Difference between revisions of "Active Directory/Documentation/Planning"
Line 58: | Line 58: | ||
===Unable to Update Group Policy=== | ===Unable to Update Group Policy=== | ||
====Details==== | ====Details==== | ||
+ | When I run gpupdate /force, I get the following error message and the following event is logged: | ||
+ | |||
+ | |||
+ | Log Name: System | ||
+ | Source: Microsoft-Windows-GroupPolicy | ||
+ | Date: 11/22/2006 10:41:49 AM | ||
+ | Event ID: 1055 | ||
+ | Task Category: None | ||
+ | Level: Error | ||
+ | Keywords: | ||
+ | User: WOLFTECH\pgmurphy.admin | ||
+ | Computer: VPCVista.ece.ncsu.edu | ||
+ | Description: | ||
+ | The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following: | ||
+ | a) Name Resolution failure on the current domain controller. | ||
+ | b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller). | ||
+ | Event Xml: | ||
+ | <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> | ||
+ | <System> | ||
+ | <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}" /> | ||
+ | <EventID>1055</EventID> | ||
+ | <Version>0</Version> | ||
+ | <Level>2</Level> | ||
+ | <Task>0</Task> | ||
+ | <Opcode>1</Opcode> | ||
+ | <Keywords>0x8000000000000000</Keywords> | ||
+ | <TimeCreated SystemTime="2006-11-22T15:41:49.553Z" /> | ||
+ | <EventRecordID>1285</EventRecordID> | ||
+ | <Correlation ActivityID="{1AEBF62E-E81B-4BD5-9F36-F1B4AC1812AE}" /> | ||
+ | <Execution ProcessID="1044" ThreadID="2868" /> | ||
+ | <Channel>System</Channel> | ||
+ | <Computer>VPCVista.ece.ncsu.edu</Computer> | ||
+ | <Security UserID="S-1-5-21-2670277017-1606584948-3883025002-1338" /> | ||
+ | </System> | ||
+ | <EventData> | ||
+ | <Data Name="SupportInfo1">1</Data> | ||
+ | <Data Name="SupportInfo2">1753</Data> | ||
+ | <Data Name="ProcessingMode">0</Data> | ||
+ | <Data Name="ProcessingTimeInMilliseconds">125</Data> | ||
+ | <Data Name="ErrorCode">1317</Data> | ||
+ | <Data Name="ErrorDescription">The specified account does not exist. </Data> | ||
+ | </EventData> | ||
+ | </Event> | ||
====Cause==== | ====Cause==== | ||
====Solution==== | ====Solution==== |
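Review bot: the event log added under ====Details==== is pasted as bare wikitext, from "Log Name: System" through "</Event>", with no <pre> wrapper or leading-space preformatting. The rendered revision therefore collapses it into one paragraph and drops the <Data Name="..."> tags, so the EventData values appear as "1 1753 0 125 1317" with no field names. Wrap the whole log in <pre>...</pre> so ErrorCode 1317 and the other fields stay readable. The paste also publishes the admin account name and its full SID (the User line and the Security UserID attribute); consider whether the page needs them.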
Revision as of 13:18, 22 November 2006
Tasks
Group Policies
Block Incompatible GPOs
Use WMI filters to block incompatible GPOs. Todo:
- Default Domain Policy - Still deciding how to handle GP differences between WinXP and Vista.
- Domain-Laptop Policy - Still deciding how to handle GP differences between WinXP and Vista.
- FW-NCSU-WolfTech-Defrag C-1.0-20050408 - Not necessary; Vista has built-in defrag scheduling.
- SW-NCSU-NCSU-Wolfcall (with autologin)-1.2.0-20040601 - Not Vista compatible.
- SW-NCSU-NCSU-Wolfcall (with autologin)-1.2.1-20050510 - Not Vista compatible.
- SW-NCSU-NCSU-Wolfcall (with autologin)-1.2.1-20060829 - Not Vista compatible.
- SW-NCSU-NCSU-Wolfcall (without autologin)-1.2.1-20050615 - Not Vista compatible.
- SW-NCSU-Symantec-AntiVirus (UNI03NT)-10.0.2.2021-20060530 - Not Vista compatible.
- SW-ECE-Symantec-AntiVirus (SERPENT)-10.0.2.2021-20060530 - Not Vista compatible.
Domain Policy
Options:
- Create separate domain policies for Vista and Windows 2000/XP/2003.
  - Creates more complexity by having completely separate group policy environments for different OSes.
  - OSes may have different security levels or inconsistent security policies.
  - Reduces predictability.
  - Complicates determining security compliance.
  - Compatibility issues could vary on different OSes.
- Use a common domain policy for all OSes and create a separate domain policy for Vista-only policies.
  - This would prevent any unintended consequences on XP/2003 computers.
  - Reduces complexity by having common security policies for all OSes.
  - Would be a good idea to reconsider settings using both the updated Windows XP Security Guide and the new Windows Vista Security Guide.
- Use a common domain policy for all OSes, including Vista-only policies.
  - Will require testing to make sure Vista-only policies don't cause problems on XP/2003 computers.
  - Reduces complexity by having common security policies for all OSes.
  - Would be a good idea to reconsider settings using both the updated Windows XP Security Guide and the new Windows Vista Security Guide.
Observations:
- Security settings in Vista and Windows XP are very similar. The only obvious difference is that Vista has new policies to control new features such as privilege elevation.
Test Software
Compatible
Incompatible
Untested
Migration Wizard
Deployment
WDS Server
- Brought up ECE00WDS.
- Created WDS GPO template.
- Created image.
- Installed Vista from WDS.
Todo:
- Apply Member Server template.
- Set up DFS Replication between WDS servers.
Create Unattended Image
- Created Image
Todo:
- Make image actually install unattended.
Resolve Errors
Unable to Update Group Policy
Details
When I run gpupdate /force, I get the following error message and the following event is logged:
Log Name: System
Source: Microsoft-Windows-GroupPolicy
Date: 11/22/2006 10:41:49 AM
Event ID: 1055
Task Category: None
Level: Error
Keywords:
User: WOLFTECH\pgmurphy.admin
Computer: VPCVista.ece.ncsu.edu
Description:
The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}" />
    <EventID>1055</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>1</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2006-11-22T15:41:49.553Z" />
    <EventRecordID>1285</EventRecordID>
    <Correlation ActivityID="{1AEBF62E-E81B-4BD5-9F36-F1B4AC1812AE}" />
    <Execution ProcessID="1044" ThreadID="2868" />
    <Channel>System</Channel>
    <Computer>VPCVista.ece.ncsu.edu</Computer>
    <Security UserID="S-1-5-21-2670277017-1606584948-3883025002-1338" />
  </System>
  <EventData>
    <Data Name="SupportInfo1">1</Data>
    <Data Name="SupportInfo2">1753</Data>
    <Data Name="ProcessingMode">0</Data>
    <Data Name="ProcessingTimeInMilliseconds">125</Data>
    <Data Name="ErrorCode">1317</Data>
    <Data Name="ErrorDescription">The specified account does not exist. </Data>
  </EventData>
</Event>
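The EventData values in this event only make sense alongside their Name attributes, so the following added example (not part of the original wiki page) parses the event XML by name and labels the Win32 error code. The function name `parse_gp_event` and the short `WIN32_ERRORS` table are assumptions made for illustration; the sample is the event above, trimmed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Win32 error names from winerror.h; which codes to list here is an
# assumption of this example, not something stated on the page.
WIN32_ERRORS = {
    1317: "ERROR_NO_SUCH_USER",
    1355: "ERROR_NO_SUCH_DOMAIN",
    1722: "RPC_S_SERVER_UNAVAILABLE",
}

# The event from this page, trimmed to the elements the parser reads.
SAMPLE_EVENT = """\
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" />
    <EventID>1055</EventID>
    <TimeCreated SystemTime="2006-11-22T15:41:49.553Z" />
    <Computer>VPCVista.ece.ncsu.edu</Computer>
  </System>
  <EventData>
    <Data Name="SupportInfo1">1</Data>
    <Data Name="SupportInfo2">1753</Data>
    <Data Name="ErrorCode">1317</Data>
    <Data Name="ErrorDescription">The specified account does not exist. </Data>
  </EventData>
</Event>"""


def parse_gp_event(xml_text):
    """Return the fields needed to triage a GroupPolicy failure event."""
    root = ET.fromstring(xml_text)
    # Key each EventData value by its Name attribute; position alone is ambiguous.
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    code = int(data["ErrorCode"]) if data.get("ErrorCode", "").isdigit() else None
    return {
        "provider": root.find("e:System/e:Provider", NS).get("Name"),
        "event_id": int(root.findtext("e:System/e:EventID", namespaces=NS)),
        "computer": root.findtext("e:System/e:Computer", namespaces=NS),
        "time_utc": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        "error_code": code,
        "error_name": WIN32_ERRORS.get(code, "unknown"),
        "error_text": data.get("ErrorDescription", ""),
    }


if __name__ == "__main__":
    for key, value in parse_gp_event(SAMPLE_EVENT).items():
        print(f"{key}: {value}")
```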