Pitfalls of AD/GPO software distribution
For quite some time, software distribution through Group Policies worked perfectly fine for our organization. Until about two days ago, when a whole list of applications got wiped out due to a malfunctioning Global Catalog server. The Local Security Authority process monopolized the CPU to the point of DoS. PCs could no longer see their group memberships, and every application configured to "Remove when computer falls out of scope" did exactly that, first thing in the morning when those PCs came online.
There was nothing catastrophic - the Domain Controller was cold rebooted, PCs rebooted following that, and automatically reinstalled those apps. Other than the brief downtime and the 20 minutes of embarrassment for IT while trying to figure out what was going on.
To prevent such things from happening in the future, we are now considering leaving apps on PCs falling out of scope of GPO, which is arguably a safer way of managing software.
Not to start up a flame against M$ and their evil ways, but I'd like to encourage you to share real-life stories of the potential pitfalls and lessons learned, since many of us rely on ever-proliferating Active Directory for software distribution...
Answers (3)
Posted by:
Bladerun
17 years ago
Old post, but I wanted to add some input here.
My organization encountered this problem today. Most of the 2600 or so machines in our office pulled off all group policy assigned apps off all machines that booted this morning. Aside from the inconvenience of that, we had exceptionally slow login times, as we have 4 redundant DCs that apparently don't like it when all client machines pull from them at once.
My thanks for the heads-up, revizor. I read this post long back and was able to quickly diagnose the problem. Rebooting the DCs fixed the issue, and rebooting the client machines allowed all of the applications to reinstall, but it was overall a very painful experience.
Posted by:
ShakeDown1
16 years ago
We had a similar problem, other than with our 2000+ workstations we had this issue:
http://blogs.msdn.com/spatdsg/archive/2007/03/07/pac-validation.aspx
All the apps were removed due to a PAC error. Still no cause found; the only fix was a patch that you have to request from Microsoft, which removes that PAC validation method.
All our applications got removed and we are still recovering.