Group policy etc

[moiebus]

A quick thanks to a very useful bunch of people, been reading for a while and it seems that i am not suffering alone However, the school i work for (which means me) has this problem:
Two servers one W2k3 and one W2k, the newer one for curriculum and the other for Admin(we had another but someone else found out what happens if you boot to CD and don't know what you are doing :twisted: )
The first issue is folder redirection(i have read most of the posts on this) not working for all students ALL of the time. I am only redirecting desktop and start menu its very temperamental. The GP i have(vbs script) for setting default printer per room(OU) only works when the full set of policies work.

All of this started when the curriculum server was upgraded. I have checked(today) after reading about the SYSVOL and FRS to discover that not only is that not working(path not found) but GPM on the W2k3 server has completley lost the will to find anything and just reports errors.
Have tried stopping and restarting the service as per error message and running Net Share. :?:
So... i thought i would share a few of my woes instead of continuing fishing through microsofts Volumes of 'help'.
Thanks in advance

[ChrisH]

Go to the microsoft site and download dcdiag and netdiag and run them both and see if they bring up anything.

[moiebus]

Very quick thank you ChrisH, have downloaded both now i will wait...till Monday. I actually stated the problem started with the server(W2k3) i meant to say it started after the summer when i upgraded all the clients to XP Sp2 from 2000. I deleted the old profiles, i was using mandatory for the pupils but have not been able to get that to work either since.
Cheers again

[NetworkGeezer]

Ah manadatory profiles ....

I suspect that the permisions of the mandatory profile weren't changed to allow changes in the student context. GPOs operate by making registry changes on the user hive (ntuser.man). If this is still set to only give administrators or the user it was copied from full control then that might cause problems.

[ajbritton]

Install this on your server, use it to enable 'full logging' on the problem PCs, logon on to a PC with a problem account then use the log analysis feature to find out excatly what is going on.

[moiebus]

Cheers again, i had the security on the profile folder set as instructed by an MS walktrough(create a user MPM, copy locally ect) but will check again. Have downloaded the suggested program will try and see what shows up on what looks to be a very busy Monday(like there is any other sort!)

[moiebus]

Monday..How nasty? Anyway i ran Netdiag and came up with errors(no surprise there)
-Default Gateway Test (fail) no gateway reachable for this adapter
-DNS test - (fail) FATAL dns registration for " " is incorrect on all DNS servers

Not completely sure what caused this, i have been told today that one of the (i didn't know there were two) network cards was disabled by EDIT last week.

The servers IP address' are correct, however i can not ping the stated IP for the Gateway??

All other tested items (netdiag) are passed.
Having not too much joy at the moment, help please

[Geoff]

The gateway test will fail if:

a) the gateway IP is unpingable (firewalled) this is a reasonable configuration for your border router/firewall and you shouldn't worry about it.
b) you didn't set a gateway IP.

Primary DNS should point to another AD DNS server. Secondary DNS should point to localhost. (Assuming you have 2 DCs).

[djm968]

I disagree with Geoff, the primary DNS should point to itself if it is an AD DNS server.

Check the DNS records for the DC, if the server has two NIC's and one has been disabled this could cause serious issues with DNS

[moiebus]

Okay getting just a little confused right about now The W2K3 server has one NIC. It can not resolve the stated 'gateway', GPM says network path not found. File replication is showing errors relating to the in ability to resolve the share(it explains the possible causes and suggests forcing a stop/start of ntfrs) Which due to the fact it can't reach the other server is obvious.
The W2K server has two NIC's a 10/100 and a 1000. The 10/100 has been disabled. The event log for this machine is altogether more relaxed and has more warnings than anything else suggesting that it can't contact the other server but will try again later(if it feels like it?) AD and GP both work as 'normal' except for the fact its obviously not right. The significant error is that shown from netdiag : no gateway!
Having neither set the servers up or having paid that much attention in the past(or being responsible for them) this is a new one on me. cheers for the help

[kingswood]

I disagree with Geoff, the primary DNS should point to itself if it is an AD DNS server.

Check the DNS records for the DC, if the server has two NIC's and one has been disabled this could cause serious issues with DNS

Yeah- Primary DNS Server (if it is an AD Server) should indeed point to itself.

Paul

[Geoff]

I disagree with Geoff, the primary DNS should point to itself if it is an AD DNS server.

While this will work, it'll also fill your event logs up on the DC with lots of errors complaining about the netlogin service not being able to find the SRV records. This is because the netlogin service starts before the DNS service does. In extreme cases you will actually start to see replication delays or even failures.

It's all explained in this KB article.

http://support.microsoft.com/kb/825036

'Domain controller with DNS installed' is the relevant section. As I explained above, I'm advocating the third method.

[kingswood]

I think Geoff what may have prompted the query about your point was your emphatic "..should point". This is only a third option in a list of three possible (and workable) methods of installing DNS on an AD network- as detailed on the KB article you linked to.

I have installed dozens of servers with DNS on them using the primary DC with DNS installed as the primary DNS reference- as per most training materials (even MS Press) and never had my event log even hint at SRV records not being found (even that can be remedied). Im sure it probably happens, but I have never seen it.

Good link though- thanks.

[GrumbleDook]

I'm another one in favour of pointing the DNS to itself .. and secondary pointing to the other DC.

We do get the odd error but that tends to point at other issues ... and they can be helpful in resolving issues.

Then again, I would recommend DNS & BIND and DNS on Windows Server 2003 to most people though ... and they do talk about the option of alternate pointing for DNS ...

[PiqueABoo]

the gateway IP is unpingable (firewalled) this is a reasonable configuration for your border router/firewall

It's no big deal, but I think a pingable gateway is better. If a Windows box with an unexpired lease starts up and can't find your DHCP server, it will ping the gateway. If it gets a reply it carries on using that lease, if it doesn't get a reply it uses APIPA.

If it does go to APIPA it then checks for the DHCP every few mins so everything will recover shortly after you've fixed a DHCP outage, but users are much less likely to notice when your gateway is pingable.

[This is useful for renumbering in a mostly DHCP environment]

Edit/PS: I remember that Net Logon & DNS thing at startup, but haven't seen it for a while.. is it something that stopped happening with 2K3?