DSfW: Troubleshooting Group Policy Objects

  • 7006275
  • 14-Jun-2010
  • 24-Nov-2014

Environment

Novell Open Enterprise Server 11 SP2 (OES11 SP2)
Novell Open Enterprise Server 11 SP1 (OES11 SP1)
Novell Open Enterprise Server 2 SP3 (OES2SP3)
Domain Services for Windows
DSfW

Situation

Tips for Troubleshooting DSfW Group Policy Objects
Tips for Troubleshooting DSfW GPOs
Tips for Troubleshooting Workstations mapping drives
Tips for Troubleshooting Workstations accessing shares

Resolution

  1. Verify the DSfW services are running on all domain controllers:
    xadcntrl validate

  2. Perform an eDirectory health check (TID 3564075)

  3. Verify the time
     Check that the time, time zone, and date are correct on the workstation and server, and that time is in sync not only between servers but also between the workstation and server.

  4. Check DNS
    DNS needs to be working properly in order to resolve the domain controller and locate the system folders.

  5. Check kdc.log for errors
    If the workstation is joined but fails to log in, GPOs will not be updated.  Check /var/opt/novell/xad/log/kdc.log for "Decrypt integrity check failed" (bad password), "locked out" (account is locked out), and "client not found" (account is not found in domain) for the workstation and for the user.  See TID 7015630, the Kerberos section of TID 7010462, and TID 7010842 for authentication.

  6. Run gpupdate /force to ensure the workstation receives any updates to the GPO
    To do this, open a command prompt (cmd) on the workstation as Administrator.  Type gpupdate /force and press Enter.  Run gpresult /z >c:\gpresult.txt to view the complete status of the GPOs and write the output to a file.  Another popular option is gpresult /v for verbose mode.

    If there is more than one DC, make sure the PDC is active in the DFS tab.  To do this:
    1. Map a drive to the sysvol and specify the domain.  Do not specify the server when mapping the drive. 
      Below is an example of mapping a drive to a domain called novell.com:
      \\novell.com\sysvol
    2. Right click on the domain folder. In this example it would be novell.com
    3. Select the DFS tab
    4. Select PDC and set as active

  7. Enable GPO debug logging and run gpupdate /force
    Here is a "HOW TO" based on the MS article Group Policy Debug Log Settings

    Synopsis:
    In Windows 7, GPO processing is performed by a service called "Group Policy Client".
    Create the following subkey:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics]
    For Windows 7
    Create a REG_DWORD of GPSvcDebugLevel with the Base being hexadecimal and the Value data of 00030002
    "GPSvcDebugLevel"=dword:00030002
    The resulting log file will be:
    %WINDIR%\debug\usermode\gpsvc.log

    For XP
    Create a REG_DWORD of UserEnvDebugLevel with the Base being hexadecimal and the Value data of 00030002
    "UserEnvDebugLevel"=dword:00030002
    The resulting log file will be:
    %WINDIR%\debug\usermode\Userenv.log

    DebugLevel can have the following values:
    NONE 0x00000000
    NORMAL 0x00000001
    VERBOSE 0x00000002
    LOGFILE 0x00010000
    DEBUGGER 0x00020000
    The values can be combined: 0x00030002 is LOGFILE, DEBUGGER and VERBOSE together.
    Delete the REG_DWORD or set it to 0 to disable.

    STEP BY STEP HOW TO:
    1. Start regedit - Click Start, click Run, type regedit, and click OK
    2. Go to the registry subkey:
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
    3. On the Edit menu | New | click Key
    4. Give the subkey a name of Diagnostics | press ENTER
    5. Right-click the Diagnostics subkey | New | click DWORD Value
    6. Type GPSvcDebugLevel (Windows7) or UserEnvDebugLevel (XP) | press ENTER
    7. Right-click GPSvcDebugLevel (Windows7) or UserEnvDebugLevel (XP), and then click Modify
    8. In the Value data box enter 0x30002 | click OK
    9. Exit regedit
    10. Run gpupdate /force
    11. Gather the appropriate log

    Folder Redirection Debug logging
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
    Set: FdeployDebugLevel = Reg_DWORD 0x0f
    For XP the log file can be found at: %windir%\debug\usermode\fdeploy.log
    For Windows 7 look in the event log

    NetLogon Debug Logging
    To enable netlogon debugging, at a command prompt run: nltest /dbflag:0x2080fff
    Then run net stop netlogon and net start netlogon
    The log can be found at %windir%\debug\netlogon.log
    To disable netlogon debugging, at a command prompt run: nltest /dbflag:0x0

  8. Check that the permissions are correct for the netlogon and sysvol shares in smb.conf

    [netlogon]
        comment = Network Logon Service
        path = /var/opt/novell/xad/sysvol/sysvol/dsfw.my/scripts
        writable = No
        share modes = No
        nt acl support = Yes
    [sysvol]
        wide links = yes
        comment = Group Policies
        path = /var/opt/novell/xad/sysvol/sysvol
        writable = Yes
        share modes = No
        nt acl support = No

    For Additional Domain Controllers, also check the sysvol-msdfs share

    [sysvol]
        wide links = yes
        comment = msdfs link to Group Policies
        path = /var/opt/novell/xad/msdfs
        msdfs root = Yes
        nt acl support = No

    [sysvol-msdfs]
        wide links = yes
        comment = Group Policies
        path = /var/opt/novell/xad/sysvol/sysvol
        writable = No
        share modes = No
        nt acl support = No

  9. Check that the ACLs are correct for /var/opt/novell/xad/sysvol (TID 7009748)

  10. From the First Domain controller (ADPH) run gposync.sh and see if there are any errors reported.
    The GUID for the GPO will be displayed for each GPO.

    Below is an example of running gposync:
    The list of Group Policies present in the domain dc=novell,dc=com are:
    {31B2F340-016D-11D2-945F-00C04FB984F9}
    {4C83E0AF-EF68-4D89-8C31-A6FE84AF60DB}
    Syncing {31B2F340-016D-11D2-945F-00C04FB984F9} Group Policy Domain Services for Windows Policy Synchronization Tool
    Copyright (c) 2001-2007 Novell, Inc. All rights reserved.

    >>> Synchronizing GPO->NMAS...
    >>> Updating naming context <dc=novell,dc=com>
    >>> Updating NMAS login policy <cn=Domain Password Policy,cn=Password Policies,cn=System,dc=novell,dc=com>
    >>> Updating domain policy <cn=Default Domain Policy,cn=System,dc=novell,dc=com>
    >>> Updating modification time on Group Policy Template '/var/opt/novell/xad/sysvol/domain/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf'
    GPO->NMAS synchronization OK.
    Update NMAS Password Policy Links
    Syncing {4C83E0AF-EF68-4D89-8C31-A6FE84AF60DB} Group Policy Domain Services for Windows Policy Synchronization Tool
    Copyright (c) 2001-2007 Novell, Inc. All rights reserved.

    >>> Synchronizing GPO->NMAS...
    >>> Updating naming context <dc=novell,dc=com>
    >>> Updating NMAS login policy <cn={4C83E0AF-EF68-4D89-8C31-A6FE84AF60DB},cn=Password Policies,cn=System,dc=novell,dc=com>
    >>> Updating modification time on Group Policy Template '/var/opt/novell/xad/sysvol/domain/Policies/{4C83E0AF-EF68-4D89-8C31-A6FE84AF60DB}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf'
    GPO->NMAS synchronization OK.
    Update NMAS Password Policy Links

    In this example there are two GPOs; the default GPO is {31B2F340-016D-11D2-945F-00C04FB984F9}, which is created when DSfW is installed.

  11. Run sysvolsync to synchronize the sysvol on the First Domain controller (ADPH) to the Additional Domain Controllers.

    The following results should be returned if the sysvolsync was successful. Note that for each ADC there will be an "Exit request sent."

    Exit request sent.
    Exit request sent.
    Replication Stopped. Status: Successful

  12. If login scripts fail after applying Samba version 3.0.36-0.13.18.1, follow TID 7009466

  13. Use a simple script to test if GPO is being executed. TID 7006270 has a nice simple script to work with.

  14. Here is a list of articles from Microsoft on GPO troubleshooting:
    How to enable user environment debug logging in retail builds of Windows
    Configuring Administrative Workstation Settings for Group Policy Troubleshooting
    Troubleshoot Group Policy with GPLogView
    Troubleshooting Group Policy Problems
    Your Guide to Group Policy Troubleshooting
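
For the kdc.log check in step 5, the following is an added example (not part of the TID and not a Novell tool) that tallies the three failure phrases per principal. The log line layout, host name, process name and principals in the sample are constructed; only the phrases are taken from the TID.

```shell
#!/bin/sh
# Added example: tally the kdc.log failure phrases named in step 5 per principal.
# Only the three phrases come from the TID; the log line layout is CONSTRUCTED.

sample_kdc_log() {
cat <<'EOF'
Jun 14 10:01:02 dc1 krb5kdc[2211](info): AS_REQ 10.0.0.21: jsmith@NOVELL.COM for krbtgt/NOVELL.COM@NOVELL.COM, Decrypt integrity check failed
Jun 14 10:01:09 dc1 krb5kdc[2211](info): AS_REQ 10.0.0.21: jsmith@NOVELL.COM for krbtgt/NOVELL.COM@NOVELL.COM, Decrypt integrity check failed
Jun 14 10:02:30 dc1 krb5kdc[2211](info): AS_REQ 10.0.0.22: WS01$@NOVELL.COM for krbtgt/NOVELL.COM@NOVELL.COM, Client not found in domain
Jun 14 10:03:11 dc1 krb5kdc[2211](info): AS_REQ 10.0.0.23: mjones@NOVELL.COM for krbtgt/NOVELL.COM@NOVELL.COM, account is locked out
Jun 14 10:04:00 dc1 krb5kdc[2211](info): AS_REQ 10.0.0.24: akhan@NOVELL.COM for krbtgt/NOVELL.COM@NOVELL.COM, ISSUE
EOF
}

# kdc_triage [file...]: print "<count> <category> <principal>", sorted.
# Reads stdin when no file is given.
kdc_triage() {
  awk '
    # The first whitespace-separated field containing "@" is taken as the
    # principal (an assumption that matches the constructed layout above).
    function principal(   i, p) {
      for (i = 1; i <= NF; i++)
        if ($i ~ /@/) { p = $i; sub(/[,:]$/, "", p); return p }
      return "unknown"
    }
    {
      l = tolower($0); cat = ""
      if (index(l, "decrypt integrity check failed")) cat = "bad_password"
      else if (index(l, "locked out"))                cat = "locked_out"
      else if (index(l, "client not found"))          cat = "not_found"
      if (cat != "") n[cat " " principal()]++
    }
    END { for (k in n) print n[k], k }
  ' "$@" | sort -k2,2 -k3,3
}

# Demo on the constructed sample; on a DC, pass the real log instead:
#   kdc_triage /var/opt/novell/xad/log/kdc.log
sample_kdc_log | kdc_triage
```

A principal ending in $ is a workstation account, so the summary separates a workstation that cannot authenticate from a user who cannot.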
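
For the smb.conf check in step 8, the following is an added example (not part of the TID) that compares the [netlogon] and [sysvol] shares against the first-domain-controller values listed in that step. The function names and the sample smb.conf are constructed, and Samba parameter synonyms (for example "read only" for "writable") are not resolved.

```shell
# Added example: compare smb.conf shares with the values listed in step 8.
expected_shares() {   # section|key|value, from the first-DC listing in the TID
cat <<'EOF'
netlogon|writable|no
netlogon|share modes|no
netlogon|nt acl support|yes
sysvol|wide links|yes
sysvol|writable|yes
sysvol|share modes|no
sysvol|nt acl support|no
EOF
}

sample_smb_conf() {   # CONSTRUCTED input with two deliberate deviations
cat <<'EOF'
[netlogon]
    writable = Yes
    share modes = No
    nt acl support = Yes
[sysvol]
    wide links = yes
    path = /var/opt/novell/xad/sysvol/sysvol
    writable = Yes
    share modes = No
EOF
}

smb_settings() {      # normalise smb.conf to lower-cased "section|key|value"
  awk '
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
    /^[ \t]*\[/ { s = tolower($0); gsub(/^[ \t]*\[|\][ \t]*$/, "", s); next }
    { i = index($0, "="); if (!i) next
      k = tolower(substr($0, 1, i - 1)); v = tolower(substr($0, i + 1))
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      print s "|" k "|" v }
  ' "$@"
}

check_shares() {      # prints one line per deviation; no output means a match
  { expected_shares | sed 's/^/want|/'; smb_settings "$@" | sed 's/^/have|/'; } |
  awk -F'|' '
    $1 == "want" { want[$2 "|" $3] = $4; next }
    { have[$2 "|" $3] = $4 }
    END { for (k in want) {
            if (!(k in have)) { print "MISSING " k }
            else if (have[k] != want[k]) { print "MISMATCH " k " = " have[k] " (expected " want[k] ")" } } }
  ' | sort
}

sample_smb_conf | check_shares   # on a DC: check_shares /path/to/smb.conf
```

On an Additional Domain Controller the [sysvol] share is the msdfs root shown in step 8, so the expected table has to be adjusted there before the comparison is meaningful.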

Additional Information

If OES2.x and updated Samba 3.0.36-0.91 or later are installed, please follow TID 7005705