Solved

OU (GPO not pushing across VPN connection?)

Posted on 2009-07-07
973 Views
Last Modified: 2012-05-07
Issue with a GPO not pushing to some workstations that link via a VPN connection.
If I place the users or computers in the OU at this location then it all works fine. But for some reason the systems that are on the other side of the VPN are not receiving that new GPO policy.
I tried a GPUPDATE /Force with no difference. I checked the server on that end and it seems to be receiving the policy fine, but the local policies on the workstations are not changing.  What is really strange is I thought I would just manually change the local policy as it's only a few workstations, and even then it didn't work.  I racked my head on this for a while but no luck yet...
Not sure where to go with this... Would it be the firewall blocking something, I wonder??

Thanks for the help guys....
KC
Question by:KCDean
26 Comments
 
LVL 5

Expert Comment

by:tdukie13
ID: 24797406
Hi,
What is the configuration for the computers connecting via VPN? Are they members of the domain? Are you pushing User and Computer based policies?

Third-party firewalls can cause issues, but it is unlikely that the Windows firewall is causing the issue.

Best,
T
0
 
LVL 25

Expert Comment

by:mikeleebrla
ID: 24797426
Is it a site-to-site VPN or a client VPN connecting the PCs in question to the main AD site?

0
 
LVL 1

Author Comment

by:KCDean
ID: 24797505
Answers for Tdukie.

All systems are connected to the domain. (Yes)
Pushing User and Computer based policies. (Yes)

Answers for mikelee

VPN is site to site; systems are pingable.
0
 
LVL 5

Expert Comment

by:tdukie13
ID: 24797560
KC,
Can you run an RSOP on a remote workstation? Do you get any security errors (or other errors)? To run RSOP you will want to have the Windows Firewall disabled.

Best,
T
0
 
LVL 5

Expert Comment

by:tdukie13
ID: 24797677
RSOP = Resultant Set of Policy (Just in case you haven't used the tool before)

T
0
 
LVL 25

Expert Comment

by:mikeleebrla
ID: 24797728
Not sure if this will solve your problem or not but it certainly won't hurt. I assume the PCs on the remote end of the VPN have a separate IP range from your other networks, correct? If so, then you need to create a new site and subnet inside of "AD Sites and Services" since you have a new site.

0
 
LVL 1

Author Comment

by:KCDean
ID: 24797829
Just for kicks guys I dropped my own user account and computer account into that locked OU and I would say within 20 mins my computer was locked down to that OU's specifications. I was quite surprised to see how fast that kicked in. I changed it and then went on doing my own work, and then 20 mins later I look for my Run command and it's gone. Clicked in right away that the GPO is working great on the local subnet.

Mikelee, correct, the VPNs are set up as different ranges. The AD Sites and Services is something I set up years ago; it's always worked fine. Not sure if that's the correct tree to bark up!

Tdukie, I ran the RSOP last week sometime; I don't recall any errors, but what should I look for when it's finished loading?
0
 
LVL 1

Author Comment

by:KCDean
ID: 24798080
I ran the RSOP and I received an access denied error. I adjusted some of the local permissions and it's rebooting as I type.....
0
 
LVL 5

Expert Comment

by:tdukie13
ID: 24803131
You were denied from running the RSOP? The Windows Firewall can block that...
0
 
LVL 1

Author Comment

by:KCDean
ID: 24803191
Checked the Windows firewall; it's off..
0
 
LVL 5

Expert Comment

by:tdukie13
ID: 24803222
Can you RDP to an affected workstation? From a command line you can run "gpresult" which is a basic version of RSOP. If you can mark/copy/paste it up I will take a look.

Best,
T
0
 
LVL 1

Author Comment

by:KCDean
ID: 24804056

C:\Documents and Settings\RDCounter2\Desktop>gpresult >gp.txt
INFO: The user "%$%$\RDCounter2" does not have RSOP data.

Hmmm, under that user this is what I get when I run the gpresult command.
0
 
LVL 5

Expert Comment

by:tdukie13
ID: 24804135
Is the domain server listed as the primary DNS at the remote location?
0
 
LVL 1

Author Comment

by:KCDean
ID: 24804181
No it is not; it's pulling the Active Directory structure fine, including OUs and GPOs.  The main DNS server is located at the central office.
0
 
LVL 1

Author Comment

by:KCDean
ID: 24804212
I figured out how to make the local policy work: I just created a local account identical to the Active Directory account.   Then I can lock it down that way, but man, that defeats the purpose of the whole system. Sure would be nice to make it work the way it's supposed to... I have a feeling that the firewall/router is blocking it...
0
 
LVL 25

Expert Comment

by:mikeleebrla
ID: 24804632
Are you saying that an Active Directory DNS server is NOT listed first as the DNS server on the client machine in question? If so, then that is your issue. AD DNS servers should be the ONLY DNS servers that any domain member should be pointed to.
0
 
LVL 1

Author Comment

by:KCDean
ID: 24804737
Ok, well I'm going to try that then. I'll point the clients' DNS to the local server at that location and see if it pulls it then.... I'll let you know.
0
 
LVL 1

Author Comment

by:KCDean
ID: 24804875
MikeLee, I was thinking that was the issue, but it turns out it's still not pulling the GPO when using that account.

Both Primary and Secondary DNS entries are set static now to both local and central server. No changes...
0
 
LVL 1

Author Comment

by:KCDean
ID: 24805658
Well, I set up the local policy and local account; it's now locked down so much that it can only be used for work purposes.

This is the error message I get when I attempt to log the RSOP.... For interest's sake, I have done a flushdns just in case it's caching something stale.

The latest versions of the ADM files below are not available. This can be due to insufficient permissions or unavailable network resources. The local copy of ADM files will be used.
Then it gives exact location errors of the ADM files stating:
Error - The system cannot find the path specified
0
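The thread circles three things a client needs before a domain GPO can apply across a site-to-site VPN: DNS that returns the domain controller SRV records, a subnet mapped to a site in AD Sites and Services, and an open path to the DC on the Kerberos, LDAP and SMB ports so that SYSVOL (where the ADM files in the error above live) can be read. The following read-only diagnostic is an added example written for this page, not a script from the thread or its participants. It assumes a domain-joined workstation, PowerShell 2.0 or later (hence WMI, nslookup and nltest rather than the newer DNS cmdlets), that nltest is installed, and that the domain name is taken from $env:USERDNSDOMAIN; all of those are assumptions. Run it as a local administrator on an affected machine at the remote site.

```powershell
# Added diagnostic example for "GPO not applying across a VPN" (not from the thread).
# Assumptions: domain-joined client, PowerShell 2.0+, nltest present, $Domain correct.
param(
    [string]$Domain = $env:USERDNSDOMAIN   # assumption: client is joined to this domain
)

$report = @()
function Add-Line($text) { $script:report += $text; Write-Host $text }

# 1. DNS servers on every IP-enabled adapter. Domain members should point only at
#    AD-integrated DNS servers, otherwise the DC locator records below will not resolve.
Add-Line "== DNS client configuration =="
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
    ForEach-Object {
        Add-Line ("{0}: DNS = {1}" -f $_.Description, ($_.DNSServerSearchOrder -join ', '))
    }

# 2. DC locator: the client must resolve the _ldap._tcp.dc._msdcs SRV record.
#    nslookup is used because Resolve-DnsName only exists on Windows 8 / 2012 and later.
Add-Line "== DC locator SRV records =="
cmd /c "nslookup -type=SRV _ldap._tcp.dc._msdcs.$Domain 2>&1" | ForEach-Object { Add-Line $_ }

# 3. Site and DC binding. A remote subnet that is not mapped to a site in
#    AD Sites and Services can make the client bind to a distant or wrong DC.
Add-Line "== Site / DC binding =="
Add-Line (cmd /c "nltest /dsgetsite 2>&1" | Out-String)
Add-Line (cmd /c "nltest /dsgetdc:$Domain 2>&1" | Out-String)

# 4. Ports Group Policy processing needs on the DC: Kerberos 88, LDAP 389, SMB 445.
#    A firewall or VPN ACL silently dropping one of these is the classic cause of policy
#    applying on the local subnet but not across the link.
function Test-TcpPort($Target, $Port, $TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

Add-Line "== DC port reachability =="
# Resolving the bare domain name returns DC addresses; the first one is tested here.
$dcIp = ([System.Net.Dns]::GetHostAddresses($Domain) | Select-Object -First 1).IPAddressToString
foreach ($p in 88, 389, 445) {
    Add-Line ("{0}:{1} reachable = {2}" -f $dcIp, $p, (Test-TcpPort $dcIp $p))
}

# 5. SYSVOL. "The latest versions of the ADM files ... cannot find the path specified"
#    means the client could not read a policy folder. List each GPO folder and its
#    gpt.ini version so a missing or unreadable one stands out.
Add-Line "== SYSVOL policy folders =="
$policies = "\\$Domain\SYSVOL\$Domain\Policies"
if (Test-Path $policies) {
    Get-ChildItem $policies | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $gpt = Join-Path $_.FullName 'gpt.ini'
        if (Test-Path $gpt) {
            $m = Get-Content $gpt | Select-String '^Version='
            $ver = if ($m) { $m.Line -replace '^Version=', '' } else { 'no Version line' }
        } else { $ver = 'gpt.ini missing' }
        Add-Line ("{0}  version {1}" -f $_.Name, $ver)
    }
} else {
    Add-Line "Cannot reach $policies - check SMB (445) across the VPN and DNS resolution"
}

# 6. What the client actually applied, computer scope. gpresult exists on XP and later.
Add-Line "== gpresult (computer scope) =="
cmd /c "gpresult /scope computer /v 2>&1" | ForEach-Object { Add-Line $_ }

$report | Out-File "$env:TEMP\gpo-vpn-diag.txt"
Write-Host "Report written to $env:TEMP\gpo-vpn-diag.txt"
```

Reading the output: if step 2 returns no SRV records the client is using a non-AD DNS server and nothing else will work; if step 3 reports "Default-First-Site-Name" or a site other than the remote one, the subnet mapping is the problem; a "False" in step 4 or a failed step 5 points at the VPN or firewall rather than at the workstation, which is the case where editing local policy by hand (as the author ended up doing) only hides the cause.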
 
LVL 5

Expert Comment

by:tdukie13
ID: 24805725
Can you ping names of other workstations/servers from the affected machines by FQDN?
0
 
LVL 1

Author Comment

by:KCDean
ID: 24805947
Tdukie

Yep I can ping machines on that side with no problems.
0
 
LVL 1

Author Comment

by:KCDean
ID: 24805968
flush/register did nothing as well.
0
 
LVL 5

Accepted Solution

by:
tdukie13 earned 500 total points
ID: 24813338
KC,
This is a tough one. I am running out of ideas. However, I do remember an issue I had similar to this with group policy applying. I had to do something with this folder: C:\WINDOWS\security\Database, and the .edb files that are in there. I believe I copied the contents from that folder on a working machine to an affected machine and gave the computer a reboot. Could have corrupted local policies....

Good luck,
T
0
 
LVL 1

Author Comment

by:KCDean
ID: 24854639
Interesting. I'm on holidays, but when I get back I will take a look at that; for now I have adjusted the local policy as it's only two machines that needed adjusting...
0
 
LVL 5

Expert Comment

by:tdukie13
ID: 24858541
Fair enough. If it is just two then it may be a local corruption, let me know either way - I am curious.

Best,
T
0
 
LVL 1

Author Closing Comment

by:KCDean
ID: 31600753
Could never find a resolution, but everyone tried their best. I ended up setting each computer individually as there were only 2 systems that needed this adjustment.
0
