Windows 2K3

So I’m in the process of finally getting Active Directory rolled out and am hoping to reap the benefits of easier (l)user management and also more secure machines to extend the time to rebuild. In the process of getting the servers in place globally and getting them all talking to each other I’ve come across some really dull stuff and also spent a lot of time scratching my head at why Windows would do something unexpected.

So now I’m so close I can almost taste it (and I’m really looking forward to the complaints as everyone loses local admin rights).

I’ve extended Active Directory using Likewise, added in support for AFP on Windows file servers with the added bonus of OSX print queues where the old (and full) XServe RAIDs have been replaced using ExtremeZ-IP, and for purely “green” reasons built in print queue monitoring by user (assigning a cost per page printed) so we can see those that print the most (and no doubt waste the most). I’ve started to build Group Policy Objects which will hopefully make life easier… and this is where the story of WTF really starts.

This whole process has taken a long time, mainly because the work has been completed around a large number of other tasks and also because there was no budget to buy the servers, and so the cost justification for each server was based on a benefit elsewhere. Still, all the servers are now in place, they are all joined to the AD and all send DNS info backwards and forwards. They also talk to each local SonicWall so that users can be authenticated against AD and assigned into the relevant group and then VPN into their home site when away from the office (VPN rollout commences once every machine is connected to AD and we deploy end point security).

So on the test machines I can deploy updates and software using GPOs, block users from adding all of those crappy toolbars that they insist got there by “magic” and all sorts of other goodies, if only my bloody GPOs wouldn’t keep disappearing…

Leave the PDC for a day or so, then open up Group Policy Management to check something or make a change, and the message “Object not found” would greet me, along with not being able to access the Default Domain Controller Policy and also the Default Domain Policy.

*bugger*

I fixed this a number of times using dcgpofix but the problem would always re-occur.

So this time around, when it happened whilst working from home, I had the ideal time to try and finally fix the problem (still waiting to see if I really have).

Checking in Event Viewer got me this error, “Windows cannot access the file gpt.ini for GPO”, and lots of the nasty red crosses got me to here, which in turn led me to KB842804, which might have provided the solution.

This is a known issue which SP1 fixes, but only if you then do the further registry hack at the end of the article. Seriously *WTF*

Anyway, I’m waiting to see if this has finally fixed the issue, but in the time I’ve wasted searching for this “answer” I’ve spent a lot of time using dcgpofix.

Now to do the registry hack on the remaining 8 domain controllers and see how it all goes. It would be nice to be able to focus on the next bits of this fun (logon scripts using VBS) and try and crack getting ODBC connections to deploy using GPO, but that would be a much longer story than this one…

Update: Still losing the GPOs, hunting for the magic spell that makes the problem go away (take Windows out and shoot the server not being an option, disappointingly).
