Domain policies not being pulled across

[badsurname]

Hi all, I have an interesting problem and would like to see if anyone else is experiencing the same issue and perhaps see if there is a known solution.

We have an issue at present with a number of computers on the network randomly deciding not to pull all of the network policies across. Our servers are running Windows Server 2003 SP2 and the majority of the PCs are running Windows XP SP2 with the occasional SP1 machine that has slipped through the net.

In the last six or seven weeks we have begun to find a number of our newer computers not pulling across the network policies for the more restricted accounts such as those for the students and teaching staff.

As far as I am aware, this has only happened on our newest machines, which not surprisingly have the latest updates and patches. The problem is, no amount of trickery seems to allow these machines to behave as they should once they go wrong. This extends to gpupdate /force, deleting the machine accounts from AD, reimaging and renaming said machines (obviously placing them in their room OU in AD).

At present this has only affected a small percentage of our computers but I am fearful that this will become significantly worse. The fact that this also seems to be happening at random makes it difficult to diagnose. I have spoken to a friend of mine who works at a local college that appears to be having a similar problem occuring during the same period of time and coinciding with a mass update of their clients. Of course that could always be a red herring, we have also updated all of our machines but this is only happening to the newest computers at present.

As I am sure you can tell, this has caused more than a few headaches with my brain currently in a state of frazzled disrepair.

Has anyone experienced the same problem?

[StewartKnight]

are you using static IP's or DHCP?

[badsurname]

Hi there, we're using DHCP addresses for the client machines.

[pooley]

Are the network cards gigabit ?

Had this problem and has to disable mediasense to get gpo to apply properly.

http://support.microsoft.com/kb/239924/

[badsurname]

On the new machines they are indeed gigabit adapters. I'll give that a try and see what happens. Thank you. That may well match the correlation that I have noticed

[badsurname]

OK, my initial tests have come up with a negative for that idea. I added the new registry key, restarted the computer, applied gpupdate /force, restarted and still found I had the same issue as before. I must admit, this is proving to be more than a little frustrating.

[pooley]

Any errors in Event viewer ?

[timbo343]

Ive had this before.. One or more of your DCs is not replicating correctly. Download something called Ultra sound. Stick it on one of your DCs and this will find out which one is not replicating correctly.

[badsurname]

Ive had this before.. One or more of your DCs is not replicating correctly. Download something called Ultra sound. Stick it on one of your DCs and this will find out which one is not replicating correctly.

Thank you for your help. I have identified a potential problem, but I will have to defer the possible solution until a time when no-one is using the network.

[timbo343]

you can do it when people are using the network, i did. If you have a spare server running that aint a dc, make it a dc, and then de-mote the faulty one.

[badsurname]

The problem is the old Primary Domain Controller, which was turned off without being demoted or decomissioned. I'd feel happier dealing with that at a time when it won't cause trouble. I've gone home for the night, so I'll decomission it in the morning and let you know what happens.

[badsurname]

OK, we have completely removed all traces of the old Global Catalogue server. Ultrasound shows healthy communication between the new GC and DC. Propagation seems to be working well and yet I still cannot force the policy to be pulled across on all the computers.

It is causing me to wonder if the fault could lie with the machines themselves. It does only seem to occur at present on the newer machines, which do have gigabit controllers, however the registry entry to stop media sense has not proven to be successful.

That said, I am not ruling out the possibility of DC replication issues. I have been informed this morning that computers cannot logon when the secondary domain controller is taken offline. This is despite the fact that the GC is still online and supposedly has responsibility for this function. I haven't tested this personally and I do not know what is causing it, but it does make me think it may be related.

I will keep people informed of my findings as I progress and as always, input is greatly appreciated.

[HodgeHi]

I had an issue where the gigabit card (in one machine though) would not get GPO although it had done previously. I had to change it to 10/100mb instead even though it was running on a gigabit switch.

I've not used ultrasound before. Does it do the same as replmon?

[badsurname]

I've not used replmon so I wouldn't know I'm afraid. It looks like a more powerful version of it from what I can see though.

I have tried switching the ethernet controller to 100MB/s manually, but this has met with no success.

[HodgeHi]

Was the DC that was downed get re-installed or left off-line for a long period of time?

Can't recall the length of time it needs to be off-line before the other DCs think it is down for good.