OpsMgr R2 by Example: the Group Policy MP

The Windows Server Group Policy management pack is available as a single download that contains different libraries to monitor Windows Server Group Policy on Server 2003 and 2008 operating systems.

How to Install

  1. Download the Windows Server Group Policy management pack from the Management Pack Catalog (http://technet.microsoft.com/en-us/opsmgr/cc539535.aspx). The Windows Server Group Policy Management Pack Guide is included in the download and labeled “OM2007_MP_GP2008.doc.”
  2. Read the Management Pack guide, which points out useful details such as the installation order (Windows Server management packs first, then the Group Policy 2008 management packs, and then the Group Policy 2003 management packs).
  3. Import the Group Policy 2008 Management Pack (using either the Operations console or PowerShell), and then the Group Policy 2003 Management Pack.
  4. Create a GroupPolicy_Overrides management pack to contain any overrides required for the MP.

Agentless monitoring is not supported by the Windows Server Group Policy management pack.

Tuning / Alerts to look for

The following alerts were encountered and resolved while tuning the various Group Policy management packs (these are listed in alphabetical order by Alert name):

Alert: Application of Group Policy Alert

Issue: The monitor that raised the alert was the Time Skew Monitor. The computer in question was in the wrong time zone.

Resolution: Changed the time zone on the server reporting the alert.

Alert: Application of Group Policy Alert

Issue: The alert reports that a user from a different forest than the computer account is logging on and that Group Policy from the other forest is not currently allowed.

Resolution: This environment has two different forests. One of them is a new replacement forest, and group policies are being built in it to replace the group policies used in the original forest. While users will log into the new forest with credentials from the old forest, the old forest's group policies should not apply. This will eventually be resolved when the old forest is decommissioned. In the meantime, the monitor was disabled by override (override parameter Enabled = false) for all objects of type Group Policy 2008 Runtime.

Alert: Folder Redirection CSE ProcessedWithErrors

Issue: The Group Policy client logged event 1085 (failure), preceded by event 107, which showed the user that had the issue. This was occurring on a Citrix terminal server.

Resolution: The user's home folder was not mapped correctly.

Alert: GPO Data Retrieval Error

Issue: Userenv event 1058 (a Group Policy error) in the Application event log.

Resolution: Found article 828760, which implies ACSL issues with SYSVOL on the domain controllers and Service Pack 1. Ran gpupdate /force on the system to see if the event could be recreated; instead it logged an informational 1704 event reporting success. Tested access to the path using the domain name and from each of the domain controllers the system should be using to authenticate. The dates on the folders named in the error message differed between domain controllers, but the actual content was consistent. This was occurring on the All Domain Computers policy. There was no indication that a WAN outage caused it.

Alert: GPO Data Retrieval Error

Issue: Every 5 minutes, Userenv errors 1058 and then 1030 were logged in the Application log.

Resolution: Determined that the domain controller had not been patched or rebooted in over six months (checked the System log for events from the eventlog source). Patched and rebooted the DC, and the Group Policy errors stopped occurring.

Alert: Group Policy Preprocessing (Active Directory) Alert

Issue: DNS issues in the environment caused an inability to resolve names.

Resolution: Fixed the DNS resolution issue so the environment could resolve names.

Alert: Group Policy Preprocessing (Networking) Alert

Issue: This alert occurs when event 1058 from the source GroupPolicy is written to the System log. This happens when the system is unable to connect to \\abc.com\SysVol\Policies\abc.com\Policies\{guid}\gpt.ini (where abc.com is the domain name and guid is the GUID given in the alert). According to the knowledge in the alert, issues like this are caused by network connectivity or name resolution problems, FRS latency, or the DFS client not running. Information on this event is available at http://technet.microsoft.com/en-us/library/cc727259(WS.10).aspx.

Resolution: In this case the error code was 5, which is access denied. Copied the file path from the event details and verified that the system could open the file with Notepad. Logged into a server that had the most recent GroupPolicy event in the System log, opened a command prompt (run as administrator) and ran gpupdate /force. Verified that events 1502 and 1503 were created successfully. Verified that the majority of these alerts all occurred at the same time. Closed this alert.

Also verified that DNS was providing this information correctly. Opened nslookup and resolved abc.com. Copied the name of the file shown (the gpt.ini file), replaced the abc.com domain name with each actual IP address (\\1.1.1.1\SysVol\Policies\abc.com\Policies\{guid}\gpt.ini) and verified that each of the domain controllers not only had the gpt.ini file but that it was readable from the path specified.
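The gpt.ini check above, done by hand with nslookup and Notepad, as an added PowerShell example (not code from the original post). It takes the UNC path copied from the alert, resolves the domain's DCs, and reports whether gpt.ini exists, is readable, and carries the same Version on every DC; the default path and GUID are placeholders.

```powershell
# Added example, not from the original post: for the gpt.ini path copied from a
# Group Policy Preprocessing (Networking) alert, resolve the domain's DCs the way
# "nslookup abc.com" does, then check that gpt.ini exists and is readable by domain
# name and from each DC by IP. Assumes PowerShell 2.0+ on a domain-joined host and
# rights to read SYSVOL; the default path below is a placeholder in the post's format.
param(
    [string]$GptIniPath = '\\abc.com\SysVol\Policies\abc.com\Policies\{00000000-0000-0000-0000-000000000000}\gpt.ini'
)

function Test-GptIni {
    param([string]$Path)
    $r = New-Object PSObject -Property @{ Path = $Path; Exists = $false; Readable = $false; Version = $null; Error = $null }
    try {
        $r.Exists = Test-Path -LiteralPath $Path
        if ($r.Exists) {
            # Same check as opening the file in Notepad; an access-denied (error code 5)
            # surfaces here as an exception rather than as Readable = $true.
            $content = Get-Content -LiteralPath $Path -ErrorAction Stop
            $r.Readable = $true
            foreach ($line in $content) {
                if ($line -match '^Version=(\d+)') { $r.Version = [int]$matches[1]; break }
            }
        }
    } catch {
        $r.Error = $_.Exception.Message
    }
    $r
}

# Split the UNC path into the host (the domain name) and the rest of the path.
if ($GptIniPath -notmatch '^\\\\([^\\]+)\\(.+)$') { throw "Not a UNC path: $GptIniPath" }
$domain = $matches[1]
$rest   = $matches[2]

# The domain name resolves to the DCs' IPv4 addresses (DNS round-robin).
$dcAddresses = [System.Net.Dns]::GetHostAddresses($domain) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    ForEach-Object { $_.IPAddressToString }

$results = foreach ($h in @($domain) + $dcAddresses) { Test-GptIni -Path "\\$h\$rest" }
$results | Format-Table Path, Exists, Readable, Version, Error -AutoSize

# A Version that differs between DCs indicates replication (FRS) lag, which the alert
# knowledge lists as a cause; Exists without Readable matches the access-denied case.
$versions = @($results | Where-Object { $_.Readable } | ForEach-Object { $_.Version } | Sort-Object -Unique)
if ($versions.Count -gt 1) { Write-Warning "gpt.ini Version differs between DCs: $($versions -join ', ')" }
```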

Alert: Group Policy Preprocessing (Security) Alert

Issue: This alert appears to occur when the identified system is unable to resolve DNS or Group Policy fails to apply. It states that the specified domain either does not exist or could not be contacted.

Resolution: Researching this alert from System log event 1054 turned up this Microsoft article: http://technet.microsoft.com/en-us/library/cc727331(WS.10).aspx. It appears that an event 1500 logged after the 1054 indicates that Group Policy is functional again.

Copied the name of the server from the alert detail pane, changed the view to Monitoring -> Computers and pasted the name of the server into the filter. Used the Computer Management action to connect and remotely review the server's event logs. Closed the alert after verifying that a 1500 had occurred since the 1054 in the System log of the server where the alert occurred.

Logged into a server that had the most recent GroupPolicy event in the System log, opened a command prompt (run as administrator) and ran gpupdate /force. Verified that events 1502 and 1503 were created successfully. Closed this alert.

Group Policy Management Pack Evolution

The Group Policy File Access Monitor in version 6.0.6648.0 of the Group Policy 2008 management pack should be a two-state monitor with a healthy condition on event 1500 (or 1051, 1052 or 1053) and a warning or critical condition on event 1058. This could be accomplished by creating a new custom monitor and disabling the original monitor included in the management pack.

The Machine Account Determination Monitor in version 6.0.6648.0 of the Group Policy 2008 management pack should be a two-state monitor with a healthy condition on event 1500 (or 1051, 1052 or 1053) and a warning or critical condition on event 1054. This could be accomplished by creating a new custom monitor and disabling the original monitor included in the management pack.
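The two-state logic proposed for both monitors, and the manual "has a 1500 occurred since the 1054?" check from the Preprocessing (Security) alert above, as an added PowerShell example (not code from the original post or the management pack). It reads a server's System log and reports each monitor as Healthy or Critical; the computer name is a placeholder.

```powershell
# Added example, not from the original post: apply the two-state logic described above
# to a server's System log. A Group Policy File Access failure (1058) or Machine Account
# Determination failure (1054) is only critical if no successful processing event
# (1500, 1051, 1052, 1053, or the 1502/1503 written by gpupdate /force) has been logged
# since it, which is the check done by hand in the Preprocessing (Security) alert above.
# Assumes PowerShell 2.0+, a Windows Server 2008 target (System log, source
# Microsoft-Windows-GroupPolicy) and rights to read its event log; $ComputerName is a placeholder.
param([string]$ComputerName = 'SERVER01')   # placeholder: paste the name from the alert detail pane

$healthyIds = 1500, 1051, 1052, 1053, 1502, 1503
$failureIds = @{ 1058 = 'Group Policy File Access Monitor'; 1054 = 'Machine Account Determination Monitor' }

function Get-GroupPolicyHealth {
    param([string]$Computer, [int]$Days = 7)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-GroupPolicy'
        Id           = @($healthyIds) + @($failureIds.Keys)
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Oldest first, so Select-Object -Last 1 returns the most recent event of each kind.
    $events = @(Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated)
    $lastHealthy = $events | Where-Object { $healthyIds -contains $_.Id } | Select-Object -Last 1

    foreach ($id in $failureIds.Keys) {
        $lastFailure = $events | Where-Object { $_.Id -eq $id } | Select-Object -Last 1
        $state = 'Healthy'
        if ($lastFailure -and (-not $lastHealthy -or $lastHealthy.TimeCreated -lt $lastFailure.TimeCreated)) {
            $state = 'Critical'   # failure logged and nothing successful after it
        }
        $failureTime = $null; if ($lastFailure) { $failureTime = $lastFailure.TimeCreated }
        $healthyTime = $null; if ($lastHealthy) { $healthyTime = $lastHealthy.TimeCreated }
        New-Object PSObject -Property @{
            Computer    = $Computer
            Monitor     = $failureIds[$id]
            FailureId   = $id
            LastFailure = $failureTime
            LastHealthy = $healthyTime
            State       = $state
        }
    }
}

Get-GroupPolicyHealth -Computer $ComputerName |
    Format-Table Computer, Monitor, FailureId, LastFailure, LastHealthy, State -AutoSize
```

For Windows Server 2003 hosts the same events come from the Userenv source in the Application log, so the LogName and ProviderName in the filter would need to change accordingly.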
