Group Policy nightmare.

[bladedanny]

Right here goes, this is a long one, and I'm fresh out of ideas...HELP!

We have recently purchased a new server as the old one is getting old. since installing the new server any new client joined to the domain has not picked up the group policy settings, it does however pickup logon scripts and user's home folder etc.

Also some of the older clients still point to the old server for certain things, such as network desktops, occasionaly the old computers will point to the correct places but sometimes will not, this is very intermitent.

Servers are Server 2003
and clients are 2000/xp new machines are set up with XP and the old clients that aren't working are mainly 2000.

I have checked DNS and the group policy settings and everything looks ok. pinging the domain results in the new server IP, all scripts and file paths have been changed to reflect the server that they are on.

And I'm out of ideas so anything is welcome.

Cheers,

Dan

[maf_001]

I have done loads of new server intergrations, this problem sometimes occures when i do single domain upgrades.

The problem is probaly with your new DC not replicating GPO's here are some test steps that might help,


To test Group policy on the new DC open Group policy management console, right click your domain and choose your new DC, see if you can navigate and change your GPO's when using your new DC.


can you navigate to:
\\newdc\NETLOGON\
\\newdc\SYSVOL\

These are the domain controllers replication folders. If they do not exist your clients will not get GPO's

Did you move all 5 roles from the old DC to the new DC using ntdsutil?
If you have removed your old DC and not moved all the roles your old DC will be holding some information your domain needs.

When you promoted the new DC did you leave both DC's running side by side?
LDAP and GP needs time to repliacte somtimes it can take 2 days (on realy slow networks)

You might spot the problem when checking the above, if not can answer the questions i will be able to help you diagnose the problem further.

Hope this helps

[bladedanny]

Hi, Thanks maf_001,

I have checked all you said and they seem to be fine.

Both servers have been running side by side for a few weeks now, I am only in once a week hense the time its took so far.

It wasn't me who transfered the roles but the guy who did knows what he's doing and I'm pretty sure he moved all 5 across.

GPOs seem to be there and identical on each DC but client are not picking them up.

Any more suggestions? lol

Thanks,

Dan

[bladedanny]

Just ran gpresult on one of the 'offending' clients and I'm a bit worrid about this bit under user settings


The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)

westways computers
Filtering: Not Applied (Empty)

clicker5 install
Filtering: Not Applied (Empty)

core software
Filtering: Not Applied (Empty)

What could be causing this?

btw the above listed GPOs are all of the GPOs that are supposed to run

attched is the full readout from gpresult.

Cheers,

Dan

[maf_001]

which DC is WestWaysPDC? the new or old one?

also check AD sites and services, expand your site and you should see both your servers, check that both have replication partners in the NTDS Settings if not create the partners and check the replication topology.

[bottletop]

What speed is the network running at?

Is it running gigabit, I have had similar issues in the past of GPOs not applying or some will apply ie the user ones but not the computer or even both.

One way I have found to get around this is to try regediting:

A couple of options you can try:

(1)

start up regedit:

HKEY_local_Machine > software > microsoft > windows NT > current version > winlogon >

add the following Dword

GpNetworkStartTimeoutPolicyValue
120 decimal

(you can change the value to a higher one if needed)

(2)

HKEY_Local_Machine>system>Currentcontrolset>servic es>tcpip>Parameters>

add the following dword
DisableDHCPMediaSense set value to 1

These might give you a chance.

Please not that these regedits are case sensitive.

Hope this helps

[bladedanny]

Hi,

@maf_001
WestWaysPDC is the old server.

Both servers are listed in AD sites and services and both have replication.

@bottletop
The network should be running at 100mbs (or there abouts) The speed is not classed as slow

Thanks,

Dan

[maf_001]

Hrm it is strange that it is looking at your old server for the GPO's and not getting them, you could move all the roles back to the old server to see if the new server is causing the problems. Once you have moved them back your clients should get GPOS after a gpupdate /force. This would rule out your new DC.

if you need the process to move all five roles let me know.

Mark

[bladedanny]

I have just ran gpresult on a few other machines (windows 2000) and they are getting the policy from pcd (the new one) but are still not picking up all the policies.

Thanks,

It't too late in the day to start messing with roles, also alot of people are using the network at the moment, and If anything stoped working I would be hunted down. It may have to wait for the holidays.

Cheers, I'll keep you all informed,

Dan

[RabbieBurns]

was dhcp updated to include the new DC as the primary dns?

[sted]

What speed is the network running at?

Is it running gigabit, I have had similar issues in the past of GPOs not applying or some will apply ie the user ones but not the computer or even both.

would they be dell pcs (intel nics) connected to a hp switch by any chance? if so flash the switch problem vanishes

[bladedanny]

@Rabbieburns
Yeah DHCP has been updated so DNS points to new server.

@sted
no they are viglen machines on 3com/netgear switch