• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 252

Active Directory not updating GPOs

Hello,

I have an issue where AD doesn't want to update people's policy. I added a trusted site certificate for my SonicWall, because I want to enable DPI-SSL, and it is not pushing it through to computers even after gpupdate /force :( Anyone have any ideas of what could be causing this problem? Thank you

Asked by: morlauskas
2 Solutions
 
Krzysztof Pytko (Senior Active Directory Engineer) commented:
Run RSoP.msc on one of your clients and check whether your policy is applied. Maybe there is a problem with certificate autoenrollment, not with the GPO itself?
 
morlauskas (Author) commented:
When I run RSoP.msc I don't have the trusted certificate field, but I have it in GPO management. So I can't see it in RSoP...
 
Krzysztof Pytko (Senior Active Directory Engineer) commented:
Could you tell me please how you configured your policy?
 
morlauskas (Author) commented:
I created a new policy, and in that policy I imported the certificate to Computers/.../Trusted Root Certification Authorities. Maybe something else needs doing to the GPO before the certificate goes out??? Thanks
 
Krzysztof Pytko (Senior Active Directory Engineer) commented:
OK, and to which OU did you link it? It should be linked to the computers OU.
 
morlauskas (Author) commented:
I linked it to my user OU. Do I need to link it to the computer OU? My computer OU is the default computer OU in AD and it doesn't seem to be possible to link a GPO to that OU? Or am I not understanding something?
 
Krzysztof Pytko (Senior Active Directory Engineer) commented:
Everything you configure under the Computer Configuration node of a GPO has to be linked to the OU where the computers are located.
Everything you configure under the User Configuration node of a GPO has to be linked to the OU where the users are located.

So, in this case it has to be linked to the OU where the computers are located. If this certificate should be deployed to every computer/server in your domain, you can link it at the domain level.

And one last remark. Each policy can be linked only to OUs, not to containers. AD has a few standard containers which also store account objects but cannot have policy links (i.e. Builtin, Computers, Users). So you have to create a new OU, move the user or computer accounts there, and then you will be able to link the GPO.
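The steps in Krzysztof's answer above (create an OU because CN=Computers cannot carry a GPO link, move the computer accounts into it, link the computer-side GPO there, then verify on a client), written out as an added PowerShell example. This is not code from the thread or from SonicWall; the OU name "Workstations", the GPO name "DPI-SSL Trusted Root" and the RSAT ActiveDirectory/GroupPolicy modules are assumptions. The certificate itself is still imported into the GPO through GPMC, since the GroupPolicy module has no cmdlet for the Public Key Policies node.

```powershell
# Added example, not from the original thread. Assumes the RSAT ActiveDirectory
# and GroupPolicy modules are installed and the caller is a domain admin.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=corp,DC=example,DC=com
$ouName   = 'Workstations'                      # assumed OU name
$ouDN     = "OU=$ouName,$domainDN"
$gpoName  = 'DPI-SSL Trusted Root'              # assumed GPO name

# 1. The default CN=Computers container cannot have a GPO linked to it,
#    so create a real OU for the workstations.
$existingOu = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
                  -SearchBase $domainDN -SearchScope OneLevel
if (-not $existingOu) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# 2. Move the computer accounts (not the user accounts) out of CN=Computers.
#    Domain controllers live in OU=Domain Controllers and are not touched.
Get-ADComputer -Filter * -SearchBase "CN=Computers,$domainDN" -SearchScope OneLevel |
    Move-ADObject -TargetPath $ouDN

# 3. Create the GPO if it does not exist yet. Import the firewall's CA certificate
#    in GPMC under: Computer Configuration > Policies > Windows Settings >
#    Security Settings > Public Key Policies > Trusted Root Certification Authorities.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

# 4. Link the GPO where the computer objects now are. Computer Configuration
#    settings only apply to computers inside the link's scope; a link on the
#    users' OU does nothing for them.
$alreadyLinked = (Get-GPInheritance -Target $ouDN).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes
}

# 5. On a client, refresh and confirm the GPO shows up in the *computer* scope
#    and the root certificate actually landed in the machine store:
#      gpupdate /target:computer /force
#      gpresult /r /scope:computer
#      Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -like '*SonicWall*'
```

Step 5 is the check RSoP.msc did not give the asker: gpresult with /scope:computer lists the GPOs applied to the machine, and the Cert: drive shows whether the root certificate was written to LocalMachine\Root. If the GPO is listed but the certificate is absent, the problem is in the GPO's Public Key Policies settings rather than in the link.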
 
morlauskas (Author) commented:
Yeah, thanks for the info. I created a new OU and linked the SSL GPO and it worked, it is giving me the policy. But when I enable DPI-SSL on my SonicWall firewall, it is still not trusting the certificate. Any ideas on how it should be applied? I downloaded the certificate off my firewall so I don't know if this is the right way to do it. If you don't know we can close this, as you did help me, and I can open a new ticket. Thanks
 
Krzysztof Pytko (Senior Active Directory Engineer) commented:
You're welcome. Nope, you need to trust the same Root CA as the SonicWall. This certificate is issued by some CA and that also has to be imported into your path. If it is missing, your certificate is still not trusted/verified, so you will get an error message.

Could you tell me please whether you used your own CA for the SonicWall certificate, or an external company?
 
morlauskas (Author) commented:
I don't know if you have used SonicWall before, but it gives you the option to download their
[attached screenshot: ssl.JPG]
 
morlauskas (Author) commented:
Sorry for the double post, but I pressed enter by mistake. This is the certificate that I downloaded off my SonicWall firewall and that is the certificate I imported to AD. It is not registered anywhere, but I assumed that if I roll it out to all machines it should work, because it was added to the trusted list?
 
Krzysztof Pytko (Senior Active Directory Engineer) commented:
OK, I don't know how SonicWall works, so I've never seen its certificate. Probably you're right.
But it looks like a self-signed certificate, and your clients won't trust it until you use your own CA to issue the certificate. But I could be wrong. Sorry for not being clear :/
 
morlauskas (Author) commented:
CA? Sorry for being a noob, but I just started to look into all of this... how do I create my own CA?
 
Krzysztof Pytko (Senior Active Directory Engineer) commented:
OK, I don't know which server version you use, 2003 or 2008?

Each Windows Server has a role called Certificate Authority which is responsible for creating certificates. If you want to use it, you have to add the CA role first. It fulfills your internal needs as long as you don't need to sell your certificates to 3rd parties ;)

You can issue a certificate within your domain, and then each client in your domain will trust the same Root CA. Each certificate issued later will be accepted by your clients until you revoke it.

Setting up the CA role is not very complicated, but proper management and securing it is a "good" part of that :]
 
morlauskas (Author) commented:
Is there a good tutorial on creating your own CA, or is it just a matter of reading the material in the Server 2003 book?
 
Krzysztof Pytko (Senior Active Directory Engineer) commented:
I don't know any good tutorial which contains all the necessary information. You can read this article about your own PKI (Public Key Infrastructure)

http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx

and dig around the Internet for other related subjects. You need to know how to define a Stand-Alone CA and an Enterprise CA.

The best method to check how it works and what you can do with your own CA is to test it in a test environment (based on VPC or VMware) :)
 
morlauskas (Author) commented:
But say, for example, I get the untrusted certificate pop-up, I add the exception and it works fine, it never asks for it again. So I want to roll out that sort of thing across the domain, and I thought that certificate would do the trick...
 
Krzysztof Pytko (Senior Active Directory Engineer) commented:
I think not :|
You need a trusted certificate to roll out.
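The asker's last two posts describe the symptom (the browser warning goes away once an exception is added, but the deployed certificate does not remove it), and the open question is whether the certificate the firewall actually presents chains to the root that the GPO pushed out. The following added PowerShell check, which is not part of the thread and not SonicWall's own tooling, is what a practitioner would run on a domain client after gpupdate: it opens a TLS connection through the firewall, captures the certificate served, and reports who issued it and whether the top of the chain is in LocalMachine\Root. The destination host name is an arbitrary assumption; any HTTPS site the firewall inspects will do, and the "SonicWall" issuer match is likewise assumed.

```powershell
# Added example, not from the original thread. Run on a domain client
# (PowerShell 3 or later) after the certificate GPO has applied.
function Test-InterceptedTrust {
    param(
        [string]$HostName = 'www.example.com',   # assumed test destination behind the firewall
        [int]$Port = 443,
        [string]$IssuerPattern = '*SonicWall*'   # assumed: substring of the firewall CA's name
    )

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept anything during the handshake so we can see what was sent;
        # trust is evaluated separately below against the local stores.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
    } finally {
        $tcp.Dispose()
    }

    # Build the chain the way a browser using the Windows store would.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $builds   = $chain.Build($leaf)
    $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    $top      = $elements[-1]   # the highest certificate Windows could find for this chain

    [pscustomobject]@{
        Host             = $HostName
        LeafSubject      = $leaf.Subject
        LeafIssuer       = $leaf.Issuer       # with DPI-SSL on, this is the firewall's CA, not the site's real CA
        Intercepted      = ($leaf.Issuer -like $IssuerPattern)
        ChainBuilds      = $builds
        TopOfChain       = $top.Subject
        TopThumbprint    = $top.Thumbprint
        TopInMachineRoot = Test-Path "Cert:\LocalMachine\Root\$($top.Thumbprint)"
        ChainStatus      = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}

Test-InterceptedTrust | Format-List
```

Reading the output: if Intercepted is true and ChainBuilds is false with a ChainStatus of PartialChain or UntrustedRoot, TopOfChain names the issuer the client is missing; compare TopThumbprint with the thumbprint of the file downloaded from the firewall, because a re-signing CA that was regenerated on the appliance will not match the copy that was deployed. If Intercepted is false, the firewall is not intercepting that connection at all and the certificate question is moot for that host.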
 
digitap commented:
Have a look at this article. I think it's going to answer some of your questions. http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7813
 
morlauskas (Author) commented:
Thanks for the information
 
digitap commented:
Thanks for the points!