Feroz Shaikh said:
Hi,
My current setup has an Windows 2000 Active Directory. I need to modify
certain default Group Policies.
When I make the required changes, I don't
know how to update them.
Whenever I open the gpedit.msc console, I find my
changes gone.
The above sounds like to separate issues. (Or a
confused question.)
1) Replicating the changes to each DC
2) Updating the changed policies to the affected machines/users
Both should be automatic so something in addition is wrong.
Can someone please let me know how to update Group Policies after making
changes.
When you update the GPOs then they SHOULD replicate
to all other DCs (if replication is working.)
When a client starts up (or user logs on) the policies on
the authenticating DC will be applied as per the linkage
and permissions in AD.
Changed policies will also be partially* applied periodically
(within a few minutes to a few hours) to each station or user.
*Partically means that Security and Administrative Templates
are normally applied while running but the Software Updates
are not.
If replication is failing, this is usually a DNS issue, if your
network (including WANs and firewalls) are working correctly.
Replication can of course be limited by firewall filters or
other problems on your network.
Normally when you edit a GPO the tool choose to use the
PDC Emulator because even though technically these objects
are multi-mastered, this is a n all or nothing (entire GPO)
matter. By using a single DC (by default) this means that you
get the safety of a single master while being able to take
advantage of multi-mastering IF you so choose.
BUT, this normally should have nothing to do with your
replication unless you choose to edit the policy in two places
concurrently (or some other admin does.)
I would start by checking DNS and any network or firewall
issues.
DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)
netdiag /fix
....or maybe:
dcdiag /fix
(Win2003 can do this from Support tools):
nltest /dsregdns /server
C-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/
Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.
Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.
Single Label domain zone names are a problem Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]
