Quick GPO question.

Frapple · 2 Feb 2010 at 09:40

Currently editing the default domain policy using Windows 7 Admin Tools on my local machine so I get access to the latest options (we have 2003 domain controllers) for all Win7 users.

For some reason the changes I'm making to the group policy aren't being reflected on the domain controllers, from what I can tell in dc\SYSVOL\domain\Policies folders they were last updated 6 days ago on dc2 and 9 days ago on dc1 (just changed to today on one as I was typing this, logged in, started Group Policy Management, tried again on dc2 but no luck)

Fairly sure this is causing the following error when trying to gpupdate /force

Updating Policy...

User policy could not be updated successfully. The following errors were encount
ered:

The processing of Group Policy failed. Windows attempted to read the file \\domain\SysVol\domain\Policies\{29C28925-9D2C-40D9-BA32-F43E850270EC}
\gpt.ini from a domain controller and was not successful. Group Policy settings
may not be applied until this event is resolved. This issue may be transient and
could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller
has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
Computer policy could not be updated successfully. The following errors were enc
ountered:

The processing of Group Policy failed. Windows attempted to read the file \\domain\SysVol\domain\Policies\{29C28925-9D2C-40D9-BA32-F43E850270EC}
\gpt.ini from a domain controller and was not successful. Group Policy settings
may not be applied until this event is resolved. This issue may be transient and
could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller
has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html f
rom the command line to access information about Group Policy results.

Assuming I can't just copy/paste the policies from one dc to the other, bound to be more controls somewhere. Is there any way to schedule/force sync of the policies between dc's?

Suppose I should stick to group policy management on the domain controllers from now on as this seems to be causing headaches all over.

Edit: Wasn't really a quick question at all was it?

Raumarik · 2 Feb 2010 at 10:06

Have you checked the eventlogs on the servers for replication? Only time I've seen problems like that (granted we're not using Win7 yet) is when the servers are spamming error messages, usually related to network settings, firewalls etc.

Burnsy2023 · 2 Feb 2010 at 10:45

Halfmad said:
Have you checked the eventlogs on the servers for replication? Only time I've seen problems like that (granted we're not using Win7 yet) is when the servers are spamming error messages, usually related to network settings, firewalls etc.

Indeed, check replication. A dcdiag should give you some useful information

BlueMhz · 2 Feb 2010 at 12:52

Does sounds like a replication problem.

Frapple · 2 Feb 2010 at 13:37

Bah had a long reply typed out but bluescreen, new hard drive arrived but it's DOA! Not having a good week here...

Thanks for the replies, event viewer has given me a lot more to go on. There's definitely some issue between the two domain controllers.

Even looking a the GPO through the domain controller that had a folder modification version of today only brings back 10% of the settings that were created two+ weeks ago.

Tried a fix that thought time was out of sync, no luck. Found a registry workaround that'll attempt tonight.