Re: Group policy and File Replication Service
- From: Amanda <Amanda@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 18 Jan 2006 14:59:03 -0800
Thank you for all the help. I'll try that tool tonight and see how it goes.
"Darren Mar-Elia (MVP)" wrote:
> I was referring to the instance when it is on the network, but its SYSVOL
> isn't up-to-date.
>
> GPOTool is not very intensive and you can tell it to run against only a
> particular DC(s).
>
> --
> Darren Mar-Elia
> MS-MVP-Windows Server--Group Policy
> Check out http://www.gpoguy.com -- The Windows Group Policy Information Hub:
> FAQs, Whitepapers and Utilities for all things Group Policy-related
> And, the Windows Group Policy Guide is out from Microsoft Press!!! Check it
> out at http://www.microsoft.com/mspress/books/8763.asp
> GPOGUY Blog: http://blogs.dirteam.com/blogs/gpoguy
>
>
>
> "Amanda" <Amanda@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:FCB5B53D-7CEA-4B7D-9817-8D1B290CEE90@xxxxxxxxxxxxxxxx
> > How does the client authenticate to a DC that isn't on the network? So
> > there's a separate sysvol for each DC?
> >
> > Is it ok to run GPOTool.exe any time or will it cause network problems?
> >
> > "Darren Mar-Elia (MVP)" wrote:
> >
> >> I'm not sure of the effect of removing those intermittent DCs from the
> >> replica set--if a client can still authenticate to a DC, then you will
> >> have problems if SYSVOL is missing or out of date--so in addition to
> >> removing it from FRS replication, you need to stop and disable the
> >> Netlogon service on that DC to block authentication to it.
> >>
> >> To answer your question, here is the way this works. GPO changes are
> >> typically made against the PDC emulator DC in an environment. Those
> >> changes replicate in both AD and SYSVOL to every other DC. When a
> >> computer or user goes to process GP, it reads the list of GPOs it needs
> >> to process from AD, based on the normal DC locator process, and then
> >> gets the settings out of those GPOs from SYSVOL. If either location is
> >> out-of-date or out-of-sync or just not there, then you will have
> >> problems. An easy way to see out-of-sync DCs from a GP perspective is to
> >> run GPOTool.exe against all your DCs. It will tell you the state of this
> >> data from a GP perspective.
> >>
> >> "Amanda" <Amanda@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> news:0BF6F5EA-2911-4D1C-A353-ADF6EC7E68A6@xxxxxxxxxxxxxxxx
> >> > Oh one other thing. So given that the replication partners causing
> >> > the errors are offline, is that error really what's resulting in the
> >> > group policy failure? I'm just trying really hard to connect the
> >> > dots. I assumed on initial glance at the logs, that these file rep
> >> > service errors had to be the source of the problem, but now I'm not
> >> > sure...now that I know they aren't even online. Then there's the
> >> > issue of there being 2 other DC's across the country and connected
> >> > over a vpn tunnel. Ugh. What if I went into dfs and took those
> >> > replication partners offline... the ones that are up/down all the
> >> > time??
> >> >
> >> > "Amanda" wrote:
> >> >
> >> >> I agree with you. I'm sure it does cause problems but alas... The
> >> >> situation is this, the company that I work for designs software and
> >> >> some of the developers require laptops running server and configured
> >> >> as DC's. Honestly I think some of them are no longer in use period.
> >> >> I'm new onboard and have been trying to determine what's up with the
> >> >> group policy not working.
> >> >>
> >> >> "Darren Mar-Elia (MVP)" wrote:
> >> >>
> >> >> > Yikes, they really promise it in the Technet subscription? Wow,
> >> >> > that's pretty amazing!
> >> >> >
> >> >> > Anyway, to your problem. The periodically offline DCs are only a
> >> >> > problem if, when they are online, clients are trying to
> >> >> > authenticate to them and they don't have SYSVOL properly shared
> >> >> > out. In that case, GP processing will fail. May I ask why they are
> >> >> > periodically offline? That causes other problems as you may know,
> >> >> > because changes made to AD since the last time they were online
> >> >> > won't necessarily replicate out in a timely manner. I would think
> >> >> > that you're just asking for trouble with that kind of situation.
> >> >> >
> >> >> > Darren
> >> >> >
> >> >> > "Amanda" <Amanda@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> >> > news:EE5EAE06-5EB0-44E0-8936-D84EC6CD4E5A@xxxxxxxxxxxxxxxx
> >> >> > > Thank you for your response. The "response by next biz day" that
> >> >> > > I was referring to...this is what I was told when I bought my
> >> >> > > technet subscription.
> >> >> > >
> >> >> > > Anyway, does it matter that the frs errors I'm seeing on the DC
> >> >> > > are for machines that are not always on the network? Isn't this
> >> >> > > behavior expected when some of the other DC's it's trying to
> >> >> > > replicate with are offline? Would that still cause a problem
> >> >> > > with group policies for the users? I really appreciate your help
> >> >> > > on this. I'm confused!!!
> >> >> > >
> >> >> > > "Darren Mar-Elia (MVP)" wrote:
> >> >> > >
> >> >> > >> Amanda,
> >> >> > >> Alas, there is no "SLA" on public newsgroups--at least, not
> >> >> > >> that I know of. But, with respect to your problem, yes, the
> >> >> > >> inability for some DCs to enable SYSVOL replication will
> >> >> > >> prevent clients from getting GP correctly. Every DC needs to
> >> >> > >> have shared Netlogon and SYSVOL. If they are not, you will have
> >> >> > >> GP problems because clients read GP settings from the SYSVOL
> >> >> > >> portion of a GPO. So, your first order of business is to fix
> >> >> > >> FRS replication between all your DCs. There are a lot of KB
> >> >> > >> articles on FRS problems, but I would recommend starting with
> >> >> > >> this one:
> >> >> > >> http://support.microsoft.com/kb/290762/en-us
> >> >> > >>
> >> >> > >> "Amanda" <Amanda@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> >> > >> news:37E15644-6781-4602-AA57-77E5C0762FE8@xxxxxxxxxxxxxxxx
> >> >> > >> > I thought that these posts are supposed to receive a response
> >> >> > >> > by next business day?
> >> >> > >> >
> >> >> > >> > "Amanda" wrote:
> >> >> > >> >
> >> >> > >> >> Hello,
> >> >> > >> >> I'm having a problem with Group policy. We have 5 DC's on
> >> >> > >> >> our network. The problem is that some of them are only
> >> >> > >> >> online part time. I'm seeing lots of file replication and
> >> >> > >> >> Kerberos errors in the event log on the PDC. The servers
> >> >> > >> >> that Server1 is having trouble connecting to are the ones
> >> >> > >> >> that are offline part time. So it isn't surprising to me
> >> >> > >> >> that these errors are showing up. The problem is that along
> >> >> > >> >> with the errors there is an issue with a very important
> >> >> > >> >> group policy replicating to all the clients. A popup is
> >> >> > >> >> supposed to occur when clients log on to the network and
> >> >> > >> >> that is not happening on most machines. How do I go about
> >> >> > >> >> fixing this and are these issues all related?
> >> >> > >> >> Below is one of the errors I'm getting:
> >> >> > >> >>
> >> >> > >> >> Event Type: Warning
> >> >> > >> >> Event Source: NtFrs
> >> >> > >> >> Event Category: None
> >> >> > >> >> Event ID: 13508
> >> >> > >> >> Date: 1/19/2005
> >> >> > >> >> Time: 8:20:43 AM
> >> >> > >> >> User: N/A
> >> >> > >> >> Computer: Server1
> >> >> > >> >> Description:
> >> >> > >> >> The File Replication Service is having trouble enabling
> >> >> > >> >> replication from Server2 to Server1 for
> >> >> > >> >> drive:\winnt\sysvol\domain using the DNS name
> >> >> > >> >> Server2.domainname.suffix FRS will keep retrying.
> >> >> > >> >> Following are some of the reasons you would see this warning.
> >> >> > >> >>
> >> >> > >> >> [1] FRS can not correctly resolve the DNS name
> >> >> > >> >> martin.here.bates.ctc.edu from this computer.
> >> >> > >> >> [2] FRS is not running on server2.domainname.suffix.
> >> >> > >> >> [3] The topology information in the Active Directory for
> >> >> > >> >> this replica has not yet replicated to all the Domain
> >> >> > >> >> Controllers.
> >> >> > >> >>
> >> >> > >> >> This event log message will appear once per connection, After
> >> >> > >> >> the problem is fixed you will see another event log message
> >> >> > >> >> indicating that the connection has been established.
> >> >> > >> >>
>
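
The per-DC comparison described in the thread (the GPO list a DC holds in AD against the settings it holds in SYSVOL, plus whether SYSVOL and Netlogon are shared), as an added example that is not part of the original messages and is not GPOTool.exe itself. It assumes the ActiveDirectory PowerShell module, which postdates this thread, and read access to each DC's shares.

```powershell
# Added example (not from the thread): per-DC check of SYSVOL/NETLOGON shares
# and of each GPO's version in AD against GPT.INI in that DC's SYSVOL.
# Assumes the ActiveDirectory module and read access to every DC's shares.
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$policiesDn = "CN=Policies,CN=System,$($domain.DistinguishedName)"

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName

    # Every DC that can authenticate clients must share both of these.
    foreach ($share in 'SYSVOL', 'NETLOGON') {
        if (-not (Test-Path -Path "\\$name\$share")) {
            [pscustomobject]@{ DC = $name; GPO = '-'; AD = $null; Sysvol = $null;
                               Status = "$share share not reachable" }
        }
    }

    # Read the GPO list from this DC's own copy of the directory.
    try {
        $gpos = Get-ADObject -Server $name -SearchBase $policiesDn -SearchScope OneLevel `
            -Filter "objectClass -eq 'groupPolicyContainer'" `
            -Properties displayName, versionNumber -ErrorAction Stop
    } catch {
        [pscustomobject]@{ DC = $name; GPO = '-'; AD = $null; Sysvol = $null;
                           Status = "AD query failed: $($_.Exception.Message)" }
        continue
    }

    foreach ($gpo in $gpos) {
        # $gpo.Name is the GPO GUID in braces, which is also its SYSVOL folder name.
        $ini = "\\$name\SYSVOL\$($domain.DNSRoot)\Policies\$($gpo.Name)\GPT.INI"
        $sysvolVersion = $null
        if (Test-Path -LiteralPath $ini) {
            $m = Select-String -LiteralPath $ini -Pattern '^\s*Version\s*=\s*(\d+)' |
                 Select-Object -First 1
            if ($m) { $sysvolVersion = [long]$m.Matches[0].Groups[1].Value }
        }
        $status = 'OK'
        if ($null -eq $sysvolVersion) { $status = 'GPT.INI missing or unreadable' }
        elseif ($sysvolVersion -ne $gpo.versionNumber) { $status = 'AD and SYSVOL versions differ' }
        [pscustomobject]@{ DC = $name; GPO = $gpo.displayName; AD = $gpo.versionNumber;
                           Sysvol = $sysvolVersion; Status = $status }
    }
}
$report | Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

A DC that shows missing shares or mismatched versions here is one that clients can still authenticate to while reading missing or stale policy from it.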