GPO's not applying to member servers only - Post thorough troubleshooting


The ol' GPO not applying issue that's been seen many times before.....

Since the 29th April, none of my member servers are processing any GPOs.

I've had a lot of experience with managing AD and GPOs, so I am posting here after performing many obvious checks. This issue just seems a little strange to me:

Checks performed:

  • No change in config made at the time GPOs stopped processing
  • All GPOs process fine on DCs (GPOs not corrupt)
  • All GPOs have the right status enabled to apply to the relevant computer/user config
  • All GPOs have relevant security membership for these to apply (Authenticated Users).
  • Domain replication is working fine with no errors (dcdiag, repadmin /replsum).
  • I can even telnet on all Directory Service ports required for domain communication.
  • All relevant services are running on both member and DC: DNS, Computer Browser, Server, TCP/IP NetBIOS Helper etc.
  • DFS-R service is running on both DCs.
  • FRS is not in use and the service is disabled, but it has been disabled way before this issue appeared.
  • DNS is working fine and can resolve DC names from the member server.
  • The NIC has the two DCs present as DNS servers and the DNS suffixes are present.
  • I can browse to the gpt.ini file within the SYSVOL share on the domain using the FQDN but cannot open the file. This points to an NTFS permission issue, but the file has Read & Execute permissions for Authenticated Users.
  • gpupdate /force at the server shows the same error as below (EventID: 1058).
  • gpresult /r doesn't show any issues and everything that should be applied is present.
  • Access is not denied to any of the locations trying to be accessed.
  • Authentication works fine.
  • Time/date is not out of sync on any member servers.

Even though browsing to and through \\domain.local\sysvol\domain.local\policies\ is possible, it's extremely slow to respond initially. This improves after first enumeration.

The fact that they process fine on the DCs points to a firewall issue, and I am currently speaking to our hosted support team at the datacentre to find out whether anything is missing there.

Errors seen on the member server: Application Event Log, Group Policy Drive Maps, EventID: 4098

The user 'G:' preference item in the 'Drive Mappings {FF057D4C-4453-4B05-9617-28DA586479B1}' Group Policy Object did not apply because it failed with error code '0x80070005 Access is denied.' This error was suppressed.

System Event Log, Microsoft-Windows-GroupPolicy, EventID: 1058

The processing of Group Policy failed. Windows attempted to read the file \\domain.local\SysVol\domain.local\Policies\{FF057D4C-4453-4B05-9617-28DA586479B1}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: a) Name Resolution/Network Connectivity to the current domain controller. b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller). c) The Distributed File System (DFS) client has been disabled.

Microsoft-Windows-GroupPolicy, EventID: 1085

Windows failed to apply the Group Policy Scheduled Tasks settings. Group Policy Scheduled Tasks settings might have its own log file. Please click on the "More information" link.

GroupPolicy Operational Log, Microsoft-Windows-GroupPolicy, EventID: 7017

The system calls to access specified file completed. \\domain.local\SysVol\domain.local\Policies\{42A99E50-622B-4CCA-B7AF-30F44916599D}\gpt.ini The call failed after 113782 milliseconds.

Within the GroupPolicy tracing log on the local server I see the following error repeatedly:

0x80070040 "The specified network name is no longer available"

The only software change made on all servers was on the 28th April, when I removed McAfee VSE and installed Trend Micro's OfficeScan 11 client, but I am not seeing any events relating to McAfee leftovers. I've also since removed OfficeScan 11 to test and make sure it's not this that's the cause. I think it's just a coincidence tbh but will keep looking.

System event log errors started appearing at 09:09 on the 29th, whereas AV removal and installation occurred at 16:46 the previous day.

Anyway, can anyone see anything I've missed as part of my troubleshooting?

group-policy
asked on Server Fault May 6, 2020 by jshizzle • edited May 6, 2020 by jshizzle
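As an added example (not part of the question or any answer), the PowerShell below runs the checks from the question in one pass on an affected member server and, in particular, times the gpt.ini read through the DFS domain path and then directly against each DC, which separates a DFS referral or reachability problem from an NTFS ACL problem. It assumes the domain name domain.local and the policy GUID quoted in the question's Event 1058.

```powershell
# Added diagnostic (not from the original post). Assumes domain 'domain.local'
# and the policy GUID quoted in the post's Event 1058; run elevated on an
# affected member server.
param(
    [string]$Domain     = 'domain.local',
    [string]$PolicyGuid = '{FF057D4C-4453-4B05-9617-28DA586479B1}'
)

function Test-GptRead {
    # Time one read of gpt.ini under the given UNC root, mirroring the
    # latency that Event 7017 reports ("call failed after N milliseconds").
    param([string]$Root)
    $path = "$Root\SysVol\$Domain\Policies\$PolicyGuid\gpt.ini"
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try   { $null = Get-Content -LiteralPath $path -ErrorAction Stop; $ok = $true; $err = '' }
    catch { $ok = $false; $err = $_.Exception.Message }
    $sw.Stop()
    [pscustomobject]@{ Path = $path; Success = $ok; Ms = $sw.ElapsedMilliseconds; Error = $err }
}

# 1. DFS client driver: cause (c) in Event 1058. Win32_SystemDriver covers
#    kernel drivers such as dfsc, which Get-Service does not list.
$dfsc = Get-CimInstance Win32_SystemDriver -Filter "Name='dfsc'"
"DFS client driver (dfsc) state: $($dfsc.State)"

# 2. DCs that DNS advertises for the domain (SRV records) and the logon DC.
$dcs = Resolve-DnsName "_ldap._tcp.dc._msdcs.$Domain" -Type SRV |
       Where-Object Type -eq 'SRV' | Select-Object -ExpandProperty NameTarget
"DCs from DNS SRV: $($dcs -join ', ')"
"Logon server    : $env:LOGONSERVER"

# 3. Read gpt.ini via the DFS namespace path, then via each DC directly.
#    Failure on the domain path with success against a DC isolates the DFS
#    referral (or reachability of the referred DC) rather than NTFS ACLs.
$roots = @("\\$Domain") + ($dcs | ForEach-Object { "\\$_" })
$roots | ForEach-Object { Test-GptRead -Root $_ } | Format-Table -AutoSize

# 4. Live SMB sessions: a torn-down session is what surfaces as 0x80070040
#    (ERROR_NETNAME_DELETED, "The specified network name is no longer available").
Get-SmbConnection | Select-Object ServerName, ShareName, Dialect, NumOpens | Format-Table

# 5. Clock offset against each DC (Kerberos tolerates 5 minutes by default).
foreach ($d in $dcs) { w32tm /stripchart /computer:$d /samples:1 /dataonly }

# 6. Recent 1058 (System) and 7017 (Operational) events, first line of each.
Get-WinEvent -FilterHashtable @{
    LogName = 'System', 'Microsoft-Windows-GroupPolicy/Operational'
    ProviderName = 'Microsoft-Windows-GroupPolicy'; Id = 1058, 7017
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{n='Summary'; e={ ($_.Message -split "`r?`n")[0] }} |
    Format-Table -Wrap
```

If step 3 succeeds quickly against every DC by name but fails or stalls on the \\domain.local path, compare the DC that the DFS referral returns (dfsutil /pktinfo) with the DCs the firewall actually permits SMB to.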

0 Answers

Nobody has answered this question yet.

