Re: Group policy and File Replication Service



I was referring to the instance when it is on the network, but its SYSVOL
isn't up-to-date.

GPOTool is not very intensive and you can tell it to run against only a
particular DC(s).

--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy
Check out http://www.gpoguy.com -- The Windows Group Policy Information Hub:
FAQs, Whitepapers and Utilities for all things Group Policy-related
And, the Windows Group Policy Guide is out from Microsoft Press!!! Check it
out at http://www.microsoft.com/mspress/books/8763.asp
GPOGUY Blog: http://blogs.dirteam.com/blogs/gpoguy



"Amanda" <Amanda@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:FCB5B53D-7CEA-4B7D-9817-8D1B290CEE90@xxxxxxxxxxxxxxxx
> How does the client authenticate to a DC that isn't on the network? So
> there's a separate SYSVOL for each DC?
>
> Is it ok to run GPOTool.exe any time or will it cause network problems?
>
> "Darren Mar-Elia (MVP)" wrote:
>
>> I'm not sure of the effect of removing those intermittent DCs from the
>> replica set--if a client can still authenticate to a DC, then you will have
>> problems if SYSVOL is missing or out of date--so in addition to removing it
>> from FRS replication, you need to stop and disable the Netlogon service on
>> that DC to block authentication to it.
>>
>> To answer your question, here is the way this works. GPO changes are
>> typically made against the PDC emulator DC in an environment. Those changes
>> replicate in both AD and SYSVOL to every other DC. When a computer or user
>> goes to process GP, it reads the list of GPOs it needs to process from AD,
>> based on the normal DC locator process, and then gets the settings out of
>> those GPOs from SYSVOL. If either location is out-of-date or out-of-sync or
>> just not there, then you will have problems. An easy way to see out-of-sync
>> DCs from a GP perspective is to run GPOTool.exe against all your DCs. It
>> will tell you the state of this data from a GP perspective.
>>
>> "Amanda" <Amanda@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:0BF6F5EA-2911-4D1C-A353-ADF6EC7E68A6@xxxxxxxxxxxxxxxx
>> > Oh one other thing. So given that the replication partners causing the
>> > errors are offline, is that error really what's resulting in the group
>> > policy failure? I'm just trying really hard to connect the dots. I assumed
>> > on initial glance at the logs, that these file rep service errors had to
>> > be the source of the problem, but now I'm not sure...now that I know they
>> > aren't even online. Then there's the issue of there being 2 other DC's
>> > across the country and connected over a VPN tunnel. Ugh. What if I went
>> > into DFS and took those replication partners offline... the ones that are
>> > up/down all the time??
>> >
>> > "Amanda" wrote:
>> >
>> >> I agree with you. I'm sure it does cause problems but alas... The
>> >> situation is this, the company that I work for designs software and some
>> >> of the developers require laptops running server and configured as DC's.
>> >> Honestly I think some of them are no longer in use period. I'm new
>> >> onboard and have been trying to determine what's up with the group
>> >> policy not working.
>> >>
>> >> "Darren Mar-Elia (MVP)" wrote:
>> >>
>> >> > Yikes, they really promise it in the Technet subscription? Wow, that's
>> >> > pretty amazing!
>> >> >
>> >> > Anyway, to your problem. The periodically offline DCs are only a
>> >> > problem if, when they are online, clients are trying to authenticate
>> >> > to them and they don't have SYSVOL properly shared out. In that case,
>> >> > GP processing will fail. May I ask why they are periodically offline?
>> >> > That causes other problems as you may know, because changes made to AD
>> >> > since the last time they were online won't necessarily replicate out
>> >> > in a timely manner. I would think that you're just asking for trouble
>> >> > with that kind of situation.
>> >> >
>> >> > Darren
>> >> >
>> >> > "Amanda" <Amanda@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> > news:EE5EAE06-5EB0-44E0-8936-D84EC6CD4E5A@xxxxxxxxxxxxxxxx
>> >> > > Thank you for your response. The "response by next biz day" that I
>> >> > > was referring to...this is what I was told when I bought my TechNet
>> >> > > subscription.
>> >> > >
>> >> > > Anyway, does it matter that the FRS errors I'm seeing on the DC are
>> >> > > for machines that are not always on the network? Isn't this behavior
>> >> > > expected when some of the other DC's it's trying to replicate with
>> >> > > are offline? Would that still cause a problem with group policies
>> >> > > for the users? I really appreciate your help on this. I'm confused!!!
>> >> > >
>> >> > > "Darren Mar-Elia (MVP)" wrote:
>> >> > >
>> >> > >> Amanda,
>> >> > >> Alas, there is no "SLA" on public newsgroups--at least, not that I
>> >> > >> know of. But, with respect to your problem, yes, the inability for
>> >> > >> some DCs to enable SYSVOL replication will prevent clients from
>> >> > >> getting GP correctly. Every DC needs to have shared Netlogon and
>> >> > >> SYSVOL. If they are not, you will have GP problems because clients
>> >> > >> read GP settings from the SYSVOL portion of a GPO. So, your first
>> >> > >> order of business is to fix FRS replication between all your DCs.
>> >> > >> There are a lot of KB articles on FRS problems, but I would
>> >> > >> recommend starting with this one:
>> >> > >> http://support.microsoft.com/kb/290762/en-us
>> >> > >>
>> >> > >>
>> >> > >> "Amanda" <Amanda@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> > >> news:37E15644-6781-4602-AA57-77E5C0762FE8@xxxxxxxxxxxxxxxx
>> >> > >> > I thought that these posts are supposed to receive a response by
>> >> > >> > next business day?
>> >> > >> >
>> >> > >> > "Amanda" wrote:
>> >> > >> >
>> >> > >> >> Hello,
>> >> > >> >> I'm having a problem with Group policy. We have 5 DC's on our
>> >> > >> >> network. The problem is that some of them are only online part
>> >> > >> >> time. I'm seeing lots of file replication and Kerberos errors in
>> >> > >> >> the event log on the PDC. The servers that Server1 is having
>> >> > >> >> trouble connecting to are the ones that are offline part time.
>> >> > >> >> So it isn't surprising to me that these errors are showing up.
>> >> > >> >> The problem is that along with the errors there is an issue with
>> >> > >> >> a very important group policy replicating to all the clients. A
>> >> > >> >> popup is supposed to occur when clients log on to the network
>> >> > >> >> and that is not happening on most machines. How do I go about
>> >> > >> >> fixing this and are these issues all related?
>> >> > >> >> Below is one of the errors I'm getting:
>> >> > >> >>
>> >> > >> >> Event Type: Warning
>> >> > >> >> Event Source: NtFrs
>> >> > >> >> Event Category: None
>> >> > >> >> Event ID: 13508
>> >> > >> >> Date: 1/19/2005
>> >> > >> >> Time: 8:20:43 AM
>> >> > >> >> User: N/A
>> >> > >> >> Computer: Server1
>> >> > >> >> Description:
>> >> > >> >> The File Replication Service is having trouble enabling
>> >> > >> >> replication from Server2 to Server1 for drive:\winnt\sysvol\domain
>> >> > >> >> using the DNS name Server2.domainname.suffix FRS will keep
>> >> > >> >> retrying.
>> >> > >> >> Following are some of the reasons you would see this warning.
>> >> > >> >>
>> >> > >> >> [1] FRS can not correctly resolve the DNS name
>> >> > >> >> martin.here.bates.ctc.edu from this computer.
>> >> > >> >> [2] FRS is not running on server2.domainname.suffix.
>> >> > >> >> [3] The topology information in the Active Directory for this
>> >> > >> >> replica has not yet replicated to all the Domain Controllers.
>> >> > >> >>
>> >> > >> >> This event log message will appear once per connection, After the
>> >> > >> >> problem is fixed you will see another event log message
>> >> > >> >> indicating that the connection has been established.
>> >> > >> >>
>> >> > >>
>> >> > >>
>> >> > >>
>> >> >
>> >> >
>> >> >
>>
>>
>>
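
Added example (not part of the original thread and not GPOTool's own code): a PowerShell check in the spirit of what the thread describes, comparing each GPO's version as stored in AD on a DC with the GPT.INI version in that same DC's SYSVOL, and flagging DCs that cannot be reached. It assumes the ActiveDirectory RSAT module and read access to every DC's SYSVOL share; the function name Get-GpoVersionState is hypothetical.

```powershell
# Added example: per-DC comparison of GPO versions in AD vs. SYSVOL (GPT.INI).
# Assumes the ActiveDirectory module (RSAT) and read access to \\<dc>\SYSVOL.
Import-Module ActiveDirectory

function Get-GpoVersionState {   # hypothetical helper name
    param([string]$DomainDns = (Get-ADDomain).DNSRoot)

    $domainDn = (Get-ADDomain -Identity $DomainDns).DistinguishedName
    foreach ($dc in Get-ADDomainController -Filter * -Server $DomainDns) {
        try {
            # Read the GPO containers from THIS DC's copy of the directory.
            $gpos = Get-ADObject -Server $dc.HostName `
                -SearchBase "CN=Policies,CN=System,$domainDn" `
                -LDAPFilter '(objectClass=groupPolicyContainer)' `
                -Properties displayName, versionNumber -ErrorAction Stop
        } catch {
            # Part-time DCs end up here when they are off the network.
            [pscustomobject]@{ DC = $dc.HostName; Gpo = '*'; AdVersion = $null
                               SysvolVersion = $null; State = 'DC unreachable' }
            continue
        }
        foreach ($gpo in $gpos) {
            # The container's Name is the GPO GUID, which is also its SYSVOL folder.
            $ini = "\\$($dc.HostName)\SYSVOL\$DomainDns\Policies\$($gpo.Name)\GPT.INI"
            $sysvolVersion = $null
            if (Test-Path -LiteralPath $ini) {
                $line = Select-String -LiteralPath $ini -Pattern '^\s*Version\s*=\s*(\d+)' |
                        Select-Object -First 1
                if ($line) { $sysvolVersion = [int64]$line.Matches[0].Groups[1].Value }
            }
            $state = if ($null -eq $sysvolVersion) { 'SYSVOL copy missing' }
                     elseif ($sysvolVersion -ne $gpo.versionNumber) { 'Version mismatch' }
                     else { 'In sync' }
            [pscustomobject]@{ DC = $dc.HostName; Gpo = $gpo.displayName
                               AdVersion = $gpo.versionNumber
                               SysvolVersion = $sysvolVersion; State = $state }
        }
    }
}

# Show only the DC/GPO pairs that would give clients stale or missing policy.
Get-GpoVersionState | Where-Object State -ne 'In sync' | Format-Table -AutoSize
```

A DC that reports 'SYSVOL copy missing' or 'Version mismatch' while it is online and answering logons is the case the thread warns about: clients that locate it will process incomplete or outdated policy.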

