Solved

Active Directory not updating GPO's

Posted on 2010-09-22
Last Modified: 2012-05-10
Hello,

I have an issue where AD doesn't want to update people's policy. I added a trusted site certificate for my SonicWall, because I want to enable DPI-SSL, and it is not putting it through to computers even after gpupdate /force :( Anyone have any ideas of what could be causing this problem? Thank you
Question by: morlauskas
21 Comments

Expert Comment by: Krzysztof Pytko

Run RSoP.msc on one of your clients and check if your policy is applied. Maybe there is a problem with certificate autoenrollment, not with the GPO itself?

Author Comment by: morlauskas

When I run RSoP.msc I don't have the trusted certificate field, but I have it in GPO Management. So I can't see it in RSoP...

Expert Comment by: Krzysztof Pytko

Could you tell me please how you configured your policy?

Author Comment by: morlauskas

I created a new policy; in that policy I imported the certificate to Computers/.../Trusted Root Certification Authorities. Maybe something else needs doing to the GPO before the certificate goes out??? Thanks

Expert Comment by: Krzysztof Pytko

OK, and to which OU did you link it? This should be done to the computers OU.

Author Comment by: morlauskas

I linked it to my user OU. Do I need to link it to the computer OU? My computer OU is the default computer OU in AD and it doesn't seem like it is possible to link a GPO to that OU? Or am I not understanding something?

Accepted Solution by: Krzysztof Pytko (earned 400 total points)

Everything you configure under the Computer Configuration node in a GPO has to be linked to the OU where the computers are located.
Everything you configure under the User Configuration node in a GPO has to be linked to the OU where the users are located.

So, in this case it has to be linked to the OU where the computers are located. If this certificate should be deployed to every computer/server in your domain, you can link it at the domain level.

And the last remark. Each policy can be linked only to OUs, not to containers. In AD there are a few standard containers which also store account objects but cannot have policy links (i.e. Builtin, Computers, Users). Then you have to prepare a new OU, move user or computer accounts there, and you will be able to link the GPO.
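
The OU/container point above, done from the command line as an added example (not from the thread or from either participant): create a real OU, move the machines out of the default Computers container, link the certificate GPO there, and confirm the link. It assumes the ActiveDirectory and GroupPolicy PowerShell modules (RSAT, Server 2008 R2 or later) and placeholder names for the OU and GPO.

```powershell
# Added example, not from the thread. Assumes RSAT/2008 R2 modules and
# placeholder names: OU "Workstations", GPO "Deploy Firewall Root Cert".
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$ouName   = 'Workstations'                 # placeholder OU name
$ouDN     = "OU=$ouName,$domainDN"
$gpoName  = 'Deploy Firewall Root Cert'    # placeholder GPO name

# 1. CN=Computers is a container, not an OU, so it cannot carry a GPO link.
#    Create a proper OU for the machines if it does not exist yet.
$existing = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN
if (-not $existing) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# 2. Move the computer accounts out of the default Computers container.
Get-ADComputer -Filter * -SearchBase "CN=Computers,$domainDN" |
    ForEach-Object { Move-ADObject -Identity $_.DistinguishedName -TargetPath $ouDN }

# 3. Link the GPO (its settings live under Computer Configuration) to the
#    computers' OU. Use -Target $domainDN to reach every machine in the domain.
New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes

# 4. Confirm the link is in place; then run gpupdate /force and RSoP.msc on a
#    client in that OU to see the certificate setting applied.
(Get-GPInheritance -Target $ouDN).GpoLinks | Select-Object DisplayName, Enabled, Order
```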

Author Comment by: morlauskas

Yeah, thanks for the info. I created a new OU and linked the SSL GPO and it worked, it is giving me the policy. But when I enable DPI-SSL on my SonicWall firewall, it is still not trusting the certificate. Any ideas on how it should be applied? I downloaded the certificate off my firewall so I don't know if this is the right way to do it. If you don't know we can close this, as you did help me, and I can open a new ticket. Thanks

Expert Comment by: Krzysztof Pytko

You're welcome. Nope, you need to trust the same Root CA as the SonicWall. This certificate is issued by some CA and it also has to be imported in your path. If it is missing, your certificate is still not trusted/verified, so you will have an error message.

Could you tell me please, if you used your own CA for the certificate for the SonicWall or an external company?
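
A client-side check for the "same Root CA" point above, as an added example (not from the thread): confirm the GPO-deployed certificate actually landed in the machine's Trusted Root store, then fetch the certificate the client really sees for an HTTPS site (with DPI-SSL on, that is the firewall's re-signed one) and test whether it chains to a trusted root. The .cer path and host name are placeholders.

```powershell
# Added example, not from the thread. Placeholders: path of the .cer exported
# from the firewall, and any HTTPS host that passes through the firewall.
$rootCerPath = 'C:\certs\firewall-root.cer'   # placeholder path
$hostName    = 'www.example.com'               # placeholder HTTPS host

$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $rootCerPath

# 1. Did the GPO put the certificate into LocalMachine\Root (thumbprint match)?
$inRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
if ($inRoot) { "Root present in LocalMachine\Root: $($root.Subject)" }
else         { "Root NOT in LocalMachine\Root - check GPO link, scope and gpupdate" }

# 2. Open a TLS session and capture the certificate presented to this client.
#    The callback accepts anything so we can inspect it; the real check is below.
$accept = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
$tcp = New-Object System.Net.Sockets.TcpClient($hostName, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
$ssl.AuthenticateAsClient($hostName)
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
$ssl.Dispose(); $tcp.Close()

# 3. Build the chain against the Windows store, the same trust decision IE and
#    other SChannel clients make. An untrusted issuer shows up in ChainStatus.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # isolate the trust question from CRL reachability
$ok = $chain.Build($leaf)
"Issuer seen by client : $($leaf.Issuer)"
"Chains to trusted root: $ok"
if (-not $ok) { $chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation.Trim())" } }
```

If the issuer shown is the firewall's own certificate and the chain fails with UntrustedRoot, the certificate in the GPO is not the one the firewall signs with, or it has not reached this machine's store yet.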

Author Comment by: morlauskas

I don't know if you have used SonicWall before but it gives you the option to download their
ssl.JPG

Author Comment by: morlauskas

Sorry for the double post but I pressed enter by mistake. This is the certificate that I downloaded off my SonicWall firewall and that is the certificate I imported to AD. It is not registered anywhere, but I assumed that if I roll it out to all machines it should work, because it was added to the trusted list?

Expert Comment by: Krzysztof Pytko

OK, I don't know how SonicWall works. So, I've never seen its certificate. Probably you're right.
But it looks like a self-signed certificate and your client won't trust it until you use your own CA to issue the certificate. But I could be wrong. Sorry for not being clear :/

Author Comment by: morlauskas

CA? Sorry for being a noob, but I just started to look into all of this... How do I create my own CA?

Expert Comment by: Krzysztof Pytko

OK, I don't know which server version you use, 2003/2008?

Each Windows Server has a role called Certificate Authority which is responsible for creating certificates. If you want to use it, you have to add the CA role first. It fulfills your internal needs unless you need to sell your certificates to 3rd parties ;)

You can issue a certificate within your domain and then each client in your domain will trust the same Root CA. Each certificate issued later will be accepted by your clients unless you revoke it.

Setting up the CA role is not very complicated, but proper management and securing it is a "good" part of that :]

Author Comment by: morlauskas

Is there a good tutorial on creating your own CA, or is it just a matter of reading the material in the Server 2003 book?

Expert Comment by: Krzysztof Pytko

I don't know any good tutorial which contains all the necessary information. You can read this article about your own PKI (Public Key Infrastructure)

http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx

and dig in the Internet about other related subjects. You need to know how to define a Stand-Alone CA and an Enterprise CA.

The best method to check how it works and what you can do with your own CA is to test it in a test environment (based on VPC or VMware) :)

Author Comment by: morlauskas

But say for example I get the untrusted certificate pop-up, I add the exemption and it works fine, it never asks for it again. So I want to roll out that sort of thing across the domain, and I thought that certificate would do the trick...

Expert Comment by: Krzysztof Pytko

I think not :|
You need a trusted certificate to roll out.

Assisted Solution by: digitap (earned 100 total points)

Have a look at this article. I think it's going to answer some of your questions. http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7813

Author Closing Comment by: morlauskas

Thanks for the information

Expert Comment by: digitap

Thanks for the points!