Solved

GPO Inheritance Problems

Posted on 2004-03-27
6,036 Views
Last Modified: 2010-08-05
Greetings. I am having a problem not with creating a GPO Object, but with the Inheritance of such an object. I am using Windows 2003 Server and for my GPOs have used the Group Policy Management Console. I have already set up my Default Domain Policy (less restrictive) and then a more restrictive policy for my Customers (Customer Policy). The Default Domain Policy seems to be working fine on the server itself; however, it is not being Delegated to the Customer OU, nor to the Customer Group within that OU. Furthermore, neither the Default Domain Policy nor the Customer Policy is being Inherited by the Customer OU. I have ensured that all policies are Enabled and Linked; however, at this point they just do not seem to be Inherited. Here is the pertinent information:

Default Domain Policy - under Delegation there are all No's under Inherited (Authenticated Users, Customers, Domain Admins, etc. all have No under the Inheritance column within the Group Policy Management Console for the Default Domain Policy GPO)

Customer Policy - under Delegation there are all No's under Inherited (Authenticated Users, Customers, Domain Admins, etc. all have No under the Inheritance column within the Group Policy Management Console for the Customer Policy GPO)

After many hours searching Google, the MSKB and whitepapers, I am at a loss as to how to change Inherited from No to Yes... please help if you can!
Question by:netcenter
48 Comments
 
LVL 51

Expert Comment

by:Netman66
First off, it sounds like you have configured the Default Domain CONTROLLER policy - if it works on the server that's pretty much the telltale sign.  By default, the Domain Policy does not affect the server object itself as long as the DC's account remains in the Domain Controllers OU.

So, that being said - make sure the Default Domain Policy is actually what you're working on.

As a refresher, Group Policies are applied to the User and Computer objects (accounts) only.  You cannot apply GPOs to Security Groups.

This is what you should have:

Domain Policy - linked to domain (already there by default) - servers are located in the Domain Controllers OU.
Create a Customer OU - place the Users and Computers for the Customers in that OU.
Link your Customer Policy to the Customer OU.

This should work now as expected.




 
LVL 6

Expert Comment

by:karel_jespers
some additional info:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q322176

Also take care with the use of GPO No Override and Block Inheritance.
Permissions necessary for a GPO to be applied: set Apply Group Policy to Allow; set Read to Allow.


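The two replies above make the same point from two sides: Netman66 says a GPO reaches an account through the container (domain or OU) the account sits in, never through a security group on its own, and karel_jespers adds that the account still needs both Read and Apply Group Policy on the GPO for security filtering to let it through. The following model is an added example, not code from the thread or from GPMC. It reuses the domain, OU and GPO names shown in the thread (the DN forms are assumed), and the two "Lab ..." GPOs and every ACL in it are constructed for the demonstration; Enforced links and Block Inheritance are modelled as well, so the four cases in `demo()` show why a customer account that is only a member of the Customers group, but still lives in CN=Users, never receives the Customer Policy.

```python
"""How a GPO reaches (or fails to reach) one user or computer account.

Added example; not code from the thread. It models the scoping rules the
replies describe: a GPO is linked to a container (domain or OU) and applies to
the user and computer objects located under that container, never to a
security group as such; groups only matter for security filtering, where the
object needs BOTH Read and Apply Group Policy on the GPO. Enforced links and
Block Inheritance are modelled as well. The domain, OU and GPO names mirror the
thread; the two "Lab ..." GPOs and every ACL here are constructed for the demo.
"""
from dataclasses import dataclass, field
from typing import Optional

AUTHENTICATED_USERS = "NT AUTHORITY\\Authenticated Users"  # every logged-on account holds this


@dataclass
class Gpo:
    name: str
    enabled: bool = True
    read: set = field(default_factory=set)   # principals granted Read
    apply: set = field(default_factory=set)  # principals granted Apply Group Policy


@dataclass
class Link:
    gpo: str
    enforced: bool = False
    enabled: bool = True


@dataclass
class Container:
    parent: Optional[str]                       # None for the domain root
    links: list = field(default_factory=list)   # link order: index 0 wins among siblings
    block_inheritance: bool = False


@dataclass
class Principal:
    """A user or computer account: where it lives and which groups it is in."""
    container: str
    groups: set = field(default_factory=set)


def passes_security_filter(gpo: Gpo, principal: Principal) -> bool:
    """Security filtering needs Read AND Apply Group Policy for one of the tokens."""
    tokens = principal.groups | {AUTHENTICATED_USERS}
    return bool(tokens & gpo.read) and bool(tokens & gpo.apply)


def applied_gpos(containers: dict, gpos: dict, principal: Principal) -> list:
    """GPO names in the order they are applied; the last one wins any conflict.

    Non-enforced links run domain -> OU -> child OU (skipping everything above a
    container that blocks inheritance), then enforced links run the other way,
    so an enforced domain link is applied last and has the highest precedence.
    """
    chain, cur = [], principal.container
    while cur is not None:              # object's container up to the domain root
        chain.append(cur)
        cur = containers[cur].parent
    top_down = list(reversed(chain))

    blocked_below = None                # index of the nearest blocking container
    for i, name in enumerate(top_down):
        if containers[name].block_inheritance:
            blocked_below = i

    normal, enforced = [], []
    for i, name in enumerate(top_down):
        for link in reversed(containers[name].links):   # link order 1 applied last
            gpo = gpos[link.gpo]
            if not (link.enabled and gpo.enabled and passes_security_filter(gpo, principal)):
                continue
            if link.enforced:
                enforced.append((i, link.gpo))
            elif blocked_below is None or i >= blocked_below:
                normal.append(link.gpo)     # a blocking container keeps its own links
    enforced.sort(key=lambda t: -t[0])      # nearest container first, domain last
    return normal + [g for _, g in enforced]


# Containers from the thread (DN form assumed). CN=Users is the default user
# container; it is not an OU and cannot carry GPO links.
DOMAIN = "DC=thenetcenter,DC=net"
CUSTOMERS_OU = "OU=ACT Customers," + DOMAIN
DC_OU = "OU=Domain Controllers," + DOMAIN
USERS_CN = "CN=Users," + DOMAIN
EVERYONE = {AUTHENTICATED_USERS}
CUSTOMERS = "THENETCENTER\\Customers"

CONTAINERS = {
    DOMAIN: Container(None, [Link("Default Domain Policy", enforced=True),
                             Link("Lab Baseline Policy")]),          # constructed
    CUSTOMERS_OU: Container(DOMAIN, [Link("Customer Policy", enforced=True),
                                     Link("Lab Only Policy")]),      # constructed
    DC_OU: Container(DOMAIN, [Link("Default Domain Controllers Policy", enforced=True)],
                     block_inheritance=True),
    USERS_CN: Container(DOMAIN),
}
GPOS = {name: Gpo(name, read=set(EVERYONE), apply=set(EVERYONE)) for name in
        ("Default Domain Policy", "Default Domain Controllers Policy",
         "Customer Policy", "Lab Baseline Policy")}
# Constructed: Read for everyone, but Apply Group Policy only for the Customers group.
GPOS["Lab Only Policy"] = Gpo("Lab Only Policy", read=set(EVERYONE), apply={CUSTOMERS})


def demo() -> dict:
    """The thread's situations side by side."""
    return {
        "customer account in ACT Customers OU":
            applied_gpos(CONTAINERS, GPOS, Principal(CUSTOMERS_OU, {CUSTOMERS})),
        "customer account left in CN=Users, only group membership":
            applied_gpos(CONTAINERS, GPOS, Principal(USERS_CN, {CUSTOMERS})),
        "account in the OU but not in the Customers group":
            applied_gpos(CONTAINERS, GPOS, Principal(CUSTOMERS_OU)),
        "domain controller behind Block Inheritance":
            applied_gpos(CONTAINERS, GPOS, Principal(DC_OU)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {' -> '.join(result)}")
```

The last case is the caveat to Netman66's later advice to block policy on the Domain Controllers OU: Block Inheritance stops the non-enforced "Lab Baseline Policy", but an Enforced domain link (which is how the thread's Default Domain Policy is linked) still flows down and is applied last.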
 

Author Comment

by:netcenter
This is the Default Domain Policy that is linked to the Domain Controller (thenetcenter.net)

Default Domain Policy
Data collected on: 3/28/2004 11:31:58 AM

General
Details
Domain thenetcenter.net
Owner THENETCENTER\Domain Admins
Created 3/6/2004 4:09:46 PM
Modified 3/27/2004 1:12:06 PM
User Revisions 8 (AD), 8 (sysvol)
Computer Revisions 42 (AD), 42 (sysvol)
Unique ID {31B2F340-016D-11D2-945F-00C04FB984F9}
GPO Status Enabled

Links
Location Enforced Link Status Path
thenetcenter Yes Enabled thenetcenter.net

This list only includes links in the domain of the GPO.
Security Filtering
The settings in this GPO can only apply to the following groups, users, and computers:
Name
NT AUTHORITY\Authenticated Users
THENETCENTER\Customers

WMI Filtering
WMI Filter Name None
Description Not applicable

Delegation
These groups and users have the specified permission for this GPO
Name Allowed Permissions Inherited
NT AUTHORITY\Authenticated Users Read (from Security Filtering) No
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Read No
NT AUTHORITY\SYSTEM Edit settings, delete, modify security No
THENETCENTER\Customers Read (from Security Filtering) No
THENETCENTER\Domain Admins Edit settings, delete, modify security No
THENETCENTER\Enterprise Admins Edit settings, delete, modify security No

Computer Configuration (Enabled)
Windows Settings
Security Settings
Account Policies/Password Policy
Policy Setting
Enforce password history 24 passwords remembered
Maximum password age 42 days
Minimum password age 1 days
Minimum password length 7 characters
Password must meet complexity requirements Enabled
Store passwords using reversible encryption Disabled

Account Policies/Account Lockout Policy
Policy Setting
Account lockout threshold 0 invalid logon attempts

Account Policies/Kerberos Policy
Policy Setting
Enforce user logon restrictions Enabled
Maximum lifetime for service ticket 600 minutes
Maximum lifetime for user ticket 10 hours
Maximum lifetime for user ticket renewal 7 days
Maximum tolerance for computer clock synchronization 5 minutes

Local Policies/Security Options
Accounts
Policy Setting
Accounts: Guest account status Disabled

Devices
Policy Setting
Devices: Unsigned driver installation behavior Do not allow installation

Network Security
Policy Setting
Network security: Force logoff when logon hours expire Disabled

Public Key Policies/Autoenrollment Settings
Policy Setting
Enroll certificates automatically Enabled
Renew expired certificates, update pending certificates, and remove revoked certificates Disabled
Update certificates that use certificate templates Disabled
 

Public Key Policies/Encrypting File System
Properties
Policy Setting
Allow users to encrypt files using Encrypting File System (EFS) Enabled

Certificates
Issued To Issued By Expiration Date Intended Purposes
Administrator Administrator 3/6/2007 4:14:42 PM File Recovery

For additional information about individual settings, launch Group Policy Object Editor.
Public Key Policies/Trusted Root Certification Authorities
Properties
Policy Setting
Allow users to select new root certification authorities (CAs) to trust Enabled
Client computers can trust the following certificate stores Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
To perform certificate-based authentication of users and computers, CAs must meet the following criteria Registered in Active Directory only

User Configuration (Enabled)
Windows Settings
Remote Installation Services
Client Installation Wizard options
Policy Setting
Custom Setup Disabled
Restart Setup Disabled
Tools Disabled

Security Settings
Public Key Policies/Autoenrollment Settings
Policy Setting
Enroll certificates automatically Enabled
Renew expired certificates, update pending certificates, and remove revoked certificates Disabled
Update certificates that use certificate templates Disabled
 

Software Restriction Policies
Enforcement
Policy Setting
Apply software restriction policies to All software files except libraries (such as DLLs)
Apply software restriction policies to the following users All users
 
Designated File Types
File Extension File Type
ADE ADE File
ADP ADP File
BAS BAS File
BAT Windows Batch File
CHM Compiled HTML Help file
CMD Windows Command Script
COM Application
CPL Control Panel extension
CRT Security Certificate
EXE Application
HLP Help File
HTA HTML Application
INF Setup Information
INS Internet Communication Settings
ISP Internet Communication Settings
LNK Shortcut
MDB MDB File
MDE MDE File
MSC Microsoft Common Console Document
MSI Windows Installer Package
MSP Windows Installer Patch
MST MST File
OCX ActiveX Control
PCD PCD File
PIF Shortcut to Program
REG Registration Entries
SCR Screen Saver
SHS Scrap object
URL Internet Shortcut
VB VB File
WSC Windows Script Component
 
Trusted Publishers
Allow the following users to select trusted publishers End users
Before trusting a publisher, check the following to determine if the certificate is revoked None
 

Software Restriction Policies/Security Levels
Policy Setting
Default Security Level Unrestricted

Software Restriction Policies/Additional Rules
Path Rules
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
Security Level Unrestricted
Description  
Date last modified 3/24/2004 7:34:37 PM
 
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\*.exe
Security Level Unrestricted
Description  
Date last modified 3/24/2004 7:34:37 PM
 
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\*.exe
Security Level Unrestricted
Description  
Date last modified 3/24/2004 7:34:37 PM
 
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
Security Level Unrestricted
Description  
Date last modified 3/24/2004 7:34:37 PM
 

Internet Explorer Maintenance
Browser User Interface/Customized Title Bar
Title Bar Text
Adams Center For Technology

Administrative Templates
Control Panel/Printers
Policy Setting
Prevent addition of printers Disabled
Prevent deletion of printers Disabled


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Here is the Default Domain Controllers Policy - note there is no Title Bar Text defined

Default Domain Controllers Policy
Data collected on: 3/28/2004 11:31:45 AM

General
Details
Domain thenetcenter.net
Owner THENETCENTER\Domain Admins
Created 3/6/2004 4:09:46 PM
Modified 3/17/2004 7:16:40 PM
User Revisions 0 (AD), 0 (sysvol)
Computer Revisions 3 (AD), 3 (sysvol)
Unique ID {6AC1786C-016F-11D2-945F-00C04fB984F9}
GPO Status Enabled

Links
Location Enforced Link Status Path
Domain Controllers Yes Enabled thenetcenter.net/Domain Controllers

This list only includes links in the domain of the GPO.
Security Filtering
The settings in this GPO can only apply to the following groups, users, and computers:
Name
NT AUTHORITY\Authenticated Users

WMI Filtering
WMI Filter Name None
Description Not applicable

Delegation
These groups and users have the specified permission for this GPO
Name Allowed Permissions Inherited
NT AUTHORITY\Authenticated Users Read (from Security Filtering) No
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Read No
NT AUTHORITY\SYSTEM Edit settings, delete, modify security No
THENETCENTER\Domain Admins Edit settings, delete, modify security No
THENETCENTER\Enterprise Admins Edit settings, delete, modify security No

Computer Configuration (Enabled)
Windows Settings
Security Settings
Local Policies/Audit Policy
Policy Setting
Audit account logon events Success
Audit account management Success
Audit directory service access Success
Audit logon events Success
Audit object access No auditing
Audit policy change Success
Audit privilege use No auditing
Audit process tracking No auditing
Audit system events Success

Local Policies/User Rights Assignment
Policy Setting
Access this computer from the network BUILTIN\Pre-Windows 2000 Compatible Access, NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS, NT AUTHORITY\Authenticated Users, BUILTIN\Administrators, Everyone
Act as part of the operating system  
Add workstations to domain NT AUTHORITY\Authenticated Users
Adjust memory quotas for a process BUILTIN\Administrators, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE
Allow log on locally BUILTIN\Print Operators, BUILTIN\Server Operators, BUILTIN\Account Operators, BUILTIN\Backup Operators, BUILTIN\Administrators
Back up files and directories BUILTIN\Server Operators, BUILTIN\Backup Operators, BUILTIN\Administrators
Bypass traverse checking BUILTIN\Pre-Windows 2000 Compatible Access, NT AUTHORITY\Authenticated Users, BUILTIN\Administrators, Everyone
Change the system time BUILTIN\Server Operators, BUILTIN\Administrators
Create a pagefile BUILTIN\Administrators
Create a token object  
Create permanent shared objects  
Debug programs BUILTIN\Administrators
Deny access to this computer from the network THENETCENTER\SUPPORT_388945a0
Deny log on as a batch job  
Deny log on as a service  
Deny log on locally THENETCENTER\SUPPORT_388945a0
Enable computer and user accounts to be trusted for delegation BUILTIN\Administrators
Force shutdown from a remote system BUILTIN\Server Operators, BUILTIN\Administrators
Generate security audits NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE
Increase scheduling priority BUILTIN\Administrators
Load and unload device drivers BUILTIN\Print Operators, BUILTIN\Administrators
Lock pages in memory  
Log on as a batch job THENETCENTER\SUPPORT_388945a0, NT AUTHORITY\LOCAL SERVICE
Log on as a service NT AUTHORITY\NETWORK SERVICE
Manage auditing and security log BUILTIN\Administrators
Modify firmware environment values BUILTIN\Administrators
Profile single process BUILTIN\Administrators
Profile system performance BUILTIN\Administrators
Remove computer from docking station BUILTIN\Administrators
Replace a process level token NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE
Restore files and directories BUILTIN\Server Operators, BUILTIN\Backup Operators, BUILTIN\Administrators
Shut down the system BUILTIN\Print Operators, BUILTIN\Server Operators, BUILTIN\Backup Operators, BUILTIN\Administrators
Synchronize directory service data  
Take ownership of files or other objects BUILTIN\Administrators

Local Policies/Security Options
Domain Controller
Policy Setting
Domain controller: LDAP server signing requirements None

Domain Member
Policy Setting
Domain member: Digitally encrypt or sign secure channel data (always) Enabled

Microsoft Network Server
Policy Setting
Microsoft network server: Digitally sign communications (always) Enabled
Microsoft network server: Digitally sign communications (if client agrees) Enabled

Network Security
Policy Setting
Network security: LAN Manager authentication level Send NTLM response only

User Configuration (Enabled)
No settings defined.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The title bar text is showing on the Domain Controller (the server); however, it is not being applied to the Customer OU, nor to the Customer security group or the accounts within that OU. This is baffling to me.
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Here is the Customer Policy that is linked to the Customer OU. None of this is happening when any users within that OU log on:

Customer Policy
Data collected on: 3/28/2004 11:58:12 AM

General
Details
Domain thenetcenter.net
Owner THENETCENTER\Domain Admins
Created 3/25/2004 10:03:02 AM
Modified 3/28/2004 11:37:40 AM
User Revisions 69 (AD), 69 (sysvol)
Computer Revisions 136 (AD), 136 (sysvol)
Unique ID {AE5413EA-B93E-4E1C-A87A-3806AD05827A}
GPO Status Enabled

Links
Location Enforced Link Status Path
ACT Customers Yes Enabled thenetcenter.net/ACT Customers

This list only includes links in the domain of the GPO.
Security Filtering
The settings in this GPO can only apply to the following groups, users, and computers:
Name
NT AUTHORITY\Authenticated Users

WMI Filtering
WMI Filter Name None
Description Not applicable

Delegation
These groups and users have the specified permission for this GPO
Name Allowed Permissions Inherited
NT AUTHORITY\Authenticated Users Read (from Security Filtering) No
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Read No
NT AUTHORITY\SYSTEM Edit settings, delete, modify security No
THENETCENTER\Domain Admins Edit settings, delete, modify security No
THENETCENTER\Enterprise Admins Edit settings, delete, modify security No

Computer Configuration (Enabled)
Windows Settings
Security Settings
Account Policies/Kerberos Policy
Policy Setting
Enforce user logon restrictions Enabled

Local Policies/Audit Policy
Policy Setting
Audit account logon events Success

Local Policies/Security Options
Accounts
Policy Setting
Accounts: Administrator account status Disabled

Devices
Policy Setting
Devices: Prevent users from installing printer drivers Enabled
Devices: Unsigned driver installation behavior Do not allow installation

Interactive Logon
Policy Setting
Interactive logon: Do not display last user name Enabled
Interactive logon: Message text for users attempting to log on By using this computer you are agreeing to abide by the terms and conditions of our Computer Policy., All passwords are assigned by an ACT Administrator., Printing Costs are as follows:, $0.25 per page - black and white, $1.00 per page - color
Interactive logon: Message title for users attempting to log on "Welcome to the Adams Center For Technology"
Interactive logon: Prompt user to change password before expiration 7 days

Microsoft Network Server
Policy Setting
Microsoft network server: Amount of idle time required before suspending session 15 minutes

Network Access
Policy Setting
Network access: Sharing and security model for local accounts Classic - local users authenticate as themselves

Shutdown
Policy Setting
Shutdown: Allow system to be shut down without having to log on Disabled
Shutdown: Clear virtual memory pagefile Enabled

Event Log
Policy Setting
Maximum security log size 16384 kilobytes
Maximum system log size 16384 kilobytes
Prevent local guests group from accessing security log Enabled
Prevent local guests group from accessing system log Enabled
Retain security log 7 days
Retain system log 7 days
Retention method for security log By days
Retention method for system log By days

Public Key Policies/Autoenrollment Settings
Policy Setting
Enroll certificates automatically Enabled
Renew expired certificates, update pending certificates, and remove revoked certificates Disabled
Update certificates that use certificate templates Disabled
 

Public Key Policies/Encrypting File System
Properties
Policy Setting
Allow users to encrypt files using Encrypting File System (EFS) Enabled

Public Key Policies/Trusted Root Certification Authorities
Properties
Policy Setting
Allow users to select new root certification authorities (CAs) to trust Enabled
Client computers can trust the following certificate stores Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
To perform certificate-based authentication of users and computers, CAs must meet the following criteria Registered in Active Directory only

Software Restriction Policies
Enforcement
Policy Setting
Apply software restriction policies to All software files except libraries (such as DLLs)
Apply software restriction policies to the following users All users
 
Designated File Types
File Extension File Type
ADE ADE File
ADP ADP File
BAS BAS File
BAT Windows Batch File
CHM Compiled HTML Help file
CMD Windows Command Script
COM Application
CPL Control Panel extension
CRT Security Certificate
EXE Application
HLP Help File
HTA HTML Application
INF Setup Information
INS Internet Communication Settings
ISP Internet Communication Settings
LNK Shortcut
MDB MDB File
MDE MDE File
MSC Microsoft Common Console Document
MSI Windows Installer Package
MSP Windows Installer Patch
MST MST File
OCX ActiveX Control
PCD PCD File
PIF Shortcut to Program
REG Registration Entries
SCR Screen Saver
SHS Scrap object
URL Internet Shortcut
VB VB File
WSC Windows Script Component
 
Trusted Publishers
Allow the following users to select trusted publishers End users
Before trusting a publisher, check the following to determine if the certificate is revoked None
 

Software Restriction Policies/Security Levels
Policy Setting
Default Security Level Unrestricted

Software Restriction Policies/Additional Rules
Path Rules
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
Security Level Unrestricted
Description  
Date last modified 3/25/2004 11:34:26 AM
 
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\*.exe
Security Level Unrestricted
Description  
Date last modified 3/25/2004 11:34:26 AM
 
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\*.exe
Security Level Unrestricted
Description  
Date last modified 3/25/2004 11:34:26 AM
 
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
Security Level Unrestricted
Description  
Date last modified 3/25/2004 11:34:26 AM
 

Administrative Templates
Network/Network Connections
Policy Setting
Prohibit installation and configuration of Network Bridge on your DNS domain network Enabled
Prohibit use of Internet Connection Sharing on your DNS domain network Enabled

Network/Offline Files
Policy Setting
At logoff, delete local copy of user’s offline files Enabled
Causes the local copy of any offline file accessed by the user
to be deleted when the user logs off of the computer.
 
Delete only the temporary offline files. Enabled
 
Policy Setting
Prevent use of Offline Files folder Enabled
Prohibit user configuration of Offline Files Enabled
Prevents users from changing any cache configuration settings.
 
Policy Setting
Remove 'Make Available Offline' Enabled
Synchronize all offline files when logging on Enabled

Printers
Policy Setting
Allow printers to be published Disabled
Allow pruning of published printers Disabled
Disallow installation of printers using kernel-mode drivers Enabled
Printer browsing Disabled

System/Disk Quotas
Policy Setting
Default quota limit and warning level Enabled
Specify a quota limit and warning level applied to users when
they first write to a quota-enabled volume.
 
Default quota limit:
 
Value 10
Units MB
 
Default warning level:
 
Value 5
Units MB
 
Policy Setting
Enable disk quotas Enabled
Enforce disk quota limit Enabled
Log event when quota limit exceeded Enabled
Log event when quota warning level exceeded Enabled

System/Error Reporting
Policy Setting
Display Error Notification Enabled
Report Errors Enabled
Do not display links to any Microsoft provided 'more information' web sites. Disabled
Do not collect additional files Disabled
Do not collect additional machine data Disabled
Force queue mode for application errors Disabled
Corporate upload file path: \\FS1\Errors
Replace instances of the word 'Microsoft' with: Adams Center For Technology
 

System/Error Reporting/Advanced Error Reporting settings
Policy Setting
Default application reporting settings Enabled
Default: Report all application errors
Report all errors in Microsoft applications. Enabled
Report all errors in Windows components. Enabled
 
Policy Setting
Report operating system errors Enabled
Report unplanned shutdown events Enabled

System/System Restore
Policy Setting
Turn off Configuration Enabled
Turn off System Restore Enabled

Windows Components/Internet Explorer
Policy Setting
Security Zones: Do not allow users to add/delete sites Enabled
Security Zones: Do not allow users to change policies Enabled

Windows Components/Internet Information Services
Policy Setting
Prevent IIS installation Enabled

Windows Components/Task Scheduler
Policy Setting
Hide Advanced Properties Checkbox in Add Scheduled Task Wizard Enabled
Hide Property Pages Enabled
Prevent Task Run or End Enabled
Prohibit Browse Enabled
Prohibit Drag-and-Drop Enabled
Prohibit New Task Creation Enabled
Prohibit Task Deletion Enabled

Windows Components/Windows Installer
Policy Setting
Disable Windows Installer Enabled
Disable Windows Installer Always
 
Policy Setting
Prohibit User Installs Enabled
User Install Behavior: Prohibit User Installs
 

Windows Components/Windows Media Player
Policy Setting
Prevent Automatic Updates Enabled

Windows Components/Windows Update
Policy Setting
Configure Automatic Updates Enabled
Configure automatic updating: 4 - Auto download and schedule the install
The following settings are only required
and applicable if 4 is selected.
Scheduled install day:  0 - Every day
Scheduled install time: 09:00
 

User Configuration (Enabled)
Windows Settings
Folder Redirection
My Documents
Setting: Advanced (Specify locations for various user groups)
Group Path
THENETCENTER\Customers \\FS1\Home\%USERNAME%\My Documents

Options
Grant user exclusive rights to My Documents Enabled
Move the contents of My Documents to the new location Enabled
Policy Removal Behavior Leave contents

Internet Explorer Maintenance
URLs/Important URLs
Name URL
Home page URL http://www.thenetcenter.net
Search bar URL http://www.google.com
Online support page URL Not configured
 

URLs/Favorites and Links
Policy Setting
Place favorites and links at the top of the list in the order specified below Not configured
Delete existing Favorites and Links, if present Not configured
Delete existing channels, if present Not configured
Favorites
Name URL
The Adams Center For Technology http://www.thenetcenter.net
 

Administrative Templates
Control Panel
Policy Setting
Force classic Control Panel Style Enabled
Prohibit access to the Control Panel Enabled

Desktop
Policy Setting
Do not add shares of recently opened documents to My Network Places Enabled
Hide My Network Places icon on desktop Enabled
Prohibit adjusting desktop toolbars Enabled
Prohibit user from changing My Documents path Enabled
Remove Properties from the My Computer context menu Enabled
Remove Properties from the My Documents context menu Enabled
Remove the Desktop Cleanup Wizard Enabled

Network/Network Connections
Policy Setting
Ability to rename LAN connections or remote access connections available to all users Disabled
Prohibit access to properties of a LAN connection Enabled

Start Menu and Taskbar
Policy Setting
Add Logoff to the Start Menu Enabled
Remove and prevent access to the Shut Down command Enabled
Remove links and access to Windows Update Enabled
Remove Network Connections from Start Menu Enabled
Remove Run menu from Start Menu Enabled

System/Ctrl+Alt+Del Options
Policy Setting
Remove Change Password Enabled
Remove Lock Computer Enabled
Remove Task Manager Enabled

System/User Profiles
Policy Setting
Limit profile size Enabled
Custom Message You have exceeded your profile storage space. Before you can log off, you need to move some items from your profile to network or local storage.
Max Profile size (KB) 30000
Include registry in file list Disabled
Notify user when profile storage space is exceeded. Enabled
Remind user every X minutes: 15
 

Windows Components/Internet Explorer/Administrator Approved Controls
Policy Setting
Media Player Enabled
ActiveMovie Control Enabled
Windows Media Player Enabled
 
Policy Setting
Shockwave Flash Enabled
Shockwave Flash Enabled
 

Windows Components/Internet Explorer/Browser menus
Policy Setting
File menu: Disable Save As Web Page Complete Enabled
File menu: Disable Save As... menu option Enabled
Tools menu: Disable Internet Options... menu option Enabled

Windows Components/Internet Explorer/Internet Control Panel
Policy Setting
Disable the Advanced page Enabled
Disable the Connections page Enabled
Disable the Content page Enabled
Disable the General page Enabled
Disable the Privacy page Enabled
Disable the Programs page Enabled
Disable the Security page Enabled

Windows Components/Internet Explorer/Offline Pages
Policy Setting
Disable adding channels Enabled
Disable adding schedules for offline pages Enabled
Disable all scheduled offline pages Enabled
Disable channel user interface completely Enabled
Disable downloading of site subscription content Enabled
Disable editing and creating of schedule groups Enabled
Disable editing schedules for offline pages Enabled
Disable offline page hit logging Enabled
Disable removing channels Enabled
Disable removing schedules for offline pages Enabled

Windows Components/Internet Explorer/Persistence Behavior
Policy Setting
File size limits for Internet zone Enabled
Per domain (in kilobytes) 1024
Per document (in kilobytes) 128
 

Windows Components/Internet Explorer/Toolbars
Policy Setting
Configure Toolbar Buttons Enabled
Show Back button Enabled
Show Forward button Enabled
Show Stop button Enabled
Show Refresh button Enabled
Show Home button Enabled
Show Search button Enabled
Show Favorites button Enabled
Show History button Enabled
Show Media button Enabled
Show Folders button Enabled
Show Fullscreen button Enabled
Show Tools button Enabled
Show Mail button Enabled
Show Font size button Enabled
Show Print button Enabled
Show Edit button Enabled
Show Discussions button Disabled
Show Cut button Enabled
Show Copy button Enabled
Show Paste button Enabled
Show Encoding button Disabled
 
Policy Setting
Disable customizing browser toolbar buttons Enabled
Disable customizing browser toolbars Enabled

Windows Components/Microsoft Management Console
Policy Setting
Restrict the user from entering author mode Enabled

Windows Components/Task Scheduler
Policy Setting
Hide Advanced Properties Checkbox in Add Scheduled Task Wizard Enabled
Hide Property Pages Enabled
Prevent Task Run or End Enabled
Prohibit Browse Enabled
Prohibit Drag-and-Drop Enabled
Prohibit New Task Creation Enabled
Prohibit Task Deletion Enabled

Windows Components/Windows Explorer
Policy Setting
Do not move deleted files to the Recycle Bin Enabled
No "Computers Near Me" in My Network Places Enabled
No "Entire Network" in My Network Places Enabled
Remove "Map Network Drive" and "Disconnect Network Drive" Enabled
Remove Hardware tab Enabled
Remove Security tab Enabled

Windows Components/Windows Media Player/Networking
Policy Setting
Hide Network Tab Enabled

Windows Components/Windows Media Player/User Interface
Policy Setting
Hide Privacy Tab Enabled
Hide Security Tab Enabled
Set and Lock Skin Enabled
Skin  
 
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Again, ALL these policies are Enforced and linked; however, they are apparently not inherited. I have ensured that the Security Settings are correct and the Apply Security Policy attribute is ticked. Thanks for the link; however, been there, done that, and still nada...
 

Author Comment

by:netcenter
On a further note, this is a lab environment (Internet Cafe) where I cannot assign policies to actual computers, because there is not a specific computer that a customer would use. This is why it wouldn't work for me to place the computer accounts within my OU; furthermore, I must solely use the Customer accounts for the application of my GPO. I have thought about a loopback policy that might help me out; however, something still just isn't clicking with this in my brain, I fear. Like I said, at the top of IE on the actual server it says Microsoft Internet Explorer provided by Adams Center For Technology; simply none of the policies are taking effect when a user within the Customer OU actually logs on to a computer.
 
LVL 51

Expert Comment

by:Netman66
Are the Customers using your equipment?  Are the PCs joined to the domain?

You should set a base policy for the Computers in the Domain - something that is static and across the board.  If your computer accounts are not in the Customer OU then the computer part of the GPO won't apply.

Then use the Customer policy to tighten up the rest.

As for the Domain Controller Policy - you should NOT alter that - there shouldn't be any restrictions imposed on the server.  Also, block Policy on the Domain Controller OU so that other settings don't flow onto it.

Try creating a user with a password of less than 7 characters.  Now try a dictionary word of 7 or more characters.  Now try a password containing part of the username - if all those things fail then the Domain Policy is working.

Advise.


 

Author Comment

by:netcenter
Yes, customers are using the computers in the center (not currently, but they will be as of tomorrow). All computers are XP Pro and all are joined to the Domain. I have ensured that DNS is working and the log file for DNS looks perfect. About the computer part of the policy needing to be members of the OU: interesting.... I will have to add those then... that was one part that wasn't clicking in my brain... I will try the rest and get right back to ya. Thanks.
0
 

Author Comment

by:netcenter
I have now added the computers to the Customer OU. I have also tried to set up a test account within the OU as stated on the server with a password less than 7 characters and a dictionary word 7 or more characters; both failed, so the Domain Policy seems to be working on the server, however still I am not seeing the Title Bar text within the Domain Policy being applied to the computers. After numerous (5) reboots of the computers in question I still am not seeing any policy effect on them. Any further ideas?
0
 
LVL 51

Expert Comment

by:Netman66
Can you type this on one of the XP machines?

gpresult > c:\gpres.txt

Post log here.
0
 

Author Comment

by:netcenter
INFO: The policy object does not exist.
0
 
LVL 51

Expert Comment

by:Netman66
Try from a different PC - this is beginning to look like a DNS thing.

0
 

Author Comment

by:netcenter
Sadly this does seem to be a DNS problem. I got the same error on another PC. I also tried to logon to this PC using DNS (username@thenetcenter.net) and came up with the error:

The system cannot log you on now because the domain is not available.

I then ensured that my clients ipconfig info shows that the local DNS server 10.1.2.2 (which is the Active Directory server, the same Windows 2003 machine) , along with my ISP DNS server (which i will not name). It seems they are getting the correct DHCP information.

Previously I had been just using the username and Domain. I started a DNS log and I am seeing the clients when logged in locally use the DNS forwarding successfully.... here is an example:

09:07:04 3D8 PACKET  UDP Snd 10.1.2.192      031c R Q [8085 A DR  NOERROR] (3)www(9)alienware(3)com(0)

After making sure the DNS works I tried:

ipconfig /flushdns

and was successful in flushing DNS.

then I tried:

ipconfig /registerdns

Here is the pertinent log file information thereafter:

14:38:02 200 EVENT   The zone netcenter.net is configured to accept updates but the A record for the primary server
in the zone's SOA record is not available on this DNS server. This may indicate
a configuration problem. If the address of the primary server for the zone cannot
be resolved DNS clients will be unable to locate a server to accept updates for this
zone. This will cause DNS clients to be unable to perform DNS updates.

My A record seems not to be working... im guessing this is my local DNS queries, right?...
0
 
LVL 51

Expert Comment

by:Netman66
Yes.

You should not be pointing your workstations to the ISP.  

If you have your own DNS you should have it configured like this:

Clients - your DNS only
Server - your DNS only
Forwarding - your ISP (if Forwarding is greyed out then delete the "." (root) zone and restart the server.)

All NICs set to register in DNS.
Forward and Reverse lookup zones should be Active Directory Integrated, set for dynamic updates and NO zone transfers.

On the server, run ipconfig /registerdns then restart the Netlogon service.

In DNS you must see the host (A) records for the server in _msdcs (in all domains - ie. gc, pdc, etc.

Advise.
0
 

Author Comment

by:netcenter
Clients have been renewed now with only the internal DNS server (10.1.2.2) as their DNS server.
Server has only the Primary DNS server as 10.1.2.2
Forwarding is set to the ISP Primary and Secondary DNS servers

All NICs are set to register DNS (even though this server only has 1 NIC).
Forward and Reverse lookup zones are Active Directory Integrated, set for dynamic updates and allow zone transfers is NOT ticked.

Have run ipconfig /registerdns and restarted Netlogon service.

I am not sure what you mean by this:
 In DNS you must see the host (A) records for the server in _msdcs (in all domains - ie. gc, pdc, etc.

Clients are still able to surf the Internet, however still DNS is not working for logons.
0
 

Author Comment

by:netcenter
BTW no event errors that time.
0
 

Author Comment

by:netcenter
I may have found something that might be the culprit with the DNS....

Under both Forward and Reverse lookup zone Properties -> Name Servers Tab
Fully Qualified Domain Name's IP Addy is unknown. I have tried to add in its IP and also tried to have it auto resolve it, however it is not finding the IP Addy.... probably because it is AD based.... but just giving you as much info as possible.
0
 

Author Comment

by:netcenter
Found Something Else That Might Help (looking this up now):

Event Type:      Error
Event Source:      NETLOGON
Event Category:      None
Event ID:      5774
Date:            3/29/2004
Time:            11:39:02 AM
User:            N/A
Computer:      FS1
Description:
The dynamic registration of the DNS record '_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.thenetcenter.net. 600 IN SRV 0 100 389 fs1.thenetcenter.net.' failed on the following DNS server:  

DNS server IP address: XX.XX.XX.XX
Returned Response Code (RCODE): 5
Returned Status Code: 9017  

For computers and users to locate this domain controller, this record must be registered in DNS.  

USER ACTION  
Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. You can find this program on the Windows Server 2003 installation CD in Support\Tools\support.cab. To learn more about  DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by  this domain controller, run 'nltest.exe /dsregdns' from the command prompt on the domain  controller or restart Net Logon service. Nltest.exe is available in the Microsoft Windows  Server Resource Kit CD.
  Or, you can manually add this record to DNS, but it is not recommended.  

ADDITIONAL DATA
Error Value: DNS bad key.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 05 00                     ..      
0
 

Author Comment

by:netcenter
C:\Program Files\Support Tools>DCDiag

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\FS1
      Starting test: Connectivity
         The host b7da6eff-1513-48d1-8fcf-adf1dbdb8a7b._msdcs.thenetcenter.net c
ould not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (b7da6eff-1513-48d1-8fcf-adf1dbdb8a7b._msdcs.thenetcenter.net)
         couldn't be resolved, the server name (fs1.thenetcenter.net) resolved
         to the IP address (10.1.2.2) and was pingable.  Check that the IP
         address is registered correctly with the DNS server.
         ......................... FS1 failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\FS1
      Skipping all tests, because server FS1 is
      not responding to directory service requests

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : thenetcenter
      Starting test: CrossRefValidation
         ......................... thenetcenter passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... thenetcenter passed test CheckSDRefDom

   Running enterprise tests on : thenetcenter.net
      Starting test: Intersite
         ......................... thenetcenter.net passed test Intersite
      Starting test: FsmoCheck
         ......................... thenetcenter.net passed test FsmoCheck

C:\Program Files\Support Tools>
0
 
LVL 51

Expert Comment

by:Netman66
Have you renamed the domain at any point?
0
 

Author Comment

by:netcenter
No.
0
 
LVL 51

Expert Comment

by:Netman66
Try this:

dcdiag /fix

Advise
0
 

Author Comment

by:netcenter
C:\Program Files\Support Tools>DCDiag

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\FS1
      Starting test: Connectivity
         The host b7da6eff-1513-48d1-8fcf-adf1dbdb8a7b._msdcs.thenetcenter.net c
ould not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (b7da6eff-1513-48d1-8fcf-adf1dbdb8a7b._msdcs.thenetcenter.net)
         couldn't be resolved, the server name (fs1.thenetcenter.net) resolved
         to the IP address (10.1.2.2) and was pingable.  Check that the IP
         address is registered correctly with the DNS server.
         ......................... FS1 failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\FS1
      Skipping all tests, because server FS1 is
      not responding to directory service requests

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : thenetcenter
      Starting test: CrossRefValidation
         ......................... thenetcenter passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... thenetcenter passed test CheckSDRefDom

   Running enterprise tests on : thenetcenter.net
      Starting test: Intersite
         ......................... thenetcenter.net passed test Intersite
      Starting test: FsmoCheck
         ......................... thenetcenter.net passed test FsmoCheck

C:\Program Files\Support Tools>
0
 
LVL 51

Expert Comment

by:Netman66
Try this from FS1

nltest /dsregdns

0
 

Author Comment

by:netcenter
Just noticed that the server doesn't have a Connection Specific DNS Suffix (not sure if it matters or not):

C:\DOCUME~1\ADMINI~1>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : fs1
   Primary Dns Suffix  . . . . . . . : thenetcenter.net
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : thenetcenter.net

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 XT Network Connection
   Physical Address. . . . . . . . . : 00-0F-1F-02-12-E5
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.1.2.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.1.2.1
   DNS Servers . . . . . . . . . . . : 10.1.2.1

C:\DOCUME~1\ADMINI~1>
0
 

Author Comment

by:netcenter

C:\Program Files\Support Tools>nltest /dsregdns
Flags: 0
Connection Status = 0 0x0 NERR_Success
The command completed successfully

C:\Program Files\Support Tools>
0
 
LVL 51

Expert Comment

by:Netman66
You can add it.

Are you able to run dcdiag now successfully?
0
 

Author Comment

by:netcenter
Nope. I added the Connection Specific Suffix and it still did not fix the prob (still have Netlogon errors up the wazoo, and dcdiag still is showing exactly the same printout as above).

I did just have a brainstorm and under both Forward and Reverse lookup zone Properties -> Name Servers Tab if i click Browse and look for an A Records or CNAME records there are none. The only records I have are the Start of Authority and Name Server Records.
0
 
LVL 51

Expert Comment

by:Netman66
Host records should be there....

I'm not sure why they aren't registering properly.

In DNS - expand Forward Lookup then your Domain.
Right-click the domain name on the left pane and select Properties.
On the SOA tab manually add your server.
On the Name Servers tab make sure only your server is there.

Run - ipconfig /flushdns
         ipconfig /registerdns

Restart the Netlogon service.

advise.
0
 

Author Comment

by:netcenter
I think I have found the prob (btw none of the above worked). For some reason my Forwarding is set to netcenter.net instead of what is the real domain suffix thenetcenter.net .... this basically means that it is trying for a different namespace. I have tried figuring out how to rename and have not been successful. I have also created an A record and have flushed/registered again. At this point I am starting to believe it is best for me to completely redo my DNS server configuration... are you in agreement...

Advise please.
0
 
LVL 51

Expert Comment

by:Netman66
Be careful.  Active Directory depends on DNS.

Not sure what you mean by Forwarding set to netcenter.net?  Forwarding should simply be to an IP - that of the ISP.

Do you have another server online?
0
 
LVL 51

Expert Comment

by:Netman66
If you absolutely must...Delete the contents ONLY of the Forward and Reverse Lookup zones.

Restart the Netlogon service on the DC - check to be sure that ALL the service records show up in DNS.

Run some test afterwards to make sure everything is correct - do not reboot your server until DNS is working properly.

0
 
LVL 51

Expert Comment

by:Netman66
Your Forward Zone should be named after your domain - thenetcenter.net (if that is your AD domain).  Do not mix external DNS names with internal.

0
 

Author Comment

by:netcenter
Nah, what I mean is under dnsmgt -> Forward Lookup Zones the actual server data file is called netcenter.net instead of thenetcenter.net... this DNS server is simply supposed to resolve local LAN DNS addresses (behind a router), not actual live DNS. What I am not understanding is why my clients are able to access the internet and resolve that way, however they are not able to resolve locally.

The DNS records are as follows:

- DNS
   - Forward Lookup Zones
    [  ] netcenter.net
              same as parent folder    Start of Authority(SOA)   [1] fs1.thenetcenter.net, hostmaster.thenetcenter.net  
              same as parent folder    Name Server(NS)           fs1.thenetcenter.net.  
              fs1                               Host (A)                         10.1.2.2  
   - Reverse Lookup Zones
    [  ] 10.1.2.x Subnet
              same as parent folder    Start of Authority(SOA)   [1] fs1.thenetcenter.net, hostmaster.thenetcenter.net  
              same as parent folder    Name Server(NS)           fs1.thenetcenter.net.  


Here is the latest portion of my DNS server log:


15:00:26 3D8 PACKET  UDP Rcv XX.XX.XX.XX   278d R Q [8081   DR  NOERROR] (7)newchat(10)livehelper(3)com(0)

15:00:26 3D8 PACKET  UDP Snd 10.1.2.192      042f R Q [8081   DR  NOERROR] (7)newchat(10)livehelper(3)com(0)


0
 
LVL 51

Expert Comment

by:Netman66
Create a new SOA with thenetcenter.net - match the wrong one's info.

Once it's created delete the wrong entry.

0
 

Author Comment

by:netcenter
OK, I finally got a chance to do this.... I still am having troubles; here are some rather interesting event logs:

Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40961
Date:            3/29/2004
Time:            6:26:46 PM
User:            N/A
Computer:      FS1
Description:
The Security System could not establish a secured connection with the server DNS/ispservername.  No authentication protocol was available.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Data:
0000: 8b 01 00 c0               ‹..À    


Event Type:      Error
Event Source:      NETLOGON
Event Category:      None
Event ID:      5774
Date:            3/29/2004
Time:            6:28:33 PM
User:            N/A
Computer:      FS1
Description:
The dynamic registration of the DNS record 'thenetcenter.net. 600 IN A 10.1.2.2' failed on the following DNS server:  

DNS server IP address: 69.60.160.34
Returned Response Code (RCODE): 5
Returned Status Code: 9017  

For computers and users to locate this domain controller, this record must be registered in DNS.  

USER ACTION  
Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. You can find this program on the Windows Server 2003 installation CD in Support\Tools\support.cab. To learn more about  DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by  this domain controller, run 'nltest.exe /dsregdns' from the command prompt on the domain  controller or restart Net Logon service. Nltest.exe is available in the Microsoft Windows  Server Resource Kit CD.
  Or, you can manually add this record to DNS, but it is not recommended.  

ADDITIONAL DATA
Error Value: DNS bad key.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 05 00                     ..      

::::::::::::::::::::::::::::::::::::::::
I have the domain name thenetcenter.net registered with my ISP for my website... I am unsure at this point whether or not this is causing a large problem with my authentication.... any further ideas? Everything looks good on my DNS logs atm except for these rather interesting lines:
:::::::::::::::::::::::::::::::::::::::::

17:50:39 EDC EVENT   DNS server has updated its own host (A) records.  In order to ensure that its
DS-integrated peer DNS servers are able to replicate with this server, an attempt
was made to update them with the new records through dynamic update.  An error
was encountered during this update, the record data is the error code.



If this DNS server does not have any DS-integrated peers, then this error

should be ignored.



If this DNS server's Active Directory replication partners do not have the
correct IP address(es) for this server, they will be unable to replicate with it.



To ensure proper replication:

1) Find this server's Active Directory replication partners that run the DNS
server.

2) Open DnsManager and connect in turn to each of the replication partners.

3) On each server, check the host (A record) registration for THIS server.

4) Delete any A records that do NOT correspond to IP addresses of this server.

5) If there are no A records for this server, add at least one A record
corresponding to an address on this server, that the replication partner can
contact.  (In other words, if there multiple IP addresses for this DNS server,
add at least one that is on the same network as the Active Directory DNS server
you are updating.)

6) Note, that is not necessary to update EVERY replication partner.  It is
only necessary that the records are fixed up on enough replication partners so
that every server that replicates with this server will receive (through
replication) the new data.

...
17:57:07 5F4 PACKET  UDP Snd 10.1.2.192      0256 R U [05a8       REFUSED] (12)thenetcenter(3)net(0)
...
17:57:07 5F4 PACKET  UDP Snd 10.1.2.192      0258 R U [05a8       REFUSED] (1)2(1)1(2)10(7)in-addr(4)arpa(0)

::::::::::::::::::::::::
FYI - 10.1.2.192 is a DHCP client
::::::::::::::::::::::::
0
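The DNS debug-log PACKET lines and the NETLOGON event 5774 text quoted in the post above (and in the earlier post with the first 5774 event) are what a defender would triage to tell "registration refused by my own server" apart from "my internal namespace is leaking to the ISP". Here is an added Python helper that parses both; it is example code, not anything from the thread. It assumes RFC 1918 space is "inside", takes thenetcenter.net as the AD domain, and uses 203.0.113.53 as a constructed placeholder for the redacted ISP DNS server; the sample lines are constructed from the ones posted.

```python
"""Triage Windows DNS debug-log PACKET lines and NETLOGON event 5774 text.
Added example, not the thread's own code. Sample input is constructed from the
lines posted in the thread; 203.0.113.53 stands in for the redacted ISP server."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# What counts as "inside" here: the 10.x LAN/DMZ legs in the thread plus the
# other RFC 1918 ranges (assumption). Anything else is treated as the ISP side.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The AD DNS domain from the thread. Names under it should only ever be
# resolved or registered against the DC's own DNS server.
AD_DOMAIN = "thenetcenter.net"

# One PACKET line of the Windows DNS debug log, e.g.
# 17:57:07 5F4 PACKET  UDP Snd 10.1.2.192  0256 R U [05a8  REFUSED] (12)thenetcenter(3)net(0)
# fields: time, thread id, proto, Snd/Rcv, remote IP, XID, 'R' if a response,
# opcode (Q query / U update / N notify), [hex flags, flag letters, RCODE], name.
PACKET_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<tid>[0-9A-Fa-f]+)\s+PACKET\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<ip>\S+)\s+(?P<xid>[0-9A-Fa-f]{4})\s+"
    r"(?P<resp>R)?\s*(?P<op>[QUN])\s+\[(?P<flags>[^\]]*)\]\s+(?P<name>\S+)\s*$"
)

# The description text of NETLOGON event 5774 as Event Viewer shows it.
EVENT_5774_RE = re.compile(
    r"The dynamic registration of the DNS record '(?P<record>[^']+)' failed on the "
    r"following DNS server:\s*DNS server IP address:\s*(?P<ip>\S+)\s*"
    r"Returned Response Code \(RCODE\):\s*(?P<rcode>\d+)\s*"
    r"Returned Status Code:\s*(?P<status>\d+)"
)

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH", 16: "BADSIG", 17: "BADKEY"}
# Win32 DNS status codes seen in 5774 events; 9017 is the one in the thread and
# is what Event Viewer renders as "DNS bad key".
WIN32_DNS_STATUS = {9005: "DNS_ERROR_RCODE_REFUSED", 9017: "DNS_ERROR_RCODE_BADKEY"}


def decode_labels(wire: str) -> str:
    """'(12)thenetcenter(3)net(0)' -> 'thenetcenter.net'."""
    labels = re.findall(r"\(\d+\)([^(]*)", wire)
    return ".".join(label for label in labels if label)


def is_internal(ip: str) -> Optional[bool]:
    """True/False for a parseable address; None for redacted text like XX.XX.XX.XX."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    return any(addr in net for net in INTERNAL_NETS)


def in_ad_domain(name: str) -> bool:
    n = name.lower().rstrip(".")
    return n == AD_DOMAIN or n.endswith("." + AD_DOMAIN)


@dataclass
class Finding:
    line_no: int
    rule: str
    detail: str


def triage_packet_log(lines: List[str]) -> List[Finding]:
    """Flag refused dynamic updates and AD-domain names that cross to the outside."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        m = PACKET_RE.match(line.strip())
        if not m:
            continue  # non-PACKET lines (EVENT text, blank lines) are skipped
        name = decode_labels(m["name"])
        flag_tokens = m["flags"].split()
        rcode = flag_tokens[-1] if flag_tokens else "?"
        # Response ('R') to an update ('U') with a non-NOERROR RCODE: the
        # registration was rejected, the same condition event 5774 reports.
        if m["op"] == "U" and m["resp"] and rcode != "NOERROR":
            findings.append(Finding(line_no, "update-refused",
                                    f"update for {name} from {m['ip']} answered {rcode}"))
        # An AD-domain name exchanged with a non-internal host means the
        # internal namespace is leaving the network (split-brain DNS).
        if in_ad_domain(name) and is_internal(m["ip"]) is False:
            verb = "answered by" if m["dir"] == "Rcv" else "sent to"
            findings.append(Finding(line_no, "internal-name-outside",
                                    f"{name} {verb} external host {m['ip']}"))
    return findings


def triage_netlogon_5774(text: str) -> Optional[dict]:
    """Decode the RCODE / status pair from a 5774 event and say where it was sent."""
    m = EVENT_5774_RE.search(text)
    if not m:
        return None
    rcode, status = int(m["rcode"]), int(m["status"])
    return {"record": m["record"], "dns_server": m["ip"],
            "rcode": RCODE_NAMES.get(rcode, str(rcode)),
            "status": WIN32_DNS_STATUS.get(status, f"UNKNOWN({status})"),
            "registered_outside": is_internal(m["ip"]) is False}


# Constructed sample input, modelled on the lines posted in the thread.
SAMPLE_DNS_LOG = """\
09:07:04 3D8 PACKET  UDP Snd 10.1.2.192      031c R Q [8085 A DR  NOERROR] (3)www(9)alienware(3)com(0)
17:57:07 5F4 PACKET  UDP Snd 10.1.2.192      0256 R U [05a8       REFUSED] (12)thenetcenter(3)net(0)
17:57:07 5F4 PACKET  UDP Snd 10.1.2.192      0258 R U [05a8       REFUSED] (1)2(1)1(2)10(7)in-addr(4)arpa(0)
17:58:10 5F4 PACKET  UDP Rcv 203.0.113.53    0301 R Q [8180   DR  NOERROR] (3)fs1(12)thenetcenter(3)net(0)
""".splitlines()

SAMPLE_5774 = """The dynamic registration of the DNS record '_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.thenetcenter.net. 600 IN SRV 0 100 389 fs1.thenetcenter.net.' failed on the following DNS server:

DNS server IP address: 203.0.113.53
Returned Response Code (RCODE): 5
Returned Status Code: 9017
"""

if __name__ == "__main__":
    for f in triage_packet_log(SAMPLE_DNS_LOG):
        print(f"line {f.line_no}: {f.rule}: {f.detail}")
    print(triage_netlogon_5774(SAMPLE_5774))
```

Run against the constructed sample it reports the two REFUSED updates from 10.1.2.192 and the fs1.thenetcenter.net answer that came back from the outside address, and decodes the 5774 pair as RCODE REFUSED / DNS_ERROR_RCODE_BADKEY sent to an external server, which is the "DC registering with the ISP" condition Netman66 points out in the reply that follows. Point it at a real dns.log by reading the file into a list of lines.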
 
LVL 51

Expert Comment

by:Netman66
The fact that the internal AD domain and the external ISP-registered domain are the same is certainly a problem.

The logs indicate that your AD server is trying to register itself with the ISP.

If you only have one server and there isn't too much loaded on it you should wipe it and reinstall using the internal namespace of thenetcenter.local.

This will remove the issues you are seeing.

The last entry tells me your clients are trying to create a reverse entry on the ISP's server.

Since your server has only one NIC what I think is happening is that thenetcenter.net is being resolved external to your network and will continue to be - so the clients and the server will always look to the ISP instead of staying local for the domain.  If you added another NIC and made you network go "through" the server to get to the internet you might be able to resolve the issue and not have to change the AD namespace.

0
 

Author Comment

by:netcenter
Shouldn't be too much of a problem, I don't think .... that is if it won't mess my computer accounts up since all my clients are already joined to the domain, and rebuilding GPOs should be pretty easy.

So what I'm gathering is that if I call the active directory thenetcenter.local the client machines will be called client.thenetcenter.local and then my server would be fs1.thenetcenter.local. The ISP DNS servers would not recognize the domain thenetcenter.local and would allow authentication to take place... or would I need to notify them as to the domain so they could authorize it and allow for authentication to take place?

The only problem I foresee is that I have a smoothwall corporate server doing my DHCP and PPPoE authentication (I am on a DSL connection), thus being my router and containing my sole public static IP. I am guessing I could use port forwarding on that and install another NIC on the Win2k3 server, thus allowing my Win2k3 server to share my sole "public" IP and be part of my DMZ. I could also have my ISP release my domain name (thenetcenter.net) and could just set up a webserver (again doing port forwarding and in my DMZ) and have that in house as well. I could then use my Win2k3 server as my DNS server and change my DNS settings with my registrar.... am I getting this other scenario correct?
0
 

Author Comment

by:netcenter
Hmmm let me rethink that...
                                                                                         

                                                                                                         {{INTERNET}}
                                                                                                                 ^
                                                                                                                  "           [SMOOTHWALL SERVER]
                                                                                                                  " XX.XX.XX.XX OUTSIDE INTERFACE ETH0
[Win2K3]

ETH0 - 10.1.1.2 : DNS thenetcenter.net (or thenetcenter.local) --> {CISCO 10/100 MicroSwitch} <--10.1.1.1 - DMZ ETH1

ETH1 - 10.1.2.2 : File Server Adapter    --> {Catalyst 2950 Switch} <---------10.1.2.1 - LOCAL DEFAULT GW
                                                                            ^
                                                                             "  
                                                                             "   LOCAL CLIENTS

Kind of a crude sketch, however I think this is right.... and I would do port forwarding for DNS on port 53
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 500 total points
Local gateway should be the server, not the switch.

This is what I would do...

ISP > Smoothwall > Your Server > LAN

Smoothwall only acting as a Firewall - no services offered.

Subnet1 - between Smoothwall and Server (ETH0) - subnet 10.1.1.0/24 (Smoothwall 10.1.1.1/255.255.255.0, ETH0 10.1.1.2/255.255.255.0)
ETH0 - No File & Print, no NetBIOS over TCP/IP, no Microsoft Network, DNS set to ISP, DNS NOT dynamically updating, gateway=smoothwall.
ETH0 - make sure this interface is at the top of the binding order.

Subnet2 - your LAN.  ETH1 = 192.168.1.1/24
DNS pointing at itself only, File and Print sharing, Microsoft Network, NetBIOS over TCP/IP.
Catalyst = 192.168.1.2/24 (for management only - disable routing).
DHCP - scope=192.168.1.3-192.168.1.254/24
DNS - Forwarding set to ISP only.  Listening only to 192.168.1.1.  Secure dynamic updates. NO zone transfers.

Try this before resorting to a restructure.

Leave your ISP hosting the site.

0
 
LVL 51

Expert Comment

by:Netman66
Missed a setting....ETH1 (server - LAN side) NO gateway.

RRAS enabled per this document:  http://download.microsoft.com/download/2/e/c/2ec23de9-4bc3-45a0-9127-89ec6bf89391/connectnetwork.doc

0
 

Author Comment

by:netcenter
OK, both my other techie and I have ensured that everything is set as you stated, verified my binding order, verified my network configurations. Tried it out and clients are not able to get DHCP addys nor surf the web, however the server continues to be able to access the Internet. I am going to try to use a packet sniffer / network monitor sometime tomorrow to see if it's even broadcasting.

Couple of things though:

I now have two NICs in this computer. I had already reinstalled 2K3 before I got your reply back (I might have to do it again but don't think so because DNS is now working without errors, see below). The only error I am getting deals with reverse lookup (not sure whether it needs to be the 10.1.1.x or 192.1.1.x ). Also my smoothwall corporate server does proxy / filtering / firewall ... it also allows for me to use DNS, DHCP etc... I have verified the DNS and DHCP services are disabled, but as for the rest I need them to work, and as I understand it they still should.

Any ideas?

::::::::::::::::::::::::::::::::::::::::::::::::
C:\Program Files\Support Tools>dcdiag

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site\AD
      Starting test: Connectivity
         ......................... AD passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site\AD
      Starting test: Replications
         ......................... AD passed test Replications
      Starting test: NCSecDesc
         ......................... AD passed test NCSecDesc
      Starting test: NetLogons
         ......................... AD passed test NetLogons
      Starting test: Advertising
         ......................... AD passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... AD passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... AD passed test RidManager
      Starting test: MachineAccount
         ......................... AD passed test MachineAccount
      Starting test: Services
         ......................... AD passed test Services
      Starting test: ObjectsReplicated
         ......................... AD passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... AD passed test frssysvol
      Starting test: frsevent
         ......................... AD passed test frsevent
      Starting test: kccevent
         ......................... AD passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0xC0001B58
            Time Generated: 03/31/2004   16:42:22
            Event String: The Network Load Balancing service failed to
         ......................... AD failed test systemlog
      Starting test: VerifyReferences
         ......................... AD passed test VerifyReferences

   Running partition tests on : TAPI3Directory
      Starting test: CrossRefValidation
         ......................... TAPI3Directory passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... TAPI3Directory passed test CheckSDRefDom

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : thenetcenter
      Starting test: CrossRefValidation
         ......................... thenetcenter passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... thenetcenter passed test CheckSDRefDom

   Running enterprise tests on : thenetcenter.local
      Starting test: Intersite
         ......................... thenetcenter.local passed test Intersite
      Starting test: FsmoCheck
         ......................... thenetcenter.local passed test FsmoCheck

C:\Program Files\Support Tools>
0
 
LVL 51

Expert Comment

by:Netman66
Ok, logs look good.

Not sure why NLB is setup - if it is, disable it.

As for the Reverse Zone - it should be the internal subnet only.

DHCP needs to be Authorized - right click the server in DHCP manager and select Authorize.

Options 003, 005 and 006 need to be set on the scope.

Once this is done and the clients get addresses then I think you will be off and running.

Advise.
0
 

Author Comment

by:netcenter
DHCP still not working (I have ensured now that DHCP is authorized).... however if I provide my clients with a static IP (ex: 192.168.1.x) addy and point them to 192.168.0.1 for their DNS they do in fact have Internet access. So now my sole problem seems to be the DHCP configuration. I have used netmon and it looks like broadcasting is in fact taking place on the LAN subnet (192.168.1.x)

Here is the configuration as is atm:

[-] DHCP
     [-] ad.thenetcenter.net [10.1.1.1]
          [-] Scope [192.168.1.1] Scope

Something about this doesn't look right; however, reconcile has been verified successfully. Advise please.
Thanks again for your help, btw.
0
 

Author Comment

by:netcenter
On another note (after the above is finished), I will need to have my XP clients rejoin the domain. I am not sure atm how this is feasible without a reinstall. Any ideas on how to accomplish this (I will also need to recreate their computer accounts) in an easier fashion?
0
 
LVL 51

Expert Comment

by:Netman66
You have DHCP servicing the outside network - we don't want that.  Make sure it is only listening on the inside network.

No need to reinstall the client - just back them into a workgroup and rejoin the domain.

0
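An added example, not code from this thread, that carries out what Netman66 describes in the two comments above (authorize the DHCP server in AD, set scope options 003, 005 and 006, and make the server listen on the inside network only) using the DhcpServer PowerShell module, which is the current equivalent of the DHCP manager clicks on 2003. The host name, adapter aliases, scope and addresses are placeholders, not the thread's values, and the script assumes it runs on the DHCP server itself. An unauthorized server hands out no leases at all, and one still bound to the outside adapter answers DHCPDISCOVER from whatever is upstream of it, so both are worth verifying, not just setting.

```powershell
# Added example (not from this thread). All names and addresses below are
# assumptions for illustration; substitute your own.
Import-Module DhcpServer

$DhcpDnsName  = 'ad.example.local'    # assumed DHCP/DC host name
$InsideIP     = '192.168.1.1'         # assumed address on the LAN-facing adapter
$InsideAlias  = 'LAN'                 # assumed adapter name, inside network
$OutsideAlias = 'WAN'                 # assumed adapter name, outside network
$ScopeId      = '192.168.1.0'         # assumed scope network ID
$Router       = '192.168.1.1'         # option 003: default gateway
$DnsServers   = @('192.168.1.1')      # option 006: the AD DNS server only

# 1. Authorize the server in Active Directory (done once per server).
#    A domain-joined DHCP server that is not authorized silently refuses to lease.
$authorized = Get-DhcpServerInDC | Where-Object { $_.IPAddress.IPAddressToString -eq $InsideIP }
if (-not $authorized) {
    Add-DhcpServerInDC -DnsName $DhcpDnsName -IPAddress $InsideIP
}

# 2. Bind DHCP to the inside adapter only. Bound to the outside adapter, the
#    server would answer address requests from the upstream network as well.
Set-DhcpServerv4Binding -InterfaceAlias $InsideAlias  -BindingState $true
Set-DhcpServerv4Binding -InterfaceAlias $OutsideAlias -BindingState $false

# 3. Scope options. -Force skips the cmdlet's live validation of the DNS
#    server, which fails on a box whose own DNS is still being repaired.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -Router $Router -DnsServer $DnsServers -Force
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 5 -Value $DnsServers   # option 005: name servers

# 4. Verify what is actually in effect rather than trusting the clicks.
Get-DhcpServerInDC | Format-Table DnsName, IPAddress
Get-DhcpServerv4Binding | Format-Table InterfaceAlias, IPAddress, BindingState
Get-DhcpServerv4OptionValue -ScopeId $ScopeId | Format-Table OptionId, Name, Value
```

The last three lines are the part to keep around: a binding row for the outside adapter showing `BindingState` True, or an empty `Get-DhcpServerInDC` result, explains a "DHCP still not working" symptom faster than another round of netmon captures.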
 

Author Comment

by:netcenter
Awesome! I now have everything working correctly with DNS, and I have successfully rejoined the domain with my XP clients... now all that seems to be going crazy is the OUs and group policies.

I have edited and applied the Domain Policy and have tried a user account on one of the XP machines with success.

I am needing to create several OUs now and apply policies to them. I am starting out with an OU called ACT which is being created on the AD Server.

After creating this OU and delegating control I opened Group Policy Manager and clicked on the ACT OU then clicked on Create and Link a GPO here. However I get this error:

Windows cannot find the network path. Verify the network path is correct and the destination computer is not busy or turned off. If Windows still cannot find the network path, contact your administrator.

I have not added any users or computers yet to the ACT OU, thinking that this was part of the problem I added my XP computer accounts and still no luck. Any ideas?
0
 

Author Comment

by:netcenter
I restarted the server (finally had no customers)... here is the error which I am concerned with now:

Event Type:      Error
Event Source:      Userenv
Event Category:      None
Event ID:      1058
Date:            4/5/2004
Time:            1:18:45 PM
User:            THENETCENTER\Administrator
Computer:      AD
Description:
Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=thenetcenter,DC=local. The file must be present at the location <\\thenetcenter.local\sysvol\thenetcenter.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied. ). Group Policy processing aborted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Looks like a permissions issue to me... please advise.
0
 

Author Comment

by:netcenter
Problem solved. I think I am in the clear now.

I had to reverse my binding order. Thanks again Netman for your help. I'm not sure which is the "accepted answer"; however, this is d@mn good info on how to set up a network for a small biz with Win2k3.
0
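An added diagnostic, not code from this thread, for the two failures reported above: "Windows cannot find the network path" when creating a GPO on the ACT OU, and Event ID 1058 saying gpt.ini for the Default Domain Policy could not be read from SYSVOL. It enumerates every groupPolicyContainer in AD, follows its gPCFileSysPath to SYSVOL, and reports whether gpt.ini is readable and whether Authenticated Users still hold read access on the folder, since a GPO that cannot be read is simply not applied and the restrictions it was meant to enforce never reach the clients. The second function lists connected adapters in metric order with their DNS servers, which is the current equivalent of the adapter binding order whose reversal fixed the problem at the end of the thread: an adapter pointing at an outside DNS server listed first is what it would show. It assumes the ActiveDirectory module is present and that it runs on a domain member with access to SYSVOL; the event log query uses the provider and log that current Windows versions use for this event (2003 logged it as Userenv in the Application log).

```powershell
# Added example (not from this thread). Assumes the ActiveDirectory module and
# SYSVOL access from the machine it runs on.
Import-Module ActiveDirectory

# For every GPO in the domain: can we read its gpt.ini from SYSVOL, and do
# Authenticated Users still have Read on the policy folder?
function Test-GpoSysvolPaths {
    $domain = Get-ADDomain
    $base   = "CN=Policies,CN=System,$($domain.DistinguishedName)"
    $gpcs   = Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=groupPolicyContainer)' `
                           -Properties displayName, gPCFileSysPath
    foreach ($gpc in $gpcs) {
        $gptIni = Join-Path $gpc.gPCFileSysPath 'gpt.ini'
        $result = [ordered]@{
            GPO = $gpc.displayName; Path = $gptIni
            Readable = $false; AuthUsersRead = $false; Version = $null; Error = $null
        }
        try {
            $ini = Get-Content -LiteralPath $gptIni -ErrorAction Stop
            $result['Readable'] = $true
            foreach ($line in $ini) {
                if ($line -match '^Version=(\d+)') { $result['Version'] = [int]$Matches[1] }
            }
            # Inherited ACEs are included, so a broken ACL higher up in SYSVOL shows here too.
            $acl = Get-Acl -LiteralPath $gpc.gPCFileSysPath
            $result['AuthUsersRead'] = [bool]($acl.Access | Where-Object {
                $_.IdentityReference -eq 'NT AUTHORITY\Authenticated Users' -and
                $_.AccessControlType -eq 'Allow' -and
                ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
            })
        } catch {
            # Unreachable share, missing folder or access denied all land here,
            # which is the condition Event ID 1058 reports.
            $result['Error'] = $_.Exception.Message
        }
        [pscustomobject]$result
    }
}

# Adapters in the order the stack prefers them, with the DNS servers each uses.
function Show-NameResolutionOrder {
    Get-NetIPInterface -AddressFamily IPv4 |
        Where-Object ConnectionState -eq 'Connected' |
        Sort-Object InterfaceMetric |
        ForEach-Object {
            $dns = (Get-DnsClientServerAddress -InterfaceIndex $_.ifIndex -AddressFamily IPv4).ServerAddresses
            [pscustomobject]@{
                Interface  = $_.InterfaceAlias
                Metric     = $_.InterfaceMetric
                DnsServers = ($dns -join ', ')
            }
        }
}

# Recent Group Policy read failures from the local System log.
function Get-RecentGpoErrors {
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-GroupPolicy'; Id = 1058 } `
                 -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Test-GpoSysvolPaths      | Format-Table -AutoSize
Show-NameResolutionOrder | Format-Table -AutoSize
Get-RecentGpoErrors      | Format-List
```

Run it on the domain controller first, then on a workstation: a GPO that is readable on the DC but not from a client points at the share, name resolution or the adapter order rather than at the GPO's own permissions.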
 

Author Comment

by:netcenter
Policies have been applied. Now it just involves tweaking. Thanks again Netman. Points awarded.
0
