For some reason our XP Machines (SP3) are not taking changes to SUS Group Policy in a Windows 2000 Domain.

Recently we have re-instated our Primary DNS after system failure, that part of it is fine. However we also moved WSUS from our Secondary DNS (was the only DNS until Primary was Re-instated) to another server. I changed our SUS group policy to point towards the new server however our XP (SP3) machines still are looking at the old SUS server for their updates, i.e. HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate still points to the old server. I have tried gpupdate /force but it 'appears' to do nothing, even though it says user and computer policy refresh complete. Furthermore to this nslookup on the XP machines still shows the Secondary DNS as the primary. Neither of these problems appears on our Windows 2000 (SP4) machines. I am still fairly new to group policy and WSUS, any help would be greatly appreciated.
edwardrAsked:
dfxdeimosCommented:
The thing that caught my eye is "nslookup on the XP machines still shows the Secondary DNS as the primary".

Did you push out the new DNS settings to the client machines via DHCP? If so, have these machines updated their DHCP information since then?
0
edwardrAuthor Commented:
Ok - that's solved half my problem - still not sure as to why the Group Policy does not automatically change the setting for what WSUS server to look at.
0
dfxdeimosCommented:
Can you use the RSoP wizard to see if the setting that you intend to apply is actually applying?

http://www.microsoft.com/technet/prodtechnol/ie/ieak/techinfo/deploy/60/en/rsop01.mspx?mfr=true
0
edwardrAuthor Commented:
That's a pretty funky little tool, was wondering how to find out that info - anyway I went straight to the SUS setting (computer configuration/administrative templates/windows components/windows update) and the 'specify intranet microsoft update service location' is still as the old server. The group policy on the PDC for sus is the new server. Just checking what appears on the 2000 PCs now. Ok, the 2000 RSoP MMC snap-in was a little different but the correct settings appear in there. Is there any further information you may need?
0
dfxdeimosCommented:
So if the old information is appearing on the XP SP3 computers that tells you that the policy is not getting applied. Remember that the order of inheritance is Local -> Site -> Domain -> OU, are any other policies specified on any of these levels?
0
edwardrAuthor Commented:
Ok, on the Win 2000 Server I look at Group Policy and there are two Group Policies, Default Domain Policy and SUS Client Policy. The SUS policy has 'no override' ticked. So under this SUS Policy Computer Configuration\Administrative templates\Windows Components\Windows Update the 'Specify intranet Microsoft Update Service Location' is enabled and set to http://newserver for both settings. That I'm fairly happy with. On the client machine concerned the user is signed on the appropriate domain and under the above mentioned path for RSoP the intranet location is enabled. It also indicates the GPO name as Sus Client Policy. That's what I would expect, however when I open this setting up the Intranet Update Service is set to http://oldserver:8530, I would expect to see http://newserver. With the SUS Policy having 'no override' set I would expect the client machine to show the new server. I have also tried 'gpupdate /force' it doesn't appear to do anything new. Now I'm stuck again.
0
dfxdeimosCommented:
So are the machines that aren't affected and the machines that are affected in the same OU? Is anything set in the default domain policy at the path you specified?
0
edwardrAuthor Commented:
Hrmm, acronyms - OU = Organisational Unit, well until then I didn't know what it was, and I'm afraid I still don't really know what it is. Furthermore I don't really know how to access it. As for the Default Domain Policy there is nothing defined in that path I indicated above. How do I check out the OU?
0
dfxdeimosCommented:
Wikipedia:

--------------------------------------------------------------------
In Microsoft Active Directory (AD), an Organizational Unit (OU) can contain any other unit, including other OUs, users, groups, and computers. OUs in separate Domains may have identical names but are independent of each other. An OU is the smallest unit to which a Group Policy Object (GPO) or a Delegation of Control may be attached. [1] Therefore the primary use of an OU is to assign GPOs and Delegation of Control to users, groups, and computers. [2] The secondary or implied use of OUs is to create collections of users and computers that share similar trusts and privileges.

OUs let an administrator group computers and users so as to apply a common policy to them. OUs give a domain a hierarchical structure, and when well designed can ease administration.

--------------------------------------------------------------------

You would open up Active Directory Users and Computers and when you expand your domain you will see the OUs there. They have a different icon than the folders. You can right click on them and choose "Properties" and then check to see if GPOs are being applied there.
FolderOU.jpg
0
edwardrAuthor Commented:
Ok, when I do as you indicated I get the following (Default Domain Controller Policy) and there are no enabled settings for the Windows Update Server Location. When I right click on the domain I get the second one (Default Domain Policy and SUS Client Policy). Not overly sure what that means except maybe that we only have one OU.
right-click-on-domain-controller.JPG
0
dfxdeimosCommented:
Ok, and all the computer accounts, including the ones that aren't getting the proper settings exist inside of that "Computers" folder inside of your active directory structure.
0
dfxdeimosCommented:
That should have ended with a ?
0
edwardrAuthor Commented:
Yes that is correct.
0
dfxdeimosCommented:
Hmm, this is odd.

What I would do is browse through the WSUS Policy to determine and record all of the available options inside of it. Then I would delete the policy object and perform a "gpupdate /force" to both a known working and non-working system. After the update you should be able to use RSoP to determine that no policy is being applied to either system. Then I would re-create the policy and name it something different, like "Custom WSUS Policy", and apply it at the domain level.

Then you can run another gpupdate /force to confirm that the new policy is coming down.

If the oldserver reappears I will help you find the name of a good exorcist.
0
edwardrAuthor Commented:
Excellent - I'll get right on it. Hopefully the exorcist is on speed dial.
0
dfxdeimosCommented:
Ha.

I am leaving work now, so may be slower to respond, but I get e-mail through my phone so I will keep an eye out.
0
edwardrAuthor Commented:
My word I hate computers sometimes, in the end the event log told me that it couldn't find the GPT.INI file when I re-created the WSUS Policy. The share the servers create that holds these policies was active on the old server so the clients were looking at the old server for the new policy I created on the new server. So it's all pretty much sorted now, thanks a heap (I just removed the share from the old server).
0
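A check for the condition found above, as an added example that is not part of the original thread: it compares the client's applied WSUS policy values with the intended URL, then looks for the GPO's GPT.INI on every host that still exposes a SYSVOL share. The server names, domain name and GPO GUID are placeholders; `WUServer` and `WUStatusServer` are the value names the "Specify intranet Microsoft update service location" setting writes under the key quoted in the question.

```powershell
# Added example. All four values below are placeholders, not values from the thread.
$Expected   = 'http://newserver'        # URL configured in the GPO
$Servers    = 'oldserver', 'newserver'  # every host still exposing a SYSVOL share
$DomainName = 'example.local'           # placeholder domain DNS name
$GpoGuid    = '{00000000-0000-0000-0000-000000000000}'  # placeholder GPO GUID

# 1. What the client actually holds in the policy key quoted in the question.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wu  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
foreach ($name in 'WUServer', 'WUStatusServer') {
    $value = if ($wu) { $wu.$name } else { $null }
    $state = if ($value -eq $Expected) { 'OK' } else { 'MISMATCH' }
    '{0,-15} {1,-9} {2}' -f $name, $state, $value
}

# 2. Which SYSVOL copies carry the GPO, and at what version.
#    GPT.INI stores Version = (user version * 65536) + computer version.
foreach ($server in $Servers) {
    $ini = "\\$server\SYSVOL\$DomainName\Policies\$GpoGuid\GPT.INI"
    if (-not (Test-Path -LiteralPath $ini)) {
        '{0,-15} GPT.INI not found' -f $server
        continue
    }
    $line = Get-Content -LiteralPath $ini |
        Where-Object { $_ -match '^\s*Version\s*=\s*\d+' } |
        Select-Object -First 1
    if (-not $line) {
        '{0,-15} GPT.INI has no Version line' -f $server
        continue
    }
    $version  = [int64]([regex]::Match($line, '\d+').Value)
    $computer = $version % 65536
    $user     = [math]::Floor($version / 65536)
    '{0,-15} computer v{1}, user v{2}' -f $server, $computer, $user
}
```

A host that answers for SYSVOL but reports "GPT.INI not found", or a lower computer version than its peers, is serving clients a stale view of the policy.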
dfxdeimosCommented:
Awesome, you should also ask an admin to delete the image you posted above, it contains your domain name in the title bar of the 2nd image.
0