Group Policy Objects (GPO) Exported Using Group Policy Administrator are getting corrupted during th (NETIQKB28384)

  • 7728384
  • 02-Feb-2007
  • 06-Sep-2007

Resolution

fact
Group Policy Administrator 3.0

fact
NetIQ Group Policy Administrator 5.0

fact
Windows 2000 Server

fact
Group Policy Administrator 4.x



symptom

Group Policy Objects (GPO) exported using Group Policy Administrator become corrupted during Active Directory replication. The corrupt GPOs are listed with the following names in the SYSVOL directory on the domain controller:

  • ADM_NTFRS_xxx
  • User_NTFRS_xxx
  • Machine_NTFRS_xxx

Once the GPOs are corrupt, they must be deleted and recreated in order to implement the correct settings.



cause

Part of a group policy's data is stored in Active Directory and part in the SYSVOL folder on the domain controllers. For GPOs to replicate successfully to all domain controllers, both Active Directory replication and file system replication must succeed. File Replication Service (FRS) is a multiple-threaded, multiple-master replication engine that is responsible for replicating the contents of the SYSVOL folder. Several issues have been reported with FRS that cause replication failures. Microsoft has addressed a number of these issues in Windows 2000 SP3. A few post-SP3 hotfixes have also been made available and should be applied.

The GPA Repository provides functionality to create, edit and store GPOs in a SQL database instead of in a production Active Directory environment. The Check out and Check in functions used to edit GPOs incorporate Microsoft's Group Policy Editor tool. When used on a live Active Directory domain, GP Edit makes changes on the PDC emulator by default. Though there are options to point it at another domain controller, the recommendation is to use the PDC emulator. Similarly, when exporting a GPO from the Repository, there is an option to specify the domain controller to which the AD and SYSVOL sections of the GPO should be exported.



fix

To address the impact of replication issues, NetIQ has defined a set of recommendations concerning both which version of Microsoft's FRS software should be used and how to use NetIQ utilities to limit FRS problems. They are as follows:

  • All domain controllers in a domain should have the same FRS fixes.
  • Install, at a minimum, Windows 2000 SP3.  Additionally, we encourage customers to implement any Post SP3 FRS Fixes Microsoft releases.
    • 811370: Issues That Are Fixed in the Post-Service Pack 3 Release of Ntfrs.exe
  • Ensure that morphed folders (NTFRS_GUID folders) are all cleaned up on all domain controllers prior to attempting an export.
    • 328492: Folder Name Is Changed to "FolderName_NTFRS_<xxxxxxxx
    1. Do NOT delete the undesirable folder and rename the other one. This can lead to even more naming conflicts.
    2. Rename the original folders and the changed folders to different names, then wait for the new names to propagate throughout the system. This ensures that the folder then has a common name throughout the SYSVOL, and that the names and GUIDs match on all members.
    3. After the new name has propagated, choose the folder to be kept and rename it back to the original name. Other changed folders can then be deleted safely.
    • NOTE: Before deleting any folders, it is a best practice to ensure that a backup of the original (and complete) data exists.
  • Ensure that the PDC Emulator is explicitly targeted for the export of GPOs from the GPA Repository.
  • Apply NetIQ GPA hotfix Q26953b.  This hotfix optimizes the algorithm for GPO export operations from the Repository, reducing the number of delete operations performed on the SYSVOL folders. This optimization helps overcome Windows NT File Replication Service (NTFRS) limitations on quick deletions and recreation of files and folders that could cause NTFRS replication issues.  For more information on the hotfix, please refer to the following Knowledge Base article:
    • NETIQKB26953: What is the purpose of hotfix NETIQKB26953? 
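
The pre-export check for morphed folders recommended above can be scripted. The following is an added example, not NetIQ or Microsoft code; the domain name and domain controller names are placeholders, and it assumes the default \\<DC>\SYSVOL\<domain>\Policies share layout and read access to it from an administrative workstation.

```powershell
# Added example: list FRS "morphed" folders (<Name>_NTFRS_<suffix>) on every DC
# before exporting GPOs from the GPA Repository.
# Placeholders: replace $Domain and $DomainControllers with your own values.
$Domain            = 'example.local'
$DomainControllers = 'DC01', 'DC02'

function Find-MorphedFolder {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $DomainName
    )
    # Names such as ADM_NTFRS_xxx, User_NTFRS_xxx, Machine_NTFRS_xxx.
    # Nothing is assumed about the suffix except that it is non-empty.
    $pattern  = '^(?<original>.+)_NTFRS_(?<suffix>.+)$'
    $policies = "\\$ComputerName\SYSVOL\$DomainName\Policies"

    # -ErrorAction Stop: an unreachable DC must fail the check, not pass it silently.
    Get-ChildItem -LiteralPath $policies -Directory -Recurse -Force -ErrorAction Stop |
        ForEach-Object {
            if ($_.Name -match $pattern) {
                $original = Join-Path $_.Parent.FullName $Matches['original']
                [pscustomobject]@{
                    DomainController = $ComputerName
                    MorphedFolder    = $_.FullName
                    OriginalName     = $Matches['original']
                    # True when the un-morphed sibling folder also exists on this DC
                    OriginalPresent  = Test-Path -LiteralPath $original -PathType Container
                    LastWriteTime    = $_.LastWriteTime
                }
            }
        }
}

$findings = foreach ($dc in $DomainControllers) {
    Find-MorphedFolder -ComputerName $dc -DomainName $Domain
}

if ($findings) {
    $findings | Sort-Object OriginalName, DomainController | Format-Table -AutoSize
    $affected = @($findings.DomainController | Select-Object -Unique).Count
    Write-Warning "Morphed folders found on $affected DC(s). Clean them up before exporting GPOs."
} else {
    Write-Output 'No *_NTFRS_* folders found under Policies on the checked DCs.'
}
```

The script only reports; renaming and deleting folders still follows the three steps above, after a backup.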
          


note
NetIQ has also worked with Microsoft to understand when and how FRS failures occur, allowing administrators to better avoid them and, when they do happen, suggest means of addressing them.  We strongly encourage customers to inform Microsoft when issues do arise, as we know these issues are a high priority for customers.

note
Other FRS-related Microsoft Knowledge Base Articles:

Articles discussing post-SP3 fixes and improvements to the FRS:

  • 811217: Improvements in the Post-Service Pack 3 Release of Ntfrs.exe
  • 811370: Issues That Are Fixed in the Post-Service Pack 3 Release of Ntfrs.exe

Articles discussing post-SP2 and pre-SP3 changes and improvements to the FRS:

  • 307319: Changes to the File Replication Service
  • 321557: Improvements in the Post-SP2 Release of Ntfrs.exe That Is Packaged with an Updated Ntfs.sys Driver


note

NetIQ recommends that all domain controllers in the domain have FRS binaries that are at least as recent as Service Pack 3.

Date        Time      Version        Size     Filename
7/22/2002   11:05 AM  5.0.2195.5429  734,480  Ntfrs.exe
7/22/2002   11:05 AM  5.0.2195.5429   54,544  Ntfrsapi.dll
7/22/2002   11:05 AM  5.0.2195.5429   21,264  Ntfrsprf.dll
7/22/2002   11:05 AM  5.0.2195.5429   80,384  Ntfrsres.dll
7/22/2002   11:05 AM  5.0.2195.5280  534,576  Ntfs.sys
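
One way to check the listed minimum versions, and the recommendation that all domain controllers carry the same FRS fixes, from an administrative workstation. This is an added example, not NetIQ or Microsoft code; the domain controller names are placeholders, and the ADMIN$ paths assume the default %SystemRoot% layout and administrative access to each DC.

```powershell
# Added example: compare FRS binary versions on each DC against the minimums above.
# Placeholder: replace $DomainControllers with your own DC names.
$DomainControllers = 'DC01', 'DC02'

# Minimum versions taken from the table above (Windows 2000 SP3 level).
$Minimum = [ordered]@{
    'System32\Ntfrs.exe'        = [version]'5.0.2195.5429'
    'System32\Ntfrsapi.dll'     = [version]'5.0.2195.5429'
    'System32\Ntfrsprf.dll'     = [version]'5.0.2195.5429'
    'System32\Ntfrsres.dll'     = [version]'5.0.2195.5429'
    'System32\drivers\Ntfs.sys' = [version]'5.0.2195.5280'
}

function Get-FrsBinaryVersion {
    param([Parameter(Mandatory)] [string[]] $ComputerName)
    foreach ($dc in $ComputerName) {
        foreach ($relative in $Minimum.Keys) {
            # ADMIN$ maps to %SystemRoot% on the remote DC (assumed default layout).
            $file  = Get-Item -LiteralPath "\\$dc\ADMIN`$\$relative" -ErrorAction Stop
            $info  = $file.VersionInfo
            $found = [version]('{0}.{1}.{2}.{3}' -f $info.FileMajorPart, $info.FileMinorPart,
                                                    $info.FileBuildPart, $info.FilePrivatePart)
            [pscustomobject]@{
                DomainController = $dc
                File             = $file.Name
                Version          = $found
                MeetsMinimum     = $found -ge $Minimum[$relative]
            }
        }
    }
}

$report = Get-FrsBinaryVersion -ComputerName $DomainControllers

# Binaries older than the SP3 level listed above.
$report | Where-Object { -not $_.MeetsMinimum } | ForEach-Object {
    Write-Warning "$($_.DomainController): $($_.File) is $($_.Version), below the listed minimum."
}

# Files whose version differs between DCs (all DCs should have the same FRS fixes).
$report | Group-Object File | ForEach-Object {
    if (@($_.Group.Version | Sort-Object -Unique).Count -gt 1) {
        $detail = ($_.Group | ForEach-Object { "$($_.DomainController)=$($_.Version)" }) -join ', '
        Write-Warning "$($_.Name) differs across DCs: $detail"
    }
}

$report
```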


Additional Information

Formerly known as NETIQKB28384