
For some reason our XP Machines (SP3) are not taking changes to SUS Group Policy in a Windows 2000 Domain.

Posted on 2008-11-10
Last Modified: 2012-05-05
Recently we reinstated our Primary DNS after a system failure; that part of it is fine. However, we also moved WSUS from our Secondary DNS (which was the only DNS until the Primary was reinstated) to another server. I changed our SUS group policy to point towards the new server; however, our XP (SP3) machines are still looking at the old SUS server for their updates, i.e. HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate still points to the old server. I have tried gpupdate /force but it 'appears' to do nothing, even though it says user and computer policy refresh complete. Furthermore, nslookup on the XP machines still shows the Secondary DNS as the primary. Neither of these problems appears on our Windows 2000 (SP4) machines. I am still fairly new to group policy and WSUS; any help would be greatly appreciated.
Question by:edwardr
LVL 14

Expert Comment

by:dfxdeimos
ID: 22927011
The thing that caught my eye is "nslookup on the XP machines still shows the Secondary DNS as the primary".

Did you push out the new DNS settings to the client machines via DHCP? If so, have these machines updated their DHCP information since then?
0
 

Author Comment

by:edwardr
ID: 22927739
Ok - that's solved half my problem - still not sure as to why the Group Policy does not automatically change the setting for what WSUS server to look at.
0
 
LVL 14

Expert Comment

by:dfxdeimos
ID: 22927826
Can you use the RSoP wizard to see if the setting that you intend to apply is actually applying?

http://www.microsoft.com/technet/prodtechnol/ie/ieak/techinfo/deploy/60/en/rsop01.mspx?mfr=true
0

Author Comment

by:edwardr
ID: 22927997
That's a pretty funky little tool, was wondering how to find out that info - anyway I went straight to the SUS setting (computer configuration/administrative templates/windows components/windows update) and the 'specify intranet microsoft update service location' is still set to the old server. The group policy on the PDC for SUS is the new server. Just checking what appears on the 2000 PCs now. Ok, the 2000 RSoP MMC snap-in was a little different but the correct settings appear in there. Is there any further information you may need?
0
 
LVL 14

Expert Comment

by:dfxdeimos
ID: 22928107
So if the old information is appearing on the XP SP3 computers, that tells you that the policy is not getting applied. Remember that the order of inheritance is Local -> Site -> Domain -> OU; are any other policies specified on any of these levels?
0
 

Author Comment

by:edwardr
ID: 22945697
Ok, on the Win 2000 Server I look at Group Policy and there are two Group Policies, Default Domain Policy and SUS Client Policy. The SUS policy has 'no override' ticked. So under this SUS Policy, Computer Configuration\Administrative templates\Windows Components\Windows Update, the 'Specify intranet Microsoft Update Service Location' is enabled and set to http://newserver for both settings. That I'm fairly happy with. On the client machine concerned the user is signed on to the appropriate domain, and under the above-mentioned path for RSoP the intranet location is enabled. It also indicates the GPO name as Sus Client Policy. That's what I would expect; however, when I open this setting up the Intranet Update Service is set to http://oldserver:8530, where I would expect to see http://newserver. With the SUS Policy having 'no override' set I would expect the client machine to show the new server. I have also tried 'gpupdate /force'; it doesn't appear to do anything new. Now I'm stuck again.
0
 
LVL 14

Expert Comment

by:dfxdeimos
ID: 22945734
So are the machines that aren't affected and the machines that are affected in the same OU? Is anything set in the default domain policy at the path you specified?
0
 

Author Comment

by:edwardr
ID: 22945806
Hrmm, acronyms - OU = Organisational Unit, well until then I didn't know what it was, and I'm afraid I still don't really know what it is. Furthermore I don't really know how to access it. As for the Default Domain Policy there is nothing defined in that path I indicated above. How do I check out the OU?
0
 
LVL 14

Expert Comment

by:dfxdeimos
ID: 22945899
Wikipedia:

--------------------------------------------------------------------
In Microsoft Active Directory (AD), an Organizational Unit (OU) can contain any other unit, including other OUs, users, groups, and computers. OUs in separate Domains may have identical names but are independent of each other. An OU is the smallest unit to which a Group Policy Object (GPO) or a Delegation of Control may be attached. [1] Therefore the primary use of an OU is to assign GPOs and Delegation of Control to users, groups, and computers. [2] The secondary or implied use of OUs is to create collections of users and computers that share similar trusts and privileges.

OUs let an administrator group computers and users so as to apply a common policy to them. OUs give a domain a hierarchical structure, and when well designed can ease administration.

--------------------------------------------------------------------

You would open up Active Directory Users and Computers and when you expand your domain you will see the OUs there. They have a different icon than the folders. You can right click on them and choose "Properties" and then check to see if GPOs are being applied there.
FolderOU.jpg
0
 

Author Comment

by:edwardr
ID: 22945983
Ok, when I do as you indicated I get the following (Default Domain Controller Policy) and there are no enabled settings for the Windows Update Server Location. When I right click on the domain I get the second one (Default Domain Policy and SUS Client Policy). Not overly sure what that means except maybe that we only have one OU.
right-click-on-domain-controller.JPG
0
 
LVL 14

Expert Comment

by:dfxdeimos
ID: 22946001
Ok, and all the computer accounts, including the ones that aren't getting the proper settings exist inside of that "Computers" folder inside of your active directory structure.
0
 
LVL 14

Expert Comment

by:dfxdeimos
ID: 22946006
That should have ended with a ?
0
 

Author Comment

by:edwardr
ID: 22946028
Yes that is correct.
0
 
LVL 14

Accepted Solution

by:
dfxdeimos earned 1000 total points
ID: 22946056
Hmm, this is odd.

What I would do is browse through the WSUS Policy to determine and record all of the available options inside of it. Then I would delete the policy object and perform a "gpupdate /force" on both a known working and non-working system. After the update you should be able to use RSoP to determine that no policy is being applied to either system. Then I would re-create the policy and name it something different, like "Custom WSUS Policy", and apply it at the domain level.

Then you can run another gpupdate /force to confirm that the new policy is coming down.

If the oldserver reappears I will help you find the name of a good exorcist.
0
 

Author Comment

by:edwardr
ID: 22946091
Excellent - I'll get right on it. Hopefully the exorcist is on speed dial.
0
 
LVL 14

Expert Comment

by:dfxdeimos
ID: 22946126
Ha.

I am leaving work now, so may be slower to respond, but I get e-mail through my phone so I will keep an eye out.
0
 

Author Closing Comment

by:edwardr
ID: 31515337
My word, I hate computers sometimes. In the end the event log told me that it couldn't find the GPT.INI file when I re-created the WSUS Policy. The share the servers create that holds these policies was active on the old server, so the clients were looking at the old server for the new policy I created on the new server. So it's all pretty much sorted now, thanks a heap (I just removed the share from the old server).
0
 
LVL 14

Expert Comment

by:dfxdeimos
ID: 22946916
Awesome, you should also ask an admin to delete the image you posted above, it contains your domain name in the title bar of the 2nd image.
0
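
A client-side check for the two things this thread ended up comparing, as an added example that is not part of the original posts: the WSUS location written under `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`, and whether every server that answers for the domain's SYSVOL share holds the same `gpt.ini` for each policy. It assumes PowerShell 2.0 or later on the affected client, a logged-on domain user, and that the domain's DNS name resolves to the servers offering SYSVOL; `$ExpectedWsus` and `$Domain` are placeholders to set for your environment.

```powershell
param(
    [string]$ExpectedWsus = 'http://newserver',   # placeholder, as worded in the thread
    [string]$Domain       = $env:USERDNSDOMAIN    # assumption: DNS name of the AD domain
)

# 1. WSUS location the Automatic Updates client reads (values written by the GPO).
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
foreach ($name in 'WUServer', 'WUStatusServer') {
    $actual = if ($wu) { $wu.$name } else { $null }
    $state  = if ($actual -eq $ExpectedWsus) { 'OK' } else { 'STALE' }
    '{0,-15} {1,-6} {2}' -f $name, $state, $actual
}

# 2. Any host the domain name resolves to may serve \\domain\SYSVOL to a client.
#    Read gpt.ini for every policy folder on each host and record its Version.
$hosts = @()
if ($env:LOGONSERVER) { $hosts += $env:LOGONSERVER.TrimStart('\') }
$hosts += [System.Net.Dns]::GetHostAddresses($Domain) |
          ForEach-Object { $_.IPAddressToString }

$rows = foreach ($h in ($hosts | Select-Object -Unique)) {
    $root = "\\$h\SYSVOL\$Domain\Policies"
    if (-not (Test-Path -LiteralPath $root)) {
        New-Object psobject -Property @{ Server = $h; Gpo = '(share unreachable)'; Version = $null }
        continue
    }
    $dirs = Get-ChildItem -LiteralPath $root |
            Where-Object { $_.PSIsContainer -and $_.Name -like '{*' }
    foreach ($dir in $dirs) {
        $ini = Join-Path $dir.FullName 'gpt.ini'
        $ver = $null                              # stays null when gpt.ini is missing
        if (Test-Path -LiteralPath $ini) {
            $line = Get-Content -LiteralPath $ini |
                    Where-Object { $_ -match '^\s*Version\s*=' } |
                    Select-Object -First 1
            if ($line -match '=\s*(\d+)') { $ver = [long]$Matches[1] }
        }
        New-Object psobject -Property @{ Server = $h; Gpo = $dir.Name; Version = $ver }
    }
}

# A policy GUID with an empty Version on one server, or different Versions across
# servers, means clients can fetch a stale or missing copy of that policy.
$rows | Sort-Object Gpo, Server | Format-Table Server, Gpo, Version -AutoSize
```

A policy folder that is present on one server but missing or older on another matches the GPT.INI error described in the closing comment.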
