Learning Windows Server 2003
6.6. Troubleshooting Group Policy
The process of diagnosing what is going on with GP and why it's not doing what you want it to do can be infuriating at times. Use the steps recommended in the following sections to assist you in tracking down where your problem lies.
6.6.1. Resolving DNS Problems
DNS problems can plague your network and make it nearly impossible for GPOs to be applied. This problem manifests itself primarily in the requirements for logging on to a domain: without DNS, you still might be able to authenticate to a domain controller, but GPOs simply will break. That's because they require various types of DNS SRV records to know which computer has which service to manage. This is a good place to start looking if GP simply doesn't function.
6.6.2. Analyzing Inheritance
If you are a seasoned network professional, you'll be familiar with the concept of inheritance. This also can be a stumbling block with GP. Beware of a couple of options. The first is the No Override function, which does nothing more than cease the processing of any GPOs under the object on which the option is set. Conversely, also be wary of the Block Inheritance function, which stops the processing of GPOs that reside higher in the GPO processing hierarchy. This is a case of knowing what you set and properly documenting it, but it still can eat up hours upon hours of troubleshooting time.
6.6.3. GPO Distribution and Synchronization
Another issue you might see is that of GP distribution and synchronization. Distribution and synchronization both rely on a versioning system managed internally by Windows that keeps track of unique revisions of the two parts of a GPO: the GPC, which is associated with a particular organizational structure in Active Directory, and the Group Policy Template, which is a file located in the C:\WINDOWS\SYSVOL\Policies directory on domain controllers. Usually, these are pushed out from the domain controller that is in the PDC emulator role to all the other domain controllers in a given domain, but if the versioning system is wrong or somehow corrupted, this distribution might not finish completely, or it might not occur at all.
Windows comes with a couple of tools that will help you fish out the nonstandard GPOs: GPOTOOL, REPLMON, and the GPMC, which I covered earlier. Look at logs on the affected domain controllers and see if any errors can help you determine the cause. See the next section for more information on the GP logs.
A related issue is knowing when GPOs are distributed, retrieved, and applied. Earlier in this chapter I pointed out that the interval Windows Server 2003 uses to push out new GPOs is 90 minutes for workstations and regular member servers, and five minutes for domain controllers. But this is only for new or revised GPOs. If GP has not changed, nothing is pushed unless you manually push it, either from the command line or through another system-wide GPO that pushes policy regardless of whether a change has occurred. So, remember that GP won't necessarily correct local configuration changes unless the domain GPO changes or you force a refresh.
6.6.4. Getting More Detailed Logs
To troubleshoot GPOs more effectively, you can enable verbose logging, which will give you more data about how GPOs are retrieved and applied to a specific object. This does require a registry change on the client you're troubleshooting. Inside a registry editor, navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. Select the value UserenvDebugLevel, of type REG_DWORD, and change its data to 0x10002. Restart your system to make sure the change takes effect. Now, any GPO activities will be logged to a file called userenv.log in the %SystemRoot%\Debug\Usermode directory.
You also can enable direct logging to the application event log in much the same way. On the client you're troubleshooting, open your favorite registry editor and navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics. Select the value RunDiagnosticLoggingGroupPolicy, of type DWORD, and change its data to 1. Restart to apply your changes and GPO activities will be logged in the application log.
6.6.5. Identifying Client Side Extension GUIDs
To troubleshoot problems pertaining to folder redirection, software installation, and other client-side difficulties, it can be useful to determine the GUID of the client-side extensions (CSEs) on each computer. The CSEs are simply "categories" for GPOs pertaining to different areas of the user interface. You can view all of these in one place inside the registry, under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\GPExtensions. For reference, some common GUIDs for CSEs are included in Table 6-2. You can use these to match up information that you find in log files.
6.6.6. Locating GPT Files on Domain Controllers
For various reasons (for example, to diagnose a problem with available GPOs propagating in your domain to administrative workstations) you might want to inspect the directory structure of the GPTs for certain GPOs. First, you need to retrieve the specific GUID for the policy, and then you can find the folder that contains the files associated with that policy.
To match a specific policy within Active Directory to the specific GPT files on a domain controller inside its SYSVOL share, first you need to locate the GUID on the container in Active Directory where the GPO is applied. Using the GPMC, select the appropriate GPO, and then select the Details tab in the right-hand pane. Copy the GUID from there. Then, open Explorer and navigate to \\domainname.com\sysvol, which will open the SYSVOL share on the nearest domain controller. Open the Policies directory, and then open the folder whose name matches the GUID of the GPO you selected within the GPMC.
Hopefully, you will not need to do this very often, as the interface and propagation techniques for GP in Windows Server 2003 are resilient and efficient. But the information is indeed here, just in case.
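
The check described in sections 6.6.3 and 6.6.6, as an added example that is not from the book: it opens the GPT folder named after a GPO's GUID in copies of the Policies directory taken from two domain controllers and compares the Version value in GPT.INI with the version stored on the GPC. The GPT.INI layout and the split of the version number into user (high 16 bits) and computer (low 16 bits) revisions are details not given on this page; the GUID, DC names and version numbers are constructed.

```python
import configparser
import tempfile
from pathlib import Path

def split_version(version):
    """High 16 bits count user-side revisions, low 16 bits computer-side."""
    return version >> 16, version & 0xFFFF

def read_gpt_version(policies_dir, gpo_guid):
    """Open the folder named after the GPO GUID and read Version from GPT.INI."""
    wanted = "{" + gpo_guid.strip("{}").lower() + "}"
    for folder in Path(policies_dir).iterdir():
        if folder.is_dir() and folder.name.lower() == wanted:
            ini = configparser.ConfigParser()
            names = [f for f in folder.iterdir() if f.name.lower() == "gpt.ini"]
            ini.read(names, encoding="utf-8-sig")  # any name case, BOM tolerated
            return ini.getint("General", "Version", fallback=None)
    return None  # this copy of SYSVOL has no GPT for the GPO

def compare_gpo(gpc_version, policies_by_dc, gpo_guid):
    """Compare the GPC version with the GPT version found on each DC."""
    gpc_user, gpc_comp = split_version(gpc_version)
    report = {}
    for dc, policies_dir in policies_by_dc.items():
        gpt_version = read_gpt_version(policies_dir, gpo_guid)
        if gpt_version is None:
            report[dc] = "GPT missing"
        elif gpt_version == gpc_version:
            report[dc] = "in sync"
        else:
            user, comp = split_version(gpt_version)
            report[dc] = (f"mismatch: GPT user={user} computer={comp}, "
                          f"GPC user={gpc_user} computer={gpc_comp}")
    return report

def demo():
    """Constructed data: Policies folders copied from two hypothetical DCs."""
    guid = "{1a2b3c4d-0000-0000-0000-00000000abcd}"  # placeholder GUID
    root = Path(tempfile.mkdtemp())
    dirs = {}
    for dc, version in (("DC1", 0x00020005), ("DC2", 0x00020004)):
        gpt = root / dc / "Policies" / guid
        gpt.mkdir(parents=True)
        (gpt / "GPT.INI").write_text(f"[General]\nVersion={version}\n")
        dirs[dc] = gpt.parent
    return compare_gpo(0x00020005, dirs, guid.upper())

if __name__ == "__main__":
    print(demo())
```

A domain controller reported as a mismatch or as missing the GPT is the one whose replication logs are worth reading first.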