Member_2_1767690

For some reason our XP Machines (SP3) are not taking changes to SUS Group Policy in a Windows 2000 Domain.

Recently we have re-instated our Primary DNS after system failure, that part of it is fine. However we also moved WSUS from our Secondary DNS (was the only DNS until Primary was re-instated) to another server. I changed our SUS group policy to point towards the new server, however our XP (SP3) machines are still looking at the old SUS server for their updates, i.e. HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate still points to the old server. I have tried gpupdate /force but it 'appears' to do nothing, even though it says user and computer policy refresh complete. Further to this, nslookup on the XP machines still shows the Secondary DNS as the primary. Neither of these problems appears on our Windows 2000 (SP4) machines. I am still fairly new to group policy and WSUS, any help would be greatly appreciated.
dfxdeimos

The thing that caught my eye is "nslookup on the XP machines still shows the Secondary DNS as the primary".

Did you push out the new DNS settings to the client machines via DHCP? If so, have these machines updated their DHCP information since then?
Member_2_1767690

ASKER

Ok - that's solved half my problem - still not sure as to why the Group Policy does not automatically change the setting for what WSUS server to look at.
Can you use the RSoP wizard to see if the setting that you intend to apply is actually applying?

http://www.microsoft.com/technet/prodtechnol/ie/ieak/techinfo/deploy/60/en/rsop01.mspx?mfr=true
That's a pretty funky little tool, was wondering how to find out that info - anyway I went straight to the SUS setting (computer configuration/administrative templates/windows components/windows update) and the 'specify intranet microsoft update service location' is still set to the old server. The group policy on the PDC for SUS is the new server. Just checking what appears on the 2000 PCs now. Ok, the 2000 RSoP MMC snap-in was a little different but the correct settings appear in there. Is there any further information you may need?
So if the old information is appearing on the XP SP3 computers that tells you that the policy is not getting applied. Remember that the order of inheritance is Local -> Site -> Domain -> OU, are any other policies specified on any of these levels?
Ok, on the Win 2000 Server I look at Group Policy and there are two Group Policies, Default Domain Policy and SUS Client Policy. The SUS policy has 'no override' ticked. So under this SUS Policy Computer Configuration\Administrative templates\Windows Components\Windows Update the 'Specify intranet Microsoft Update Service Location' is enabled and set to http://newserver for both settings. That I'm fairly happy with. On the client machine concerned the user is signed on to the appropriate domain and under the above mentioned path for RSoP the intranet location is enabled. It also indicates the GPO name as SUS Client Policy. That's what I would expect, however when I open this setting up the Intranet Update Service is set to http://oldserver:8530, I would expect to see http://newserver. With the SUS Policy having 'no override' set I would expect the client machine to show the new server. I have also tried 'gpupdate /force', it doesn't appear to do anything new. Now I'm stuck again.
So are the machines that aren't affected and the machines that are affected in the same OU? Is anything set in the default domain policy at the path you specified?
Hrmm, acronyms - OU = Organisational Unit, well until then I didn't know what it was, and I'm afraid I still don't really know what it is. Furthermore I don't really know how to access it. As for the Default Domain Policy there is nothing defined in that path I indicated above. How do I check out the OU?
Wikipedia:

--------------------------------------------------------------------
In Microsoft Active Directory (AD), an Organizational Unit (OU) can contain any other unit, including other OUs, users, groups, and computers. OUs in separate Domains may have identical names but are independent of each other. An OU is the smallest unit to which a Group Policy Object (GPO) or a Delegation of Control may be attached. Therefore the primary use of an OU is to assign GPOs and Delegation of Control to users, groups, and computers. The secondary or implied use of OUs is to create collections of users and computers that share similar trusts and privileges.

OUs let an administrator group computers and users so as to apply a common policy to them. OUs give a domain a hierarchical structure, and when well designed can ease administration.

--------------------------------------------------------------------

You would open up Active Directory Users and Computers and when you expand your domain you will see the OUs there. They have a different icon than the folders. You can right click on them and choose "Properties" and then check to see if GPOs are being applied there.
FolderOU.jpg
Ok, when I do as you indicated I get the following (Default Domain Controller Policy) and there are no enabled settings for the Windows Update Server Location. When I right click on the domain I get the second one (Default Domain Policy and SUS Client Policy). Not overly sure what that means except maybe that we only have one OU.
right-click-on-domain-controller.JPG
Ok, and all the computer accounts, including the ones that aren't getting the proper settings exist inside of that "Computers" folder inside of your active directory structure.
That should have ended with a ?
Yes that is correct.
ASKER CERTIFIED SOLUTION
dfxdeimos
This solution is only available to members.
Excellent - I'll get right on it. Hopefully the exorcist is on speed dial.
Ha.

I am leaving work now, so may be slower to respond, but I get e-mail through my phone so I will keep an eye out.
My word I hate computers sometimes, in the end the event log told me that it couldn't find the GPT.INI file when I re-created the WSUS Policy. The share the servers create that holds these policies was active on the old server so the clients were looking at the old server for the new policy I created on the new server. So it's all pretty much sorted now, thanks a heap (I just removed the share from the old server).
Awesome, you should also ask an admin to delete the image you posted above, it contains your domain name in the title bar of the 2nd image.
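
A diagnostic pass over the checks this thread worked through (client DNS, the WSUS policy value in the registry, and whether each GPO's gpt.ini is reachable in SYSVOL), as an added example that is not part of any post above. It is a Windows batch file meant to be run on an affected XP client by a domain user; the `EXPECTED` URL is a placeholder based on the thread's `http://newserver`, and the SYSVOL path assumes the standard domain share layout.

```batch
@echo off
rem Added example, not from the thread. Run on an affected XP client.
setlocal
rem EXPECTED is a placeholder: the WSUS URL the SUS Client Policy should deliver.
set EXPECTED=http://newserver
set KEY=HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

echo === 1. DNS servers this client is using (first one listed is queried first)
ipconfig /all | findstr /i /c:"DNS Servers"

echo === 2. WSUS URL that policy last wrote to the registry
set WUSERVER=
for /f "tokens=3" %%A in ('reg query "%KEY%" /v WUServer 2^>nul ^| findstr /i "REG_SZ"') do set WUSERVER=%%A
if /i "%WUSERVER%"=="%EXPECTED%" (echo OK: WUServer is %WUSERVER%) else (echo MISMATCH: WUServer is "%WUSERVER%", expected "%EXPECTED%")

echo === 3. Server that authenticated this logon
echo %LOGONSERVER%

echo === 4. Is gpt.ini reachable for every GPO folder in the domain SYSVOL?
rem A GPO folder without a readable gpt.ini cannot be applied, so the client
rem keeps the values from the last policy it processed successfully.
set SYSVOLPOL=\\%USERDNSDOMAIN%\SYSVOL\%USERDNSDOMAIN%\Policies
if not exist "%SYSVOLPOL%" echo MISSING: cannot reach %SYSVOLPOL%
for /d %%G in ("%SYSVOLPOL%\{*}") do (
  if exist "%%G\gpt.ini" (echo found   %%G\gpt.ini) else (echo MISSING %%G\gpt.ini)
)

echo === 5. Same check against the logon server's own copy of SYSVOL
rem LOGONSERVER already starts with two backslashes.
for /d %%G in ("%LOGONSERVER%\SYSVOL\%USERDNSDOMAIN%\Policies\{*}") do (
  if exist "%%G\gpt.ini" (echo found   %%G\gpt.ini) else (echo MISSING %%G\gpt.ini)
)

echo === 6. Refresh policy, then re-read the value
gpupdate /force
reg query "%KEY%" /v WUServer
endlocal
```

If step 2 still reports the old URL after step 6, compare the folder lists from steps 4 and 5 and check the client's event log for the policy processing error, which is where the asker found the missing GPT.INI message.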