Professional Windows Server 1002003 Security A Technical Reference [Electronic resources] - text version

Roberta Bragg

Chapter 9. Troubleshooting Group Policy


Good news! I love being the bearer of good news! The Group Policy Management Console (GPMC) provides infrastructure and processes that will enable you to effectively troubleshoot many Group Policy problems. But GPMC does not answer all your troubleshooting issues. The problem is that Group Policy relies on more than Group Policy. Proper Group Policy processing relies on all of these:

User and computer account placement
Is the account within the hierarchy of the object that the Group Policy Object (GPO) is linked to?

Link status
Is the GPO linked and enabled?

DNS
Is DNS working appropriately?

The health of Active Directory
Is replication timely and occurring appropriately?

The health of the file replication service (FRS)
Is file replication occurring appropriately and in a timely fashion?

The client
Is the client authenticating to the domain or using cached credentials?

The proper design of the GPO
Are the right choices being made in its implementation?

GPO inheritance
Which policies does the client receive last? Are any policies enforced or blocked? Is loopback processing used?


Because so many factors contribute to whether a GPO does what it is designed to do, it's important to have a strategy for determining what might be wrong. As in most troubleshooting strategies, the first step is to create a decision tree that reduces the number of things that have to be done to resolve the problem. Figure 9-1 illustrates the GPO troubleshooting decision tree. Table 9-1 lists where to find the information necessary to perform troubleshooting.

Figure 9-1. The GPO troubleshooting tree.

Chapter 7, "Group Policy"; "Determining If the Policy Has Been Applied"

3 | Is GPO application correct? | Troubleshooting Group Policy Application Issues
4 | No: Are clients using cached credentials? | Troubleshooting Networking Problems
5 | No: Is the network running properly? | Troubleshooting Networking Problems
6 | No: Is Active Directory or FRS replication operating correctly? | Troubleshooting Active Directory and FRS Replication
7 | Yes: Are settings configured correctly? | Troubleshooting GPOs

The first step is to determine if the reported problem is a Group Policy problem or the way things are supposed to be. For example, the help desk may report that it cannot connect to some computers to remotely assist those users with computer problems. However, the help desk can remotely assist other users, and the computers in question can be pinged by the help desk operators. Is this a Group Policy problem? Or is it the way things are supposed to be? Are there computers that should not be remotely connected to? Before classifying the problem as a Group Policy problem, make sure that you know what the security policy is. Don't troubleshoot and change a GPO without first understanding your organization's security policy.

After determining that there is a problem, you still must determine if it is a Group Policy problem. That is, is a Group Policy not having the desired effect, or are other issues thought to be a Group Policy issue? If a Group Policy has been implemented and is not working as expected, then troubleshooting Group Policy is the next step. However, a number of security-related activities may not be due to Group Policy issues. Local configuration such as file permissions, a local IPSec policy, or personal firewall may be blocking access to a specific computer. Networking problems may also play a role. The instructions in this chapter only relate to Group Policy problems and presume that a specific GPO has been identified. An inspection of the Group Policies applied to a specific computer or user can be used to determine whether the problem is a result of a Group Policy Object's application. If that is the case, return to the first question: Is this the way things are supposed to be? If not, removing the offending setting or GPO (or removing the user or computer account from its application either by changing the OU location of the account or by using security filtering) can solve the problem.

Determining if the GPO has been applied is a critical step because the answer may determine whether to test networking issues or GPO configuration next. If the GPO hasn't been applied, then a number of issues may be preventing it, from networking issues to replication or a poor Group Policy design or implementation. If the GPO is being applied but is not doing what was expected, then the problem is either in GPO design or application. By asking questions and looking for answers in an organized way, the problem may be resolved in a more efficient manner. Approaching troubleshooting in the order listed is one way to do so.

However, there are no hard and fast rules, and even information about the experience and knowledge level of the individuals who maintain the network and Active Directory and configure the GPOs can play a role. For example, if network problems are rampant in your organization, then networking may be the reason that a GPO is not applied. If the Active Directory is not working as it should, then that is usually the cause, and if administrators do not understand Group Policy, then its configuration is probably the issue. This means that you may be able to more clearly predict the most likely cause of the problem for your environment. If everything in your environment runs equally well (or is equally messed up), I would suggest that you verify network issues first, simply because this is generally easier and because network issues can cause problems with replication and with Group Policy.

TIP: Install Resource Kit Tools and Support Tools

Many important troubleshooting and monitoring tools for Group Policy are provided in the Support Tools group on the Windows Server 2003 installation CD. Other tools are available in the Windows Server 2003 Resource Kit available for free download from http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&DisplayLang=en. Install the tools, read their help files, and become comfortable with their use before you need them. Get a copy of the Windows Server 2003 Resource Kit.

That said, dcdiag.exe, a support tool, runs a number of tests that require a properly functioning DNS server with correct DC records to return a pass. If you run dcdiag and get a pass on these tests, you can eliminate connectivity and DNS issues. You may also eliminate Active Directory replication and File Replication Service (FRS) issues. Errors returned by dcdiag may not explicitly point to the cause of the Group Policy problem, but because it can eliminate many problems and identify general areas for further research, it's a good baseline tool. Run it periodically, before you have a problem, as a general monitor of Group Policy health.
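One way to use dcdiag as the periodic baseline described above is to save its output and compare runs. The following is an added example, not code from the book: it assumes dcdiag's "passed test" / "failed test" summary lines, the mapping of test names to this chapter's troubleshooting areas is an assumption, and the sample output is constructed.

```python
import re
from collections import defaultdict

# Assumed shape of a dcdiag summary line:
#   "......................... DC01 passed test Connectivity"
RESULT_RE = re.compile(r"^\s*\.+\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)\s*$", re.I)

# Assumption: which troubleshooting area of this chapter each dcdiag test points to.
AREA_BY_TEST = {
    "connectivity": "Networking / DNS",
    "replications": "Active Directory replication",
    "kccevent": "Active Directory replication",
    "frssysvol": "FRS replication",
    "frsevent": "FRS replication",
}

def parse_dcdiag(text):
    """Return {(server, test): passed} for every summary line in the output."""
    results = {}
    for line in text.splitlines():
        m = RESULT_RE.match(line)
        if m:
            server, outcome, test = m.groups()
            results[(server.upper(), test.lower())] = outcome.lower() == "passed"
    return results

def triage(results):
    """Group failed tests by troubleshooting area; unmapped tests go to 'Other'."""
    areas = defaultdict(list)
    for (server, test), passed in sorted(results.items()):
        if not passed:
            areas[AREA_BY_TEST.get(test, "Other")].append(f"{server}:{test}")
    return dict(areas)

def regressions(baseline, current):
    """Tests that passed in the baseline run but fail or are absent now."""
    return sorted(k for k, ok in baseline.items() if ok and not current.get(k, False))

# Constructed sample output (not captured from a real domain controller).
BASELINE = """
         ......................... DC01 passed test Connectivity
         ......................... DC01 passed test Replications
         ......................... DC01 passed test frssysvol
         ......................... DC02 passed test Connectivity
"""
CURRENT = BASELINE.replace("DC01 passed test Replications", "DC01 failed test Replications") \
                  .replace("DC01 passed test frssysvol", "DC01 failed test frssysvol") \
                  .replace("DC02 passed test Connectivity", "DC02 failed test Connectivity")
```

A test that was present in the baseline but is missing from the current run is reported as a regression, since a server that cannot be reached produces no result lines for its later tests.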

