Premkumar Yogeswaran's Blog

Active Directory | PowerShell | DNS | DHCP | Exchange Server | VM Ware

Archive for May, 2013

Group Policy Not Being Applied? 10 Things to Check

Posted by Premkumar Yogeswaran on May 29, 2013


Group Policy is a solid tool and is very stable. Microsoft has made constant improvements to it since Windows 2000. It allows for the configuration and deployment of pretty much anything in your Active Directory environment. From deploying software to setting the default printer, it works. But when it doesn’t, Microsoft has provided great guidelines and tools in order to troubleshoot. If Group Policy is not being applied, we can fix it. Let’s look at the top ten issues!

Start with the Scope

1. The most common issue seen with Group Policy is a setting not being applied. The first place to check is the Scope tab on the Group Policy Object (GPO). If you are configuring a computer side setting, make sure the GPO is linked to the Organizational Unit (OU) that contains the computer. If the GPO configures a user side setting, it needs to be linked to the OU containing the correct user. Remember, GPOs cannot be linked to an OU that just contains security groups.

2. Next, check the security filtering. Make sure that the computers or users needing the policy are in a group that is specified here. Remember that Domain Users includes all users, Domain Computers includes all computers, and Authenticated Users includes both users and computers.

3. Some GPOs make use of WMI filters. These filters can dynamically apply GPOs based on a host of factors. If you want a GPO to apply only when, say, a particular device is attached, use a WMI filter. However, that WMI filter has to evaluate to True for the object processing the GPO. This means that if you have a WMI filter checking a user-only setting, you can’t scope your GPO only to computers. You can use the WMI validator to check the status of a WMI filter.

This GPO is linked to an OU named Domain Sites, applies to Authenticated Users, and doesn’t have a WMI Filter linked to it.

Dive into Delegation

4. In order for a GPO to apply, the object (a user or a computer) has to have two GPO permissions: Read and Apply Group Policy. By default, an object added on the Scope tab receives both of these permissions. However, a Deny permission set on the Delegation tab takes precedence over them.

This GPO does not have any Deny permissions set (which show as Advanced settings).
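Items 1 to 4 are all visible from the GPMC Scope and Delegation tabs, but they can also be checked from a script. The following is an added example and not code from the original post: it uses the GroupPolicy and ActiveDirectory modules (RSAT) to report where one GPO is linked, who is in its security filtering, which trustees carry a Deny entry, and which WMI filter is attached. The GPO name, the constructed WQL query and the helper names are assumptions for illustration.

```powershell
# Added example (not from the original post): audit scope-tab and delegation-tab
# items for one GPO. Requires RSAT (GroupPolicy + ActiveDirectory modules) and
# a user that can read GPOs. GPO name and sample query are constructed.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Test-GpoScope {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $gpo = Get-GPO -Name $GpoName -Domain $Domain

    # 1. Links: check the domain root and every OU for a link to this GPO.
    $containers = @((Get-ADDomain -Server $Domain).DistinguishedName) +
                  @(Get-ADOrganizationalUnit -Filter * -Server $Domain |
                    Select-Object -ExpandProperty DistinguishedName)
    $links = foreach ($dn in $containers) {
        (Get-GPInheritance -Target $dn -Domain $Domain).GpoLinks |
            Where-Object { $_.GpoId -eq $gpo.Id }
    }

    # 2. and 4. Permissions: security filtering is "Read + Apply Group Policy";
    # any Deny entry on the Delegation tab overrides an Allow.
    $perms   = Get-GPPermission -Name $GpoName -Domain $Domain -All
    $applyTo = $perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied } |
               ForEach-Object { $_.Trustee.Name }
    $denies  = $perms | Where-Object { $_.Denied } |
               ForEach-Object { "$($_.Trustee.Name): $($_.Permission)" }

    [pscustomobject]@{
        Gpo               = $gpo.DisplayName
        LinkedTo          = @($links | ForEach-Object {
                                "$($_.Target) (Enabled=$($_.Enabled), Enforced=$($_.Enforced))" })
        SecurityFiltering = @($applyTo)
        DenyEntries       = @($denies)
        WmiFilter         = if ($gpo.WmiFilter) { $gpo.WmiFilter.Name } else { '(none)' }
    }
}

# 3. A WMI filter only lets the GPO apply when its WQL query returns at least
# one object on the client. Running the query on the machine in question shows
# what the Group Policy engine will see there.
function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory)][string]$Query,
        [string]$Namespace = 'root\CIMv2'
    )
    $result = Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction SilentlyContinue
    return [bool]$result      # $true = the filter evaluates to True on this computer
}

# Usage (GPO name is an assumption; the query is a constructed sample that is
# True on client operating systems and False on servers):
Test-GpoScope -GpoName 'Default Domain Policy' | Format-List
Test-WmiFilterQuery -Query 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = "1"'
```

An empty SecurityFiltering list, or a DenyEntries list that names the group your users or computers belong to, is the scripted equivalent of the two screenshots above: the object can be in the right OU and still never receive the policy.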

Learn Your Links (and also LoopBack)

5. GPOs process in a very specific order. The acronym LSDOU shows that Local GPOs apply first. This is followed by Site, Domain, and finally OU GPOs. In a nutshell, the GPO closest to the object applies last. If you have a GPO linked at the domain that enables Offline Files and a Junior Admin disabled Offline Files at the OU level, his GPO wins.

6. When a GPO is created, it lives in the Group Policy Objects container. When you link a GPO to an OU, you are merely creating a shortcut. These links can be enabled or disabled very easily. In the picture below, the Configuration GPO link is disabled. Notice how the link arrow is greyed instead of black (like the Default Domain Policy).

7. GPOs can also be set to Enforced. An Enforced GPO appears with a lock on the link icon. A GPO upstream (one linked to a higher OU or the domain) that is enforced can cause you problems. For example, if the Default Domain Policy was enforced, every setting in it would apply to every object in the domain. It does not matter if another GPO is linked to a lower OU and is also enforced. With enforcement, the highest GPO wins.

8. The final piece of trickery with links is the Block Inheritance setting. When an OU is set to Block Inheritance, all GPOs (except those enforced) linked above that OU are ignored. In the example below, the Domain Sites OU will not process the Default Domain Policy.

9. When a computer first starts up, it will process all computer side policies that are linked to the computer’s OU (and above). When a user logs on, any user side settings will process that are linked to the user’s OU (and above). When loopback is enabled, this process has one additional step. After the user side items process, any user side settings linked to the computer’s OU (and above) are also applied. Although this does slow down Group Policy processing, I still love it and find it insanely helpful! With loopback, I can take a user side setting (like setting the homepage in IE) and apply it to a group of computers (such as those in a lab)! Bear in mind that loopback now requires both the user and computer objects to be added on the Scope tab of the GPO. Before Windows Vista, the computer did not need Read permission for the GPO.
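Items 5 to 9 are about where a GPO sits in the processing chain rather than what it contains. The following is an added example and not code from the original post: it walks from an object up to the domain root, prints each container's links with their Enabled and Enforced flags and the Block Inheritance state, shows the effective precedence list the last container ends up with, and flags any linked GPO that turns on loopback (read from the UserPolicyMode registry value the loopback policy writes). The object DN and function names are assumptions for illustration; it requires RSAT.

```powershell
# Added example (not from the original post): trace the LSDOU chain for one
# object and show link state, enforcement, Block Inheritance and loopback.
# Requires RSAT (GroupPolicy + ActiveDirectory modules). Site links are not
# covered; the sample object DN is constructed.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Containers from the domain root down to the object's own OU, in the order
# their GPOs are processed (domain first, closest OU last).
function Get-PolicyChain {
    param([Parameter(Mandatory)][string]$ObjectDN,
          [string]$Domain = (Get-ADDomain).DNSRoot)
    $domainDN = (Get-ADDomain -Server $Domain).DistinguishedName
    $chain = New-Object 'System.Collections.Generic.List[string]'
    $dn = $ObjectDN
    while ($dn -ne $domainDN -and $dn -match '^[^,]+,(.+)$') {
        $dn = $Matches[1]
        # Only OUs and the domain root can carry GPO links (CN=Computers cannot).
        if ($dn -eq $domainDN -or $dn -like 'OU=*') { $chain.Add($dn) }
    }
    $chain.Reverse()
    return $chain
}

# Loopback is the "Configure user Group Policy loopback processing mode" policy;
# it lands in HKLM\Software\Policies\Microsoft\Windows\System\UserPolicyMode
# (1 = Merge, 2 = Replace). Absent value means loopback is off in that GPO.
function Get-LoopbackMode {
    param([Parameter(Mandatory)][string]$GpoName, [string]$Domain)
    $v = Get-GPRegistryValue -Name $GpoName -Domain $Domain `
            -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
            -ValueName 'UserPolicyMode' -ErrorAction SilentlyContinue
    if ($null -eq $v)      { return 'Off' }
    if ($v.Value -eq 2)    { return 'Replace' }
    if ($v.Value -eq 1)    { return 'Merge' }
    return 'Off'
}

function Show-GpoPrecedence {
    param([Parameter(Mandatory)][string]$ObjectDN,
          [string]$Domain = (Get-ADDomain).DNSRoot)
    $chain = Get-PolicyChain -ObjectDN $ObjectDN -Domain $Domain
    foreach ($container in $chain) {
        $inh = Get-GPInheritance -Target $container -Domain $Domain
        # Item 8: a blocked container drops everything above it except Enforced links.
        Write-Output "== $container  (BlockInheritance=$($inh.GpoInheritanceBlocked))"
        foreach ($link in $inh.GpoLinks) {
            # Items 6, 7 and 9: disabled link, enforced link, loopback setting.
            $lb = Get-LoopbackMode -GpoName $link.DisplayName -Domain $Domain
            Write-Output ('   {0,-40} Enabled={1,-5} Enforced={2,-5} Loopback={3}' -f
                $link.DisplayName, $link.Enabled, $link.Enforced, $lb)
        }
    }
    # Item 5: the merged list the closest OU ends up with. Order 1 has the highest
    # precedence (it is applied last and wins), matching the GPMC
    # "Group Policy Inheritance" tab.
    $last = Get-GPInheritance -Target ($chain | Select-Object -Last 1) -Domain $Domain
    Write-Output "== Effective precedence at $($last.Path) (Order 1 wins)"
    foreach ($l in $last.InheritedGpoLinks) {
        Write-Output ('   {0,3}: {1,-40} Enforced={2}' -f $l.Order, $l.DisplayName, $l.Enforced)
    }
}

# Usage with a constructed computer DN (replace with a real object):
Show-GpoPrecedence -ObjectDN 'CN=LAB-PC01,OU=Lab,OU=Workstations,DC=contoso,DC=com'
```

Reading the output top to bottom mirrors the LSDOU rule: a setting in a GPO listed under a later container overrides the same setting from an earlier one, unless the earlier link is Enforced, in which case it is pulled to the top of the effective list regardless of any Block Inheritance below it.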

Read Carefully

10. Finally, make sure that the GPO is doing what you intend for it to do. When a setting says “Enable Turn Off Audio Mode”, it is very easy to get confused. Read carefully over any GPO descriptions when configuring your GPO.

Refer – http://deployhappiness.com/top-10-ways-to-troubleshoot-group-policy/


Posted in Active Directory

Disabling the Knowledge Consistency Checker (KCC) from automatically creating replication topology for a site

Posted by Premkumar Yogeswaran on May 21, 2013


The Knowledge Consistency Checker (KCC) is a component that automatically generates and maintains the intra-site and inter-site replication topology. You can disable the KCC’s automatic generation of intra-site or inter-site topology management, or both.

Intra-site link connection

Inter-site link connection

Prerequisites

On a Windows Server 2003 domain controller, you have to install the Support Tools kit.

Lab environment

Computer FQDN: DC11.contoso.com

IP /Network / Site: 192.168.1.11/24 HKG

Roles: Domain Controller, DNS Server

Operating System: Windows Server 2008 Enterprise 64 bit

Inter-Site link: HKG-TYO

Computer FQDN: DC21.contoso.com

IP /Network / Site: 192.168.1.12/24 HKG

Roles: Domain Controller, DNS Server

Operating System: Windows Server 2008 Enterprise 64 bit

Inter-Site link: HKG-TYO

Computer FQDN: DC02.contoso.com

IP /Network / Site: 192.168.2.11/24 TYO

Roles: Domain Controller, DNS Server

Operating System: Windows Server 2008 Enterprise 64 bit

Inter-Site link: HKG-TYO

Disabling intra-site automatic generation

1. At DC11, log in as Domain Administrator.

2. Launch "Command Prompt".

3. Enter "repadmin /siteoptions".

By default, the KCC’s automatic generation is enabled.

4. Enter the following command to disable intra-site automatic generation of HKG:

repadmin /siteoptions /site:HKG +IS_AUTO_TOPOLOGY_DISABLED

Now, intra-site automatic generation for HKG is disabled.

Remark: "repadmin /siteoptions /site:HKG +IS_AUTO_TOPOLOGY_DISABLED" affects all domain controllers in HKG site.

Test result

1. Still in DC11, launch "Active Directory Sites and Services".

2. Expand "Sites > HKG > Servers > DC11 > NTDS Settings".

3. At right pane, delete "<automatically generated>".

4. Go to "Command Prompt", enter "repadmin /kcc %computername%".

"repadmin /kcc" forces the Knowledge Consistency Checker (KCC) on each targeted domain controller to immediately recalculate the inbound replication topology.

5. Back to "Active Directory Sites and Services", refresh "NTDS Settings" of DC11.

KCC doesn’t generate the intra-site connection in DC11.

6. To restore the setting, go to "Command Prompt", enter "repadmin /siteoptions /site:HKG -IS_AUTO_TOPOLOGY_DISABLED".

7. Enter "repadmin /kcc %computername%".

8. Back to "Active Directory Sites and Services", refresh "NTDS Settings" of DC11.

As a result, the intra-site automatic generation of HKG was enabled.

Disabling inter-site automatic generation

1. At DC02, log in as Domain Administrator.

2. Launch "Command Prompt".

3. Enter "repadmin /siteoptions".

4. Enter the following command to disable inter-site automatic generation of TYO:

repadmin /siteoptions /site:TYO +IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED

Now, inter-site automatic generation for TYO is disabled.

Remark: "repadmin /siteoptions /site:TYO +IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED" affects all domain controllers in TYO site.

Test result

1. Still in DC02, launch "Active Directory Sites and Services".

2. Expand "Sites > TYO > Servers > DC02 > NTDS Settings".

3. At right pane, delete "<automatically generated>".

4. Go to "Command Prompt", enter "repadmin /kcc %computername%".

5. Back to "Active Directory Sites and Services", refresh "NTDS Settings" of "DC02".

KCC doesn’t generate the inter-site connection in DC02.

6. To restore the setting, go to "Command Prompt", enter "repadmin /siteoptions /site:TYO -IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED".

7. Enter "repadmin /kcc %computername%".

8. Back to "Active Directory Sites and Services", refresh "NTDS Settings" of DC02.

As a result, the inter-site automatic generation of TYO was enabled.

Remark: To disable both intra-site and inter-site automatic generation, you can enter the following command:

repadmin /siteoptions /site:<site name> +IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED +IS_AUTO_TOPOLOGY_DISABLED

Remark: You should create the intra or inter-site connection before disabling KCC’s automatic generation.

You can also modify the KCC’s automatic generation with ADSI Edit.

1. At a domain controller, log in as Domain Administrator.

2. Launch "ADSI Edit".

3. Right-click "ADSI Edit", select "Connect to".

4. Next to "Select a well known Naming Context", select "Configuration".

5. Click "OK".

6. Expand "Configuration > CN=Configuration,DC=<Domain Name>,DC=com > CN=Sites > CN=<Site Name>".

7. At right pane, right-click "CN=NTDS Site Settings", select "Properties".

8. Select the "options" attribute.

9. Click "Edit".

10. In the "Values" box, type the appropriate value:

  • To disable automatic intra-site topology generation, use value 1 (decimal).
  • To disable automatic inter-site topology generation, use value 16 (decimal).
  • To disable both intra-site and inter-site topology generation, use value 17 (decimal).

11. Type "1", click "OK".

12. Click "OK".

13. Close "ADSI Edit".
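Both the repadmin /siteoptions commands and the ADSI Edit steps above end up writing the same bits of the "options" attribute on the site’s "CN=NTDS Site Settings" object (1 = intra-site disabled, 16 = inter-site disabled). The following is an added example and not code from the original post: it reads and decodes that attribute with the ActiveDirectory module, sets or clears only those two bits so that any other bits already in the attribute are preserved, forces the KCC with repadmin /kcc, and lists the connection objects in the site with their auto-generated flag, which is the check the "Test result" sections perform in Active Directory Sites and Services. The site names follow the lab on the page; the function names are assumptions.

```powershell
# Added example (not from the original post): inspect and change the KCC site
# options that "repadmin /siteoptions" and the ADSI Edit steps manipulate.
# Requires the ActiveDirectory module (RSAT / Windows Server 2008 R2 or later)
# and Domain Admin rights. Site names come from the lab on the page.
Import-Module ActiveDirectory

# Bit values from the page; other bits in "options" are left untouched.
$IS_AUTO_TOPOLOGY_DISABLED            = 1    # intra-site generation off
$IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED = 16   # inter-site generation off

function Get-NtdsSiteSettings {
    param([Parameter(Mandatory)][string]$SiteName)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=NTDS Site Settings,CN=$SiteName,CN=Sites,$configNC"
    Get-ADObject -Identity $dn -Properties options
}

function Show-KccSiteOptions {
    param([Parameter(Mandatory)][string]$SiteName)
    $settings = Get-NtdsSiteSettings -SiteName $SiteName
    $opt = [int]$settings.options          # attribute absent => 0 => all enabled
    [pscustomobject]@{
        Site                          = $SiteName
        OptionsDecimal                = $opt
        IntraSiteAutoTopologyDisabled = [bool]($opt -band $IS_AUTO_TOPOLOGY_DISABLED)
        InterSiteAutoTopologyDisabled = [bool]($opt -band $IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED)
    }
}

function Set-KccSiteOptions {
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [switch]$DisableIntraSite,    # same as +IS_AUTO_TOPOLOGY_DISABLED
        [switch]$DisableInterSite,    # same as +IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED
        [switch]$Restore              # clears both bits, like the "-" form
    )
    $settings = Get-NtdsSiteSettings -SiteName $SiteName
    $opt = [int]$settings.options
    if ($Restore) {
        $opt = $opt -band (-bnot ($IS_AUTO_TOPOLOGY_DISABLED -bor $IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED))
    }
    if ($DisableIntraSite) { $opt = $opt -bor $IS_AUTO_TOPOLOGY_DISABLED }
    if ($DisableInterSite) { $opt = $opt -bor $IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED }
    Set-ADObject -Identity $settings.DistinguishedName -Replace @{ options = $opt }
    Show-KccSiteOptions -SiteName $SiteName
}

# Equivalent of looking under each server's "NTDS Settings" in the site:
# connection objects and whether the KCC created them ("<automatically generated>").
function Get-SiteConnections {
    param([Parameter(Mandatory)][string]$SiteName)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    Get-ADReplicationConnection -Filter * |
        Where-Object { $_.DistinguishedName -like "*,CN=Servers,CN=$SiteName,CN=Sites,$configNC" } |
        Select-Object Name, AutoGenerated, ReplicateFromDirectoryServer, ReplicateToDirectoryServer
}

# Usage, following the HKG walkthrough on the page:
Show-KccSiteOptions -SiteName HKG
Set-KccSiteOptions -SiteName HKG -DisableIntraSite
repadmin /kcc $env:COMPUTERNAME          # make the KCC recalculate now
Get-SiteConnections -SiteName HKG         # no new AutoGenerated connections appear
Set-KccSiteOptions -SiteName HKG -Restore
repadmin /kcc $env:COMPUTERNAME
```

Because the bits are combined with -bor and cleared with -band -bnot, the script is safe to run on a site whose "options" attribute already carries other flags; typing a bare "1" or "17" in ADSI Edit, as in step 11, overwrites those flags. This also makes the remark above concrete: disable generation only after the manual connection objects you want are in place, since Get-SiteConnections will show nothing new appearing once the bit is set.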

Reference:

How to disable the Knowledge Consistency Checker from automatically creating replication topology

http://support.microsoft.com/kb/242780

Repadmin for Experts

http://technet.microsoft.com/en-us/library/cc811549(WS.10).aspx

Refer http://terrytlslau.tls1.cc/2011/07/disabling-knowledge-consistency-checker.html

Posted in Active Directory