Irwin W.
asked on
server in dmz is not applying GPO
I have a small Citrix farm in my org. The farm has been placed into our DMZ. Right or wrong, this decision was made by our regional firewall admin and is not up for discussion.
Holes have been poked in the firewall to allow specific communications to servers on the corp LAN for f&p, DNS and most AD communications. Everything appears to be working fine until you log on as a user, at which point the GPO does not apply.
In my troubleshooting, running rsop.msc from the Windows server in the DMZ fails and cannot read the GPO from the DC.
Running the Group Policy Results wizard through my dsa.msc fails and returns the message "RPC server is unavailable".
These two things tell me that the firewall is not allowing some kind of communication to pass.
My firewall admin says all ports are opened.
In further troubleshooting, I noticed that sometimes when I run rsop.msc from the server in the DMZ, it does not use our local DC but tries to read from a DC on a whole different subnet in our WAN. The firewall appears to be dropping this communication and allowing only the local DC to communicate with the DMZ.
ASKER
Yes, I am now working with my AD Enterprise Admin and Firewall Admin to make the necessary changes.
Use a command like netstat -abnov.
You can telnet to the ports on your DC from the DMZ server, like DNS (53), LDAP (389), RPC (135).
Allowing the communication can only be done at the firewall level, not on the server, as there is no firewall there.
From your end, check whether there is any IPsec policy configured, either in Group Policy or anywhere else.
It's a firewall issue, and I know it's always an issue to convince the networking team that the problem is at their end.
I too had a similar issue, but we had to find the solution and give it to them.
References:
http://support.microsoft.com/kb/832017
http://www.windowsnetworking.com/kbase/WindowsTips/WindowsServer2008/AdminTips/ActiveDirectory/WhatAllPortsAreRrequiredByDomainControllersAndClientComputers.html
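Added example, not code from the thread or from either poster: a PowerShell check that does the port test suggested above in one pass from the DMZ server, and also prints which site and DC the locator chooses, since a DMZ subnet that is not mapped to a site in AD Sites and Services lets the locator pick a DC on any subnet, which matches the symptom in the question. It assumes PowerShell 4 or later on the DMZ member server (Resolve-DnsName, Test-NetConnection), an elevated session, a placeholder domain name corp.example.com, and the default dynamic RPC range of Windows Server 2008 and later (49152-65535). That range, not just 135, is what the endpoint mapper hands out to the RSoP and GPMC RPC calls, and a firewall that passes only 135 produces exactly "RPC server is unavailable". The Test-Port function (my own helper, not a built-in) distinguishes a connection that times out (dropped by a firewall) from one that is refused (allowed through, nothing listening), so a "refused" result on a sampled dynamic port is fine and a "filtered" one is the firewall.

```powershell
# Added example (not from the thread). Run elevated on the DMZ member server.
# Assumes PowerShell 4+, Windows Server 2008+ dynamic RPC range, placeholder domain.
$Domain = 'corp.example.com'   # placeholder: replace with your AD domain

# Connect with a timeout so a firewall drop (no reply) can be told apart from a
# refused connection (RST: reachable, but nothing listening on that port).
function Test-Port {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'filtered'   # neither SYN-ACK nor RST within the timeout
        }
        $client.EndConnect($async)   # throws SocketException on RST
        return 'open'
    } catch [System.Net.Sockets.SocketException] {
        return 'refused'
    } catch {
        return 'error'
    } finally {
        $client.Close()
    }
}

Write-Host "Logon server for this session: $env:LOGONSERVER"
Write-Host "Site the locator puts this server in:"
nltest /dsgetsite | Select-Object -First 1
# If the site shown is not the one holding the local DC, the DMZ subnet is most
# likely not associated with a site, so any DC in the forest may be returned.
nltest /dsgetdc:$Domain /force | Select-String 'DC:|Dom Site|Our Site'

# Every DC the domain advertises; the locator can fall back to any of them.
$Dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' } |
       ForEach-Object { $_.NameTarget } | Sort-Object -Unique

# Static ports a member server needs for logon and Group Policy processing.
$StaticPorts = [ordered]@{
    'DNS'                   = 53
    'Kerberos'              = 88
    'RPC endpoint mapper'   = 135
    'LDAP'                  = 389
    'SMB (SYSVOL/NETLOGON)' = 445
    'Kerberos password'     = 464
    'Global Catalog LDAP'   = 3268
}
# RSoP/GPMC and other RPC clients are handed a port from the dynamic range by the
# endpoint mapper. A sample of that range is probed: 'refused' is normal (nothing
# listening on that particular port), 'filtered' means the firewall drops it.
$DynamicSample = 49152, 50000, 60000, 65535

$Report = foreach ($dc in $Dcs) {
    foreach ($entry in $StaticPorts.GetEnumerator()) {
        [pscustomobject]@{
            DC      = $dc
            Service = $entry.Key
            Port    = $entry.Value
            Result  = Test-Port -ComputerName $dc -Port $entry.Value
        }
    }
    foreach ($p in $DynamicSample) {
        [pscustomobject]@{
            DC      = $dc
            Service = 'RPC dynamic (sample)'
            Port    = $p
            Result  = Test-Port -ComputerName $dc -Port $p
        }
    }
}
$Report | Format-Table -AutoSize

# Summary of what the firewall is dropping, per DC.
$Report | Where-Object { $_.Result -eq 'filtered' } | Group-Object DC | ForEach-Object {
    $ports = ($_.Group | ForEach-Object { $_.Port } | Sort-Object -Unique) -join ', '
    Write-Host ("Filtered on {0}: {1}" -f $_.Name, $ports)
}

# The one thing to rule out locally: an IPsec connection security rule pushed by GPO.
Get-NetIPsecRule -PolicyStore ActiveStore -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Enabled, Mode | Format-Table -AutoSize
```

Run it once from the DMZ server and keep the output: a static port or a sampled dynamic port showing "filtered" on the DC that should serve the DMZ is the evidence to hand to the firewall team, and a site name that does not match the local DC's site is the evidence for the AD admin to add the DMZ subnet to the right site.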