
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1714
  • Last Modified:

server in dmz is not applying GPO

I have a small citrix farm in my org. The farm has been placed into our DMZ. Right or wrong, this decision was made by our regional firewall admin and is not up for discussion.

Holes have been poked in the firewall to allow specific communications to servers on the corp LAN for f&p, dns and most AD communications. Everything appears to be working fine until you log on as a user and the GPO does not apply.

In my troubleshooting, running rsop.msc from the Windows server in the dmz fails and cannot read the GPO from the DC.

Running the group policy results wizard through my dsa.mmc fails and returns the message "rpc server is unavailable".

These two things tell me that the firewall is not allowing some kind of communication to pass.

My firewall admin says all ports are opened.

In further troubleshooting, I noticed that sometimes when I run rsop.msc from the server in the dmz, it does not use our local dc but tries to read from a dc on a whole different subnet in our wan network. The firewall appears to be dropping this communication and only allowing the local DC to communicate with the dmz.  
1 Solution
Bruno PACI (IT Consultant) commented:

The server from which you launch the rsop.msc is in a DMZ, so it is in an IP subnet that is probably not referenced in the AD topology. That probably explains why your server tries to reach any DC somewhere in your organization instead of using the nearest ones.

The only way for a client to know which DC is the nearest is to use AD topology and compare it to its own IP subnet. One of the AD sites declared in the AD topology should match with the IP subnet of the client. In this situation, the client knows it belongs to the matching AD site and then the client asks the DNS for DCs in the same AD site.
If the client cannot find a matching AD site in the AD topology then it asks the DNS server for ANY DC in the domain, without notion of AD site membership.

This probably also explains why your client cannot read the GPO: as there is a firewall between your client and the internal network, when your client chooses any DC that is not in the local network the firewall blocks the IP traffic.

What you have to do at first is declare the IP subnet of the DMZ in the AD topology (Active Directory Sites and Services) and associate it with the nearest AD site (the AD site hosting the DCs you want to be used by your DMZ client). Reboot the client to force it to re-ask for the AD topology and verify again whether it still chooses DCs in other sites.

Have a good day.
You can use the PortQry tool.
A command like netstat -abnov .
You can telnet to ports on your DC from the DMZ server, like DNS (53), LDP (389), RPC (135), GC (3268), Kerberos (88), FRS (445).
Allowing the communication can only be done at the firewall level, not on the server, as there is no firewall there.
From your end, look at whether there is any IPSEC policy configured, either in group policy or anywhere else.
It's a firewall issue, and I know it's always an issue to convince the networking team that the problem is at their end.
I too had a similar issue, but we have to find the solution and give it to them.
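A diagnostic that ties the two replies above together, run on the DMZ member server. It is an added example, not code from either commenter: it asks the DC locator which site it thinks the host is in and which DC it picks, tests the ports listed above against the one DC the firewall permits, and ends with the subnet-to-site mapping the accepted answer prescribes. The domain, DC name, subnet and site name are placeholders.

```powershell
# Added diagnostic for the DMZ server; all four values below are placeholders.
$Domain    = 'corp.example'          # placeholder: AD domain
$LocalDc   = 'dc01.corp.example'     # placeholder: the DC the firewall allows
$DmzSubnet = '192.0.2.0/24'          # placeholder: DMZ subnet (RFC 5737 range)
$SiteName  = 'HQ'                    # placeholder: AD site hosting $LocalDc

# 1. Which site does the DC locator think this host belongs to?
#    "(null)" or an unexpected site means the DMZ subnet is not in Sites and Services.
nltest /dsgetsite

# 2. Which DC does the locator actually pick? Compare with $LocalDc.
nltest "/dsgetdc:$Domain" /force

# 3. TCP reachability from here to the permitted DC for the services GPO
#    processing depends on. Note that 135 only reaches the endpoint mapper;
#    the RPC call itself lands on a dynamic high port the firewall must also pass.
$ports = @{ 53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'
            389 = 'LDAP'; 445 = 'SMB (SYSVOL)'; 3268 = 'Global Catalog' }
foreach ($p in ($ports.Keys | Sort-Object)) {
    $ok = (Test-NetConnection -ComputerName $LocalDc -Port $p `
              -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,5} {1,-22} {2}' -f $p, $ports[$p], $(if ($ok) { 'open' } else { 'BLOCKED' })
}

# 4. The fix from the accepted answer: map the DMZ subnet to the site.
#    Run from a host with the ActiveDirectory module (RSAT) and rights in
#    Sites and Services; uncomment once $DmzSubnet and $SiteName are correct.
# Import-Module ActiveDirectory
# New-ADReplicationSubnet -Name $DmzSubnet -Site $SiteName
```

After the subnet is registered, rerun step 1 and 2 on the DMZ server (after a reboot, as the answer suggests) and confirm it now reports the intended site and picks $LocalDc.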
nappy_d (Author) commented:
Yes, I am now working with my AD Enterprise Admin and Firewall Admin to make the necessary changes.
