Group Policy in Windows Server 2012: Infrastructure Status
You may be asking yourself, “What does infrastructure status have to do with Group Policy”. Well, group policy depends on other technologies to ensure that policy settings are replicated throughout your environment so that end users / computers will get the settings that you configure.
And when you’ve run into problems you start wondering: did replication finish? Are there errors? And if there are, how am I supposed to see what errors have happened?
Since you are a GP admin and not necessarily an AD/DFSR admin, you only want to know that all of the replication that is supposed to be happening for Group Policy Objects is happening. In Windows Server 2012 we have added a feature that will tell you just this.
The feature is called Infrastructure Status and you can find it in the GPMC results pane for each domain object. Simply click the domain that you are interested in and in the result pane you will see a new tab labeled “Status”. This “status” tab will show the status of GPO replication (for both SYSVOL and AD) of all GPOs across your entire domain.
If you suspect you have a replication problem with a single GPO, to speed up your troubleshooting, you can check the infrastructure health status for that GPO. To see the status, open the Group Policy Objects node and select the GPO listed under that node.
Note: The infrastructure health status is not available when you click on GPO links displayed under the domain and OU nodes.
Initially, the Status tab will not have any information about replication status. Once you hit “detect now”, the GPMC contacts all domain controllers in your domain and collects information about Group Policy Object(s) from AD and SYSVOL. It uses a “baseline” domain controller to compare GPO information against GPO information from all other domain controllers. The baseline domain controller defaults to the DC that the GPMC is connected to but can be changed by clicking Change.
The first level of information will show the number of domain controllers that have GPO information “In Synch” with the baseline domain controller and the number of domain controllers that have GPO information that is “In Progress”. Domain controllers that are “In Synch” have all of the same GPO information as the baseline DC. Domain controllers that are “In Progress” do not have all of the same GPO information as the baseline DC. This may mean that there is a problem with GPO replication but it also may mean that replication just has not converged yet. For those DCs that are “In Progress” additional details are provided which explain exactly what is not in sync. The following is the list of reasons a DC can be “In Progress”:
Active Directory |
||
Accessibility |
If the Active Directory service cannot be contacted on a domain controller, this message will be displayed. |
|
GPO Version |
If the GPO version information in AD is different than the baseline domain controller, this message will be displayed and details about the GPOs that are different can be seen by clicking the message. |
|
Number of GPOs |
If the total number of GPOs in AD is different than the baseline domain controller, this message will be displayed and details about the number of GPOs that are different can be seen by clicking the message. |
|
Created Date |
If the created date stored in AD for any GPO is different than the baseline domain controller, this message will be displayed and details about the GPOs with different dates from the baseline DC can be seen by clicking the message. |
|
Modified Date |
If the modified date stored in AD for any GPO is different than the baseline domain controller, this message will be displayed and details about the GPOs with different dates can be seen by clicking the message. |
|
ACLs |
If the Active Directory permissions on any GPO are different than the baseline domain controller, this message will be displayed and details about the GPOs with different permissions can be seen by clicking the message. |
|
File System (SYSVOL) |
||
Accessibility |
If the SYSVOL folder cannot be contacted on a domain controller, this message will be displayed. |
|
GPO Version |
If the GPO version information in the GPT.ini file is different than the baseline domain controller, this message will be displayed and details about the GPOs that are different can be seen by clicking the message. |
|
Number of GPOs |
If the total number of GPOs in SYSVOL is different than the baseline domain controller, this message will be displayed and details about the number of GPOs that are different can be seen by clicking the message. |
|
GPO Contents |
If the content of SYSVOL for any GPO is different than the baseline domain controller, this message will be displayed and details about the GPOs with inconsistent contents can be seen by clicking the message. The content comparison is performed by creating a file hash for all files within each GPO folder on SYSVOL. The hash from the baseline DC is compared to the hash from each DC. |
|
ACLs |
If the SYSVOL permissions on any GPO are different than the baseline domain controller, this message will be displayed and details about the GPOs with different permissions can be seen by clicking the message. |
Within the details of each of the errors a link is provided to help you further investigate why the DC is not In Sync.
Group Policy can be very difficult to troubleshoot and we hope that this feature allows you to find and resolve GP related replication issues more quickly.