dyl666

asked on

Win2k policies / login scripts are not running at remote offices (different IP subnet)

Hi there,

we have a Win2k Active Directory environment, with some old legacy NT4 servers still performing some things such as DNS etc.

I have a problem whereby our regional offices aren't having the global policy applied to them (or the login script specified by the same policy.)

I have a sneaky feeling it's all something to do with IP (WINS?) but I have only a basic understanding of it so don't really know where to start.

I will post 2 IPConfigs; my one from our office, and another one from one of the regional offices: -

Mine:
      IP Address. . . . . . . . . . . . : 10.10.50.1
      Subnet Mask . . . . . . . . . . . : 255.0.0.0
      Default Gateway . . . . . . . . . : 10.10.1.1
      DHCP Server . . . . . . . . . . . : 10.10.10.2
      DNS Servers . . . . . . . . . . . : 10.10.10.1
      Primary WINS Server . . . . . . . : 10.0.0.1

Regional:
      IP Address. . . . . . . . . . . . : 10.0.3.3
      Subnet Mask . . . . . . . . . . . : 255.255.255.0
      Default Gateway . . . . . . . . . : 10.0.3.254
      DHCP Server . . . . . . . . . . . : 10.0.3.254
      DNS Servers . . . . . . . . . . . : (external)
      Primary WINS Server . . . . . . . : 10.0.0.1

The only thing I can think of is that the subnet masks in the regions are too restrictive; but I think I remember changing this manually one day a looong time ago as a test and then basically couldn't log on.

Help!
ASKER CERTIFIED SOLUTION
chad

This solution is only available to members.
is everything besides group policy working?

I'm curious, because the setup is a bit unusual.

your computer thinks that all the regional ones are on its local subnet, but the regional computers think yours is across a router. this would typically mean that packets can be routed in one direction, but not in the other.

you may want to try and standardize on Class B or C subnets across the company....
dyl666

ASKER

Everything is working as far as I know (and I'm sure I'd be told pretty quickly :) ) - however I do believe they have a problem where it takes them ages to log on. As in about 30 - 60 seconds. It's not an issue as they don't log off so often but it is annoying when it happens. I assume it's related to the same sort of thing.
dyl666

ASKER

Chad:

"the subnet mask indicates a network address of 10.0.0.0
therefore anything that gets entered in the zeros are looking like a local subnet client address.
basically the computers at regional are looked at as being local by your computer."

I sort of understand what you're saying; and yet I don't understand why, if my computer (or presumably the server) thinks that the regional pc is local, it wouldn't apply the policy? I'm not questioning the validity of your answer at all, just saying I don't understand the implications!
There are two parts to an IP address.  The network ID and the node(PC) ID.
The subnet mask is used to identify what part of the IP address is network address.
When an IP address is accessed it compares to local subnet mask to determine if it is a local address or not.
If the address is not local subnet... it is sent out via Default gateway.  Local will stay on subnet.

your IP subnet of 255.0.0.0 identifies that the first block designates the network address.
Anything after that is the node or computer address.  Any IP starting with 10. ... is considered local.

How are these sites connected?  Is there a Domain controller in the regional site?
"why, if my computer (or presumably the server) thinks that the regional pc is local, it wouldn't apply the policy?"

your pc may think it's local, but it's not. That means that instead of routing to get to it, it will try to find it on the local subnet...and it ain't there...so - host not found, policy not applied
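
Added example (not part of the original thread, and not any poster's code): the on-link test described in the comments above, run in Python against the two ipconfig outputs from the question. It models only those two hosts; the 255.255.0.0 mask in the what-if at the end is a hypothetical value chosen for illustration.

```python
import ipaddress

# Values copied from the two ipconfig outputs in the question.
HEAD_OFFICE = {"ip": "10.10.50.1", "mask": "255.0.0.0", "gateway": "10.10.1.1"}
REGIONAL = {"ip": "10.0.3.3", "mask": "255.255.255.0", "gateway": "10.0.3.254"}
WINS = "10.0.0.1"


def next_hop(src, dst_ip):
    """Apply the host's own mask to decide how it will try to reach dst_ip.

    Returns ("on-link", dst_ip) when the destination falls inside the
    sender's subnet (it will ARP for it directly), otherwise
    ("gateway", <default gateway>).
    """
    iface = ipaddress.ip_interface(f"{src['ip']}/{src['mask']}")
    if ipaddress.ip_address(dst_ip) in iface.network:
        return ("on-link", dst_ip)
    return ("gateway", src["gateway"])


def compare_paths(a, b):
    """Compare the delivery decision each end makes for the other."""
    forward = next_hop(a, b["ip"])
    reverse = next_hop(b, a["ip"])
    return {"forward": forward, "reverse": reverse,
            "asymmetric": forward[0] != reverse[0]}


if __name__ == "__main__":
    print("as configured:", compare_paths(HEAD_OFFICE, REGIONAL))
    print("head office -> WINS:", next_hop(HEAD_OFFICE, WINS))
    print("regional    -> WINS:", next_hop(REGIONAL, WINS))

    # Hypothetical what-if (mask chosen for illustration, not from the thread):
    # the head-office host with a 255.255.0.0 mask instead of 255.0.0.0.
    narrowed = dict(HEAD_OFFICE, mask="255.255.0.0")
    print("with 255.255.0.0:", compare_paths(narrowed, REGIONAL))
    print("narrowed -> WINS:", next_hop(narrowed, WINS))
```

As configured, the head-office host treats 10.0.3.3 as on-link while the regional host sends replies through 10.0.3.254; with the narrower mask both ends hand the traffic to their gateways, and 10.0.0.1 is then also reached through the gateway rather than directly.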
dyl666

ASKER

No, no domain controller, only workstations. They are connected via the internet (ADSL) and cisco PIX boxes.

So if I'm understanding you correctly, either my subnet needs to change (but wouldn't that then render my WINS server [10.0.0.1] unreachable...?) or I need to change the IP addresses of all the regional pc's to (for example) 11.0.0.x?

Sorry for being a dufus : /
SOLUTION
This solution is only available to members.
Group policies don't apply over a slow link

The default is 500k but the detection is done by ping timing so will likely vary

Change this setting in your default domain policy and it should work

Machine Policy:
Administrative Templates\System\Group Policy
Group Policy slow link detection

Defines a slow connection for purposes of applying and updating Group Policy.

If the rate at which data is transferred from the domain controller providing a policy update to the computers in this group is slower than the rate specified by this setting, the system considers the connection to be slow.

The system's response to a slow policy connection varies among policies. The program implementing the policy can specify the response to a slow link. Also, the policy processing settings in this folder lets you override the programs' specified responses to slow links.

To use this setting, in the Connection speed box, type a decimal number between 0 and 4,294,967,200 (0xFFFFFFA0), indicating a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. If you type 0, all connections are considered to be fast.

If you disable this setting or do not configure it, the system uses the default value of 500 kilobits per second.

This setting appears in the Computer Configuration and User Configuration folders. The setting in Computer Configuration defines a slow link for policies in the Computer Configuration folder. The setting in User Configuration defines a slow link for settings in the User Configuration folder.

Also, see the Do not detect slow network connections and related policies in Computer Configuration\Administrative Templates\System\User Profile.

Note: If the profile server has IP connectivity, the connection speed setting is used. If the profile server does not have IP connectivity, the SMB timing is used.