Solved

Group Policy will not load away from Terminal Server.  What am I doing wrong?

Posted on 2008-06-20
Last Modified: 2013-11-21
Hi there,

I hope someone here can help me as I'm sooo stuck.

I am having a problem trying to get group policy to work. The way it is set up is as follows:

Location 1
MS Server 2003 - User using Terminal Server and the group policy works fine

Location 2
This location is connected to location 1 via Draytek Lan to Lan and is talking to each other.
MS Server 2003 R2 joined domain to Location 1

On any PC in location 1 as a terminal server user, the group policy loads perfectly with all the correct restrictions, but when anyone logs in from location 2 (not terminal server), the policy will not apply at all, although they log in ok.

I am soooo confused and I need help so plllleeeaassse, can you try and help me find why this is the case.

Many Thanks in advance.
Question by:Iekos

Expert Comment

by:kollenh
ID: 21833905
Missing a little bit of information to be effective for you so here is where to start:
-Are the client computers in location 2 domain members?  (I'm assuming so because you state they log in ok)
-What role does the "MS Server 2003 R2 joined domain to Location 1" fill for you; DC, DHCP, DNS?
-What domain controller is authenticating the login at Location 2?
-What are the DNS settings being assigned to clients at Location2, and which server does that represent?
-What is the result of 'gpresult /scope:computer' when you run it on a computer in Location 2?
-Where are you applying the Group Policy in your domain, at the top-level or a child OU?

Author Comment

by:Iekos
ID: 21834555
Hi There..  sorry for the delay in the response..  Here are the answers you require:

Location 1
Draytek 2820n Router: fixed ip range 200.200.200.254
IP Range:  100.100.100.0/254
Server 2003 running the following: Fixed IP at 100.100.100.1
SUB: 255.255.255.0
GATE: 100.100.100.254
DNS1: 100.100.100.1  DNS2: BLANK
DNS SERVICE ENABLED ON THIS SERVER: YES
DC:  YTS.LOCAL
Exchange
Terminal Server
4 Desktop PCs running as dumb terminals connecting to 100.100.100.1 via RDP, and group policy working fine.

Location 2
Draytek 2820n Router: fixed ip 200.200.200.254 connected dial out VPN lan to lan to Location 1
IP Range:  200.200.200.0/254
SUB: 255.255.255.0
GATE: 200.200.200.254
DNS1:  100.100.100.1  DNS2:  200.200.200.1
DNS SERVICE ENABLED ON THIS SERVER:  YES
Server 2003 R2:  Fixed IP 200.200.200.1
DNS
FILE PRINT SHARING
5 Desktop PC connecting to the YTS.LOCAL domain OK but will not load the group policy with the restrictions :)

Your Question:
-What domain controller is authenticating the login at Location 2?
Answer:  There is no DC in Location 2's server as it joins Location 1's domain

Your Question:
-What is the result of 'gpresult /scope:computer' when you run it on a computer in Location 2?
Answer:  I'm not at the desk right now but I will be in 30min

Your Question:
-Where are you applying the Group Policy in your domain, at the top-level or a child OU?
Answer:  In a child OU

Hope this helps..

Expert Comment

by:kollenh
ID: 21834703
Is the "dial out VPN lan to lan to Location 1" an always-active connection?   Any idea what the latency is between your sites?

I'm sure you've already done this but just so we don't skip the basics, make sure that the Desktop PCs are members of the child OU (or a child of that child) where the Policy is applied.  Also make sure that they are a member of any security group you may be using for filtering.

Say, I just noticed that the server in Location 2 has DNS running; are the desktops there pointed to it for DNS?  If so, and it's not a DC then you're probably missing the needed SRV records for clients to do proper lookups.  Group Policy failing is usually a DNS or Replication issue, so good chance you'll find the issue in your DNS arrangement.

Author Comment

by:Iekos
ID: 21835380
OK.  I see.  Now first thing is that I need you to understand that I am quite new to Active Directory and I am still learning, so please bear with me.

Yes, the LAN to LAN is always on and I'm not too sure what the latency is between them.

Now, adding the Desktop PCs as members of the child OU.  No, I haven't done this at all and I didn't realize this is essential.  At my last place of work, new PCs weren't added to AD and so I didn't think this was required.  Please can you guide me on how I can do this.  As to security groups, the only things I have done to AD are to create a child OU and edit its group policy so that when clients log in they can't do certain things.

The client PCs' DNS is assigned by DHCP, which is on the router.  The router has a setting that can force DNS but I have not implemented it at all..  Maybe that is the cause..  emmmmm..

It's now quite late and I can't get to the PCs, so may I continue this tomorrow?

Many Thanks for your help and chat soon
Accepted Solution

by:kollenh (earned 500 total points)
ID: 21835547
Ok, thanks for letting me know.  I'll try to spell out each step just in case you're not familiar with what I'm talking about.  I am not likely to be around tomorrow (working) but I'll try to drop in front of the computer at some point and check in on you.

Linking Policies, background info:  When you create and link a Policy to an OU within Active Directory, it will only apply to objects (that is, users, computers, etc.) within that specific OU or a child.  I'm not sure if your Policy has user and/or computer settings but both objects will need to be in the OU for the settings to take effect.  Think of a user and a computer as separate entities when it comes to creating a Policy; you can have settings for both in one Policy but that doesn't guarantee that if you apply the Policy that both computer AND user will receive the changes.

The first step is to look at what DNS server is being assigned via DHCP to those desktops at location 2 and ensure it has all the required SRV records.  If it doesn't, this is a big part of why things aren't working properly.  To check the DNS server, open up the DNS snap-in (if it's your first time opening it, you may have to right-click --> Connect to DNS server) and open the Forward Lookup Zones.  Under there you should find one for your AD domain titled like "_msdcs.yts.local" - this is where all the information for your clients to find AD resources is located.  If the DNS server at Location 2 doesn't have this information and clients are pointed to him, this is a big part of why things are failing.  The only real viable fix for you is to change the DHCP scope to assign the '100.100.100.1' server or promote the server at location 2 to another DC (which I would actually recommend if you only have a single DC).

Regarding moving the computer objects, if you open up the Active Directory Users & Computers snap-in and browse to where the computers are currently located, you can simply drag & drop them into the new OU - just like in Windows Explorer.

Security on a Policy:  Unless you changed the default security or filtering when you created the Policy, I wouldn't worry about that part.  I can explain more if you're interested but I'd focus on problem resolution first.
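The two checks in the accepted answer (does the clients' DNS server carry the AD locator SRV records, and is the computer object under the OU the policy is linked to), as an added PowerShell example that is not from the thread. It assumes the RSAT ActiveDirectory and GroupPolicy modules on a domain-joined host; the computer name LOC2-PC01, the user jsmith and the OU path are hypothetical, and the IPs and domain are the ones given in the thread. It also checks a user object, since user-side settings follow the user's OU rather than the computer's.

```powershell
# Added example (not from the thread). Requires RSAT ActiveDirectory + GroupPolicy modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain     = 'yts.local'
$dnsServers = @('100.100.100.1', '200.200.200.1')   # DNS1 / DNS2 handed to Location 2 clients
$computer   = 'LOC2-PC01'                           # hypothetical desktop at Location 2
$user       = 'jsmith'                              # hypothetical user who logs on there
$targetOu   = 'OU=Restricted,DC=yts,DC=local'       # hypothetical child OU the GPO is linked to

# 1. Can each DNS server the clients use answer the DC locator SRV query?
#    A non-DC DNS server without the _msdcs zone returns nothing here, which is the
#    "missing SRV records" failure kollenh describes.
foreach ($srv in $dnsServers) {
    $rec = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV `
                           -Server $srv -ErrorAction SilentlyContinue
    $dcs = ($rec | Where-Object Type -eq 'SRV').NameTarget
    if ($dcs) {
        "$srv : DC locator SRV ok -> " + ($dcs -join ', ')
    } else {
        "$srv : NO _msdcs SRV records - clients pointed here cannot locate a DC"
    }
}

# 2. Is the object inside the linked OU (or a child of it)? A GPO linked at $targetOu
#    applies only to objects whose DN ends with that OU's DN.
function Test-UnderOu([string]$Dn, [string]$Ou) { return $Dn -like "*,$Ou" }

$cdn = (Get-ADComputer -Identity $computer).DistinguishedName
if (Test-UnderOu $cdn $targetOu) { "$computer under $targetOu - computer-side settings apply" }
else { "$computer is at '$cdn' - move it into $targetOu (or link the GPO there)" }

# Same test for the user: home page / wallpaper are user-side settings.
$udn = (Get-ADUser -Identity $user).DistinguishedName
if (Test-UnderOu $udn $targetOu) { "$user under $targetOu - user-side settings apply" }
else { "$user is at '$udn' - user-side settings will NOT apply from this link" }

# 3. Which GPOs are linked at that OU, and are the links enabled?
(Get-GPInheritance -Target $targetOu).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order
```

Run it on the Location 2 desktop after a `gpupdate /force`; `gpresult /r` on the same machine should then list the GPO under Applied Group Policy Objects.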

Author Comment

by:Iekos
ID: 21837013
I am in the office..  I'm ready to try what you have suggested and I shall post an update soon..

How do I do this please?
"The only real viable fix for you is to change the DHCP scope to assign the '100.100.100.1' server or promote the server at location 2 to another DC (which I would actually recommend if you only have a single DC)."

I'm guessing first is to make location 2 into a DC and to be different to location 1's DC or the same?
Will AD replicate across the two locations?

Author Comment

by:Iekos
ID: 21837081
Great News..

The problem has been solved..

I dragged and dropped a computer into the CHILD OU and the policy loaded as expected :)

I am sooooo happy lol..

Thank you very very much for your help.

Shall I still create another DC?

I now also have another annoying problem.
The desktops are Dell PCs and I can't get the group policy to change the home page or desktop picture.  I think this is due to Dell forcing this in the registry :(
Do I launch another ticket for this?

Expert Comment

by:kollenh
ID: 21857099
Sorry I didn't get back to you sooner... glad I was able to get you down the correct path towards your solution!  Actually I think your other problem is related to the same issue.  Home page and desktop background are "user-side" settings, meaning that your Policy settings need to be adjusted under User Configuration and, in order for it to take effect, the user object must be in the same OU as where the Policy is linked, just as with the computer objects.  An alternative to moving the user objects would be to link the same Policy to the OU where they currently are, provided you want that Policy to apply to all those users.

If you can spare some time, cruise the TechNet site; you'll find a lot of information about working with Group Policy.  My suggestion from personal experience is to play with it as much as possible in your own lab-type environment (meaning not your regular user account and workstation) because it's the best way to learn.

Regarding if you still need another DC, think about this:  Currently all your domain information is stored in one place.  If anything irrecoverable happens to that server, you will lose your entire domain environment, including all the Policies, etc.  If you have the licensing, consider installing server on another system, even if it's an older computer, just to have the redundancy.  If you don't have the hardware to spare, load up Virtual Server 2005 R2 and run the 2nd Domain Controller in a virtual environment - it won't need much in the way of resources.  That's what I've done for smaller companies.