Re: Group Policy issue and Solution?


From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 01/25/05


Date: Tue, 25 Jan 2005 17:48:45 -0600

While it is recommended that other dc's point to the pdc fsmo as their
primary preferred dns server it certainly is possible for it to work
pointing to itself if AD had replicated properly and its own dns zone
contained all the _srv records for the domain. My guess is there was a
problem with the dns service not responding on one of the AD dns
servers/dc's and the reboots cleared it up. I would also point the second dc
to itself as second in the list of preferred dns servers in case the primary
can not respond. The link below may help.

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382

Question: How do I set up DNS for other domain controllers in the domain
that are running DNS?

Answer: For each additional domain controller that is running DNS, the
preferred DNS setting is the parent DNS server (first domain controller in
the domain), and the alternate DNS setting is the actual IP address of
network interface.

I know dns a bit but you may also want to post in one of the dns newsgroups
if you want the dns gurus to conjecture what happened. As far as not being
able to logon with GP not applying, I do not know of a way to do such. You
might also want to post in the TS newsgroup to see if they have any creative
solutions. --- Steve

"Arby" <XXroger@Blacktech-inc.XXcom> wrote in message
news:eP3AsJuAFHA.4008@TK2MSFTNGP09.phx.gbl...
> Steve,
> Thanks for the reply. I am sorry for the confusion. The issue was that a
> GP that "locked down" terminal server users (desktop changes, security
> settings, etc) could not be found (I got event ID 1000, windows could not
> find the file...). Users logged on without the GP being applied! I was
> hoping that Msoft had a workaround which would prevent this from happening
> as it can be a pretty big security issue.
>
> I know that DNS was the culprit, I just can't figure out exactly how it
> happened. To clarify: Server1 and Server 2 are both AD integrated DNS
> servers. Server2 is the pdc/fsmo. Server1 was pointing to the wrong DNS
> server, but strangely, it was working. I saw the error and pointed serv1
> DNS to serv2. Upon reboot of serv1, the customer started getting the GP
> errors. Only after rebooting serv2 did the error cease.
>
> Thanks for your help...
>
> Roger
>
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:e9fDAAnAFHA.3504@TK2MSFTNGP12.phx.gbl...
>> First I am a bit confused as you say "2 DCs, one of which is a domain
>> controller" which is contradictory. Anyhow it is possible that one of the
>> domain controllers was not properly registered in dns or dns was not working
>> for some reason [dns service hung or stopped], again I am a bit confused
>> about the setup. Normally you want the first domain controller [ pdc fsmo]
>> to point to itself and the other domain controller to point to the first dc
>> and then itself in its list of preferred dns servers. It is very hard to
>> say exactly what happened without seeing it before fixing it. At the time of
>> the problem, running netdiag and dcdiag on both domain controllers would
>> probably have pinpointed the problem.
>>
>> I don't know of a way to prevent a user to logon if Group Policy is not
>> applied but if you have disabled "cached" logons they will not be able to
>> logon if a domain controller can not be found to authenticate the user.
>> Group Policies are actually applied to a computer/user based on last logon
>> if Group Policy can not be refreshed at startup/logon. Any Group Policy
>> changes since last successful application of Group Policy would not be
>> implemented of course. --- Steve
>>
>>
>> "Arby" <XXroger@Blacktech-inc.XXcom> wrote in message
>> news:usRMDGlAFHA.2104@TK2MSFTNGP14.phx.gbl...
>> > Hello,
>> > I recently had an issue with win2000 group policy. I have a customer who
>> > has 2 DCs, one of which is a domain controller, and both are DNS servers,
>> > and server1 is also a terminal server ( I know that they should not have
>> > this config, but they have no choice). Everything was working, but I
>> > noticed that server1 had a wrong DNS entry, so it was changed to point to
>> > server 2 (they are both AD integrated DNS). The customer made the change,
>> > but didn't reboot the server. Shortly thereafter, terminal server users
>> > started getting Eventid 1000 errors (their group policy was not getting
>> > applied). It seems the GP could not be found. I also could not edit the
>> > GP. I rebooted server2, and then everything came back. The GP was applied,
>> > and I could edit it. The confusing issue is that this setup was working
>> > until we correctly changed the DNS. What in DNS could have caused the GP
>> > to become inaccessible on ALL domain controllers?
>> >
>> > The second part of my question is this...is there a setting that I can
>> > change to NOT allow logons if group policies are not applied? This
>> > situation caused quite a security issue, and I would like to take the
>> > necessary precautions. Thanks in advance.
>> >
>> > Roger
>> >
>> >
>>
>>
>
>
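The DNS layout Steve quotes from the KB article (PDC FSMO points to itself; every other DC lists the PDC first and itself second), the SRV-record point in his first reply, and the cached-logon point in his earlier reply can all be audited from one place on a current domain. The script below is an added example, not code from the thread or from Microsoft. It assumes the ActiveDirectory module, PowerShell remoting (WinRM) to each DC and to the terminal server, Windows Server 2012 or later (so the DnsClient cmdlets exist; the 2000-era servers in the thread would be checked with netdiag and dcdiag instead), and a hypothetical terminal server name passed as -TerminalServer.

```powershell
<#
  Added example (not from the thread). For every DC in the current domain:
    - compare its IPv4 DNS client list against the KB 291382 order quoted above
    - ask its own DNS service for the domain's DC locator SRV records, which is
      what clients need to find a DC and its SYSVOL-hosted group policy
  Then report CachedLogonsCount on a terminal server: 0 means cached logons
  are disabled, so, as Steve notes, a user cannot log on at all when no DC
  can be found (it does not by itself block a logon whose GPO is missing).
#>
#Requires -Modules ActiveDirectory
param(
    # Hypothetical terminal server name; replace with the real host.
    [string]$TerminalServer = 'server1'
)

$domain  = Get-ADDomain
$pdcName = $domain.PDCEmulator
$pdcIp   = (Resolve-DnsName -Name $pdcName -Type A -ErrorAction Stop |
            Where-Object Type -eq 'A' | Select-Object -First 1).IPAddress
$srvName = "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)"

$dcs = @(Get-ADDomainController -Filter *)
$report = foreach ($dc in $dcs) {
    $self  = $dc.IPv4Address
    $isPdc = ($dc.HostName -ieq $pdcName)

    # Expected preferred/alternate order from the KB answer quoted in the thread.
    $expected = if ($isPdc) { @($self) } else { @($pdcIp, $self) }

    # Actual DNS client list, read on the DC itself (first interface that has one).
    $actual = @(Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses.Count -gt 0 } |
            Select-Object -First 1 -ExpandProperty ServerAddresses
    })
    $ordered = ($actual | Select-Object -First $expected.Count) -join ','
    $dnsOk   = ($ordered -eq ($expected -join ','))

    # Does this DC's own DNS service answer for the DC locator records?
    try {
        $srv = Resolve-DnsName -Name $srvName -Type SRV -Server $self -ErrorAction Stop
        $srvTargets = @(($srv | Where-Object Type -eq 'SRV').NameTarget)
    } catch {
        $srvTargets = @()   # DNS service not answering: the failure mode Steve guessed at
    }

    [pscustomobject]@{
        DC           = $dc.HostName
        Role         = if ($isPdc) { 'PDC FSMO' } else { 'additional DC' }
        ExpectedDns  = $expected -join ','
        ActualDns    = $actual -join ','
        DnsOrderOk   = $dnsOk
        SrvRecordsOk = ($srvTargets.Count -ge $dcs.Count)   # every DC should be registered
        SrvTargets   = $srvTargets -join ','
    }
}
$report | Format-Table -AutoSize

# Cached logon setting on the terminal server (the policy
# "Interactive logon: Number of previous logons to cache").
$cached = Invoke-Command -ComputerName $TerminalServer -ScriptBlock {
    (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon').CachedLogonsCount
}
$state = if ([int]$cached -eq 0) { 'cached logons disabled' } else { 'cached logons allowed' }
"{0}: CachedLogonsCount = {1} ({2})" -f $TerminalServer, $cached, $state
```

Run it from a DC or management host as a domain admin; a row with DnsOrderOk false shows a DC pointed somewhere other than the KB layout (the situation Roger started with), and a row with SrvRecordsOk false shows a DC whose own DNS service cannot hand out the locator records, which is the condition under which clients stop finding the domain and its group policy even though the DNS client settings look right.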


