Backup DC Not Enforcing Group Policy or Running Scripts

    Question

  • Hello TechNet,

    Longtime lurker, first time poster. I have recently upgraded our domain from running two 2003 boxes and running FL2000/DL2003, to running two 2008R2 boxes and FL2008R2/DL2008R2. Things seem to be going very well, boxes replicating nicely, logins processing normally, etc... but for one small problem. If a user logs in through the backup DC, their Group Policy won't run. This causes two huge concerns: one, their drives won't map. Two, the CryptoWall GPO I've built isn't running. If they log in through the PDC, everything's fine. The backup is a VM, so for the short-term I have disabled the NIC on it, forcing all users to log in through the PDC. This is fine for now, but it's not a permanent solution.

    Relevant context:
    * In addition to not running GPOs, the backup DC also will not run logon scripts.
    * The backup DC used to be an RDS server. All roles have been removed and it was repurposed as a DC.
    * Users were remoting into this server at one point. As a safeguard, many directories were made hidden/read-only. I believe I have corrected this wherever possible, but it's also possible I've missed something.

    Thank you for reading, I look forward to your wisdom.


    Monday, February 09, 2015 1:37 PM

Answers

  • > One thing I just noticed: SYSVOL and NETLOGON shares are missing. They
    > are shared on the DC, all permissions and security settings are what
    > they should be, but they are totally inaccessible from any other machine.
     
    Then again check Sysvol replication. It MUST complete to make
    sysvol/netlogon available. I'd suggest to do a D2 on the failing DC.
     

    Martin

    How about reading a GOOD book about GPOs?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Friday, February 13, 2015 11:01 AM

All replies

  • > * In addition to not running GPOs, the backup DC also will not run logon
    > scripts.
     
    please run "gpupdate" on this DC2 - output?
     
    Suppose sysvol replication is broken. Check FRS eventlog on the first
    DC1, I'd guess you'll see a Journal Wrap error. If yes and DC1 is your
    PDC: Do NOT follow the solution in the event log entry. Instead, do a D4
    on DC1 and a D2 on DC2.
     

    Martin

    How about reading a GOOD book about GPOs?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Monday, February 09, 2015 5:35 PM
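    As an added example (not from the thread or from Martin), a PowerShell check that walks the points raised in this reply and in the later posts: whether \\DC\SYSVOL and \\DC\NETLOGON are reachable over the network, the SysvolReady and BurFlags registry values, and recent FRS journal-wrap events. It assumes the placeholder hostnames DC1 and DC2, the Remote Registry service reachable on both DCs, and a domain-admin session on a domain member.

```powershell
# Added diagnostic, not from the original posts. Assumes: run as a domain admin
# on a domain member, Remote Registry and event-log RPC reachable on both DCs.
# 'DC1' and 'DC2' are placeholder names; replace with your PDC and backup DC.
$DCs = @('DC1', 'DC2')

# FRS event IDs of interest in the "File Replication Service" log.
$FrsEvents = @{
    13568 = 'JOURNAL WRAP (DC will not publish SYSVOL until recovered)'
    13508 = 'trouble enabling replication from a partner'
    13509 = 'replication to a partner enabled'
    13516 = 'SYSVOL published; FRS no longer blocking the DC role'
}

foreach ($dc in $DCs) {
    Write-Host "=== $dc ==="

    # 1. Can clients reach the shares? Without them, no GPOs and no logon scripts.
    foreach ($share in 'SYSVOL', 'NETLOGON') {
        $state = if (Test-Path "\\$dc\$share") { 'reachable' } else { 'NOT REACHABLE' }
        Write-Host ("  \\{0}\{1,-9} {2}" -f $dc, $share, $state)
    }

    # 2. Netlogon only publishes the shares once SysvolReady is 1, which FRS sets
    #    after the initial sync completes. 0 or missing means sync never finished.
    try {
        $hklm  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $dc)
        $ready = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\Netlogon\Parameters').GetValue('SysvolReady')
        Write-Host "  SysvolReady = $ready"

        # 3. BurFlags: 0xD2 = non-authoritative restore (D2), 0xD4 = authoritative (D4).
        #    The key name contains '/', so use .NET rather than the registry provider.
        $burKey = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup')
        $bur = if ($burKey) { $burKey.GetValue('BurFlags') } else { $null }
        Write-Host ("  BurFlags    = {0}" -f $(if ($null -ne $bur) { '0x{0:X}' -f $bur } else { 'not set' }))
    } catch {
        Write-Host "  Registry query failed: $($_.Exception.Message)"
    }

    # 4. Most recent FRS events; a 13568 with no later 13516 means the DC is
    #    still stuck in journal wrap and will not share SYSVOL/NETLOGON.
    $events = Get-WinEvent -ComputerName $dc -MaxEvents 10 -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'File Replication Service'; Id = @($FrsEvents.Keys)
    }
    if (-not $events) { Write-Host '  No FRS events of interest found'; continue }
    foreach ($e in $events) {
        Write-Host ("  {0:u}  {1}  {2}" -f $e.TimeCreated, $e.Id, $FrsEvents[[int]$e.Id])
    }
}
```

    Run it from a workstation rather than from either DC so that step 1 tests the same network path the users' logons take.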
  • Both policies update normally and replication between DC1 and DC2 is functioning normally at this time.

    Also, SYSVOL on both units appears to be correct and the proper sharing is in place.

    • Edited by garm_bel_iblis Thursday, February 12, 2015 1:02 PM Added more information
    Thursday, February 12, 2015 12:57 PM
  • > Both policies update normally and replication between DC1 and DC2 is
    > functioning normally at this time.
     
    What do you mean by "both policies update normally"?
     
    > Also, SYSVOL on both units appears to be correct and the proper sharing
    > is in place.
     
    Did you check NTFRS and DFSR eventlogs on BOTH DCs?
     

    Martin

    How about reading a GOOD book about GPOs?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Thursday, February 12, 2015 1:38 PM
  • > What do you mean by "both policies update normally"?

    > Did you check NTFRS and DFSR eventlogs on BOTH DCs?

    As in, my GPUPDATE output is:
    -Updating Policy...
    -User Policy has completed successfully.
    -Computer Policy has completed successfully.

    Yes, and I'm not seeing any problem with replication whatsoever. Manual replication through sites and services is working, and manual verification of SYSVOL confirms.

    One thing I just noticed: SYSVOL and NETLOGON shares are missing. They are shared on the DC, all permissions and security settings are what they should be, but they are totally inaccessible from any other machine.
    • Edited by garm_bel_iblis Thursday, February 12, 2015 2:38 PM Added new information
    Thursday, February 12, 2015 2:04 PM