOs that had errors back to default permissions.  This had to be done on both DCs.

    Selecting each GPO in the GPMC, which prompted to fix the Sysvol permissions to match AD.  This also had to be done on both DCs.

    That cleared all the errors and we saw consistent modeling.

    Thanks.

    • Marked as answer by bjamrok Monday, April 01, 2013 1:18 AM
    Monday, April 01, 2013 1:18 AM