Server is Windows 2008 R2. All our workstations are Windows 7. I made some changes to the group policy on the server then ran gpupdate on a workstation and received the following error:
The processing of Group Policy failed. Windows attempted to read the file \\company.com\SysVol\company.com\Policies\{91B01BF1-B9BB-4A8B-86D8-9A1C06548C2F}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: a) Name Resolution/Network Connectivity to the current domain controller. b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller). c) The Distributed File System (DFS) client has been disabled.
So I browsed to that location on the server and found the file it’s looking for, gpt.ini, and checked the security rights and authenticated users have read and execute rights. On my test pc I was able to Start - Run and browse to the gpt.ini file also so it doesn’t appear to not have rights to it.
I looked on one of the test machines next to me and found the DFS in the Control panel (Administrative Tools - DFS Management) but am not sure what I should be looking at or what I need to do with it. I also tried to find DFS on my computer and it does not exist in that location.
I just need the group policy to update to all machines and need to make it happen from the server, if possible. Thank you in advance for any assistance you can provide.
7 Spice ups
craigduff
(cduff)
2
Did you wait for it to replicate to all DCs in your environment, or force a replication?
1 Spice up
I just forced a replication from the primary to the secondary then tested again and the gpupdate gave the exact same error.
ls-it
(L.S)
4
Try dcdiag and see if there are any errors.
And repadmin /showreps.
1 Spice up
On the server or on the test workstation?
ls-it
(L.S)
8
Have you tried a different PC, it may just be that one?
1 Spice up
I’ve tried the test PC and my PC and both gave the exact same error.
I ran the dcdiag and repadmin /showreps on the server and all ran successfully.
I’ll check out the link you provided.
I checked the event viewer on both machines and discovered in the error details that it is pointing to the backup domain controller. Why wouldn’t gpupdate be trying to pull from the primary domain controller? If I forced replication, why wouldn’t the BDC have the updated info? Can I change it to pull from the PDC instead?
semicolon
(semicolon)
11
You can’t update Group Policy from the server; it has to be run from the client - at least on your network. You can “push” gpupdate from the server in 2012, but it’s pretty lame, IMHO. It just creates a scheduled task to run gpupdate at some point in the next 10 minutes. This isn’t an attempt to resolve your issue, just addressing this one comment. If you have psexec, run this:
psexec \\COMP01 cmd "/C gpupdate /target:computer"
Or you can use powershell:
Invoke-Command -ComputerName COMP01 -ScriptBlock {gpupdate /target:computer}
# This is a bit long for interactive use, but it's bad form to post code with aliases,
# so when running interactively, you can shorten this to:
icm -cn COMP01 {gpupdate /target:computer}
semicolon
(semicolon)
12
Unless you’re running NT4, there’s no such thing as a Backup Domain Controller.
Why wouldn’t gpupdate be trying to pull from the primary domain controller?
A client will pull GP from the DC to which it authenticated/logged on.
Can I change it to pull from the PDC instead?
Not really; not without potentially breaking something or removing some of the resiliency in your network - like having clients only logon to one DC.
1 Spice up
max
(m@x)
13
How many domain controllers do you have?
Did you check gpt.ini on each of your DCs?
If you have multiple DCs and all of them are in one default site container (Active Directory Sites and Services), then your workstations will randomly talk to different DCs at logon.
1 Spice up
semicolon
(semicolon)
14
This is the question. What command did you run to force the replication? repadmin /syncall? If there are any cross-site DCs, you’ll want to add the /e parameter after syncall to ensure it replicates across site links. If you’ve done this, and there were no replication errors… Is this a user or computer config? If a computer config, what is the security filtering on the GPO? Do you have it filtered or targeted to a new security group for the computers? Have the computers been restarted to obtain their new group membership? Does a gpresult /V (run by an admin) show the new GPO being applied or filtered out?
1 Spice up
I just logged onto the 2nd server and launched the group policy editor and the edits I made are there. But the file it’s trying to access: \\company.com\SysVol\company.com\Policies\{91B01BF1-B9BB-4A8B-86D8-9A1C06548C2F}\gpt.ini; doesn’t exist on the 2nd server. Can I just create the path and copy it over?
max
(m@x)
16
Replication didn’t work. Go to Active Directory Sites and Services (any server)
Expand your default-first-site, expand your server that failed to replicate, expand NTDS Settings and locate the auto-generated connections. Find the connection that lists the first, good server. Right-click and choose Replicate From.
Check event logs on the failed server.
1 Spice up
m@x -
I ran the replication but when I check the 2nd server’s event viewer it shows the exact same error code that I posted originally.
max
(m@x)
18
Re-read your last post and noticed that the group policy object was present on the 2nd server.
That means that AD replication worked OK. Your SYSVOL replication is not working.
The replicate now button in ADSS will force AD replication only. So ignore my last suggestion.
Go to server1\sysvol\yourdomain\
create a text file srv1.txt
Go to server2\sysvol\yourdomain\
Did it appear in there?
Are you on FRS or DFS-R? Each system has its own tools to work with sysvol.
2 Spice ups
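The distinction drawn above (the GPO object arrives through AD replication, gpt.ini arrives through SYSVOL replication) can be checked per domain controller. The following is an added example, not part of any poster's reply; the function name Get-GpoReplicationState is hypothetical, and it assumes the ActiveDirectory module is installed and the account can read every DC's SYSVOL share.

```powershell
# Added example: for one GPO, compare the AD object and the SYSVOL gpt.ini on each DC.
# Written to run on PowerShell 2.0 (Windows Server 2008 R2) with the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-GpoReplicationState {
    param(
        [Parameter(Mandatory = $true)]
        [string]$GpoGuid   # GUID with braces, as it appears in the Policies folder name
    )
    $domain = Get-ADDomain
    $gpcDn  = "CN=$GpoGuid,CN=Policies,CN=System,$($domain.DistinguishedName)"

    foreach ($dc in Get-ADDomainController -Filter *) {
        # AD side: read the groupPolicyContainer from this specific DC
        $adVersion = $null
        try {
            $gpc = Get-ADObject -Identity $gpcDn -Server $dc.HostName `
                       -Properties versionNumber -ErrorAction Stop
            $adVersion = $gpc.versionNumber
        } catch { }   # object not present on this DC, or DC unreachable

        # SYSVOL side: read gpt.ini from this DC's own share, not the DFS domain path
        $gptPath = "\\$($dc.HostName)\SYSVOL\$($domain.DNSRoot)\Policies\$GpoGuid\gpt.ini"
        $sysvolVersion = $null
        if (Test-Path -LiteralPath $gptPath) {
            $line = Get-Content -LiteralPath $gptPath |
                        Where-Object { $_ -match '^\s*Version\s*=' } |
                        Select-Object -First 1
            if ($line -match '=\s*(\d+)') { $sysvolVersion = [int]$Matches[1] }
        }

        if     ($adVersion -eq $null)          { $state = 'GPO object not readable from AD on this DC' }
        elseif ($sysvolVersion -eq $null)      { $state = 'gpt.ini missing: SYSVOL replication problem' }
        elseif ($adVersion -ne $sysvolVersion) { $state = 'AD and SYSVOL versions differ' }
        else                                   { $state = 'In sync' }

        New-Object PSObject -Property @{
            DC = $dc.HostName; ADVersion = $adVersion
            SysvolVersion = $sysvolVersion; State = $state
        } | Select-Object DC, ADVersion, SysvolVersion, State
    }
}

# The GUID is the one from the error message in this thread.
Get-GpoReplicationState -GpoGuid '{91B01BF1-B9BB-4A8B-86D8-9A1C06548C2F}' | Format-Table -AutoSize
```

A DC that reports an AD version but no gpt.ini matches the situation described in this thread: directory replication succeeded and SYSVOL (FRS or DFS-R) replication did not.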
Semicolon wrote:
I used the Active Directory Sites and Services ‘Replicate Now’ option. According to the documentation I read from L.S’s post, it’s a computer config. So how do I check the security filtering on the GPO? My apologies, but prior to my current position, I hadn’t touched a server in ~6 years. And I didn’t do much back then, either. So I’m having to learn everything on the fly. I restarted my test computer then ran the gpresult /V (as admin) on it and it flashed a screen of information so fast I couldn’t read any of it. I threw caution to the wind and tried gpupdate again and it said it ran successfully!!! HOLY SCHNIKIES!!!
I went to another user’s computer and ran gpupdate and it worked. Came back to my computer and tried it and it’s still giving the exact same error. In the event viewer it shows it’s trying to pull it from the 2nd server still. I’m going to restart my computer then try again.