Solved

Active Directory not updating GPOs

Posted on 2010-09-22
Last Modified: 2012-05-10
Hello,

I have an issue where AD doesn't want to update people's policy. I added a trusted site certificate for my SonicWall, because I want to enable DPI-SSL, and it is not putting it through to computers even after gpupdate /force :( Anyone have any ideas of what could be causing this problem? Thank you
Question by:morlauskas
21 Comments
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33732626
Run RSoP.msc on one of your clients and check if your policy is applied. Maybe there is a problem with certificate autoenrollment, not with the GPO itself?
 

Author Comment

by:morlauskas
ID: 33732700
When I run RSoP.msc I don't have a trusted certificate field, but I have it in GPO management. So I can't see it in RSoP...
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33732750
Could you tell me, please, how you configured your policy?
 

Author Comment

by:morlauskas
ID: 33732812
I created a new policy; in that policy I imported the certificate to Computers/.../Trusted Root Certification Authorities. Maybe something else needs doing to the GPO before the certificate goes out??? Thanks
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33732967
OK, and to which OU did you link it? This should be done to the computers OU.
 

Author Comment

by:morlauskas
ID: 33733017
I linked it to my user OU. Do I need to link it to the computer OU? My computer OU is the default computer OU in AD and it doesn't seem like it is possible to link a GPO to that OU? Or am I not understanding something?
 
LVL 39

Accepted Solution

by: Krzysztof Pytko (earned 1600 total points)
ID: 33733260
Everything that you configure under the Computer Configuration node in a GPO has to be linked to the OU where the computers are located.
Everything that you configure under the User Configuration node in a GPO has to be linked to the OU where the users are located.

So, in this case it has to be linked to the OU where the computers are located. If this certificate should be deployed to every computer/server in your domain you can link it at domain level.

And the last remark: each policy can be linked only to OUs, not to containers. In AD there are a few standard containers which also store account objects but cannot have policy links (i.e. Builtin, Computers, Users). So you have to prepare a new OU, move the user or computer accounts there, and then you will be able to link the GPO.
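The procedure in the accepted answer, as an added PowerShell example (not code from the thread or from either poster): create a real OU, move the computer accounts out of the default Computers container, link the GPO there, and then verify on a client that the machine-side policy and the certificate actually arrived. The OU name "Workstations", the GPO name "SonicWall DPI-SSL Root" and the file path C:\certs\sonicwall-dpi-ssl.cer are assumptions; the GPO itself is assumed to have been built in GPMC as the asker describes, with the certificate imported under Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities. Steps 1 to 3 run on a host with the RSAT ActiveDirectory and GroupPolicy modules (Server 2008 R2 or later); the check function runs on a client in the new OU.

```powershell
# Added example, not from the original thread. Assumed names are marked below.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName
$ouName   = 'Workstations'                    # assumption: name of the new computers OU
$gpoName  = 'SonicWall DPI-SSL Root'          # assumption: GPO already created in GPMC
$certFile = 'C:\certs\sonicwall-dpi-ssl.cer'  # assumption: the file imported into that GPO

# 1. CN=Computers is a container, not an OU, so it cannot carry a GPO link.
#    Create (or reuse) an OU directly under the domain.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn -SearchScope OneLevel
if (-not $ou) {
    $ou = New-ADOrganizationalUnit -Name $ouName -Path $domainDn -PassThru
}

# 2. Move every computer account that still sits in the default container.
Get-ADComputer -Filter * -SearchBase "CN=Computers,$domainDn" -SearchScope OneLevel |
    ForEach-Object {
        Write-Host "Moving $($_.Name) to $($ou.DistinguishedName)"
        Move-ADObject -Identity $_.DistinguishedName -TargetPath $ou.DistinguishedName
    }

# 3. Link the GPO to the computers OU. Computer Configuration settings apply where the
#    computer object lives, regardless of which OU the logged-on user is in.
$linked = (Get-GPInheritance -Target $ou.DistinguishedName).GpoLinks |
          Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $ou.DistinguishedName -LinkEnabled Yes | Out-Null
}

# 4./5. Run this part on a client that was just moved into the OU.
function Test-DeployedRootOnClient {
    param([string]$CertPath = $certFile)

    # The client has to re-read its policy location; a computer-scope refresh does that.
    gpupdate /target:computer /force | Out-Null

    # The check must be computer scope: user-scope RSoP/gpresult will never list
    # a Computer Configuration setting, which is why RSoP looked empty in the thread.
    gpresult /scope computer /r | Select-String -Pattern 'Applied Group Policy Objects' -Context 0, 5

    # Confirm the certificate reached the machine Root store. Match on thumbprint,
    # not on subject name, so a look-alike certificate does not pass the check.
    $expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $deployed = Get-ChildItem Cert:\LocalMachine\Root |
                Where-Object { $_.Thumbprint -eq $expected.Thumbprint }
    if ($deployed) {
        "Deployed: $($deployed.Subject) (thumbprint $($deployed.Thumbprint))"
    } else {
        "Not in LocalMachine\Root yet: $($expected.Subject)"
    }
}

Test-DeployedRootOnClient
```

Two things worth knowing before relying on the result: a freshly moved computer may need a reboot before it processes policy from the new OU, and for DPI-SSL the certificate that has to land in LocalMachine\Root is the firewall's signing CA certificate, because that is what signs the server certificates clients receive once inspection is on.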
 

Author Comment

by:morlauskas
ID: 33733287
Yeah, thanks for the info. I created a new OU and linked the SSL GPO and it worked; it is giving me the policy. But when I enable DPI-SSL on my SonicWall firewall, it is still not trusting the certificate. Any ideas on how it should be applied? I downloaded the certificate off my firewall so I don't know if this is the right way to do it. If you don't know we can close this, as you did help me, and I can open a new ticket. Thanks
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33733336
You're welcome. Nope, you need to trust the same Root CA as the SonicWall. This certificate is issued by some CA and that CA also has to be imported in your path. If it is missing, your certificate is still not trusted/verified, so you will have an error message.

Could you tell me, please, if you used your own CA for the SonicWall certificate or an external company?
 

Author Comment

by:morlauskas
ID: 33733351
I don't know if you have used SonicWall before but it gives you the option to download their
[attachment: ssl.JPG]
 

Author Comment

by:morlauskas
ID: 33733357
Sorry for the double post but I pressed enter by mistake. This is the certificate that I download off my SonicWall firewall, and that's the certificate I imported to AD. It is not registered anywhere, but I assumed that if I roll it out to all machines it should work, because it was added to the trusted list?
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33733386
OK, I don't know how SonicWall works, so I've never seen its certificate. Probably you're right.
But it looks like a self-signed certificate and your client won't trust it until you use your own CA to issue the certificate. But I could be wrong. Sorry for not being clear :/
 

Author Comment

by:morlauskas
ID: 33733433
CA? Sorry for being a noob, but I just started to look into all of this... how do I create my own CA?
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33733469
OK, I don't know which server version you use, 2003 or 2008?

Each Windows Server has a role called Certificate Authority which is responsible for creating certificates. If you want to use it, you have to add the CA role first. It fulfills your internal needs unless you need to sell your certificates to 3rd parties ;)

You can issue a certificate within your domain and then each client in your domain will trust the same Root CA. Each certificate issued later will be accepted by your clients unless you revoke it.

Setting up the CA role is not very complicated, but proper management and securing it is a "good" part of that :]
 

Author Comment

by:morlauskas
ID: 33733498
Is there a good tutorial on creating your own CA, or is it just a matter of reading the material in the Server 2003 book?
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33733558
I don't know any good tutorial which contains all the necessary information. You can read this article about your own PKI (Public Key Infrastructure)

http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx

and dig around the Internet for other related subjects. You need to know how to define a Stand-Alone CA and an Enterprise CA.

The best method to check how it works and what you can do with your own CA is to test it in a test environment (based on VPC or VMware) :)
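The Enterprise CA the answers describe, as an added PowerShell example (not code from the thread or from either poster): install the AD CS role, configure an enterprise root CA, and confirm that the root was published into the directory, which is what makes every domain member trust it. These cmdlets exist on Windows Server 2012 and later; on the 2003/2008 versions the thread is about, the same steps are done through the Add Roles wizard. The CA common name is an assumption. The answer's warning about securing the CA is not optional: an enterprise root key is the root of trust for the whole domain, so outside a lab the root is usually kept offline (or in an HSM) and an online subordinate CA issues the day-to-day certificates.

```powershell
# Added example, not from the original thread. Windows Server 2012+ cmdlets; run elevated
# on a domain member server as an Enterprise Admin. The CA name below is an assumption.
$caName = 'Contoso Internal Root CA'   # assumption

# 1. Install the Certification Authority role service and its management tools.
Import-Module ServerManager
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# 2. Configure it as an enterprise (AD-integrated) root CA. "Enterprise" is the part
#    that matters for the thread: the root certificate is published into the directory
#    and domain members pick it up automatically. A stand-alone CA's root would have to
#    be pushed to clients by GPO, exactly like the firewall certificate was.
Import-Module ADCSDeployment
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName $caName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -Force

# 3. Verify the publication: an enterprise root CA writes itself into the
#    Certification Authorities container of the Configuration partition.
Import-Module ActiveDirectory
$configNc = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Certification Authorities,CN=Public Key Services,CN=Services,$configNc"
Get-ADObject -LDAPFilter '(objectClass=certificationAuthority)' -SearchBase $pkiBase |
    Select-Object Name, DistinguishedName

# 4. On any domain member, after the next policy/autoenrollment cycle (certutil -pulse
#    forces one), the root appears in the machine Root store:
#        certutil -pulse
#        Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "CN=$caName*" }
```

The published object in step 3 is the mechanism behind "each client in your domain will trust the same Root CA": clients read it out of the Configuration partition, so no separate GPO certificate import is needed for certificates issued by this CA.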
 

Author Comment

by:morlauskas
ID: 33734183
But say for example I get the untrusted certificate pop-up, I add the exception and it works fine, it never asks for it again. So I want to roll out that sort of thing across the domain, and I thought that certificate will do the trick...
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33734311
I think not :|
You need a trusted certificate to roll out.
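What "trusted" actually means on the client, as an added PowerShell check that is not from the thread or from either poster: open a TLS connection through the firewall, take the server certificate the client really receives (with DPI-SSL on, the firewall re-signs it with its own CA certificate), and build the chain against the Windows trust stores the way SChannel does. An UntrustedRoot status is the pop-up the asker clicks through; the chain builds once the certificate that signed what the client received is present in a Root store. The host name www.example.com is an assumption.

```powershell
# Added example, not from the original thread.
function Test-ChainAsSeenByClient {
    param(
        [string]$HostName = 'www.example.com',   # assumption: any HTTPS site reached through the firewall
        [int]$Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept anything in the handshake callback: the point is to inspect the chain ourselves,
    # so the connection must not be torn down before we can look at the certificate.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }

    # Build the chain against CurrentUser\Root and LocalMachine\Root. Revocation checking is
    # off so the verdict reflects trust in the issuing CA, not CRL reachability from this box.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($leaf)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Subject       = $leaf.Subject
        Issuer        = $leaf.Issuer       # with DPI-SSL on: the firewall's CA, not the site's public CA
        ChainTop      = $top.Subject
        TopThumbprint = $top.Thumbprint    # compare with the thumbprint of the certificate pushed by GPO
        Trusted       = $trusted
        Status        = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

Test-ChainAsSeenByClient | Format-List
```

Reading the output: Trusted = False with UntrustedRoot in Status means the certificate that signed what the client received is in no Root store on this machine. That is the case for any CA certificate, self-signed or not, until that exact certificate is placed in CurrentUser\Root (what clicking through the exception does, per user, per browser store) or LocalMachine\Root (what the GPO does for every machine). A public-CA issued certificate on the firewall would not change this: DPI-SSL needs a CA certificate to sign with, and public CAs do not issue those, so the firewall's own CA certificate is what has to be trusted.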
 
LVL 33

Assisted Solution

by:digitap
digitap earned 400 total points
ID: 33734329
Have a look at this article. I think it's going to answer some of your questions. http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7813
 

Author Closing Comment

by:morlauskas
ID: 33770578
Thanks for the information
 
LVL 33

Expert Comment

by:digitap
ID: 33770606
thanks for the points!
