Re: Group Policy issue and Solution?
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 01/24/05
- Next message: John Strow: "WXP SP2 and GPO"
- Previous message: Steven L Umbach: "Re: When URLs are pushed to a PC from the GPO"
- In reply to: Arby: "Group Policy issue and Solution?"
- Next in thread: Arby: "Re: Group Policy issue and Solution?"
- Reply: Arby: "Re: Group Policy issue and Solution?"
Date: Mon, 24 Jan 2005 17:55:07 -0600
First, I am a bit confused, as you say "2 DCs, one of which is a domain
controller", which is contradictory. Anyhow, it is possible that one of the
domain controllers was not properly registered in DNS or DNS was not working
for some reason [DNS service hung or stopped]; again, I am a bit confused
about the setup. Normally you want the first domain controller [PDC FSMO]
to point to itself and the other domain controller to point to the first DC
and then itself in its list of preferred DNS servers. It is very hard to
say exactly what happened without seeing it before fixing it. At the time of
the problem, running netdiag and dcdiag on both domain controllers would
probably have pinpointed the problem.

I don't know of a way to prevent a user from logging on if Group Policy is not
applied, but if you have disabled "cached" logons they will not be able to
log on if a domain controller cannot be found to authenticate the user.
Group Policies are actually applied to a computer/user based on last logon
if Group Policy cannot be refreshed at startup/logon. Any Group Policy
changes since the last successful application of Group Policy would not be
implemented, of course. --- Steve
"Arby" <XXroger@Blacktech-inc.XXcom> wrote in message
news:usRMDGlAFHA.2104@TK2MSFTNGP14.phx.gbl...
> Hello,
> I recently had an issue with win2000 group policy. I have a customer who
> has 2 DCs, one of which is a domain controller, and both are DNS servers,
> and server1 is also a terminal server (I know that they should not have
> this config, but they have no choice). Everything was working, but I
> noticed that server1 had a wrong DNS entry, so it was changed to point to
> server 2 (they are both AD integrated DNS). The customer made the change,
> but didn't reboot the server. Shortly thereafter, terminal server users
> started getting Eventid 1000 errors (their group policy was not getting
> applied). It seems the GP could not be found. I also could not edit the
> GP. I rebooted server2, and then everything came back. The GP was applied,
> and I could edit it. The confusing issue is that this setup was working
> until we correctly changed the DNS. What in DNS could have caused the GP to
> become inaccessible on ALL domain controllers?
>
> The second part of my question is this...is there a setting that I can
> change to NOT allow logons if group policies are not applied? This
> situation caused quite a security issue, and I would like to take the
> necessary precautions. Thanks in advance.
>
> Roger
>
>