Solved

Active Directory not updating GPO's

Posted on 2010-09-22
21
242 Views
Last Modified: 2012-05-10
Hello,

I have an issue where AD doesn't want to update people's policy. I added a trusted site certificate for my SonicWall, because I want to enable DPI-SSL, and it is not putting it through to computers even after GPupdate /force :( Anyone have any ideas of what could be causing this problem? Thank you
Question by:morlauskas
21 Comments
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33732626
Run RSoP.msc on one of your clients and check if your policy is applied. Maybe there is a problem with certificate autoenrollment, not with the GPO itself?
0
 

Author Comment

by:morlauskas
ID: 33732700
When I run RSoP.msc I don't have the trusted certificate field, but I have it in GPO Management. So I can't see it in RSoP...
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33732750
Could you tell me please how you configured your policy?
0
 

Author Comment

by:morlauskas
ID: 33732812
I created a new policy; in that policy I imported the certificate to Computers/.../Trusted Root Certification Authorities. Maybe something else needs doing to the GPO before the certificate goes out??? Thanks
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33732967
OK, and to which OU did you link it? This should be done on the computers OU.
0
 

Author Comment

by:morlauskas
ID: 33733017
I linked it to my user OU. Do I need to link it to the computer OU? My computer OU is the default computer OU in AD and it doesn't seem like it is possible to link a GPO to that OU? Or am I not understanding something?
0
 
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 400 total points
ID: 33733260
Everything you configure under the Computer Configuration node in a GPO has to be linked to the OU where the computers are located.
Everything you configure under the User Configuration node in a GPO has to be linked to the OU where the users are located.

So, in this case it has to be linked to the OU where the computers are located. If this certificate should be deployed to every computer/server in your domain, you can link it at the domain level.

And one last remark. Each policy can be linked only to OUs, not to containers. In AD there are a few standard containers which also store account objects but cannot have policy links (i.e. Builtin, Computers, Users). So you have to prepare a new OU, move the user or computer accounts there, and then you will be able to link the GPO.
0
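The procedure in the accepted answer (create a real OU, move the computer accounts out of the default Computers container, link the GPO there, then verify on a client) written out as PowerShell. This is an added example, not code from the thread; the domain, the OU name "Workstations" and the GPO name "Trusted Root - SonicWall" are assumed, and it expects the RSAT ActiveDirectory and GroupPolicy modules on the admin workstation.

```powershell
# Added example (not from the original thread). Assumed names:
#   OU "Workstations", GPO "Trusted Root - SonicWall" (already created and containing
#   the certificate under Computer Configuration > ... > Trusted Root Certification Authorities).
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName      # e.g. DC=corp,DC=example
$ouName   = 'Workstations'
$gpoName  = 'Trusted Root - SonicWall'
$ouDN     = "OU=$ouName,$domainDN"

# 1. A GPO cannot be linked to CN=Computers (a container), so create a real OU.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# 2. Move the computer accounts that still sit in the default container into the new OU.
#    Review the list first: servers parked in CN=Computers would move too.
Get-ADComputer -Filter * -SearchBase "CN=Computers,$domainDN" |
    Move-ADObject -TargetPath $ouDN

# 3. Link the GPO to the OU that holds the computers. Computer Configuration settings
#    are only processed by machines whose account sits under the linked OU.
New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes

# 4. On a client, refresh policy and confirm the GPO is listed in the computer scope,
#    then confirm the certificate actually landed in the machine Trusted Root store.
#    gpupdate /force
#    gpresult /r /scope:computer
#    Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -like '*SonicWall*' |
#        Select-Object Subject, Issuer, Thumbprint, NotAfter
```

The check in step 4 is the one that matters for the original symptom: if `gpresult` shows the GPO applied but the certificate is absent from `Cert:\LocalMachine\Root`, the problem is inside the GPO (wrong store or a user-scope setting), not the link.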
 

Author Comment

by:morlauskas
ID: 33733287
Yeah, thanks for the info. I created a new OU and linked the SSL GPO and it worked; it is giving me the policy. But when I enable DPI-SSL on my SonicWall firewall, it is still not trusting the certificate. Any ideas on how it should be applied? I downloaded the certificate off my firewall so I don't know if this is the right way to do it. If you don't know we can close this as you did help me and I can open a new ticket. Thanks
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33733336
You're welcome. Nope, you need to trust the same Root CA as the SonicWall. This certificate is issued by some CA and it also has to be imported in your path. If it is missing, your certificate is still not trusted/verified, so you will have an error message.

Could you tell me please if you used your own CA for the SonicWall certificate or an external company?
0
 

Author Comment

by:morlauskas
ID: 33733351
I don't know if you have used SonicWall before but it gives you the option to download their
[attachment: ssl.JPG]
0
 

Author Comment

by:morlauskas
ID: 33733357
Sorry for the double post but I pressed enter by mistake. This is the certificate that I downloaded off my SonicWall firewall and that is the certificate I imported to AD. It is not registered anywhere, but I assumed that if I roll it out to all machines it should work, because it was added to the trusted list?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33733386
OK, I don't know how SonicWall works, so I've never seen its certificate. Probably you're right.
But it looks like a self-signed certificate and your client won't trust it until you use your own CA to issue the certificate. But I could be wrong. Sorry for not being clear :/
0
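A way to settle the question raised here (is the exported file self-signed, and does a client trust it once the GPO has run?) without guessing. This is an added example, not code from the thread or from SonicWall; the file path `C:\Temp\sonicwall.cer` is assumed, and it is meant to be run on a domain client after `gpupdate /force`, so that the chain is built against that client's machine Trusted Root store.

```powershell
# Added example (not from the original thread). Assumed input: the certificate
# file exported from the firewall, saved as C:\Temp\sonicwall.cer on the client.
$certPath = 'C:\Temp\sonicwall.cer'
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath

# Self-signed means Issuer equals Subject. For an interception (DPI-SSL) CA this is normal:
# what makes it trusted is its presence in the machine Trusted Root store, not who signed it.
$selfSigned = ($cert.Subject -eq $cert.Issuer)

# Is this exact certificate (by thumbprint) present in LocalMachine\Root on this client?
$inRootStore = Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)"

# Build the chain the way the OS would, skipping revocation so the check works offline.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainBuilds = $chain.Build($cert)

[pscustomobject]@{
    Subject       = $cert.Subject
    Issuer        = $cert.Issuer
    SelfSigned    = $selfSigned
    NotAfter      = $cert.NotAfter
    InMachineRoot = $inRootStore
    ChainBuilds   = $chainBuilds
    # UntrustedRoot here means the GPO has not delivered the cert to this machine's store.
    ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
}
```

Two caveats when reading the result: the certificate to deploy is the CA certificate the firewall uses to re-sign intercepted sites (a leaf certificate for the firewall's own management page will not help), and only applications that use the Windows certificate store benefit; a browser with its own trust store has to be configured separately.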
 

Author Comment

by:morlauskas
ID: 33733433
CA? Sorry for being a noob, but I just started to look into all of this... how do I create my own CA?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33733469
OK, I don't know which server version you use, 2003/2008?

Each Windows Server has a role called Certificate Authority which is responsible for creating certificates. If you want to use it, you have to add the CA role first. It fulfills your internal needs as long as you don't need to sell your certificates to 3rd parties ;)

You can issue a certificate within your domain and then each client in your domain will trust the same Root CA. Each certificate issued later will be accepted by your clients until you revoke it.

Setting up the CA role is not very complicated, but proper management and securing it is a "good" part of that :]
0
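The role installation described above, as an added example rather than anything from the thread. It assumes a newer server (Windows Server 2012 or later, where the ADCS PowerShell cmdlets exist; the 2003/2008 servers mentioned in the thread use the Add Roles wizard instead), and the CA common name "Corp Root CA" is made up for the example.

```powershell
# Added example (not from the original thread). Assumes Windows Server 2012+ joined to the
# domain, run as an Enterprise Admin. CA name "Corp Root CA" is assumed.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# An Enterprise Root CA publishes its root certificate into AD, so every domain member
# trusts it automatically; no separate "trusted root" GPO is needed for this CA.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName 'Corp Root CA' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 10 `
    -Force

# Verify on any domain client after a policy refresh: the new root should now be in the
# machine Trusted Root store without having been placed there by hand.
#   gpupdate /force
#   Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -like 'CN=Corp Root CA*'
```

The "proper management and securing" part the answer alludes to starts with keeping the root CA's private key off a general-purpose server (an offline root with an online issuing CA, or at least restricting who holds the Enterprise Admins / Cert Publishers rights), because anyone who can issue from this CA can mint certificates every domain machine will trust.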
 

Author Comment

by:morlauskas
ID: 33733498
Is there a good tutorial on creating your own CA, or is it just a matter of reading the material in the Server 2003 book?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33733558
I don't know any good tutorial which contains all the necessary information. You can read this article about your own PKI (Public Key Infrastructure)

http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx

and dig around the Internet for other related subjects. You need to know how to define a Stand-Alone CA and an Enterprise CA.

The best method to check how it works and what you can do with your own CA is to test it in a test environment (based on VPC or VMware) :)
0
 

Author Comment

by:morlauskas
ID: 33734183
But say for example I get the untrusted certificate pop-up, I add the exception and it works fine; it never asks for it again. So I want to roll out that sort of thing across the domain, and I thought that certificate would do the trick...
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33734311
I think not :|
You need a trusted certificate to roll out
0
 
LVL 33

Assisted Solution

by:digitap
digitap earned 100 total points
ID: 33734329
Have a look at this article. I think it's going to answer some of your questions. http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7813
0
 

Author Closing Comment

by:morlauskas
ID: 33770578
Thanks for the information
0
 
LVL 33

Expert Comment

by:digitap
ID: 33770606
Thanks for the points!
0
