Server in DMZ is not applying GPO

Posted on 2009-12-18
Last Modified: 2012-06-27
I have a small citrix farm in my org. The farm has been placed into our DMZ. Right or wrong, this decision was made by our regional firewall admin and is not up for discussion.

Holes have been poked in the firewall to allow specific communications to servers on the corp LAN for f&p, DNS and most AD communications. Everything appears to be working fine until you log on as a user and the assigned GPO does not apply.

In my troubleshooting, running rsop.msc from the Windows server in the DMZ fails and cannot read the GPO from the DC.

Running the Group Policy Results wizard through my dsa.msc fails and returns the message "RPC server is unavailable".

These two things tell me that the firewall is not allowing some kind of communication to pass.

My firewall admin says all ports are opened.

In further troubleshooting, I noticed that sometimes when I run rsop.msc from the server in the DMZ, it does not use our local DC but tries to read from a DC on a whole different subnet in our WAN network. The firewall appears to be dropping this communication and only allowing the local DC to communicate with the DMZ.

Question by: nappy_d

    Accepted Solution


    The server from which you launch rsop.msc is in a DMZ, so it is in an IP subnet that is probably not referenced in the AD topology. That probably explains why your server tries to reach any DC somewhere in your organization instead of using the nearest one.

    The only way for a client to know which DC is the nearest is to use the AD topology and compare it with its own IP subnet. One of the AD sites declared in the AD topology should match the IP subnet of the client. In that case the client knows it belongs to the matching AD site, and it then asks DNS for DCs in the same AD site.
    If the client cannot find a matching AD site in the AD topology, it asks the DNS server for ANY DC in the domain, with no notion of AD site membership.

    This probably also explains why your client cannot read the GPO: as there is a firewall between your client and the internal network, when your client chooses any DC that is not in the local network, the firewall blocks the IP traffic.

    What you have to do first is declare the IP subnet of the DMZ in the AD topology (Active Directory Sites and Services) and associate it with the nearest AD site (the AD site hosting the DCs you want your DMZ client to use). Reboot the client to force it to re-query the AD topology and verify again whether it still chooses DCs in other sites.

    Have a good day.
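    To make the fix above concrete, here is an added example (not written by the thread's participants) that declares the DMZ subnet in Sites and Services from PowerShell and then runs the checks on the DMZ server that show which site and DC the locator now resolves. The subnet 192.0.2.0/24, the site name Main-Office, the domain corp.example.com and the DC name dc01 are assumed placeholders; the cmdlets need the ActiveDirectory module from a Server 2012 or later RSAT install (on the 2008-era servers in the thread, do the same in dssite.msc).

```powershell
# Added example, not code from the original thread.
# Assumed values: DMZ subnet 192.0.2.0/24, AD site Main-Office, domain corp.example.com.
$DmzSubnet   = '192.0.2.0/24'       # assumed DMZ subnet
$NearestSite = 'Main-Office'        # assumed site that holds the DCs the DMZ should use
$Domain      = 'corp.example.com'   # assumed domain name

Import-Module ActiveDirectory

# 1. On an admin workstation with rights to Sites and Services: declare the DMZ
#    subnet and bind it to the nearest site. Without this mapping the DC locator
#    has no site match and falls back to "any DC in the domain".
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$DmzSubnet'")) {
    New-ADReplicationSubnet -Name $DmzSubnet -Site $NearestSite -Description 'Citrix DMZ'
}
Get-ADReplicationSubnet -Identity $DmzSubnet | Select-Object Name, Site

# 2. On the DMZ Citrix server: confirm which site the locator now assigns to this
#    host and which DC it picks. /force discards the cached DC from the last logon,
#    which is the same effect the reboot suggested above is meant to have.
nltest /dsgetsite
nltest "/dsgetdc:$Domain" /force

# 3. Refresh policy and confirm the DC named in the result is the local one
#    before trying rsop.msc again.
gpupdate /force
gpresult /r | Select-String 'Group Policy was applied from'
```

    Before changing anything, the DC side already records the symptom: Netlogon writes NO_CLIENT_SITE entries to C:\Windows\debug\netlogon.log (summarised in Netlogon event ID 5807 in the System log) for every client that authenticated from an address that matches no declared subnet, so the DMZ server's IP appearing there confirms the diagnosis above.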
    Expert Comment

    You can use the PortQry tool, or a command like netstat -abnov.
    You can telnet from the DMZ server to your DC on ports such as DNS (53), LDAP (389), RPC (135), GC (3268), Kerberos (88), FRS (445).
    Allowing the communication can only be done at the firewall level, not on the server, as there is no firewall there.
    From your end, check whether there is any IPsec policy configured, either in Group Policy or anywhere else.
    It's a firewall issue, and I know it is always hard to convince the networking team that the issue is at their end.
    I too had a similar issue, but we had to find the solution and give it to them.
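    The port list above, as an added example (not the commenter's own code) scripted from the DMZ server so the result can be handed to the firewall admin as one table. The DC name dc01.corp.example.com is an assumed placeholder. Test-NetConnection needs Windows 8.1 / Server 2012 R2 or later; on older hosts the same probes are PortQry.exe -n dc01 -e <port>.

```powershell
# Added example, not code from the original thread. Run on the DMZ server.
$Dc = 'dc01.corp.example.com'   # assumed: the DC the DMZ host is meant to use

# TCP ports a domain member needs for logon and Group Policy processing.
# 445 is SMB: the client reads GPO files from the SYSVOL share over it.
$Ports = [ordered]@{
    'DNS'            = 53
    'Kerberos'       = 88
    'RPC endpoint'   = 135
    'LDAP'           = 389
    'SMB (SYSVOL)'   = 445
    'LDAP over SSL'  = 636
    'Global Catalog' = 3268
}

$Results = foreach ($p in $Ports.GetEnumerator()) {
    $r = Test-NetConnection -ComputerName $Dc -Port $p.Value -WarningAction SilentlyContinue
    [pscustomobject]@{
        Service = $p.Key
        Port    = $p.Value
        State   = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
    }
}
$Results | Format-Table -AutoSize

# Anything reported BLOCKED is for the firewall admin; the list is the
# evidence the comment above says you need to hand to the networking team.
$Results | Where-Object State -eq 'BLOCKED'
```

    Two caveats a TCP probe cannot show. First, the DC locator's site lookup is a CLDAP ping over UDP 389, and Kerberos and DNS also use UDP, so an all-green TCP table does not prove those are allowed. Second, the "RPC server is unavailable" from the Group Policy Results wizard comes from the wizard's WMI call into the DMZ server, which flows from the corp LAN to the DMZ on 135 plus the dynamic RPC range (49152-65535 on Server 2008 and later); run the same loop from the GPMC workstation against the DMZ server, and ask the firewall admin for that range in that direction, not just DMZ to DC.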
    Author Closing Comment

    Yes, I am now working with my AD Enterprise Admin and Firewall Admin to make the necessary changes.
