Group Policy Troubleshooting


You could also get the same result using the command prompt, which uses (the logon server environment variable that contains the name of the domain controller that the computer used to log on)

%LOGONSERVER%.

If authentication fails, this could be a network connectivity issue and nothing specific to

Active Directory at all.

Each GPO can also be configured with a

WMI filter.

Another issue that can prevent users from authenticating has to do with the

clock.

The logon server environment variable will contain the name of the domain controller that

the computer used to log on: LOGONSERVER. Remember that you can see the contents of the variable in PowerShell with $env:LOGONSERVER. It shows me DC 1.

You can manually force a domain computer to re-sync by using

the w32tm /resync command.

Many policies and preferences can be configured to apply to the computer or to users as

they log on.

A failure of the way group policies are applied

Fast Logon Optimization - Depending on how your domain is configured, the group policy engine that applies policy settings to a local machine may sacrifice the immediate application of some types of policies in order to make logon faster. It can mean that some GPO changes take much longer to be automatically applied than you might expect.

To repair GPO problems with how policies are applied

In either of these examples, you can force all GPOs to be applied completely and immediately with gpupdate /force. If you want to be really thorough, you can run gpupdate /force /sync. Adding the /sync parameter will make you log off and reboot the computer. Some types of group policy can only run when the computer is first booted or when a user first logs on, so a log off and reboot is the only way to make sure that a force-updated GPO has a chance to apply all of its settings.

Now, why is DNS so important?

In order for the computer to contact a domain controller, it needs to find one first. This is done using DNS records.

With the RSoP report, what can I see?

Is the GPO that I want to apply listed? Was it linked to an OU that contains the computer that I'm troubleshooting? Is the GPO that I care about listed under applied GPOs or under denied GPOs? If it was denied, what was the denied reason? Did another GPO win for the policy or preference that I'm trying to configure? Is the security filter set to something besides Authenticated Users? If so, that may mean that you have to be in a specific group in order to read or apply the GPO.

To check the status tab in the domain

It may be showing results from a recent test, so I'm going to force it to run a new analysis by clicking on Detect Now. What we want to see is that all of our domain controllers are listed under domain controllers with replication in sync. If they are, then we can be sure that there are no replication issues that will affect our group policy objects.

The domain computer will make a DNS request for the

SRV records matching the domain that it's been bound to. SRV is a specification of data in the Domain Name System defining the location, i.e., the hostname and port number, of servers for specified services.

You can go into PowerShell to see if the SRV records are there:

So I'm going to go ahead to my PowerShell, and I want to type in Resolve-DnsName -Type SRV -Name _ldap._tcp.dc._msdcs.example.com. I should see an SRV record for each of my domain controllers. And I do.

The three most common reasons that this might happen. (Something that you created a GPO to configure won't be configured on one or more computers)

The first, and possibly most common type of GPO failure, has to do with the way group policies are applied. Replication failure is another reason that a GPO might fail to apply as expected.

For example, you could create a GPO that installs a piece of software, but only if

WMI reports that a specific piece of hardware is present.

RSoP (Resultant Set of Policy)

____ is used to make the implementation and troubleshooting of group policies much simpler for an administrator.

The group policy engine usually tries to make GPO application faster by only applying changes to

a GPO instead of the whole GPO.

You might learn about this failure in a number of ways, like (defined policy or a preference fails to apply to a computer)

a person in your organization telling you that something on their computer is missing or not working. If you're using GPO to manage configuration on your machines, then maybe there will be a piece of software that should be present, or there may be a mapped network drive that's missing or a number of things. The common factor will be that something that you created a GPO to configure won't be configured on one or more computers.

Depending on the size and complexity of your Active Directory infrastructure and the reliability and throughput of the network links between your AD sites, it's possible for

replication to take a few minutes to complete.

A common issue that you might have to troubleshoot is when a GPO-defined policy or a preference fails to

apply to a computer.

If the domain controller and computer don't agree on the UTC time, usually within five minutes, then the

authentication attempt will fail.

If the computer is disconnected from a domain network for too long, or if the time is changed by software or a local administrator to be too far out of sync, then the

computer may not automatically re-sync with a domain controller.

A WMI filter lets you apply a GPO based on the

configuration of the computer. This is because these filters look at Windows Management Instrumentation values to decide if a policy should apply or not.

Any networking issue that would prevent the computer from

contacting the domain controller or its configured DNS servers, which are used to find a domain controller, could be an issue.

Once someone logs into a domain computer, information required to authenticate that user is

copied to the local machine. This means that after the first login, you'll be able to log in to the computer even if the network is disconnected. You won't be authenticated to the domain or authorized to access any domain resources like shared folders.

If I want the full report, like I get from my GPMC, I can run

gpresult /H FILENAME.html.

I'm going to do gpresult /H and then test.html.

gpresult /H test.html. This will give me a report as an HTML web page that I can open in my browser.

If we do see any domain controllers in the "domain controllers with replication in progress" list, then we may

have a replication issue.

If replication fails, then different computers on your network can have different

ideas about the state of directory objects, like group policy objects.

If a computer can't contact its DNS servers, or if those DNS servers don't have the SRV records that the computer is looking for, then

it won't be able to find the domain controller.

These filters are expensive because they require the group policy engine to perform some sort of query or calculation on every computer that's

linked to the policy, but then only apply the GPO to computers that match the filter.

If I can't resolve the SRV records for my domain controllers, then my DNS servers may be

misconfigured

How might the DNS Servers be misconfigured?

My domain computers need to use the DNS servers that host my Active Directory domain records. This will often be one or more of my domain controllers, but it can be a different domain server. The appropriate DNS servers to use for your domain computers should be known and documented. Compare the configuration of the machine to the known good configuration and see if it needs to be adjusted.

From the Group Policy Management Console, we can check on the

overall health of the group policy infrastructure.

When changes are made to Active Directory, those changes usually take place on a single domain controller. Those changes then have to be

replicated out to other domain controllers.

Knowing which domain controller you're connected to is useful information to have if you suspect a

replication issue.

Any time you troubleshoot an issue, start with the

simplest solution first.

If I run gpresult /R, you can see that I get a

summary report in my terminal.

I'm going to select my domain and take a look at the status tab. This tab will summarize

the Active Directory and SYSVOL replication status for the domain.

Domain computers usually synchronize their time with domain controllers with

the Windows Time service, but this can sometimes fail.

Just because someone is able to log in doesn't mean that

they're able to find a domain controller.

If the computer isn't attached to a network that can route communications to the domain controller, then

this must be fixed.

Kerberos is the authentication protocol that AD uses, and it's sensitive to

time differences in the relative UTC time. (Coordinated Universal Time is the primary time standard by which the world regulates clocks and time.)

If you're trying to work out why a particular GPO isn't applying to a computer, the first thing to do is

to run the Resultant Set of Policy, or RSoP.

If replication doesn't complete in a reasonable amount of time, you may need to

troubleshoot Active Directory replication.

To get an RSoP report, you can

use the group policy management console, like we did in an earlier lesson, or you can run a command on a computer directly to generate the report.

Depending on the configuration of your domain and your computers, it's common that local authentication

will continue to work, for a little while at least.

If a domain computer isn't able to locate a domain controller that it can use for authentication, then nothing that relies on Active Directory authentication

will work.
