programming4us
programming4us
DESKTOP

Windows Server 2008 and Windows Vista : Troubleshooting GPOs - Group Policy Troubleshooting Essentials

6/6/2014 3:21:28 AM

When you discover a problem with Group Policy processing, you have several options for locating the source of the problem. Because Group Policy processing has many elements with many interdependent pieces of infrastructure, it is important that you take a methodical approach to troubleshooting.

  • Check the required infrastructure. Make sure that required services and components are running and configured as expected.

  • Check computer core configuration. Verify that the computer is connected to the network, is joined to the domain, is authenticated to a domain controller, and has the correct system time.

  • Check the scope of management (SOM). Ensure that the user or computer object is located under the correct organizational unit. Ensure that the GPO is linked to the correct Active Directory node.

  • Verify that default GPO processing has not been altered. Blocking policy inheritance, enforcing a GPO, security filtering, WMI filtering, and Group Policy Preferences item-level targeting alter default policy processing.

  • Ensure that the GPO and the Group Policy Preferences are not disabled. If a GPO or a portion of a GPO is disabled, this can prevent the application of the settings contained within the GPO from applying. Also, if individual settings are disabled (allowed by Group Policy Preferences), the policy might not process the settings. 

Common Problems with GPOs

Although the failure of all or part of Group Policy to process can be caused by many misconfigurations, some problems are common and can easily be identified and fixed. This section describes a variety of scenarios, problems, and solutions for situations in which Group Policy fails or provides undesired results.

Many companies, including Microsoft, have reported that over 70 percent of all GPO problems are associated with DNS. So when a Group Policy problem arises, you should always think DNS first! There can be many hidden issues with DNS; here are the steps you should take to check DNS settings:

  1. Ensure that the client has the correct IP address configurations. If the client cannot contact DNS, GPOs will not apply. You can run the Ipconfig command from the command prompt to verify the IP address.

  2. Make sure that the Dynamic Host Configuration Protocol (DHCP) server has all of the IP configurations correct. These include DNS server, default gateway, domain name, and subnet mask. The DHCP administration tool is available in the Administrative Tools menu.

  3. Make sure that the client is receiving IP information, if it is DHCP enabled. You can run the Ipconfig command with the /all switch to see all related IP information for that computer.

  4. Make sure that the correct records are listed in DNS, for both client and server (including domain controllers). There must be a CNAME entry for all computers on the network (domain controllers, servers, and desktops), and the correct SRV records for the domain controllers must be running the domain. Refer to the article titled “How DNS Support for Active Directory Works,” at http://technet2.microsoft.com/windowsserver/en/library/9d62e91d-75c3-4a77-ae93-a8804e9ff2a11033.mspx?mfr=true, for information about how DNS and Active Directory work together.

  5. Make sure that the correct DNS server is listed in the primary and secondary settings on all computers (domain controllers, servers, and desktops). Without the correct DNS server configured, the domain controller SRV record will not be found and Group Policy will not apply. You can view the current DNS server configured on the computer by running the Ipconfig command with the /all switch.

How It Works: Internal and ISP DNS Servers

If the DHCP service is controlled by the outward-facing router that is receiving the IP address from the ISP, it is likely that this router is receiving the DNS server information from the Internet service provider (ISP). In this case, the DHCP server might be configuring clients with the ISP-delivered DNS server, rather than the internal Active Directory–based DNS server. If so, all computers running Windows that are located on the local LAN must be configured with a manual DNS server, which must be the internal DNS server. The internal DNS server will be configured to forward all requests that are not for the internal domain to the DNS servers at the ISP.

Asynchronous Group Policy Processing

When Group Policy is configured to process GPO settings asynchronously, it might take one, two, or even three reboots or logons to get all of the settings to apply. For your review, asynchronous and synchronous processing are defined as follows:

  • Asynchronous . Windows does not wait for the network stack to initialize before starting and allowing the user receive the desktop.

  • Synchronous . Windows waits for the network stack to initialize, and all Group Policy foreground processing occurs before the user receives the desktop.

If you want all settings to apply on a foreground refresh, you must configure Group Policy to apply synchronously.

Foreground-Only GPO Settings

Some GPO settings do not process in the background. For example, you might see that a GPO setting is updated, and then run GPUpdate to apply the setting. You run Resultant Set of Policy (RSoP) to determine whether the policy has applied, and you notice that it has. However, the setting that you configured in the GPO is still not appearing on the computer.

If the setting is under a CSE such as software installation, folder redirection, Group Policy drive maps, scripts, deployed printer connections, Microsoft Internet Explorer branding, Group Policy printers, or offline files, you will notice this behavior. All of the settings that fall under these CSEs update only on a foreground refresh.

Network Connection

In any case in which you are not connected to the network, you will not get Group Policy updates. When a background or foreground refresh occurs, Group Policy updates occur only if the entire authentication and discovery process occurs. This includes much of what we have discussed in this troubleshooting section, including accessing DNS, authenticating to a domain controller, and providing the correct log-on credentials.

To verify that you have network connectivity, you can use the Ping command. When using the Ping command, you should always Ping many computers and interfaces. At a minimum, you should Ping your own IP address, the IP address of a computer on your subnet, the default gateway, and a domain controller.

To determine which domain controller authenticated your computer at logon, you can run the Set command from a command prompt. This command displays many variables, but the Logonserver variable indicates which domain controller authenticated you. You can also Ping this domain controller name to determine whether you have connectivity.

If you do not have network connectivity, you should answer the following questions:

  • Is the network adapter enabled?

  • Is the network cable plugged in?

  • Did the DHCP server configure IP information?

