Thread: Group policies randomly not being applied!?...

  1. #1
    PreviousPoster

    hi folks.

    This is my first post here.

    Some background.

    I am in an IT post at a college here in Northern Ireland. I have a background in IT but have never administered a network before. I was to fill a role here for a few weeks but, as a consequence of my predecessor deciding not to return to their job, have been given the role permanently.

    I am completely new to all this and I am having to use the web to answer all my queries,
    so please be patient.

    I have recently implemented a new DC to replace the old one which was beginning to feel the strain.
    It is my intention to retain the old DC to run as a print server in the future. Of course I have many questions regarding promoting the new server to the primary DC etc. but that
    is for another day and another thread. Right now I have some problems with application of GPOs since the new server was added.

    So far.

    I ran adprep.exe to update to Schema 31 on the AD of the old DC.

    DCpromo.exe incorporated the new DC.

    I manually copied folders to the new DC (to a separate partition)
    Scripts$
    Profiles$
    yearXX$ (Where yearXX is the year groups at the college and My docs are being redirected)

    I set permissions on the shares
    Everyone Full
    Administrators Full

    I edited the folder redirection policies to the new path on the new DC
    I edited the path to the profile/scripts to the new path on the new DC

    Now the problem....

    I initially tested with a few student accounts and everything seemed to be fine.

    However, recently students have been logging on to random stations with the following result

    - The Folder redirection is not being applied; in addition, the restrictions policy created to prevent students from making system changes is also not applied.

    I can ask the student to move to another random station and try again
    - Student logs in and both policies are applied

    I reboot the original station student was sat at
    - student logs in and both policies are applied.

    Because there is no consistency with attempted logins, I don't know where to start to try and resolve the problem.

    In addition, since the move to the new DC students profiles are being synchronised at every logoff.
    Do you think this is having an impact?

    Thanks for your patience while reading this. I am working hard to get up to speed and generally all I need is a push in the right direction.

    All help is appreciated.

    Let me know if I can supply any more info.

    Thanks in advance

  2. #2
    scottzaiss

    The first thing to always check when looking at GP problems is DNS. Hopefully you are using Active Directory Integrated DNS and it replicated to the new server, but now you may need to change the DNS settings on the clients to point to the new DC for their DNS queries.

  3. #3
    green-eyed

    I had a similar problem with roaming profiles. Scott is dead-on with the DNS. If there is a DNS issue on your server or the workstations, group policy processing doesn't happen.

    I ran ipconfig /flushdns and arp -d on the affected server (for each NIC) and the workstations started processing group policies again.

    Your fix may not be as simple. But definitely look at your DNS. You may only need to clear the DNS cache on your workstations.

    You can test by running gpresult on one of the affected workstations and see what/if it's processing GPOs.
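
Added example, not part of the thread or any poster's reply: a PowerShell check for the DNS advice in posts #2 and #3, run on an affected workstation. The domain name `college.example` is a placeholder, and the script assumes Windows 8/Server 2012 or later (for `Resolve-DnsName` and `Get-DnsClientServerAddress`) and AD-integrated DNS hosted on the DCs.

```powershell
# Added example: DNS and Group Policy check for a domain-joined workstation.
# Assumption: $Domain is a placeholder; pass your own AD DNS domain name.
param([string]$Domain = 'college.example')

# 1. Which domain controllers does DNS advertise for this domain?
$srvName = "_ldap._tcp.dc._msdcs.$Domain"
try {
    $answers = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop
} catch {
    Write-Warning "Cannot resolve ${srvName}: $($_.Exception.Message)"
    Write-Warning 'Without this record the client cannot locate a DC, so no GPOs are processed.'
    return
}
$dcHosts = $answers | Where-Object { $_.Type -eq 'SRV' } |
    Select-Object -ExpandProperty NameTarget -Unique
$dcIPs = foreach ($h in $dcHosts) {
    Resolve-DnsName -Name $h -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } |
        Select-Object -ExpandProperty IPAddress
}
"Domain controllers in DNS: $($dcHosts -join ', ')"

# 2. Is this client still pointed at a DNS server that is not a DC?
$clientDns = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Select-Object -ExpandProperty ServerAddresses -Unique
foreach ($ip in $clientDns) {
    if ($dcIPs -contains $ip) {
        "DNS server $ip is a DC for $Domain"
    } else {
        Write-Warning "DNS server $ip is not a DC for $Domain; check DHCP or static DNS settings"
    }
}

# 3. Which DC does the locator pick right now?
nltest "/dsgetdc:$Domain"

# 4. Which user GPOs were actually applied at this logon?
gpresult /scope user /r
```

Run it once on a station where policies failed and once on one where they applied, then compare the DNS server list and the DC that `nltest` reports.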

  4. #4
    PreviousPoster

    I have this as a login startup on every machine for this very reason.

    arp -d *
    nbtstat -R
    ipconfig /flushdns
    nbtstat -RR
    ipconfig /registerdns

  5. #5
    JerryC

    I'd like to discuss the overall design. I do understand if budget limitations make the following hard to implement, so please take what I will say not as a criticism of your present situation, but perhaps a design-for-the-future goal.

    It sounds as if you only have a single DC. Get two minimum. Even if you had to create a second "virtual DC" on another device, it would be worth it for the redundancy.

    It sounds as if users' data is being physically stored on a DC instead of being stored on a regular member server. If so, I would advise keeping the old server and applying it to cover this user data storage requirement. If necessary, you can then add the PrintServer functionality there as well.

    Another point is that the Security settings applied to DCs from a Group Policy standpoint are very different from those normally applied to Servers and Workstations. The security requirements are totally different. By placing daily use customer data there, you are exposing your domain controllers to situations where a single individual user could, perhaps inadvertently, tie up DC resources (CPU and/or Disk) which are needed for all users and devices authenticating against it.

    Well, that's a start at looking at domain logical and physical design using existing resources. Good luck in your new position.
