none
Group Policies not being applied to Computers

    Question

  • Hi I have just recently introduced a new Domain controller (server2012r2) with an existing SBS2008.

    I created a new GPO for folder redirection but it does not apply and I get this error.


    Computer Policy update has completed successfully.
    User Policy could not be updated successfully. The following errors were encount
    ered:

    The processing of Group Policy failed. Windows attempted to read the file \\Domain
    .local\SysVol\domain.local\Policies\{BEFCA76F-4089-417D-B385-FDA0A0EBBB98}\gpt.ini
     from a domain controller and was not successful. Group Policy settings may not
    be applied until this event is resolved. This issue may be transient and could b
    e caused by one or more of the following:
    a) Name Resolution/Network Connectivity to the current domain controller.
    b) File Replication Service Latency (a file created on another domain controller
     has not replicated to the current domain controller).
    c) The Distributed File System (DFS) client has been disabled.

    To diagnose the failure, review the event log or run GPRESULT /H GPReport.html f
    rom the command line to access information about Group Policy results.

    I have checked the NTFRS which was not working on the SBS for a while and fixed that. I have also made sure that there are no errors when running DCDIAG and check both servers with "repadmin /showrepl *" to make sure there are no errors showing.

    any one has an idea what else should I look at?

    Tuesday, December 30, 2014 1:58 AM

Answers

  • Check if there is any firewall port 445 blockage with the source & destination domain controller, from where client workstation is supposed to get policies.
    • Marked as answer by jinxed50 Sunday, January 4, 2015 1:06 AM
    Friday, January 2, 2015 11:57 AM

All replies

  • Hi,

    How many DCs are in your environment?

    Please check the version number of this GPO in all the DCs. If this mismatch, then you can identify the DC which is not processing the GPO properly. Version number is  a hexadecimal value.

    GPT.INI is a file contains the specific GPO configuration settings. This is a decimal number and it is a combination of User node and Machine node.


    Regards,

    Sajoor



    • Edited by Sajoor Tuesday, December 30, 2014 5:27 AM edit
    Tuesday, December 30, 2014 5:26 AM
  • Hi,

    >>I have checked the NTFRS which was not working on the SBS for a while and fixed that.

    Based on your description, please double check NTFRS event logs on both SBS2008 and server 2012 R2 domain controller. If the server 2012 R2 is healthy, you can try to do a non-authoritative retore for Sysvol on SBS 2008. Otherwise, you can try to do a authoritative restore for Sysvol on SBS 2008 and then do a non-authoritative restore on server 2012R2.

    Regarding how to force an authoritative and non-authoritative synchronization for DFSR-replicated SYSVOL, the following article can be referred to for more information.

    How to force an authoritative and non-authoritative synchronization for DFSR-replicated SYSVOL (like "D4/D2" for FRS)

    http://support.microsoft.com/kb/2218556

    Best regards,
    Frank Shen


    Tuesday, December 30, 2014 3:09 PM
    Moderator
  • Hi Thanks for reply guys

    I have just checked the File Replication Service event logs and saw this

    The File Replication Service moved the preexisting files in c:\windows\sysvol\domain to c:\windows\sysvol\domain\NtFrs_PreExisting___See_EventLog.
     
    The File Replication Service may delete the files in c:\windows\sysvol\domain\NtFrs_PreExisting___See_EventLog at any time. Files can be saved from deletion by copying them out of c:\windows\sysvol\domain\NtFrs_PreExisting___See_EventLog. Copying the files into c:\windows\sysvol\domain may lead to name conflicts if the files already exist on some other replicating partner.
     
    In some cases, the File Replication Service may copy a file from c:\windows\sysvol\domain\NtFrs_PreExisting___See_EventLog into c:\windows\sysvol\domain instead of replicating the file from some other replicating partner.
     
    Space can be recovered at any time by deleting the files in c:\windows\sysvol\domain\NtFrs_PreExisting___See_EventLog.

    After this event I have this

    The File Replication Service is no longer preventing the computer SBS-01 from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.
     
    Type "net share" to check for the SYSVOL share.

    I also checked on the 2012r2 and saw this in event logs for File replication service

    The File Replication Service is having trouble enabling replication from SBS-01 to DC-02 for c:\windows\sysvol\domain using the DNS name SBS-01.Domain.local. FRS will keep retrying.
     Following are some of the reasons you would see this warning.
     
    I stopped the NTFRS and restarted as well as netlogon service 

    After that I am getting 13516 event Id 

    Tuesday, December 30, 2014 4:58 PM
  • Ok so here what i have found out.

    If I create a GPO on Server2012r2 it replicated to SBS2008 I can see it in sysvol but not the other way around.

    I tried doing non- authoritative but when I drill down to the CN=Domain System Volume and right click and properties I can't find the following entry "MsDFSR" on either SBS2008 or 2012R2?

    Tuesday, December 30, 2014 9:17 PM
  • Check if there is any firewall port 445 blockage with the source & destination domain controller, from where client workstation is supposed to get policies.
    • Marked as answer by jinxed50 Sunday, January 4, 2015 1:06 AM
    Friday, January 2, 2015 11:57 AM
  • Thank Mallick and sorry for late reply

    Yes it was the windows firewall that was blocking replication from SBS to 2012r2. After making the exceptions for AD Services everything started to work.

    Sunday, January 4, 2015 1:07 AM
  • Many thanks for your confirmation.
    Monday, January 5, 2015 4:59 AM