Solved

Active Directory not updating GPOs

Posted on 2010-09-22
244 Views
Last Modified: 2012-05-10
Hello,

I have an issue where AD doesn't want to update people's policy. I added a trusted site certificate for my SonicWall, because I want to enable DPI-SSL, and it is not putting it through to computers even after GPupdate /force :( Anyone have any ideas of what could be causing this problem? Thank you
Question by:morlauskas
21 Comments
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33732626
Run RSoP.msc on one of your clients and check if your policy is applied. Maybe there is a problem with certificate autoenrollment, not with the GPO itself?
 

Author Comment

by:morlauskas
ID: 33732700
When I run RSoP.msc I don't have a trusted certificate field, but I have it in GPO management. So I can't see it in RSoP...
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33732750
Could you tell me please how you configured your policy?
 

Author Comment

by:morlauskas
ID: 33732812
I created a new policy; in that policy I imported the certificate to Computers/.../Trusted Root Certification Authorities. Maybe something else needs doing to the GPO before the certificate goes out??? Thanks
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33732967
OK, and to which OU did you link it? This should be done to the computers OU.
 

Author Comment

by:morlauskas
ID: 33733017
I linked it to my user OU. Do I need to link it to the computer OU? My computer OU is the default computer OU in AD and it doesn't seem like it is possible to link a GPO to that OU? Or am I not understanding something?
 
LVL 39

Accepted Solution

by: Krzysztof Pytko (earned 400 total points)
ID: 33733260
Everything you configure under the Computer Configuration node in a GPO has to be linked to the OU where the computers are located.
Everything you configure under the User Configuration node in a GPO has to be linked to the OU where the users are located.

So, in this case it has to be linked to the OU where the computers are located. If this certificate should be deployed to every computer/server in your domain, you can link it at the domain level.

And the last remark. Each policy can be linked only to OUs, not to containers. In AD there are a few standard containers which also store account objects but cannot have policy links (i.e. Builtin, Computers, Users). So you have to prepare a new OU, move the user or computer accounts there, and then you will be able to link the GPO.
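The steps in the accepted answer (create a real OU, move the computer accounts out of the default Computers container, link the computer-side GPO there) as an added PowerShell example. This is not code from the thread; it assumes the RSAT ActiveDirectory and GroupPolicy modules and uses placeholder names for the OU ("Workstations") and the GPO ("Firewall DPI-SSL Root Cert"), which already carries the certificate under Computer Configuration.

```powershell
# Added example, not from the thread. Assumes RSAT ActiveDirectory + GroupPolicy
# modules; OU name and GPO name below are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn    = (Get-ADDomain).DistinguishedName      # e.g. DC=corp,DC=example
$computersCn = "CN=Computers,$domainDn"              # default container, cannot hold GPO links
$ouName      = "Workstations"                        # placeholder
$ouDn        = "OU=$ouName,$domainDn"
$gpoName     = "Firewall DPI-SSL Root Cert"          # placeholder, GPO must already exist

# 1. Show why the GPMC never offers CN=Computers as a link target: it is a
#    'container', and GPOs link only to sites, domains and OUs.
$target = Get-ADObject -Identity $computersCn -Properties ObjectClass
Write-Host "$computersCn is objectClass '$($target.ObjectClass)' - not linkable"

# 2. Create the OU if it does not exist yet.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# 3. Move the computer accounts out of the container into the new OU.
#    Domain controllers live in their own OU and are not touched here.
Get-ADComputer -Filter * -SearchBase $computersCn -SearchScope OneLevel |
    ForEach-Object {
        Write-Host "Moving $($_.Name) to $ouDn"
        Move-ADObject -Identity $_.DistinguishedName -TargetPath $ouDn
    }

# 4. Link the computer-side GPO to the OU that now holds the computers
#    (linking it to the users' OU, as in the question, applies nothing).
$links = (Get-GPInheritance -Target $ouDn).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq $gpoName })) {
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null
}

# 5. Confirm the link: the GPO should be listed with Enabled = True.
(Get-GPInheritance -Target $ouDn).GpoLinks | Format-Table DisplayName, Enabled, Enforced, Order
```

On a client that was moved, run `gpupdate /target:computer /force` (or reboot) and `gpresult /scope computer /r` should list the GPO under Applied Group Policy Objects; the pushed certificate then appears in `Get-ChildItem Cert:\LocalMachine\Root`.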
 

Author Comment

by:morlauskas
ID: 33733287
Yeah, thanks for the info. I created a new OU and linked the SSL GPO and it worked, it is giving me the policy. But when I enable DPI-SSL on my SonicWall firewall, it is still not trusting the certificate. Any ideas on how it should be applied? I downloaded the certificate off my firewall so I don't know if this is the right way to do it. If you don't know we can close this as you did help me and I can open a new ticket. Thanks
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33733336
You're welcome. Nope, you need to trust the same Root CA as the SonicWall. This certificate is issued by some CA and it also has to be imported in your path. If it is missing, your certificate is still not trusted/verified, so you will have an error message.

Could you tell me please if you used your own CA for the SonicWall certificate or an external company?
 

Author Comment

by:morlauskas
ID: 33733351
I don't know if you have used SonicWall before but it gives you the option to download their
(attachment: ssl.JPG)
 

Author Comment

by:morlauskas
ID: 33733357
Sorry for the double post but I pressed enter by mistake. This is the certificate that I download off my SonicWall firewall and that is the certificate I imported to AD. It is not registered anywhere, but I assumed that if I roll it out to all machines it should work, because it was added to the trusted list?
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33733386
OK, I don't know how SonicWall works, so I've never seen its certificate. Probably you're right.
But it looks like a self-signed certificate and your client won't trust it until you use your own CA to issue the certificate. But I could be wrong. Sorry for not being clear :/
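The two replies above turn on one question: does the certificate the firewall presents on intercepted connections actually chain to the root that Group Policy pushed into the computer's Trusted Root store? An added PowerShell check (not from the thread) that answers it from a domain-joined client; the host name and port are placeholders, and it only reports, it does not change any trust settings.

```powershell
# Added example, not from the thread. Run on a domain-joined client behind the
# DPI-SSL firewall; $TargetHost/$Port are placeholders for any HTTPS site.
param(
    [string]$TargetHost = "www.example.com",
    [int]$Port = 443
)

# The chain object is cleared after the callback returns, so copy the fields we need.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $last = $chain.ChainElements.Count - 1
    $script:leafSubject = $chain.ChainElements[0].Certificate.Subject
    $script:leafIssuer  = $chain.ChainElements[0].Certificate.Issuer
    $script:rootSubject = $chain.ChainElements[$last].Certificate.Subject
    $script:rootThumb   = $chain.ChainElements[$last].Certificate.Thumbprint
    $script:sslErrors   = $errors
    return $true        # accept only so the handshake completes; we judge trust below
}

$tcp = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try   { $ssl.AuthenticateAsClient($TargetHost) }
finally { $ssl.Dispose(); $tcp.Close() }

"Leaf subject : $script:leafSubject"
"Leaf issuer  : $script:leafIssuer"      # with DPI-SSL on, this is the firewall's CA
"Chain root   : $script:rootSubject ($script:rootThumb)"
"Policy errors: $script:sslErrors"       # None = Windows already trusts the chain

# Cert:\LocalMachine\Root includes roots delivered by GPO; match on thumbprint, not name.
$deployed = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $script:rootThumb }
if ($deployed) {
    "OK: the root signing intercepted traffic is the one deployed by Group Policy."
} else {
    "MISMATCH: the certificate pushed by GPO is not the signer of intercepted traffic."
}
```

A MISMATCH with a leaf issuer that names the firewall means the file imported into the GPO is not the CA certificate the firewall re-signs with; a MISMATCH with a public CA as issuer means DPI-SSL is not intercepting this host at all.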
 

Author Comment

by:morlauskas
ID: 33733433
CA? Sorry for being a noob, but I just started to look into all of this... How do I create my own CA?
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33733469
OK, I don't know which server version you use, 2003/2008?

Each Windows Server has a role called Certificate Authority which is responsible for creating certificates. If you want to use it, you have to add the CA role first. It fulfills your internal needs unless you need to sell your certificates to 3rd parties ;)

You can issue a certificate within your domain and then each client in your domain will trust the same Root CA. Each certificate issued later will be accepted by your clients until you revoke it.

Setting up the CA role is not very complicated, but proper management and securing is a "good" part of that :]
 

Author Comment

by:morlauskas
ID: 33733498
Is there a good tutorial on creating your own CA, or is it just a matter of reading the material in the Server 2003 book?
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33733558
I don't know any good tutorial which contains all the necessary information. You can read this article about your own PKI (Public Key Infrastructure)

http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx

and dig in the Internet for other related subjects. You need to know how to define a Stand-Alone CA and an Enterprise CA.

The best method to check how it works and what you can do with your own CA is to test it in a test environment (based on VPC or VMware) :)
 

Author Comment

by:morlauskas
ID: 33734183
But say for example I get the untrusted certificate pop-up, I add the exemption and it works fine; it never asks for it again. So I want to roll out that sort of thing across the domain, and I thought that certificate would do the trick...
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33734311
I think not :|
You need a trusted certificate to roll out.
 
LVL 33

Assisted Solution

by: digitap (earned 100 total points)
ID: 33734329
Have a look at this article. I think it's going to answer some of your questions. http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7813
 

Author Closing Comment

by:morlauskas
ID: 33770578
Thanks for the information
 
LVL 33

Expert Comment

by:digitap
ID: 33770606
Thanks for the points!
