Solved

OU (GPO not pushing across VPN connection?)

Posted on 2009-07-07
Last Modified: 2012-05-07
Issue with GPO not pushing to some workstations that link via a VPN connection.
If I place the users or computers in the OU at this location then it all works fine. But for some reason the systems that are on the other side of the VPN are not receiving that new GPO policy.
I tried a GPUPDATE /Force with no difference. I checked the server on that end and it seems to be receiving the policy fine, but the local policies on the workstations are not changing.  What is really strange is I thought I would just manually change the local policy, as it's only a few workstations, and even then it didn't work.  I racked my head on this for a while but no luck yet...
Not sure where to go with this... Would it be the firewall blocking something, I wonder??

Thanks for the help guys....
KC
Question by:KCDean
26 Comments
 
Expert Comment by: tdukie13 (ID: 24797406)
Hi,
What is the configuration for the computers connecting via VPN? Are they members of the domain? Are you pushing User and Computer based policies?

Third-party firewalls can cause issues, but it is unlikely that the Windows firewall is causing the issue.

Best,
T
Expert Comment by: mikeleebrla (ID: 24797426)
Is it a site-to-site VPN or a client VPN connecting the PCs in question to the main AD site?

Author Comment by: KCDean (ID: 24797505)
Answers for Tdukie.

All systems are connected to the domain. (Yes)
Pushing User and Computer based policies. (Yes)

Answers for mikelee

VPN is site to site; systems are pingable.
Expert Comment by: tdukie13 (ID: 24797560)
KC,
Can you run an RSOP on a remote workstation? Do you get any security errors (or other errors)? To run RSOP you will want to have the Windows Firewall disabled.

Best,
T
Expert Comment by: tdukie13 (ID: 24797677)
RSOP = Resultant Set of Policy (Just in case you haven't used the tool before)

T
Expert Comment by: mikeleebrla (ID: 24797728)
Not sure if this will solve your problem or not, but it certainly won't hurt. I assume the PCs on the remote end of the VPN have a separate IP range from your other networks, correct? If so, then you need to create a new site and subnet inside of "AD Sites and Services", since you have a new site.
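Added example for the site-and-subnet step above (not code from the thread or either poster): creating the remote site, its subnet and a site link with the ActiveDirectory PowerShell module, then confirming from a workstation behind the VPN which site and DC it lands in. The site name 'RemoteOffice', the subnet 192.168.50.0/24, the hub site name and the link name are assumptions for illustration; the cmdlets need RSAT / Windows Server 2012 or later rather than the 2009-era tooling in the thread.

```powershell
# Added example, not from the thread: give the remote office its own AD site so the
# DC locator and the Group Policy client use the expected DC across the VPN.
# Needs the ActiveDirectory module (RSAT / Windows Server 2012+), run as a domain admin.
# Site name, subnet, hub site and link name below are assumptions for illustration.
Import-Module ActiveDirectory

$SiteName = 'RemoteOffice'
$Subnet   = '192.168.50.0/24'                   # assumed IP range behind the VPN
$HubSite  = 'Default-First-Site-Name'
$LinkName = "$HubSite-$SiteName"

# 1. Create the site if it is missing.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$SiteName'")) {
    New-ADReplicationSite -Name $SiteName
}

# 2. Map the remote range to that site. Without a matching subnet a client has
#    no site and can be handed any DC in the forest, possibly one it cannot reach
#    through the VPN's firewall rules.
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$Subnet'")) {
    New-ADReplicationSubnet -Name $Subnet -Site $SiteName
}

# 3. Link the two sites so AD replication (and therefore SYSVOL) is scheduled over the VPN.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$LinkName'")) {
    New-ADReplicationSiteLink -Name $LinkName `
        -SitesIncluded $HubSite, $SiteName `
        -InterSiteTransportProtocol IP `
        -Cost 100 -ReplicationFrequencyInMinutes 15
}

# 4. On a workstation behind the VPN, confirm what it now resolves to. The first line
#    of dsgetsite is the site name; dsgetdc shows the DC chosen and its flags.
nltest /dsgetsite
nltest /dsgetdc:$env:USERDNSDOMAIN /force
```

If step 4 prints a site other than the one you just created, or a DC on the far side of the VPN, the subnet does not actually cover the client's address or the change has not replicated to the DC the client is talking to yet.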

Author Comment by: KCDean (ID: 24797829)
Just for kicks, guys, I dropped my own user account and computer account into that locked OU, and I would say within 20 mins my computer was locked down to that OU's specifications. I was quite surprised to see how fast that kicked in. I changed it and then went on doing my own work, and then 20 mins later I look for my Run command and it's gone. It clicked right away that the GPO is working great on the local subnet.

Mikelee, correct, the VPNs are set up as different ranges. AD Sites and Services is something I set up years ago; it's always worked fine. Not sure if that's the correct tree to bark up!

Tdukie, I ran the RSOP sometime last week; I don't recall any errors, but what should I look for when it's finished loading?
Author Comment by: KCDean (ID: 24798080)
I ran the RSOP and received an access denied error. I adjusted some of the local permissions and it's rebooting as I type.....
Expert Comment by: tdukie13 (ID: 24803131)
You were denied from running the RSOP? The Windows Firewall can block that...
Author Comment by: KCDean (ID: 24803191)
Checked the Windows Firewall; it's off.
Expert Comment by: tdukie13 (ID: 24803222)
Can you RDP to an affected workstation? From a command line you can run "gpresult" which is a basic version of RSOP. If you can mark/copy/paste it up I will take a look.

Best,
T
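Added example (not from the thread or either poster) that does what tdukie13 is asking for and a little more: one script to run on an affected remote workstation that reports the DC the locator chose, tests the TCP ports the Group Policy client needs to that DC, checks that every GPO's gpt.ini in SYSVOL is readable (the same share the ADM warning later in the thread refers to), runs gpresult for both scopes, reads the RSOP WMI namespace that gpresult itself uses, and pulls recent Group Policy engine errors from the event log. Test-NetConnection, Get-ChildItem -Directory and the Microsoft-Windows-GroupPolicy/Operational log exist on Windows 8 / Server 2012 and later; XP-era alternatives are noted in comments. Nothing beyond the machine's own domain is assumed.

```powershell
# Added example, not from the thread: Group Policy health check for a workstation on
# the far side of a site-to-site VPN. Run in an elevated PowerShell on the client.
# Windows 8 / Server 2012+ cmdlets; XP-era equivalents noted inline.
$ErrorActionPreference = 'Continue'
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
$dc     = $domain.FindDomainController().Name        # DC the locator picked
"Domain: $($domain.Name)   DC in use: $dc"

# 1. Ports the GP client needs to its DC: Kerberos, LDAP, SMB, RPC endpoint mapper.
#    A VPN or firewall that passes ICMP (so ping works) but drops one of these is
#    enough to stop policy applying while everything still "looks" connected.
foreach ($port in 88, 389, 445, 135) {
    $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    "TCP $port to $dc : $(if ($ok) { 'open' } else { 'BLOCKED' })"
}

# 2. SYSVOL: each GPO's gpt.ini (and its Adm folder) must be readable over SMB/DFS.
#    "The system cannot find the path specified" here is the same failure the
#    "latest versions of the ADM files are not available" warning reports.
$policies = "\\$($domain.Name)\SYSVOL\$($domain.Name)\Policies"
if (Test-Path $policies) {
    Get-ChildItem $policies -Directory | ForEach-Object {
        $gpt = Join-Path $_.FullName 'gpt.ini'
        "$($_.Name): gpt.ini $(if (Test-Path $gpt) { 'readable' } else { 'MISSING or access denied' })"
    }
} else {
    "Cannot reach $policies - check TCP 445 and DFS referrals across the VPN"
}

# 3. What the GP engine actually applied, per scope. "does not have RSOP data" for the
#    user scope usually means no user policy pass has been logged for that account on
#    this machine (e.g. a cached-credentials logon); the computer scope may still be fine.
gpresult /r /scope:computer
gpresult /r /scope:user

# 4. The same data straight from the RSOP WMI namespace gpresult reads. accessDenied or
#    filterAllowed=False on the GPO you expect tells you why it was skipped.
Get-WmiObject -Namespace 'root\rsop\computer' -Class RSOP_GPO |
    Select-Object name, guidName, accessDenied, filterAllowed, version |
    Format-Table -AutoSize

# 5. Recent GP engine errors/warnings (Vista+). On XP the equivalent is the System log,
#    source "Userenv":  Get-EventLog -LogName System -Source Userenv -Newest 20
Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational' -MaxEvents 100 |
    Where-Object { $_.Level -le 3 } |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

Read the output top to bottom: a blocked port in step 1 or an unreachable share in step 2 is a network or firewall problem on the VPN, while clean results there followed by accessDenied/filterAllowed in step 4 or engine errors in step 5 point at the GPO's security filtering or at the client's local GP state.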
Author Comment by: KCDean (ID: 24804056)

C:\Documents and Settings\RDCounter2\Desktop>gpresult >gp.txt
INFO: The user "%$%$\RDCounter2" does not have RSOP data.

Hmmm, under that user this is what I get when I run the gpresult command.
Expert Comment by: tdukie13 (ID: 24804135)
Is the domain server listed as the primary DNS at the remote location?
Author Comment by: KCDean (ID: 24804181)
No, it is not; it's pulling the Active Directory structure fine, including OUs and GPOs.  The main DNS server is located at the central office.
Author Comment by: KCDean (ID: 24804212)
I figured out how to make the local policy work: I just created a local account identical to the Active Directory account.   Then I can lock it down that way, but man, that defeats the purpose of the whole system. Sure would be nice to make it work the way it's supposed to... I have a feeling that the firewall/router is blocking it...
Expert Comment by: mikeleebrla (ID: 24804632)
Are you saying that an Active Directory DNS server is NOT listed first as the DNS server on the client machine in question? If so, then that is your issue. AD DNS servers should be the ONLY DNS servers that any domain member is pointed to.
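Added example for mikeleebrla's point (not code from the thread or either poster): set a remote workstation's adapter to AD DNS servers only, then prove the DC locator SRV records resolve, including the site-specific ones. The adapter alias 'Ethernet' and the two server addresses are assumptions; the DNS client cmdlets need Windows 8 / Server 2012 or later.

```powershell
# Added example, not from the thread: make a domain member use AD DNS only and verify
# the records the DC locator and Group Policy client depend on. Run elevated.
# Adapter alias and server addresses are assumptions for illustration.
$Adapter = 'Ethernet'
$AdDns   = '10.0.50.10', '10.0.0.10'   # assumed: DC at this site first, hub DC second
$Domain  = $env:USERDNSDOMAIN

# 1. Replace any ISP/router DNS entries. Order matters: the first server answers unless
#    it times out, so list the DC on this side of the VPN first.
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $AdDns
Clear-DnsClientCache
ipconfig /registerdns | Out-Null

# 2. Records a domain member must resolve to find a DC, Kerberos and a global catalog.
#    If these fail, the client is not talking to an AD DNS server or the zone is broken;
#    pinging hosts by name can still work via the router's forwarder, which hides this.
$records = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$Domain",
    "_gc._tcp.$Domain"
)
foreach ($r in $records) {
    $ans = Resolve-DnsName -Name $r -Type SRV -ErrorAction SilentlyContinue
    if ($ans) {
        $targets = ($ans | Where-Object Type -eq 'SRV' | ForEach-Object { $_.NameTarget }) -join ', '
        "$r -> $targets"
    } else {
        "$r -> NOT FOUND"
    }
}

# 3. Site-specific record, used first once the client's subnet is mapped to a site.
#    The first line of nltest /dsgetsite is the site name.
$site = nltest /dsgetsite 2>$null | Select-Object -First 1
if ($site) {
    Resolve-DnsName -Name "_ldap._tcp.$site._sites.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'SRV' | Select-Object Name, NameTarget, Priority, Weight
}
```

Keep the central-office DC as the second entry rather than dropping it: if the VPN is up but the local DC is down, the client still finds a DC, and with the subnet mapped to a site it will prefer the local one whenever that is available.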




Author Comment by: KCDean (ID: 24804737)
OK, well, I'm going to try that. I'll point the clients' DNS to the local server at that location and see if it pulls it then.... I'll let you know.
Author Comment by: KCDean (ID: 24804875)
MikeLee, I was thinking that was the issue, but it turns out it's still not pulling the GPO when using that account.

Both primary and secondary DNS entries are now set statically to the local and central servers. No change...
Author Comment by: KCDean (ID: 24805658)
Well, I set up the local policy and local account; it's now locked down so much that it can only be used for work purposes.

This is the error message I get when I attempt to log the RSOP.... For interest's sake, I have done a flushdns just in case it's caching something stale.

The latest versions of the ADM files below are not available. This can be due to insufficient permissions or unavailable network resources. The local copy of ADM files will be used.
Then it gives exact location errors for the ADM files, stating:
Error - The system cannot find the path specified
Expert Comment by: tdukie13 (ID: 24805725)
Can you ping names of other workstations/servers from the affected machines by FQDN?
Author Comment by: KCDean (ID: 24805947)
Tdukie,

Yep, I can ping machines on that side with no problems.
Author Comment by: KCDean (ID: 24805968)
The flush/register did nothing as well.
Accepted Solution by: tdukie13 (earned 2000 total points, ID: 24813338)
KC,
This is a tough one. I am running out of ideas. However, I do remember an issue I had similar to this with group policy applying. I had to do something with this folder: C:\WINDOWS\security\Database, and the .edb files that are in there. I believe I copied the contents from that folder on a working machine to an affected machine and gave the computer a reboot. Could have corrupted local policies....

Good luck,
T
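Added example (not from the thread; tdukie13's suggestion is to copy the database files from a healthy machine): the documented way to recover a damaged local security database, %windir%\security\Database\secedit.sdb, is to back up the folder, remove the stale ESE log files and repair the database with esentutl, and only if that is not enough reset the local security policy to the OS default template and let the domain GPOs re-apply on top. Run elevated on the affected machine; the backup folder name is an assumption, and the reset step is off by default.

```powershell
# Added example, not from the thread: repair or rebuild the local security database
# rather than copying another machine's .edb/.sdb files. Run in an elevated PowerShell
# on the affected workstation. Backup folder name is an assumption.
$secDir = Join-Path $env:windir 'security'
$db     = Join-Path $secDir 'Database\secedit.sdb'
$backup = Join-Path $env:TEMP ('security-backup-' + (Get-Date -Format 'yyyyMMddHHmm'))

# 1. Keep a copy of the whole folder first; the repair below is destructive.
New-Item -ItemType Directory -Path $backup -Force | Out-Null
Copy-Item -Path (Join-Path $secDir '*') -Destination $backup -Recurse -Force
"Backup written to $backup"

# 2. Remove stale ESE transaction logs and checkpoint, then hard-repair the database.
#    esentutl /p asks for confirmation interactively before it touches the file.
Get-ChildItem $secDir -Filter '*.log' | Remove-Item -Force
Get-ChildItem $secDir -Filter '*.chk' | Remove-Item -Force
& "$env:windir\System32\esentutl.exe" /p $db
if ($LASTEXITCODE -ne 0) {
    throw "esentutl repair failed (exit $LASTEXITCODE); restore the folder from $backup"
}

# 3. Optional: reset local security policy to the OS defaults. Only do this if the
#    repair alone did not bring GP processing back; it rewrites local policy settings.
#    Template path differs by OS: Vista/2008 and later ship defltbase.inf,
#    XP/2003 ship secsetup.inf under %windir%\repair.
$ResetToDefaults = $false
if ($ResetToDefaults) {
    $template = if (Test-Path "$env:windir\inf\defltbase.inf") {
        "$env:windir\inf\defltbase.inf"
    } else {
        "$env:windir\repair\secsetup.inf"
    }
    secedit /configure /cfg $template /db (Join-Path $secDir 'Database\defltbase.sdb') /verbose
}

# 4. Force a fresh policy pass and confirm the GPO now appears under "Applied Group Policy Objects".
gpupdate /force
gpresult /r /scope:computer
```

Copying secedit.sdb from a different machine carries that machine's local policy state with it; repairing the client's own database (or regenerating it from the default template) keeps the box consistent and leaves the domain GPOs as the only source of the settings you want enforced.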
Author Comment by: KCDean (ID: 24854639)
Interesting. I'm on holidays, but when I get back I will take a look at that; for now I have adjusted the local policy, as it's only two machines that needed adjusting...
Expert Comment by: tdukie13 (ID: 24858541)
Fair enough. If it is just two, then it may be local corruption; let me know either way - I am curious.

Best,
T
Author Closing Comment by: KCDean (ID: 31600753)
Could never find a resolution, but everyone tried their best. I ended up setting each computer individually, as there were only 2 systems that needed this adjustment.