Iekos asked:
Group Policy will not load away from Terminal Server. What am I doing wrong?

Hi there,

I hope someone here can help me as I'm sooo stuck.

I am having a problem trying to get group policy to work. The way it is set up is as follows:

Location 1
MS Server 2003 - User using Terminal Server and the group policy works fine

Location 2
This location is connected to location 1 via Draytek LAN to LAN and the two are talking to each other.
MS Server 2003 R2 joined domain to Location 1

On any PC in location 1 as a terminal server user, the group policy loads perfectly with all the correct restrictions, but when anyone logs in from location 2 (not terminal server), the policy will not apply at all but they log in OK.

I am soooo confused and I need help so plllleeeaassse, can you try and help me find why this is the case.

Many Thanks in advance.
kollenh

Missing a little bit of information to be effective for you so here is where to start:
-Are the client computers in location 2 domain members?  (I'm assuming so because you state they log in ok)
-What role does the "MS Server 2003 R2 joined domain to Location 1" fill for you; DC, DHCP, DNS?
-What domain controller is authenticating the login at Location 2?
-What are the DNS settings being assigned to clients at Location2, and which server does that represent?
-What is the result of 'gpresult /scope:computer' when you run it on a computer in Location 2?
-Where are you applying the Group Policy in your domain, at the top-level or a child OU?
Iekos (ASKER)

Hi There..  sorry for the delay in the response..  Here are the answers you require:

Location 1
Draytek 2820n Router: fixed ip range 200.200.200.254
IP Range:  100.100.100.0/254
Server 2003 running the following: Fixed IP at 100.100.100.1
SUB: 255.255.255.0
GATE: 100.100.100.254
DNS1: 100.100.100.1  DNS2: BLANK
DNS SERVICE ENABLED ON THIS SERVER: YES
DC:  YTS.LOCAL
Exchange
Terminal Server
4 Desktop PCs running as dumb terminals connecting to 100.100.100.1 via RDP, and group policy working fine.

Location 2
Draytek 2820n Router: fixed ip 200.200.200.254 connected dial out VPN lan to lan to Location 1
IP Range:  200.200.200.0/254
SUB: 255.255.255.0
GATE: 200.200.200.254
DNS1:  100.100.100.1  DNS2:  200.200.200.1
DNS SERVICE ENABLED ON THIS SERVER:  YES
Server 2003 R2:  Fixed IP 200.200.200.1
DNS
FILE PRINT SHARING
5 Desktop PCs connecting to the YTS.LOCAL domain OK but will not load the group policy with the restrictions :)

Your Question:
-What domain controller is authenticating the login at Location 2?
Answer:  There is no DC in Location 2; its server just joins Location 1's domain

Your Question:
-What is the result of 'gpresult /scope:computer' when you run it on a computer in Location 2?
Answer:  I'm not at the desk right now but I will be in 30min

Your Question:
-Where are you applying the Group Policy in your domain, at the top-level or a child OU?
Answer:  In a child OU

Hope this helps..
kollenh

Is the "dial out VPN lan to lan to Location 1" an always-active connection?   Any idea what the latency is between your sites?

I'm sure you've already done this but just so we don't skip the basics, make sure that the Desktop PCs are members of the child OU (or a child of that child) where the Policy is applied.  Also make sure that they are a member of any security group you may be using for filtering.

Say, I just noticed that the server in Location 2 has DNS running; are the desktops there pointed to it for DNS?  If so, and it's not a DC then you're probably missing the needed SRV records for clients to do proper lookups.  Group Policy failing is usually a DNS or Replication issue, so good chance you'll find the issue in your DNS arrangement.
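As an added example (not code from the thread or from either participant), the checks kollenh asks for in his first reply and the DNS/SRV point above, collected into one PowerShell script to run on a Location 2 desktop. It assumes Windows PowerShell on a domain-joined client with nslookup and gpresult available; the SRV record name and the output filter strings are my own.

```powershell
# Added diagnostic script (not from the thread). Reports which DC authenticated,
# which DNS servers the client uses, whether that DNS answers the DC locator SRV
# query, where the computer object sits in AD, and the computer-side gpresult.
# Assumes Windows PowerShell on a domain-joined desktop with nslookup and gpresult.

$domain = $env:USERDNSDOMAIN            # e.g. YTS.LOCAL in the thread

# 1. Which domain controller authenticated this session?
Write-Output "Logon server : $env:LOGONSERVER"

# 2. DNS servers handed to this client (DHCP from the Draytek router in the thread)
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
    ForEach-Object {
        Write-Output "DNS servers  : $($_.DNSServerSearchOrder -join ', ')  [$($_.Description)]"
    }

# 3. Does the client's DNS return the SRV records used to locate a DC?
#    A member server running DNS without the AD zone (as at Location 2) has none,
#    so a client that only asks it cannot find a DC and Group Policy is skipped.
$srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain" 2>&1
if ($srv -match 'svr hostname') {
    Write-Output "SRV lookup   : OK"
    $srv | Where-Object { $_ -match 'svr hostname' } | ForEach-Object { Write-Output "    $_" }
} else {
    Write-Output "SRV lookup   : FAILED - check the DNS server addresses listed above"
}

# 4. Is the computer object inside the child OU where the GPO is linked?
#    [adsisearcher] searches the current domain; no RSAT module required.
$searcher = [adsisearcher]"(&(objectCategory=computer)(cn=$env:COMPUTERNAME))"
$result   = $searcher.FindOne()
if ($result) {
    Write-Output "Computer DN  : $($result.Properties['distinguishedname'])"
} else {
    Write-Output "Computer DN  : not found in AD (is this machine domain-joined?)"
}

# 5. The computer-side Group Policy result kollenh asked for
gpresult /scope:computer
```

If the SRV lookup fails while the logon server is still found, the client is falling back to a cached DC; fixing the DNS addresses handed out by DHCP is the step to take before anything else.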
Iekos (ASKER)

OK.  I see.  Now first thing is that I need you to understand that I am quite new to Active Directory and I am still learning, so please bear with me.

Yes, the LAN to LAN is always on and I'm not too sure what the latency is between them.

Now adding the desktop PCs as members of the child OU.  No, I haven't done this at all and I didn't realize this is essential.  At my last place of work, new PCs weren't added to AD and so I didn't think this was required.  Please can you guide me on how I can do this.  As to security groups, the only things I have done to AD are to create a child OU and edit its group policy so that when clients log in they can't do certain things.

The client PCs' DNS is assigned by DHCP which is on the router.  The router has a setting that can force DNS but I have not implemented it at all..  Maybe that is the cause..  emmmmm..

It's now quite late and I can't get to the PCs, so may I continue this tomorrow?

Many Thanks for your help and chat soon
ASKER CERTIFIED SOLUTION
kollenh
Iekos (ASKER)

I am in the office..  I'm ready to try what you have suggested and I shall post an update soon..

How do I do this please?
"The only real viable fix for you is to change the DHCP scope to assign the '100.100.100.1' server or promote the server at location 2 to another DC (which I would actually recommend if you only have a single DC)."

I'm guessing the first step is to make location 2 into a DC. Should it be different to location 1's DC or the same?
Will AD replicate across the two locations?
Iekos (ASKER)

Great News..

The problem has been solved..

I dragged and dropped a computer into the CHILD OU and the policy loaded as expected :)

I am sooooo happy lol..

Thank you very very much for your help.

Shall I still create another DC?

I now also have another annoying problem.
The desktops are Dell PCs and I can't get the group policy to change the home page or desktop picture.  I think this is due to Dell forcing this in the registry :(
Do I launch another ticket for this?
kollenh

Sorry I didn't get back to you sooner... glad I was able to get you down the correct path towards your solution!  Actually, I think your other problem is related to the same issue.  Home page and desktop background are "user-side" settings, meaning that your Policy settings need to be adjusted under User Configuration and, in order for it to take effect, the user object must be in the same OU as where the Policy is linked, just as with the computer objects.  An alternative to moving the user objects would be to link the same Policy to the OU where they currently are, provided you want that Policy to apply to all those users.

If you can spare some time, cruise the TechNet site; you'll find a lot of information about working with Group Policy.  My suggestion from personal experience is to play with it as much as possible in your own lab-type environment (meaning not your regular user account and workstation) because it's the best way to learn.

Regarding whether you still need another DC, think about this:  Currently all your domain information is stored in one place.  If anything irrecoverable happens to that server, you will lose your entire domain environment, including all the Policies, etc.  If you have the licensing, consider installing server on another system, even if it's an older computer, just to have the redundancy.  If you don't have the hardware to spare, load up Virtual Server 2005 R2 and run the 2nd Domain Controller in a virtual environment; it won't need much in the way of resources.  That's what I've done for smaller companies.