
exocet_cm
Free at last, free at last
Premium
join:2003-03-23
kudos:3

[Windows] Windows fails to query list of GPOs

Been hammering at this problem for four days now.
Server 2012 R2 domain at 2012 R2 function level.
DCDIAG reports the entire forest is super healthy (w00t w00t). It specifically said "super healthy" in the report.

Problem is I can't get a random slathering of computers to update user policy. Could be a dozen, could be a thousand, I don't know. Too many computers in our domain to know for sure.

What I do know is this:
• Started after last Patch Tuesday
• Pops up randomly
• Pops up on 7, 8, 8.1, 2K8, 2K8R2 and 2012 R2 OSes. Does not affect any DCs (which are all 2K12R2).

This was the closest I could come across with the problem. »blogs.technet.com/b/askds/archiv ··· 145002=4

We aren't running any legacy 2003 DCs but we did, over time, upgrade to 2K8 from 2K3 then to 2012 R2 from 2K8.

Anybody seen any similar problems? I know last Tuesday's patch Tuesday killed my workstation with 8.1 in which MS pulled the KB. Any problems out there with GPOs not applying?
--
"I have often regretted my speech, never my silence." - Xenocrates
My wife's Etsy shop: »www.laurenCball.com ; After-hours tech: »www.JLTCtech.com


PToN
Premium
join:2001-10-04
Houston, TX
I did experience something like this some time ago. The problem was that AD DFSR was malfunctioning and was not replicating domain data to the other ADs. Clients doing a manual gpupdate would poll the "updated" AD, but as soon as the PC restarted, it would poll the out-of-date AD, causing problems with the GPOs.

So in a nutshell, some of my clients were polling GPOs from SERVER2, and others from SERVER1, and AD DFSR wasn't replicating data over to SERVER2, causing all my problems.

Maybe something similar to what I had?
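
A check for the situation PToN describes, added here as an example and not taken from any post in the thread: it compares each GPO's version in AD with its SYSVOL copy on every DC, assuming the replication failure concerns SYSVOL content. The function name `Find-GpoVersionDrift`, the row layout and the sample values are hypothetical and constructed; the commented collection step uses `Get-ADDomainController` and `Get-GPO` from the RSAT modules.

```powershell
# Added example. Flags GPOs whose AD and SYSVOL versions disagree on a DC,
# or whose SYSVOL version differs from one DC to another.
function Find-GpoVersionDrift {
    param([Parameter(Mandatory)] [object[]] $Rows)

    # Per-DC check: the AD object and the SYSVOL copy should carry the same version.
    $Rows | Where-Object { $_.UserAD -ne $_.UserSysvol -or $_.ComputerAD -ne $_.ComputerSysvol } |
        ForEach-Object { [pscustomobject]@{ Gpo = $_.Gpo; DC = $_.DC; Issue = 'AD/SYSVOL mismatch' } }

    # Cross-DC check: every DC should serve the same SYSVOL version of a given GPO.
    $Rows | Group-Object Gpo | ForEach-Object {
        $versions = @($_.Group | ForEach-Object { "$($_.UserSysvol)/$($_.ComputerSysvol)" } |
            Sort-Object -Unique)
        if ($versions.Count -gt 1) {
            [pscustomobject]@{ Gpo = $_.Name; DC = ($_.Group.DC -join ','); Issue = 'SYSVOL differs between DCs' }
        }
    }
}

# Live collection on an admin host with the ActiveDirectory and GroupPolicy modules:
#   $rows = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
#       Get-GPO -All -Server $dc | ForEach-Object {
#           [pscustomobject]@{
#               DC = $dc; Gpo = $_.DisplayName
#               UserAD = $_.User.DSVersion;         UserSysvol = $_.User.SysvolVersion
#               ComputerAD = $_.Computer.DSVersion; ComputerSysvol = $_.Computer.SysvolVersion
#           }
#       }
#   }

# Constructed sample: SERVER2 still serves an older SYSVOL copy of one GPO.
$rows = @(
    [pscustomobject]@{ DC = 'SERVER1'; Gpo = 'Dept User Policy'; UserAD = 7; UserSysvol = 7; ComputerAD = 3; ComputerSysvol = 3 }
    [pscustomobject]@{ DC = 'SERVER2'; Gpo = 'Dept User Policy'; UserAD = 7; UserSysvol = 5; ComputerAD = 3; ComputerSysvol = 3 }
    [pscustomobject]@{ DC = 'SERVER1'; Gpo = 'Baseline';         UserAD = 2; UserSysvol = 2; ComputerAD = 9; ComputerSysvol = 9 }
    [pscustomobject]@{ DC = 'SERVER2'; Gpo = 'Baseline';         UserAD = 2; UserSysvol = 2; ComputerAD = 9; ComputerSysvol = 9 }
)

Find-GpoVersionDrift -Rows $rows | Format-Table -AutoSize
```

In a real domain, group on the GPO's `Id` rather than its display name, since display names are not guaranteed unique.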


urbanriot
Premium
join:2004-10-18
Canada
kudos:3
reply to exocet_cm
Did you evaluate the eventlog on the target PCs?

Occasionally Microsoft will break GPOs by basically changing them on either the workstation OS or the server and when a system can't apply all the settings, it sometimes fails to apply the rest. Basically one setting will trigger a complete 'stop' in terms of applying a GPO to a system. There have been many times throughout my history of working with GPOs that systems receive a couple registry keys / settings but don't receive the rest because a setting is broken.

This may not be your issue but the eventlog might be illuminating. Check both system and application.


exocet_cm
Free at last, free at last
Premium
join:2003-03-23
kudos:3
reply to exocet_cm
I'll keep digging. This has been 13-hour work days for 5 days straight with a ton of clues but everything leads to a dead end.

The glass between my office and the data center looks like this: »gs1.wac.edgecastcdn.net/8019B6/d ··· 1280.jpg

The biggest clue being everything broke after patching on Wednesday following "Patch Tuesday".


urbanriot
Premium
join:2004-10-18
Canada
kudos:3
I've also seen admins forget to 'enforce' policies that should be enforced. No intention to insult but sometimes we focus too deep on an issue and forget to evaluate the obvious.

You could also try splitting the user policy in pieces to determine which settings are not applying or are disrupting the application. However the eventlog evaluation should come first.


exocet_cm
Free at last, free at last
Premium
join:2003-03-23
kudos:3
said by urbanriot:

I've also seen admins forget to 'enforce' policies that should be enforced. No intention to insult but sometimes we focus too deep on an issue and forget to evaluate the obvious.

You could also try splitting the user policy in pieces to determine which settings are not applying or are disrupting the application. However the eventlog evaluation should come first.

Will keep looking and post results.
Thanks


exocet_cm
Free at last, free at last
Premium
join:2003-03-23
kudos:3
reply to exocet_cm
...and the verdict is... (drumroll) more than 41 GPOs applied to an OU.
Anything in the OU with more than 41 GPOs fails to apply ALL GPOs.

Working on resolving that but at least we know the problem.


urbanriot
Premium
join:2004-10-18
Canada
kudos:3
That's not a Microsoft limitation.


exocet_cm
Free at last, free at last
Premium
join:2003-03-23
kudos:3
said by urbanriot:

That's not a Microsoft limitation.

Not at all.

Something is jacked up with this OU, which is unfortunate because it is the parent OU for an entire department.
MS limitation is 999 GPOs per USER (I think) and we crap out at 41 in this OU.
Nothing stands out in ADSI edit. We created a brand new OU (server 2012 R2 domain) and it looks identical in ADSI to this OU which was carried up from a 2003 domain.

dcdiag verbose logging across all DCs shows healthy with no replication problems. Security is being cleaned up a little bit on the OUs and CNs in ADUC but, besides that, our process of elimination brings it down to 41 GPOs in the OU.


exocet_cm
Free at last, free at last
Premium
join:2003-03-23
kudos:3
reply to exocet_cm
Moving the OU objects and recreating the OU does not fix the problem. Now time to combine GPOs.
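
To find which OUs are in the situation exocet_cm reports (more than 41 GPOs applied), the following added example, which is not from any post in the thread, counts direct and effective GPO links per OU from `Get-GPInheritance` output. The function name `Get-GpoLinkSummary`, the helper `New-SampleLink` and the OU paths are hypothetical and constructed; the threshold of 41 is the count observed in this thread, not a documented limit.

```powershell
# Added example. Summarizes GPO links per OU from Get-GPInheritance output.
function Get-GpoLinkSummary {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Som,
        [int] $Threshold = 41   # count observed in this thread, not a documented limit
    )
    process {
        # GpoLinks = linked directly to this OU; InheritedGpoLinks = resultant list
        # after inheritance, blocking and enforcement. Only enabled links are counted.
        $direct    = @($Som.GpoLinks          | Where-Object { $_.Enabled })
        $effective = @($Som.InheritedGpoLinks | Where-Object { $_.Enabled })
        [pscustomobject]@{
            Path             = $Som.Path
            DirectLinks      = $direct.Count
            EffectiveLinks   = $effective.Count
            InheritanceBlock = [bool]$Som.GpoInheritanceBlocked
            OverThreshold    = $effective.Count -gt $Threshold
        }
    }
}

# Live use on an admin host with the ActiveDirectory and GroupPolicy modules:
#   Get-ADOrganizationalUnit -Filter * |
#       ForEach-Object { Get-GPInheritance -Target $_.DistinguishedName } |
#       Get-GpoLinkSummary | Sort-Object EffectiveLinks -Descending

# Constructed sample standing in for Get-GPInheritance output.
function New-SampleLink([int] $Count) {
    1..$Count | ForEach-Object { [pscustomobject]@{ DisplayName = "GPO-$_"; Enabled = $true } }
}
$sample = @(
    [pscustomobject]@{ Path = 'ou=dept-a,dc=example,dc=test'; GpoInheritanceBlocked = $false
                       GpoLinks = (New-SampleLink 40); InheritedGpoLinks = (New-SampleLink 42) }
    [pscustomobject]@{ Path = 'ou=dept-b,dc=example,dc=test'; GpoInheritanceBlocked = $true
                       GpoLinks = (New-SampleLink 6);  InheritedGpoLinks = (New-SampleLink 6) }
)

$sample | Get-GpoLinkSummary | Format-Table -AutoSize
```

With the sample, `dept-a` is flagged (42 effective links) and `dept-b` is not.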