Remote Location (VPN) on domain, Group Policy not updating

I have 3 locations with one DC (Win SBS 2003). Offices are connected via VPN routers (Netgear FVS318 Prosafe). My DC at the main location is the DHCP server; routers are the DHCP server at each remote site. I have them all on the domain, and DNS is set as the DC. They connect OK, although very slow for the first while; I understand this to be normal until all permissions are applied.
For the problem: it is not applying Group Policies. I built some of the systems at my main location where the DC is and they had all Policies applied at the time; some were built at remote sites. When started at a remote site, some policies were lost, and those built there will not acquire them. Example: I enforce the firewall and set up my VNC port through Group Policy. When the machine was moved, the firewall is still enforced, but the VNC port isn't. New machines are not getting anything. I ran gpresult and get INFO: The policy object does not exist. Strange thing is, it runs my logon scripts at the locations; it took a few reboots before it would, but does 90% of the time now. I have added new DHCP scopes on the DC to show the other IP ranges. Each office has its own: 192.168.0.*, 192.168.1.*, 192.168.2.*. Still no luck. I ran Specops Gpupdate and get offline or firewalled.

Is there something I am missing? Is there anything extra I have to set on the DC to allow the different IP ranges or Group Policy over VPN?

Any help would be greatly appreciated. I have been searching here for a while and have read a bit about slow connections, but haven't found where to change it.
XStoneDogXAsked:

Jay_Jay70Commented:
You need to look at the slow link detection policy as outlined here:
http://support.microsoft.com/kb/227260
0

XStoneDogXAuthor Commented:
Thanks for the link. That is what I was hoping would fix my problem, but no luck. I have applied it to the GP, but the problem still remains that some of my systems are not getting any GP settings at all. I also just made a few changes to my GP to see if that would fix the ones that I built and then moved that had some group policy, and no luck there either. Must be something else not allowing it through.

Do they use a port? The VPN should bypass everything, but I can't see what else could cause this. The Specops Gpupdate window says Offline or Firewalled. I tried debugging Specops and get the following log. I did a search on the last text there (RPC Server is unavailable) but can't find any info regarding my situation.


11/02/2008 9:15:29 PM	8564:3	SpecopsGpupdate: Starting Tracing for Specops Gpupdate, the time is '11/02/2008 9:15:29 PM', assembly name is 'SpecopsGpupdate, Version=1.0.2.13, Culture=neutral, PublicKeyToken=null'.
11/02/2008 9:15:29 PM	8564:3	SpecopsGpupdate: ---> Program.Main
11/02/2008 9:15:29 PM	8564:3	  SpecopsGpupdate: Command to execute is 'gpupdate'.
11/02/2008 9:15:29 PM	8564:3	  SpecopsGpupdate: The selection is of a type that do not need expansion, only remove the command.
11/02/2008 9:15:29 PM	8564:3	  SpecopsGpupdate: Number of computers selected is '1'
11/02/2008 9:15:29 PM	8564:3	  SpecopsGpupdate: Group Policy refresh selected.
11/02/2008 9:15:32 PM	8564:3	  SpecopsGpupdate: ---> Program.GetNumberOfThreads
11/02/2008 9:15:32 PM	8564:3	  SpecopsGpupdate: <--- Program.GetNumberOfThreads
11/02/2008 9:15:32 PM	8564:3	  SpecopsGpupdate: ---> SpecopsGpupdate.UpdateGroupPolicies
11/02/2008 9:15:32 PM	8564:3	    SpecopsGpupdate: Main form initialized.
11/02/2008 9:15:32 PM	8564:3	    SpecopsGpupdate: Main form shown.
11/02/2008 9:15:32 PM	8564:3	    SpecopsGpupdate: The WOL starter is running.
11/02/2008 9:15:32 PM	8564:3	  SpecopsGpupdate: <--- SpecopsGpupdate.UpdateGroupPolicies
11/02/2008 9:15:32 PM	8564:3	SpecopsGpupdate: <--- Program.Main
11/02/2008 9:15:32 PM	8564:8	SpecopsGpupdate: Processing computer 'LDAP://server.xxxxxxxx.local/CN=Montague,OU=SBSComputers,OU=Computers,OU=MyBusiness,DC=xxxxxxxx,DC=local'.
11/02/2008 9:15:33 PM	8564:8	SpecopsGpupdate: Operating System version is '5.1 (2600)'
11/02/2008 9:15:33 PM	8564:8	SpecopsGpupdate: Hostname 'montague.xxxxxxxx.local', force update 'True', Windows 2000 'False'.
11/02/2008 9:15:33 PM	8564:8	SpecopsGpupdate: This is a non-Windows 2000 box that is updated.
11/02/2008 9:15:33 PM	8564:8	SpecopsGpupdate: The command is 'gpupdate /force /wait:0'.
11/02/2008 9:16:15 PM	8564:8	SpecopsGpupdate: An exception occurred when calling the WMI method, exception is 'The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)'.


0
XStoneDogXAuthor Commented:
Another bit of odd behavior which I failed to mention, and the reason for trying the new DHCP scope addition: I can't browse to those systems by IP since joining the domain. I have to use the system name. Not sure if that helps troubleshoot or makes it more confusing. lol

0

Jay_Jay70Commented:
Well, confusing! lol. So you can browse via name and get through the VPN OK, but not via IP?

DNS updating?
0
XStoneDogXAuthor Commented:
Sorry, after some more testing it is only in one location that you can't type in \\192.168.2.1; you have to use the computer name. Odd, as it is only local systems that it won't work for. From the main location either will work. DNS seems to be working well. The main issue is the Group Policy not transferring to remote sites.
0
Jay_Jay70Commented:
Hmmmm! This is a weird one. Do you have DCs at any of these sites at all, or is it all remote logon over WAN?
0
XStoneDogXAuthor Commented:
Only the one DC at the main location. They are logging in over VPN. They don't seem to have a problem finding the DC. I have my WinXP reinstall disk slipstreamed to have my NIC drivers included, and they were able to join the domain during install from the remote location. Some things run extremely slow there, but I was told that is normal when first set up, and Group Policy will not update at all.
0
Jay_Jay70Commented:
Hmm, that's really odd. I have around 50 sites that authenticate to my central DCs (retail stores) and they all get the policy. I'm just struggling to think why that would not work at all.

Have you trialled moving the comps into a new OU with a new policy just to see if they get any better results?

If you have made the slow link changes after the initial install, then you may need to run the network ID wizard again to make them apply.

If the above fails I'll send you a copy of what my policies look like and we can compare.
0
XStoneDogXAuthor Commented:
Are all your IP ranges the same, or different for each location? DHCP server at each location, or your DC doing it all? Do you have the Windows Firewall enabled?

Doing some more research myself, I read to test if you can ping 2048 k of data, and mine won't. Could this be the problem?

I will move them to a new OU tonight when we close and see if that helps. The network ID wizard I have never run on any machine; I just have them connect on install. Maybe this would fix the issue. I will try that as well.

I will let you know what I find. If you do have different IP ranges, did you have to configure those on your server? Just trying to troubleshoot the minor problem of browsing by IP.

Thanks for your help. Hope I can get this worked out before my busy season hits. lol. If not I will just switch them back to Workgroups to get past it and try again later.
0
Jay_Jay70Commented:
Yes, I have different IP ranges at each site. Although, my central server doesn't handle DHCP for each site. I either have a local DHCP server which is a domain member OR I have static IPs, as the stores may have 5 machines max without a server. And we use a standard set of IP classing per machine type so it's standard across the board. As long as your clients are actually getting a lease, I wouldn't be too concerned with DHCP setup.

The other thing I forgot to note for my setup:
Comp settings - Windows settings - admin templates - system/logon - always wait for the network at computer startup and logon - enabled

That was a huge turning point in my remote site functionality, but again, for any changes to the policies you make, you will need to rejoin the domain initially, as if they aren't getting the policy at all, then the changes won't take effect of course :)


Network ID wizard is my standard way of joining machines to the domain nowadays; it establishes the links way too well.

Final thing to play with: in AD Sites and Services, make sure you have a subnet object for each site, and assign it to your central location.

We will get this sorted, don't worry. It works in hundreds of places and I refuse to let yours be the one that doesn't :) That, and I will work night and day to make sure you don't have to go to workgroup environments. I am more than happy to start my well known spiel on the evil of workgroups and get my lecturing voice on if you like **grin**
0
XStoneDogXAuthor Commented:
I am running SBS, so I assume that Network ID Wizard is the Network Configuration Wizard. I tried to run it on one machine not in use and it says it is already a member of the domain so there was no need. I can take it off the domain and set it if that is what you suggest. Does that affect previously logged on users' profiles? I remember doing this before and having the profiles all reset, but that could have been when I changed my domain name. I will try to do it remotely via VNC, but that is not always the best way to reset network settings, lol. One of them is close enough that if it doesn't work I can run over there tonight.

I had set the wait for network previously, as I was at one point trying to connect via wireless to the network and that was part of that troubleshooting. Didn't work, but I have since wired the full office so no loss there. I had never been in AD Sites and Services before, so I set that up.

Really appreciate the info. I will let you know how it goes remotely taking it off the domain and reconnecting it.

0
Jay_Jay70Commented:
Ahhh, SBS! Gotcha! In that case I may need to get someone in who will be able to work with the way the policies run etc.

Yah, unjoin and rejoin. Profiles will be fine; it's in the SID. Last time would have been because of the domain name change.

I just joined two in-store to my domain here, as we speak. So far it's good, so SBS may be the catch.
0
XStoneDogXAuthor Commented:
Well, just did the reconnect with no luck. It connected alright and it ran my logon scripts, but no luck with the Group Policy. I will make some new OUs and try that suggestion. It seems like it is something blocking just the GP settings.

Just a thought. From my previous post I mentioned the log file from SpecopsGpupdate. I get this error:

The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)

Is that of any relevance?

As you have this setup in multiple locations, is it normal that it takes close to 2 minutes for the logon and another minute or so for scripts to run? As well, just generally a slow system doing things like browsing My Computer and Control Panel for the first 10-15 minutes after boot?
0
Jay_Jay70Commented:
You may be looking at problems relating to editing the default SBS setup. I know Jeff talks a lot about this sort of thing; let me ask him for some help with the SBS side of things.

Certainly doesn't take 2 mins for my logon; it's barely any different from the LAN connections.

That RPC error is hugely relevant though. A lot of the time that's DNS related. You are looking only internally for DNS, yes? No ISP settings at a client level?

I'll mail Jeff now.
0
Jay_Jay70Commented:
The only other thing to check is ANY 3rd party or Windows firewall being enabled on any of the machines or the servers. It can get ugly with RPC connections.
0
XStoneDogXAuthor Commented:
Hmm. No 3rd party firewalls. I have McAfee Enterprise 8.5 running on all computers, but I don't believe it blocks anything. I have it on all local systems too with no problems here.

I do have a secondary DNS of my ISP on those systems in case the VPN goes down, so they can still access the internet. Should I disable that? I will kick myself if that is what is causing this. lol


0
Rob WilliamsCommented:
You mention: "DNS is set as the DC"
But is it only the DC? Make sure there are no other DNS entries, such as the ISP as an alternate/secondary. This is the source of 70% of slow logons.

Doesn't look like it's related to the problem, but your FVS318 has an option to enable NetBIOS over the VPN. I would enable that, if it's not done.

And before Jeff gets here :-) .........
How did you join the PCs to the SBS domain? You need to use the http://SBSservername/connectcomputer wizard to assure everything is properly configured.

Jay_Jay70 is your man for DNS, and the suggestions for slow links are usually very helpful with VPNs.

One other thing: if you added the PCs with the connect computer wizard, they likely have the Windows firewall enabled. If so, the firewall will automatically have the necessary exceptions for most services; however, by default some may only have the exception for connections from the same subnet. You can re-configure the firewall scope options to allow the remote subnet, or turn off the firewall; however, turning it off is likely restricted by group policy, exceptions are not.
0
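As an added example (not code from the thread or from any product mentioned in it), here is a Python check that parses a client's `ipconfig /all` output and flags the two things the replies above point at: a DNS server that is not the domain controller (such as the ISP resolver handed out as secondary) and a DHCP lease coming from the site router rather than a Windows DHCP server. The sample output, the DC address 192.168.0.2 and the domain name example.local are constructed assumptions.

```python
"""Audit a domain client's `ipconfig /all` output for settings that break
GPO processing over a VPN: a non-DC DNS server and router-served DHCP.
"""
import ipaddress
import re

# Constructed sample: a remote-site XP client whose router is the DHCP
# server and hands out the DC plus an ISP resolver as DNS servers.
# The DC address 192.168.0.2 and the domain name are assumptions.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : montague
        Primary Dns Suffix  . . . . . . . : example.local
        Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : example.local
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.2.50
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.2.1
        DHCP Server . . . . . . . . . . . : 192.168.2.1
        DNS Servers . . . . . . . . . . . : 192.168.0.2
                                            203.0.113.53
        Primary WINS Server . . . . . . . : 192.168.0.2
"""

# A field line is indented, starts with a letter, and is padded with spaces
# or dots up to the colon. Indented lines that do not match (bare IPv4 or
# IPv6 addresses) are continuation values of the previous field.
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 \-]*?)[ .]+:\s*(.*)$")


def parse_ipconfig(text):
    """Return {section name: {field name: [values]}} for ipconfig /all text."""
    sections = {}
    current = None
    last_field = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # Non-indented line: "Windows IP Configuration" or an adapter header.
            current = line.strip().rstrip(":")
            sections[current] = {}
            last_field = None
            continue
        if current is None:
            continue
        match = FIELD_RE.match(line)
        if match:
            last_field = match.group(1).strip()
            value = match.group(2).strip()
            sections[current][last_field] = [value] if value else []
        elif last_field is not None:
            sections[current][last_field].append(line.strip())
    return sections


def _as_ip(value):
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None  # e.g. "Media disconnected" or an empty value


def audit_client(text, dc_addresses, dhcp_servers=None):
    """Return a list of findings; an empty list means the client looks right.

    dhcp_servers defaults to the DC list, i.e. the DC is assumed to also be
    the authorised Windows DHCP server for the client's site.
    """
    dcs = {ipaddress.ip_address(a) for a in dc_addresses}
    allowed_dhcp = {ipaddress.ip_address(a) for a in dhcp_servers} if dhcp_servers else dcs
    sections = parse_ipconfig(text)
    findings = []

    general = sections.get("Windows IP Configuration")
    if general is not None and not general.get("Primary Dns Suffix"):
        findings.append("Primary DNS suffix is empty: the machine is not "
                        "domain-joined or the suffix was never set")

    for name, fields in sections.items():
        if name == "Windows IP Configuration" or not fields.get("IP Address"):
            continue  # skip the header block and disconnected adapters
        for server in fields.get("DNS Servers", []):
            addr = _as_ip(server)
            if addr is not None and addr not in dcs:
                findings.append(f"{name}: DNS server {server} is not a domain "
                                "controller; domain members must resolve only "
                                "through the DC, so remove ISP resolvers")
        for server in fields.get("DHCP Server", []):
            addr = _as_ip(server)
            if addr is not None and addr not in allowed_dhcp:
                findings.append(f"{name}: DHCP lease from {server}, not an "
                                "authorised Windows DHCP server; the router "
                                "decides the DNS list and cannot register "
                                "clients in AD DNS")
    return findings


if __name__ == "__main__":
    for finding in audit_client(SAMPLE_IPCONFIG, ["192.168.0.2"]):
        print("WARN", finding)
```

On a real client, pipe `ipconfig /all` into a file and pass its contents to `audit_client`; an empty result is the state Rob and Jay_Jay70 are asking for before looking at firewalls.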
Rob WilliamsCommented:
XStoneDogX, sorry, missed your last post.
Get rid of that secondary DNS!!!
0
Rob WilliamsCommented:
I must be dyslexic, or didn't read above carefully enough. I missed Jay_Jay70's comments about the 2nd DNS as well. Sorry James :-)
0
XStoneDogXAuthor Commented:
Well, I am about to kick my own a$$ for setting that.  lol.  I thought I was being smart having a backup.

I logged into the routers to take out the secondary DNS and of course, now I can't access either of them. They are on dyndns so I may have to wait a few to see if they get updated. Sounds like this will fix my "slowness", and I'm crossing my fingers that it fixes my GP updating.

Regarding the Windows firewall, you're right, I can't disable the ones I originally set up locally as they have some GP still in place that stops me, but I will see if I can match them to what I have in my main office and check the subnet settings.

Thanks again. Crossing my fingers these routers update soon. Would love to try this tonight.
0
Rob WilliamsCommented:
>>"I thought I was being smart having a backup. "
In theory it's the right thing to do, but Windows doesn't quite work the way we want it to, or the way it should.

As for the firewall, just check the exceptions and the scope options; it will show "allow all computers including those on the Internet", or "subnet". You will be able to edit the exceptions. Go to Windows firewall | Exceptions | highlight the exception such as File and print and choose edit | then for each port, in this case 4, highlight and choose edit scope.
0
Rob WilliamsCommented:
>>"On dyndns so may have to wait a few to see if they get updated. "
I don't follow? Is the tunnel down? Can you access through the tunnel with the LAN IP of the router, or are you off site?

0
XStoneDogXAuthor Commented:
Ya, tunnel is down. Only have a Dynamic IP from the ISP here, so if it changes, I have to wait for the router to update dyndns.org to bring the tunnel back up. Very rare that it happens, but changing the Secondary DNS on the router reset it apparently.
0
Jay_Jay70Commented:
Hello lads :)

No worries Rob, great minds think alike.

That secondary DNS entry will hugely affect GPO processing, big time, and it will cause those RPC errors also.
0
Jay_Jay70Commented:
No no, secondary DNS on the router is fine; it's the clients that are the worry.
0
XStoneDogXAuthor Commented:
But the router is the DHCP server, so it is pushing the secondary to the clients. I may just end up going static, but it's hard to do that from here. If I take it off the router it should fix it for now.
0
Rob WilliamsCommented:
You will also have to force a reboot or ipconfig release/renew of the PCs, as James pointed out, before you see an improvement. The leases are probably good for a couple of days.

As per your earlier comment XStoneDogX: you are right, you will lose Internet connectivity if the SBS server is unavailable.
The solution, if possible, is a local domain controller/DNS server.
0
XStoneDogXAuthor Commented:
Still can't get into them, but figured I would throw this out there. Regarding the DC/DNS at each location: I have SBS 2003 at my main location with licenses for all my computers. If I bought a DC for each location, would I then have to get more CALs to cover those computers again? I don't mind spending the money for Win Server 2003, but the CALs are not cheap when I have already purchased them.

Also, is it hard to set up? Or would they just get all settings from my main server?
0
Rob WilliamsCommented:
You need 2 server licenses (1 for each server/site), but you can use the same CALs; SBS will look after that.

They are easy to set up. Just add the new servers to the SBS first, using the Computer Management console, then join with the http://SBSservername/connectcomputer wizard. Then on the new servers, you can promote them, making them Active Directory integrated, and then they will automatically sync all their directory and DNS info with the SBS.

How many PCs at the remote sites? Awfully nice to have the local DC, but it can be cost prohibitive if only a few.
By the way, you cannot use SBS at the remote sites; it has to be Server 2003. Only 1 SBS per domain, and a max of 75 PCs in the SBS domain.
0
Rob WilliamsCommented:
One note:
You mention you are with DYNDNS, which works fine; I use it quite a bit. However, in case you are not aware: if you do not have the paid service ($9.95/year for 20 domain names) and your IP doesn't change for 35 days, they consider the link dormant and remove it from the database. Their DYNDNS client, if used, is supposed to force this refresh, but I don't find it works, and using the router's DDNS option (my preference) will not refresh regardless, if it doesn't change. The paid service works flawlessly.
0
Jay_Jay70Commented:
Ah right, router as DHCP, gotcha :) OK, if it's pushing to clients then that's your problem.

You probably want to go static to be honest; a router cannot update DNS when it leases DHCP addresses. It's all about security with AD and DNS. The only thing that can is an Authorised DHCP Server, which is usually Windows based :)

I wouldn't tell you to go and spend that sort of money on servers at each site. Easy, yes; needed, no.

But now I am confused. I thought your DHCP server on the SBS box was doing all your DHCP. The router should be configured for passthrough and not doing anything regarding DHCP at all!
0
Rob WilliamsCommented:
Can you configure the Netgears to do DHCP pass-through, i.e. a DHCP helper, Jay_Jay70? Never tried it with one. Keeping in mind each site is a different subnet.

Another luxury of having a local server: you can have a proper local DHCP server. But as mentioned it may not be justified. I know your businesses are similar in size to ours here, and many are small, unlike Jay_Jay70's.

XStoneDogX is in my "neck of the woods"; Jay_Jay70 works with the big guys on the other side of the planet :-) where it's not -8 deg C now!
0
Jay_Jay70Commented:
:) I think they all should be able to do it. If not we could be in some trouble. XStoneDogX (got a name brother??) has DHCP set up in a superscope so it's all centralised DHCP. Very cool.

Oh, wait up. I can see what's going on here: you have DHCP scopes set up for each site, but you are also running DHCP from the routers. The plot thickens but comes a little clearer too :) Passthrough is going to be the key, or static IPs.

Master Rob. "Works with the big guys": yep yep, and breaks a hell of a lot more too. It's all about delegated blame, I say!
0
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
Hey guys... I've been totally swamped with 3 simultaneous SBS installs this week, so I didn't totally have a chance to read through this question, but at a cursory look, it seems as though persistent routes haven't been configured between the IP subnets.

Also, there is a VERY good overview of how to configure additional DCs in branch offices at SmallBizServer.net:
http://www.smallbizserver.net/Articles/tabid/266/articleType/ArticleView/articleId/223/Default.aspx

This is a subscriber only article, but definitely worth the price of admission for that how-to alone.

Sorry I can't offer more right now, but it's been kinda crazy...

Good Luck!

Jeff
TechSoEasy
0
XStoneDogXAuthor Commented:
OK, so here is the scoop now. I have disabled the secondary DNS and things are starting to work faster. Seems that was a lot of the problem. Still some delays on some systems, but I will look at them and see if that is something else.

The Group Policy problem is still kind of there. I have been messing with my Firewall settings to see if I can get them to match exactly a system that is working. On one system, after setting file and print sharing to everyone instead of subnet, a reboot allowed the group policies to populate. Only one system so far though. I will let you know more after some more testing.

Just to clarify, this made the changes to my Automatic Updates, but it does not change any Firewall settings. I assume that is a restriction of this setup?

Regarding the DHCP server, I don't think my router has a pass through; could be wrong though. Is it optimal to have just the one DHCP? I changed my DC back to just having the one scope for DHCP for my main office and let the routers handle their own branch offices. I have checked ipconfig /all and they only have the one DNS now. Is WINS supposed to be set up as well? I have that pointed to the DC, but just wanted to make sure I should.

And what/how do I set up Persistent Routes? I am sure I am just missing some other little setting on my DC, but for the life of me I can't figure it out. It is usually the simple things that cause the big problems.

Name is Mike, btw.
0
XStoneDogXAuthor Commented:
OK. So still the same Group Policy problem.

I have now completely disabled my Windows Firewall and disabled McAfee 8.5 just in case. It only has the one DNS. I have disabled WINS just in case and have reconnected it to the network using the wizard, with no luck. It must be something not configured on my DC. At a loss. Priced up Win Server 2003, close to $1000, which is a bit much considering the size of the locations. Only 5 systems in each spot. Making some headway, but I am more confused at what it could be now than when I started. lol
0
Rob WilliamsCommented:
Sorry Mike, I have been out and about most of the day. Darn work gets in the way <G>.

Were you able to re-join the domain remotely? If so, it sounds like everything is in place for group policy. Are you sure it is being applied to the appropriate OU?

A good diagnostic tool is Netdiag. Run it on a problematic PC and see what it comes up with:
http://www.lan-2-wan.com/Diag-FAQ.htm#q1

WINS should not be necessary as GP and AD rely on DNS, however it is recommended in an SBS network, and certainly won't hurt.

The persistent routes Jeff mentioned should not be necessary in your situation, assuming the VPN routers (Netgears) are the default gateway for each local network. If not, i.e. multiple routers present, they will be necessary, assuming I am correct with what Jeff is getting at.

>>"Just to clarify, this made the changes to my Automatic Updates, but it does not change any Firewall settings, I assume that is a restriction of this setup?"
Not quite sure what you mean by this one. They should be 2 different things. SBS clients can usually edit exceptions, but not disable the firewall.

Agreed, hard to justify Server 2003 for 5 users.

0
XStoneDogXAuthor Commented:
No need to apologize; you're helping me out at your convenience.

I can re-join the domain remotely, and ran that tool. FYI, I turned WINS back on before I ran it. Here are the only things out of the ordinary.

Shouldn't be a problem with the OUs, as they worked in those same OUs when they were built at the DC location.

Should I be able to ping /l 2048? I read that if you can't, GP won't apply. I can't, and I'm not sure how to fix that.

Thanks again,
Mike
NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.  
 
WAN configuration test . . . . . . : Skipped
    No active remote access connections.
 
IP Security test . . . . . . . . . : Passed
    Service status  is: Started
    Service startup is: Automatic
    IPSec service is available, but no policy is assigned or active
    Note: run "ipseccmd /?" for more detailed information


0
Jay_Jay70Commented:
Morning Mike/Rob :)

K, I still would advise heavily on trialling with static IPs: look straight at your DC for DNS, and no other settings, rejoin a machine, and see if it gets policy. That way we narrow out DNS and DC membership for good. If that fails, we can start looking at ports and firewall gear that may be causing it :)
0
XStoneDogXAuthor Commented:
Will do. I am only entering my IP and subnet; I assume I should use the local router as the gateway, and then my DC IP as the DNS. Will let you know how it goes.
0
Jay_Jay70Commented:
That's the one.
0
XStoneDogXAuthor Commented:
No luck. I have static there now. Re-joined the domain, even tried the gpupdate /force just in case. I only have the default domain policies as well as one of my own for WSUS. I am checking by looking at the automatic update settings. Specops Gpupdate shows successful though.

0
Jay_Jay70Commented:
Hmm! The fact that default policies show removes the firewall from the picture, and DNS too now that's working.

Sooo, I wonder if we are now looking at SBS issues kicking us in the nuts, which is where Rob might be able to lend some insight, as SBS is out of my world.

Can you post the results of a gpresult for me? From the client.
0
XStoneDogXAuthor Commented:
I removed my username and domain name, but all else is left intact. Only looks like two policies are being applied. Strange.
gp.txt
0
Jay_Jay70Commented:
Gotcha!
 The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        HRB
            Filtering:  Denied (Security)

Is that the policy you are trying to apply by any chance, the HRB one?
0
XStoneDogXAuthor Commented:
I would like to. It isn't attached to the OU though. The one I am trying atm is called WSUS. I took that one out of the OU while I was troubleshooting to keep it basic. I am trying to put it back in and gpupdate it to see if it will apply though. Not sure why WSUS isn't showing up on the list when HRB is.
0
Jay_Jay70Commented:
Let's create a new policy and see if it turns up. Think we are getting closer here :)
0
XStoneDogXAuthor Commented:
I noticed it is only trying to apply user policy. The WSUS one is under Computer. Doesn't make much sense.
0
Jay_Jay70Commented:
Do you have GPMC installed? I wouldn't mind taking a look at the policy objects, and where they are located. You can email if you want to keep it secured; I just need a screen shot.

Users are in a users OU - GPO with user settings applied
Computers are in a computers OU - GPO with computer settings applied

All that sort of stuff, yeah. There has to be something simple that we have missed.
0
XStoneDogXAuthor Commented:
Created a new GP called test with only one setting each under computer and user. Linked it to the base so all systems have it. Just disabled some tabs in IE Options. Something easy to check but not intrusive if someone is on their system. It isn't even showing up in gpresult after I gpupdate.

I don't think the DC is recognizing the computers. Just noticed my license only shows 12 max used. That is probably the max on at one point in this office. Definitely have more than that on with the three offices. Plus it isn't even trying to apply Computer settings.
0
Jay_Jay70Commented:
I am guessing this may be related to not using the connectcomputer wizard?? Your gpresult doesn't show any policies at all. Good old SBS, grrrr (wait, I just don't know how to use it).
0
XStoneDogXAuthor Commented:
I was under the impression when I bought SBS that it just bundled the software together, but I have quickly learned that is not the case from a lot of people. lol.

Attaching a screenshot of my GP with my domain name hidden. Most of this stuff is default so nothing I'm really concerned about being on the web. I created an OU for each location, and have been linking GPOs to all of them testing it out.

'test' I just created and it didn't work. WSUS is just the Auto Update settings and WSUS server address and such. HRB is random stuff like screensaver lock and stuff.


GP.JPG
0
Rob WilliamsCommented:
Sorry guys, I'm not at my desk tonight, at least not for a little while, but thought I would check in.

There was mention of the http://sbsserver/connectcomputer wizard. Mike, you are familiar with and using that, right? It's compulsory to get all permissions and policies to work. To add to the complications, if rejoining the SBS domain there are a whole series of hoops you have to jump through, including deletion of folders and changing the computer name. My hat goes off to Jeff for the following excellent walk through:
http://techsoeasy.spaces.live.com/blog/cns!AB2725BC5698FCB8!278.entry
That may not be the problem, but if re-joining, it's important.

Just for the record: you are running gpupdate /force on the wkstn as opposed to the server?
0
Rob WilliamsCommented:
>>"I was under the impression when I bought SBS that it just bundled the software together,"
Uh oh! Another one of us <G>.
Forget everything you ever knew about Server 2003. We have all assumed SBS is just Server 2003 with some bonuses. It's extremely important to use all wizards, and during installation, install all components, and use defaults whenever possible. Most IT guys break their first SBS domain by knowing too much. I know I have done it, at least on my 1st 2 machines.

Is this SBS R2, and is it std or premium?
0
Jay_Jay70Commented:
Yah, as Rob mentioned, it seems to be a fairly crucial step.

K, one more test for me. You have created sub OUs under your MyBusiness - Computers OU.

I have heard people talk about that being a problem. I don't usually listen to it when it comes to SBS, as where I have used it, I just treat it as a standard server. However, I am a stubborn mule most of the time, so it's probably best not to listen to me with SBS.

Let's put a couple of computers back into the root computers OU and attach a policy or two there, then run the gpupdate /force command on those client machines (might even need a reboot) and see if anything applies.

Sorry for so much hit and hope; it's just a little hard on the boards, if ya know what I mean.
0
XStoneDogXAuthor Commented:
Holy sweet crap. I never use the http://sbsserver/connectcomputer; it has been connecting to the domain during the install. Never had a problem with local systems, but you never know. That is going to be a pain in the @#$ to rename them all. I have scripts that run with a lot of if %computername% junk in them. I have just been removing the computer from the server and running the http://sbsserver/connectcomputer to reconnect since trying to troubleshoot this. Guess I have a bit of work to do.

Rob: This is SBS (not R2) Std.  I have been running the gpupdate on the workstation as well as pushing it to the workstation from the server just to make sure.

Jay Jay: I can put the computer in the root Computer OU but I don't see the root Computer OU in the Group Policy Management Console to attach a GPO to it?

I will try some more of your suggestions and then I may start to redo the names and such.  I have one system not being used at the moment so it gives me something to play with during the day at least.  Thanks for the advice.  I think I may be getting in over my head, lol.  My local IT guy said it was just a matter of setting my DNS to my DC.  But it seems a lot more complicated than that, although I don't think he uses Group Policies much.

No worries about the hit and hope, I am way further ahead thanks to you guys. I thought it was firewall or IP ranges.



0
Jay_Jay70Commented:
A good trick to it is to pre-stage all your accounts - create them all in AD and then run the wizard

Admittedly, I never ran any of the wizards and my installs always worked ok - it's hit and miss I think with SBS

By root I just mean the Computers OU - just drag your policy up and link it from the objects container
0
XStoneDogXAuthor Commented:
ok. the Computers under My Business.  There was also a Computer OU under my Domain Name in the Computer and User console.  Will try that.  


Not sure when I am going to be able to reconnect those with new names and redo my scripts.  Will play around with this tomorrow and see what happens.  Going to do it with this one system and see.
0
Jay_Jay70Commented:
Cool cool - let's hope we get something cranking
0
Rob WilliamsCommented:
I am not saying connecting in the usual fashion will not work, but I guarantee not all SBS services will work; at least some policies will not work, and some permissions will not be set as required.

If the server is set up correctly :-) I'll get to that, just change 1 PC to see if you can resolve the problem, rather than messing with all of them. SBS is a lot different, and once you get familiar with it you will love it. It's an amazing product, but to get everything to work (Exchange, Remote Web Workplace, Sharepoint, and so on) within that one little box, you need to use the wizards. You cannot possibly set everything manually.

As for the server, the initial set up is standard, but on the desktop there is an icon "Continue SBS set UP", you need to use that rather than DCPromo, and carry on from there. Everything you need to do for managing users, computers and services can be done from the server management console, and should. For example adding users and computers should be done from here, rather than Active Directory Users and Computers. One of the most important wizards to configure your internet access is the CEICW (Configure e-mail and internet connection wizard) located at server management | Internet and e-mail | connect to the Internet.

Following is a good white paper on SBS design and concepts. It's pretty compact, so worth reading:
http://www.microsoft.com/downloads/details.aspx?FamilyID=71211053-ccd6-4f2b-bbd9-5e7b97c232ec&displaylang=en
0
XStoneDogXAuthor Commented:
I will try the one system tomorrow morning.  Starting to get a headache trying to figure this out.  I did use the wizards for all the initial setup.  And only use the Server Management Console. I have found it very convenient and everything else, Remote Desktop, Exchange, Sharepoint, I can VPN in from home, faxing, the whole works except for these remote system with Group Policy.  Which is probably due to not connecting with the wizard. Although, in that walkthrough it said it had to be DHCP and I don't think I can do that in my current setup.


One more question, my main reason for wanting to push GP. Some of our software isn't compatible with IE7.  I set up WSUS so I could control what gets updated.  After years of telling my staff to always do Windows Updates, now I am scared someone will and pull down IE7. Is it possible to configure the system without group policies to use my server for Windows updates?
0
Jay_Jay70Commented:
You can import reg settings into them, yes, but really, group policy is the way to do it - we just need to get it working
0
Rob WilliamsCommented:
You should be able to get group policy working, though you may need to use Jay_Jay70's (= James) slow link references, but if you want a simple solution you can just kill the installation of IE7:
http://www.microsoft.com/downloads/details.aspx?FamilyId=4516A6F7-5D44-482B-9DBD-869B4A90159C&displaylang=en
or manually:
http://www.technipages.com/prevent-internet-explorer-7-from-installing-via-automatic-updates.html
0
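One way to do what Jay_Jay70 and Rob describe above without Group Policy, as an added example that is not part of the original thread: write the WSUS client settings and the IE7 blocker value straight into the registry, which is exactly what the corresponding policies would do. The WSUS URL (http://server:8530) is an assumption; everything under HKLM needs administrative rights, so this belongs in a startup script or an admin session rather than a per-user logon script. It assumes Windows PowerShell is installed on the workstation.

```powershell
# Added example, not code from the thread. Points a workstation at an internal
# WSUS server and blocks the IE7 upgrade using registry values only, for
# machines that are not receiving Group Policy. Run with administrative rights.

$WsusUrl = 'http://server:8530'   # assumption: your WSUS server URL and port

function Set-RegValue {
    # Creates the key if it does not exist, then writes (or overwrites) one value.
    param([string]$Path, [string]$Name, $Value, [string]$Type)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# Same values the "Specify intranet Microsoft update service location" and
# "Configure Automatic Updates" policies write.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"
Set-RegValue $wu 'WUServer'             $WsusUrl 'String'
Set-RegValue $wu 'WUStatusServer'       $WsusUrl 'String'
Set-RegValue $au 'UseWUServer'          1 'DWord'   # use the intranet server above
Set-RegValue $au 'NoAutoUpdate'         0 'DWord'   # Automatic Updates stays on
Set-RegValue $au 'AUOptions'            4 'DWord'   # 4 = auto download and scheduled install
Set-RegValue $au 'ScheduledInstallDay'  0 'DWord'   # 0 = every day
Set-RegValue $au 'ScheduledInstallTime' 3 'DWord'   # 03:00

# The value the IE7 Blocker Toolkit sets: while it is 1, Automatic Updates
# will not offer Internet Explorer 7 to this machine.
Set-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate' 'DoNotAllowIE70' 1 'DWord'

# Make the Automatic Updates client drop its old server identity, re-read
# the settings above and check in with WSUS now instead of at the next cycle.
Restart-Service -Name wuauserv
& wuauclt.exe /resetauthorization /detectnow

# Read back what the client will actually use.
Get-ItemProperty -Path $wu | Select-Object WUServer, WUStatusServer
Get-ItemProperty -Path $au | Select-Object UseWUServer, AUOptions, ScheduledInstallTime
```

The blocker value only covers the Automatic Updates path; it does not stop a user running the IE7 installer by hand. Once clients point at WSUS, the approval list on the WSUS server is the control that matters, so leave IE7 unapproved (or decline it) there as well.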
XStoneDogXAuthor Commented:
Excellent, thanks. I will add that registry key to my logon script.  Should take that worry away.  I will look over the slow link stuff again.  Most of the work I do on these systems is after a 9-10 hour day of work so I may have missed something.  

Thanks for your patience with me and all the help.  I am on a trial here but definitely will be subscribing with this as my first experience here.  Hopefully I can help others someday.  lol

Mike
0
Rob WilliamsCommented:
If your logon scripts run remotely, GP should work too, so something is out of whack.

EE is a great site. Lots of help and the folks are quite courteous/professional. Someday you might get some help from some good guys, rather than James and me  :-)

Actually you won't get anybody better with AD, DNS and multi server environments than James. He has a hard time speaking English though. He's from some island they call Australia.  ;-)

Let us know how it goes when you have a chance to make some changes.
--Rob
0
Jay_Jay70Commented:
Ha! Hard time speaking English, eh... I don't know what you are talking aboot, Canada! *grin*

Always a pleasure to help Mike :) these are the kinda Questions that make it worth being around, good company and good chatting :)

And you have a guru in Rob here...check his profile....Remote Location KING of the site :)
0
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
Again, I'm just coming into this randomly... since it's now about an 80 comment thread I didn't read it all... but thought I'd comment on your GP issue above.

Your OU's are fine... as long as computer OUs are created under MyBusiness\Computers, and User OU's under MyBusiness\Users.  Once you have these created, they will actually show up in the Add User or Add Computer wizard, and can be designated if you make new user templates.

But on SBS, with Group Policies, you are much better off linking them at the domain/ level, and then using Security Groups to filter them to the appropriate users or computers.  Since there are no other domain trusts this is a much cleaner way to go, and you can be sure they will propagate downward as needed.  (which is why you see all the other GPO's linked where they are).

Jeff
TechSoEasy
0
XStoneDogXAuthor Commented:
I will try the Security Groups.  That would be something very easy to test. I started to go that way so it is all setup, but then switched the OU because it was much easier to change them around. We have staff that move between offices.

Thanks.  Will let you know.
0
Jay_Jay70Commented:
I had no idea about that - good to know :)
0
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
How much more difficult can it be to switch them between Security Groups than between OU's?

And just to follow up on Jay_Jay70's comment:
"Let put a couple of computers back into the root computers OU and attach a policy or two there"

James... this is why you shouldn't be using SBS.  :-)  If you put a couple of computers in the root computers OU you will definitely have problems with Group Policies as well as other things like Exchange permissions and most especially with WSUS.

Jeff
TechSoEasy
0
Jay_Jay70Commented:
lol there we go! Told you I was useless with this stuff :)
0
XStoneDogXAuthor Commented:
Ok. Starting to think I am missing something else completely here. I have 2 computers I built at the remote locations.  They are not getting anything.  I can't even browse to another computer at that location.  I took them off the domain, rejoined via the connection wizard and still can't access the XP 'file server' there.  I can access companyweb but not another local site I have running.  I have the firewall disabled.  After running gpupdate and then gpresult I get "The user "xxxx" does not have RSOP data".  I have the feeling I am missing some basic settings.

What extra settings do you have to set up for remote use?  I set the IP ranges under subnets of Sites and Services. DNS is finding them all, I added scopes for the reverse DNS and it has them all in there. DHCP is back to default as each remote site has their own DHCP. I didn't really set anything else up. Someone mentioned static routes but I am not familiar with that.  Is that mandatory? I can handle not having GP but these two systems aren't getting anywhere. These systems aren't running the logon scripts either.  I am just at a loss now.  Hoping it is something simple I missed.

Thanks
Mike
0
Jay_Jay70Commented:
Sounds like (well, in my world, which isn't SBS, so I may be wrong) your AD side of things is set up fine, DNS, DHCP, accounts etc.; you have even connected them correctly now

were these machines imaged by any chance?
0
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
I'd go back to my first comment that you haven't set up the static routes on the SBS (assuming that the SBS is your default gateway).  The entry would be something like:

route add -p 192.168.0.0 mask 255.255.255.0 192.168.2.2

(where your remote site is using 192.168.0.x and your SBS's IP is 192.168.2.2)

Jeff
TechSoEasy
0
XStoneDogXAuthor Commented:
hmm.  something I am not familiar with at all.

So my SBS DC is 192.168.0.1

Remote sites are 192.168.1.0 and 192.168.2.0

I need to add

route add -p 192.168.1.0 mask 255.255.255.0 192.168.0.1

Is that entered in the command line or in a wizard on SBS? Want to make sure I set it properly, as well, do I have to set static routes in the routers in each location? I know there is the option in the router but never know anything about them.

Thanks guys.  
0
Jay_Jay70Commented:
But DNS is updating, machines are joining, connectivity is there... where do static routes fall into play?? I'm lost
0
XStoneDogXAuthor Commented:
Sorry, on that same topic.  SBS is my default gateway for my main location, but remote locations have their own routers as the default gateway? Is this correct?
0
Jay_Jay70Commented:
Yes, that's fine, if you aren't running ISA etc...
0
XStoneDogXAuthor Commented:
K, should be ok then. not running ISA.  

Looking at the static routes in my router,

It says destination IP, IP subnet, and gateway.

If I was at 192.168.0.* and wanted to set a static route to 192.168.1.* would I set the gateway as 192.168.0.254 or 192.168.1.254 (use .254 as gateway address for each location)?

Also, on a completely other topic. Slow link detection? If it isn't updating Group Policy because of slow link, how does setting a group policy to disable slow link detection going to fix it. I don't see anything in that article that says how to set it to pull it down to get the new policy to allow it over slow link.  Maybe it just works but I don't follow.
0
Jay_Jay70Commented:
With the GPO side of things.... it won't work until you rejoin the domain :)
0
XStoneDogXAuthor Commented:
So when you join the domain it must not check for slow link otherwise it still wouldn't work. On these systems it isn't pulling any GP. gpresults show not found even after rejoining.
0
Jay_Jay70Commented:
I wonder if it works on a push basis rather than a pull - interesting thoughts
0
XStoneDogXAuthor Commented:
regarding the imaging,  nope.  I have an install disk with all my settings built into it, theme, removed 'My Music' etc. but not imaged.  I usually setup all my computers in my office, then move them to remote location, so they get GP when first setup. These two I reinstalled there.

Some more weird behavior, I can browse to the DC by IP but if I do by name, it asks for username and password.  lol.  No clue why that would happen.  
0
Jay_Jay70Commented:
Are your other locations experiencing the same problems?
0
XStoneDogXAuthor Commented:
No, but this is the only location with the machines built on site.  They are experiencing the same issue with our internal website (our own, not the companyweb one).  It works on other systems in the remote sites, just not all of them.
0
Jay_Jay70Commented:
Unbelievable - the fact that you have other sites working points to AD being ok.... but buggered if I know what is going on in that one site - maybe it's a bodgy firewall
0
XStoneDogXAuthor Commented:
Well, I am at a complete loss.  I seem to have it set up right, but it just doesn't like me.  If SBS is this fussy, it will be the last time I use it.  I have used every wizard since I started except the Computer Connect one. I am going to follow those instructions posted above to remove my system and add it as a new computer name and see what happens. If that works, then I have a huge job in front of me renaming all these computers, redoing scripts, and the like.  Seems a little foolish though, imo.  Some of these systems seem to work fine, folder redirects are working, scripts are running, everything but GP is set. Then I have a handful of other systems that just refuse to work.  Funny thing is, I have them all in the same OU now and all the same GP. Every one of them is set the same just to make sure it wasn't something set wrong.  Oh well,  I will let you know if it works.

Thanks
Mike
0
Jay_Jay70Commented:
Yeah, I have plenty of respect for SBS in a small business environment: single site, single purpose, it's a perfect setup... but the minute you wanna really use the capabilities of Active Directory, well, it's time to move to standard Windows in my opinion
0
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
I've set up SBS with multiple off-site locations a number of times... including the one that's keeping me busy this week, and they all work just fine.  

At this point I'd ask that you post a COMPLETE ipconfig /all and a ROUTE PRINT from the SBS as well as a sample remote workstation.

Jeff
TechSoEasy
0
XStoneDogXAuthor Commented:
I would love to use SBS if there was tech support locally. I live on an island and although there are plenty of IT people, no one uses SBS regularly enough to help me.  

Ok. So redid one of the systems following the instructions by techsoeasy (thanks for the link) and it is now at the same stage as all the other machines in the remote offices that I built locally.  It has folder redirects, runs scripts, but not applying all the GP.  

Just saw your post TechSoEasy.  Will run those and post them shortly.  Thanks
0
Rob WilliamsCommented:
Bah! SBS is great  :-)

With SBS, once set up and everything is working, it's great: you can hand a user a computer and tell them to go log on. Their My Docs will be redirected, Outlook automatically configured, remote access automatically configured, and on and on. Swear it's harder to learn than 2003 though. I think you are better off not being an IT guy.

Mike, on the static routes, with all due respect to Jeff, I'm not sure you need them. They certainly won't hurt, but if I understand your configuration correctly, the default gateway will look after the route for you. If you need the routes I can give them to you, but to confirm:
Main site is 192.168.0.0/24
Other sites are:
192.168.1.0/24 & 192.168.2.0/24

Could you also post an IPConfig /all  from the SBS.

You mention you have rejoined some of the remote machines. Does netdiag show anything different than before, on those machines? The local machines that you cannot access, can you ping them?
0
Rob WilliamsCommented:
Whoops, took a call between starting to type and Jeff's last post/request for IPconfig. Sorry for the duplicate request.
0
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
My point of static routes was if the SBS was the default gateway, since it's not, then you're right, they wouldn't help... but I would think having the SBS as the default gateway would be a preferred configuration.

Jeff
TechSoEasy
0
Rob WilliamsCommented:
Agreed if SBS has 2 NICs (thus the request for ipconfig) the static routes would be necessary for SBS LAN PC's to access those on the other sites.
If not the Netgear site-to-site should look after all routing.

Mike did you enable the NetBIOS option on the Netgear VPN config? It's not necessary for DNS, but may help with WINS.
0
XStoneDogXAuthor Commented:
ok,  here they are.  I used the freshly connected workstation that I followed the directions on to reconnect.

oh, and I was mistaken, no GP got applied, not even the folder redirects.  But it is running scripts and able to connect to all local websites/shares.


routeserver.txt
routeworkstations.txt
ipconfigserver.txt
ipconfigworkstation.txt
0
XStoneDogXAuthor Commented:
netbios option is enabled.
0
XStoneDogXAuthor Commented:
Where is the DNS suffix search coming from?  that has my domain name with .com instead of .local
0
Rob WilliamsCommented:
Every thing looks good to me, and I see no need for static routes (assuming the gateways are the Netgear VPN routers), except, as you asked, the following:

DNS Suffix Search List. . . . . . : xxxxxxxx.local
                                    xxxxxxxx.com    <--
Connection-specific DNS Suffix  . : xxxxxxxx.com    <--

Those could be affecting name resolution and group policy. They should show up with Netdiag as well.
They could have been manually added to the network adapter on that machine, under advanced DNS, or possibly in the Netgear router config, probably, but not necessarily on the DHCP page of the router. Check there and on the primary set up page. Once located and removed do an ipconfig renew, and flush DNS.
0
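A workstation-side check for the things Rob lists above (which DNS server the client uses, which suffixes it carries, and whether the domain actually resolves), as an added example that is not part of the thread. It assumes PowerShell 2.0 or later on the workstation, a placeholder AD domain name of contoso.local, and the DC address 192.168.0.1 from the thread; substitute your own.

```powershell
# Added example, not code from the thread. Checks the DNS settings a domain
# workstation needs before Group Policy can even be located: DNS server list,
# DNS suffixes, the DC locator SRV records, and the SYSVOL policies share.
# Assumes PowerShell 2.0+; domain name and DC address are placeholders.

$domain = 'contoso.local'   # assumption: your AD DNS domain name
$dcIp   = '192.168.0.1'     # the SBS DC, as in the thread

$problems = 0

# 1. Adapter DNS settings (the same data ipconfig /all shows, read via WMI).
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True'
foreach ($n in $nics) {
    "$($n.Description)"
    "  DNS servers : $($n.DNSServerSearchOrder -join ', ')"
    "  Conn suffix : $($n.DNSDomain)"
    "  Search list : $($n.DNSDomainSuffixSearchOrder -join ', ')"

    # Every DNS server must be the DC: an ISP resolver in the list answers
    # queries for _msdcs records with NXDOMAIN and breaks the DC locator.
    $foreign = @($n.DNSServerSearchOrder | Where-Object { $_ -ne $dcIp })
    if ($foreign.Count -gt 0) {
        "  PROBLEM: non-DC DNS server(s): $($foreign -join ', ')"; $problems++
    }
    # A connection-specific suffix other than the AD domain (for example a
    # .com handed out by the router) makes unqualified names resolve elsewhere.
    if ($n.DNSDomain -and $n.DNSDomain -ne $domain) {
        "  PROBLEM: connection-specific suffix is '$($n.DNSDomain)', not '$domain'"; $problems++
    }
}

# 2. DC locator records. A client finds its DC through these SRV records,
#    so if they do not resolve against the DC, logon and GP cannot work.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$domain",
    "_kerberos._tcp.dc._msdcs.$domain",
    "_ldap._tcp.pdc._msdcs.$domain"
)
foreach ($name in $srvNames) {
    $out = & nslookup.exe -type=SRV $name $dcIp 2>&1 | Out-String
    if ($out -match 'svr hostname\s*=\s*(\S+)') {
        "OK      $name -> $($Matches[1])"
    } else {
        "PROBLEM $name : no SRV answer from $dcIp"; $problems++
    }
}

# 3. The policies share itself. GPO files are read from here at logon.
$policies = "\\$domain\SYSVOL\$domain\Policies"
if (Test-Path -Path $policies) { "OK      $policies reachable" }
else { "PROBLEM cannot reach $policies"; $problems++ }

"Problems found: $problems"
```

Run it on a remote-site workstation and on one at the main site and compare the two outputs; a suffix or DNS server that only appears at the remote site points at that site's router configuration, as it did in this thread.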
Jay_Jay70Commented:
mmmm that .com suffix is fairly interesting! where is that coming from?
0
XStoneDogXAuthor Commented:
OK, got that .com off.  I had an Account Name and Domain Name set under the Basic settings in the router.  Should that be set or blank? I set the domain to my .local domain. Should anything be in Account Name, if so, what?  Rebooted machine and still not getting GP with them switched to .local
0
Rob WilliamsCommented:
No need for "account name" on router.
Did you try Netdiag again? My favorite tool, if you haven't noticed :-)
0
XStoneDogXAuthor Commented:
I will attach it.  I don't see any significant change.
NetDiag.log
0
Rob WilliamsCommented:
That is weird. I have never seen GP not work, and not get errors in netdiag.
I assume nslookup domain.local    works as well if netdiag is OK.

By the way your domain name is included in ipconfigserver.txt above. You can ask the moderators to remove it if you like. You may also want to get rid of the public IP in routeserver.txt.  Don't panic, you just probably don't want that here for eternity.
0
Netman66Commented:
Subscribing...I'll read this novel shortly!
0
Rob WilliamsCommented:
Netman66, have we set a record yet?
0
XStoneDogXAuthor Commented:
Yes, I remembered that about 3 seconds after I hit submit, lol.  I figured I would wait to make sure you guys got to see it before I asked to have it removed.  The IP will be changed before long anyway.  Will just reboot the router and get a new one. lol  Thanks for the heads up though.


When I run nslookup  xxxxxx.local i get this
Server:   server.xxxxxx.local
Address:   192.168.0.1

*** server.xxxxxxx.local can't find xxxxxx.local: Non-existent domain


not sure what that last part means.
0
Netman66Commented:
Not quite!  I think I hold that one for longest post....I could be wrong though.

0
Jay_Jay70Commented:
Big guns are here now, if he can dig himself out of the snow......you might need to go get a shovel Rob
0
Rob WilliamsCommented:
Mike, what about
nslookup server.xxxxxx.local

You are definitely out numbered now James. The 3 of us form a 150 km radius circle within Atlantic Canada. 3 provinces represented. Not sure who would have more snow, Mike or Netman66. Ours is pretty much gone.
0
XStoneDogXAuthor Commented:
nslookup worked for that:

Server:  server.xxxxxxx.local
Address:  192.168.0.1

Name:    server.xxxxxxx.local
Address:  192.168.0.1

We just got a dumping of snow on Monday, what part of NB are you from Net, you may have more or less. Sorry for the novel, I tend to be long winded sometimes, trait from my mother.
0
Jay_Jay70Commented:
I'm always outnumbered on the boards, us Aussies are a rare breed

Mike, I hardly think it's you being long winded... it's bloody Windows doing its thing - though it keeps me in a job
0
Netman66Commented:
Freddy.  Just had 8 inches with 4 hours of freezing rain on top of it.  What a freakin' mess.

0
XStoneDogXAuthor Commented:
Just a thought.  Looking at my gpresults it says "Connected over a slow link?: Yes" even after rejoining domain.  Is there a way to disable this in the computer itself to allow it to update even over slow link? When I connected to the DC with this test system I am not getting any GPO on it.  So it couldn't have disabled it if had been previously set, which I assume it would have since I can't ping 2048k.
0
XStoneDogXAuthor Commented:
I think that fixed it.  I read that article earlier about the reg keys, but didn't set them as they didn't exist and was trying to apply them through the GPO.  I created the Local Machine key and GPO updated.  Still not very fast logon and for about 10-15 minutes local file browsing is slow, but it seems to be working.  Heading to bed but will do some more testing in the morning to make sure.

Oh, I think you may have me beat Netmann.  We did get a fair bit of snow but it has been raining here, not freezing rain, so it is slowing melting away.

Night guys, thanks for the help.

0
Netman66Commented:
Slow link detection is a PITA.  Yes, if those keys don't exist (because the computer never received a policy) then create them.

Please don't include me in any point distribution - I'm just confirming what you've done.

0
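The registry change the two posts above describe, as an added example that is not part of the thread: create the GroupPolicyMinTransferRate value that the "Configure Group Policy slow link detection" policy would otherwise write (it cannot, because the policy never arrives over the slow link), refresh policy, and read back gpresult's slow-link verdict. It assumes PowerShell is available on the workstation and administrative rights for the HKLM value; the HKCU value only affects the account running the script.

```powershell
# Added example, not code from the thread. Turns off Group Policy slow-link
# detection on a workstation that has never received the policy (so the
# value does not yet exist), then forces a refresh and shows the result.

# GroupPolicyMinTransferRate is the threshold in Kbps; links measured below
# it are "slow" and only a subset of policy is applied. The default is 500.
# 0 disables detection entirely: every link is treated as fast, so folder
# redirection, software installation, scripts etc. all apply over the VPN.
$minTransferRateKbps = 0

$targets = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System',   # computer policy
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\System'    # user policy, current user only
)
foreach ($path in $targets) {
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name 'GroupPolicyMinTransferRate' `
        -Value $minTransferRateKbps -PropertyType DWord -Force | Out-Null
    "$path\GroupPolicyMinTransferRate = $((Get-ItemProperty -Path $path).GroupPolicyMinTransferRate)"
}

# /force reapplies every setting, not just the ones that changed since last time.
& gpupdate.exe /force | Out-Null

# gpresult reports "Connected over a slow link?: Yes/No" for each scope.
foreach ($scope in 'computer', 'user') {
    $line = & gpresult.exe /scope $scope /v 2>&1 | Select-String -Pattern 'slow link'
    "$scope : $line"
}
```

The trade-off is the one the thread runs into next: once the link counts as fast, redirected My Documents and whatever the logon script pulls from the server run across the VPN at every logon. If that is too slow, either set a threshold just below the speed the VPN actually measures instead of 0, or take folder redirection out of the remote-site users' policy. Once the machine is receiving policy at all, the same setting can be carried by a GPO rather than a script.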
XStoneDogXAuthor Commented:
Ok. I think I am worse off.  I can get them to apply GPO.  I have an office with three systems so I put the reg update in them and they are getting GPO.  Now, since I have done that, they are so bloody slow they are almost unusable.  It seems authenticating is very slow now. Someone mentioned before that logon in remote sites is very similar to on the local LAN?  I am not experiencing this at all.  Are you running logon scripts? I have a lot of things locked down; is it faster to just have maybe 1 or 2 security groups and keep things basic?

At a loss again.
0
Netman66Commented:
Is this remote site on a different subnet?

Have you defined it in AD Sites and Services?

Are you redirecting folders?

Do you have roaming profiles?

0
XStoneDogXAuthor Commented:
Yes, different Subnet.

I did add it to Sites and Services, but not 100% familiar with that, hope it is setup right. First setup with remote locations.

It is setup to redirect folders, default for SBS.  

I don't believe roaming profiles are configured. I didn't set them up at least, unless SBS has it as default.  Not 100% sure what SBS does and doesn't do by default.

I removed them from my custom GPO just in case it was that; I only have them with the default GPO and one extra for WSUS.  Still acting odd.  Strange thing is though, my account seems to work ok, not like it does at my main office, but pretty good.  Other accounts won't run logon scripts anymore, and extremely slow file browsing.  Takes a good 5 minutes to logon.

0
Netman66Commented:
How many users at the remote office?

I may have jumped the gun if you don't have a remote DC - you won't need a Site if that's the case.

Folder redirection could be one cause for slowness.  If everything is at the main site it will definitely take a hit there.

Where are your clients pointing for DNS?  They should only point to your DNS server.  If you have a Cisco router, you may need a helper IP.
0
XStoneDogXAuthor Commented:
I have two remote locations, the one that I pushed GPO to has 3, other one has 5 and I have about 17 at the DC site.

Question then, should I take the subnet info out of the Sites and Services section?

Folder redirects are on for My Docs but that I believe is it, and we don't store anything in that location except maybe a few personal files.  

All machines only have the one DNS, to the DC.  They straightened me out on that one earlier.  lol. No Cisco router, Netgear.

I am going to make one last effort today and then put them on a workgroup temporarily if I can't get it to work. We are going to need all systems running at 100% here by Monday as we have full staff coming in and it has been announced that location will be opening on Monday.  I will still be doing this, just have to wait a few weeks to start again.  
0
Netman66Commented:
Subnet info can be removed, or you can leave it - it's a matter of choice.  There's no technical reason to keep it if there is no DC at the site.  Sorry about not asking first!

I'm online today (right now) for awhile - if you want another pair of eyes remotely then send me a line at my alias here at gmail.

What DNS information does the Netgear contain?  If it picked up DNS from the ISP then that needs to be addressed with static addressing.

0
Netman66Commented:
Ok, I just had a chance to read this entire thread.

I need to clarify something.  Your main site has a Netgear router with VPN.  You are connecting other (remote) sites to this main site using VPN between the routers - correct?

If so, why do I see a RAS/SLIP setup on the SBS server?  You can VPN the router from outside to connect to the inside - there isn't really a need for this on the server itself.

Next, I saw something in a post about IPSec policies.  If your clients do not VPN directly (which they don't) you can disable the IPSec service on each workstation so it doesn't interfere with normal domain communication.  

You can likely Stop and set to Manual the same service on the SBS server.

Make sure the routers are all set to use your own DNS server - also ensure your DNS server has a Forwarder to at least 2 ISP DNS servers for Internet resolution.

You also have an issue on the SBS server with the Node Type = Unknown - see this to correct it:
http://support.microsoft.com/kb/310570

Let us know.

0
XStoneDogXAuthor Commented:
Ya, Netgear router with VPN, all permanent (3) sites have these. I have the VPN enabled on SBS so I can remote in when I am traveling.  I don't have the netgear client software so I use the built in VPN.  Not sure what IPSec policies the workstations have. Is that something I can/should disable with GPO.  Only two of us ever remote into the VPN outside our offices, so it shouldn't be needed on workstations I guess. I am not as familiar with it as I should be, I ran the SBS wizard and left it.

Things do seem to be running well there now.  Logon scripts are taking awhile, but I do have a lot of custom stuff in them. So it could be just my setup.  

Thanks,
Mike
0
XStoneDogXAuthor Commented:
I have never awarded points before,  I can split them I understand but is there anything I should know before I hit it.  I don't want to start the process and make a mistake.

Thanks for your help all.
0
Netman66Commented:
I have to suggest using the Netgear VPN software to attach to the router rather than attaching to the server.  It just adds a layer of complexity this way.

If it's working - leave things awhile and see if you're happy.

As for points, don't give any to me.

I would split them up between James, Rob and Jeff.

0
XStoneDogXAuthor Commented:
Thank you all so much for getting me past this. It was the first thing that was mentioned that in the end fixed me up, but I learned a lot and fixed some other errors along the way that would have caused a lot of headaches.  Great community, I will be joining the site.

Mike
0
Rob WilliamsCommented:
Thanks XStoneDogX. Sorry I disappeared on you. Nuisance project this week took a lot of time.
Does this mean all is working properly, or did you revert to the workgroup? Last posts seem as if things were still slow. Logons should only be delayed a few seconds if you are not redirecting My Docs and using roaming profiles.

To add to Netman66's comments, using the Netgear ProSafe VPN client ($50) would be more secure as it uses IPSec, you are connecting to a perimeter device, and you can then close port 1723. It does require of course that the client be installed, which may be a problem sometimes. One point I thought I should bring up though, where it uses IPSec, and the site-to-site tunnels use IPSec, you may lose one feature. Using PPTP/SBS VPN you can likely connect, and if routing is set up, access the SBS site and remote sites through the same tunnel. The Netgear probably won't work that way as it is the same protocol. You will have to connect to each site individually. You can have more than one connection at one time. It's just a funky little 'thing' with lower end VPNs where you cannot re-route the IPSec client traffic through an IPSec site-to-site tunnel.

Cheers All !
--Rob
0
Jay_Jay70Commented:
wow, so after reading the last few days events - what was the solution!?!?!
0
Jay_Jay70Commented:
Ah... found it :) Glad it's all up and running mate :)
0
XStoneDogXAuthor Commented:
I didn't switch to the workgroup. I now have the registry setting for slow link applied in the logon script.  Should keep things running.

Logon is still not as fast as hoped, but I do have folder redirects on for My Docs, and my scripts are quite large. I may change it around so only local systems use the folder redirects, but not the end of the world.  They will put up with slow logons as long as it works well when it is up. lol. I checked My Docs on their systems and no one has over 1 meg; could it still be the cause of the slowness? The logon scripts I kind of need as they set up some proprietary software settings that I can't do through GPO.

I may take your suggestion for the Netgear VPN Client.  It is very rare that I use it on any more than 2-3 other computers outside the office; I could just have it on all of them just in case.  

Again, thanks all. I have seen Experts Exchange on a lot of searching I have done over the years, and finally decided to try it out.  Kicking myself for being too cheap to try it out. Hope I can do some helping in the near future.

Mike


0
Jay_Jay70Commented:
you will be welcome any time :)
0
Rob WilliamsCommented:
How slow is slow (logons)?
0
XStoneDogXAuthor Commented:
Applying Settings takes about 1.5 minutes and then logon scripts take about 2 - 2.5 minutes.  In all it takes about 4 minutes before it is up and ready to use.  Is it necessary to have "\\SERVER\Clients\Setup\setup.exe /s SERVER" in the scripts?  It seems that is where it hangs the longest.

Locally it is under 1 minute.
0
Jay_Jay70Commented:
Hehe, that stuff was always ripped out of any SBS scripts I used :) long scripts will be a prick over the WAN and I wouldn't be too keen on folder redirection either
0
Rob WilliamsCommented:
That is a long time. I would have expected 30sec  to 2.5 minutes, with your config.
Technically you should not remove the \\SERVER\Clients\Setup\setup.exe /s SERVER from the script, but I would be awfully tempted. What it does is check if any changes have been made such as printers added, software to deploy, and so on. If it discovers any updates it pushes them out, but the discovery process is slow. Kind of nice to have new printers automatically installed for clients, or Active Sync updated, but you can likely work around that, or just force it to run as needed. Logon scripts shouldn't affect it too much, but re-directed my docs can slow it down a fair amount, even if the contents are small.
0
Jay_Jay70Commented:
It doesn't sound like you are pushing too much out of SBS except for basic authentication etc.... despite the beating I will get from Jeff for saying this - I would just remove it..... I understand not everything will work the way SBS says it should - but you aren't utilising SBS for much other than Active Directory....
0
XStoneDogXAuthor Commented:
Well.  I disabled the logon scripts and everything is running almost as fast as if it was local.  Seems they were causing delays even before they showed up to run.  I will play with that more when business slows down in the summer.  Thanks again all, just wanted to let you know all was working well.
0
Rob WilliamsCommented:
Wonder if it was slow accessing the script or running the script. If the former you could move the script to a local source. That is more difficult to manage, but if it doesn't change often, it might be an option.
0