  • Is the computer set up for DHCP or static IP information?

  • Is the DNS server configured properly?

  • Are the IP address and subnet mask correct if configured statically?

GPO Function after WMI Filter Deletion

WMI filters can target specific computers based on the current state, environment, and setup of the computer. However, if you have linked a WMI filter to a GPO, but you no longer want the WMI filter to apply to the GPO, you should not just delete the WMI filter file.

The reason for this is that the WMI filter file is not a part of the GPO—it is linked to a GPO. When you delete the WMI filter file without removing the link to the GPO, the GPO still thinks the WMI filter should be used. When the GPO refers to the WMI filter to return the list of objects to apply the GPO to, it returns a null set, and the GPO will not apply to any object.

Time Synchronization

Kerberos validation and authentication will fail if the time difference between a client computer and its log-on domain controller is greater than five minutes. This failure can in turn cause problems with DNS registration, Group Policy processing, and other essential computer processes. To check a computer’s current system time and date, type the following command exactly as shown at a command prompt.

net time \\%ComputerName%

The output is the current time and date on the local computer:

Current time at \\CLIENT1 is 12/7/2007 2:02 PM

To check the system time on the log-on domain controller, type the following command at a command prompt:

net time

The output is the current time and date on the log-on domain controller:

Current time at \\SERVER1 is 12/7/2007 2:02 PM

Note

You can type net time /set to synchronize the local computer time with the time on the log-on domain controller. To automatically synchronize time for all computers in a domain, you can use the Windows Time Synchronization service (W32Time). For more information about W32Time, refer to the article titled “Basic Operation of the Windows Time Service” at http://support.microsoft.com/kb/224799.

Unavailable PDC Emulator

When the domain controller that controls the PDC emulator role is not available, editing of GPOs will fail. This is because the system relies on the PDC emulator to make changes to all GPOs by default. This is not a hard-coded feature, and in some cases it can be beneficial to not use the PDC emulator. For example, if you want to target a domain controller in a remote site for updating a GPO that will affect users in the site more quickly, you will want to use the domain controller in that site, which might not be the PDC emulator.

If the PDC emulator is not available, you will be prompted to select another domain controller, as shown in Figure 1. In this dialog box, you can select a different domain controller to make the changes to the GPO. The replication of both the Group Policy template (GPT) and Group Policy container (GPC) will still function as normal, and the changes will be sent to all domain controllers as usual.

When the PDC emulator is not available for GPO editing, a dialog box prompts you to select a different domain controller.
Figure 1. When the PDC emulator is not available for GPO editing, a dialog box prompts you to select a different domain controller.
Other  
  •  Windows Server 2008 and Windows Vista : Creating and Using the ADMX Central Store
  •  Windows Server 2008 and Windows Vista : Migrating .adm Templates to ADMX Files
  •  Windows Server 2008 and Windows Vista : ADMX Files,Default ADMX Files, Using Both .adm Templates and ADMX Files
  •  Windows 8 : Configuring networking (part 7) - Managing network settings - Managing a wireless network
  •  Windows 8 : Configuring networking (part 6) - Managing network settings - Adding a second default gateway,Connecting to a wireless network
  •  Windows 8 : Configuring networking (part 5) - Managing network settings - Understanding the dual TCP/IP stack in Windows 8, Configuring name resolution
  •  Windows 8 : Configuring networking (part 4) - Managing network settings - Configuring IP settings
  •  Windows 8 : Configuring networking (part 3) - Managing network settings - Managing network profiles
  •  Windows 8 : Configuring networking (part 2) - Managing network settings - Using the Network and Sharing Center
  •  Windows 8 : Configuring networking (part 1) - What’s new in networking in Windows 8
  •  
    Video
    PS4 game trailer XBox One game trailer
    WiiU game trailer 3ds game trailer
    Top 10 Video Game
    -   Minecraft Mods - MAD PACK #10 'NETHER DOOM!' with Vikkstar & Pete (Minecraft Mod - Mad Pack 2)
    -   Minecraft Mods - MAD PACK #9 'KING SLIME!' with Vikkstar & Pete (Minecraft Mod - Mad Pack 2)
    -   Minecraft Mods - MAD PACK #2 'LAVA LOBBERS!' with Vikkstar & Pete (Minecraft Mod - Mad Pack 2)
    -   Minecraft Mods - MAD PACK #3 'OBSIDIAN LONGSWORD!' with Vikkstar & Pete (Minecraft Mod - Mad Pack 2)
    -   Total War: Warhammer [PC] Demigryph Trailer
    -   Minecraft | MINIONS MOVIE MOD! (Despicable Me, Minions Movie)
    -   Minecraft | Crazy Craft 3.0 - Ep 3! "TITANS ATTACK"
    -   Minecraft | Crazy Craft 3.0 - Ep 2! "THIEVING FROM THE CRAZIES"
    -   Minecraft | MORPH HIDE AND SEEK - Minions Despicable Me Mod
    -   Minecraft | Dream Craft - Star Wars Modded Survival Ep 92 "IS JOE DEAD?!"
    -   Minecraft | Dream Craft - Star Wars Modded Survival Ep 93 "JEDI STRIKE BACK"
    -   Minecraft | Dream Craft - Star Wars Modded Survival Ep 94 "TATOOINE PLANET DESTRUCTION"
    -   Minecraft | Dream Craft - Star Wars Modded Survival Ep 95 "TATOOINE CAPTIVES"
    -   Hitman [PS4/XOne/PC] Alpha Gameplay Trailer
    -   Satellite Reign [PC] Release Date Trailer
    Game of War | Kate Upton Commercial
    programming4us
     
     
    programming4us