Yashy

asked on

Group policy not working over WAN?!

hi guys,

Slightly worrying issue here. I've deployed some printers via group policy on our domain. All servers are 2008 R2. Locally on the LAN (10.0.0.0/24), they work fine and the printers are added. These are for the Domain admins so far.

We allowed the group policy settings to propagate over the VPN connection between our site and our other site (10.45.191.0/24). It's over a 10/10 vpn so it takes around an hour or so. Anyway, we tried two days later to log in to the terminal services on the other site with the same username and the printers were not added.

Could this be due to a firewall setting at the other site that is blocking the printers being added? Port 445 is open between ourselves and the other site, so is 9100. So I'm just wondering whether this is firewall related or whether it's actually routing related?

Many thanks
Yashy
Krzysztof Pytko

What is your WAN link between that point and VPN location?
Check if changing "slow link detection" can help
http://support.microsoft.com/kb/2008977

also run RSoP.msc to check if GPO is being applied on that TS

Regards,
Krzysztof
Yashy (ASKER)
Thanks dude. How do I run rsop.msc? And from which server?
SOLUTION
Krzysztof Pytko
Anything below 512 kbps is considered to be a slow link; you can reduce the slow link setting. You can use the GPOInventory tool to run rsop.msc and other reports against several remote computers.
http://support.microsoft.com/kb/323276
Ports required to be opened on the firewall
http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx

You can also download and use it to scan whether a port block is the issue.
http://support.microsoft.com/kb/310456
http://www.windowsecurity.com/articles/mastering-portqryexe-part1.html

Regards
________________________________________
Awinish Vishwakarma
MY BLOG:  http://awinish.wordpress.com
Assuming you have Active Directory Sites and Services set up correctly with that subnet and a domain controller at the remote site, you can simply force replication.

Otherwise run gpupdate /force from the command prompt on the DC(s) and Workstations

-Eric
Yashy (ASKER)
Hey guys,

I ran the gpresult /z>c:\gpresult.txt even on the local LAN and it came back with the following:

The following GPOs were not applied because they were filtered out:
Printers for Quantiv Backend - Security denied.

So I must have thought it was working but it wasn't even on our LAN! Apologies for that.
However, I have added 'Authenticated Users' now to the permitted list of users on this GPO and when I re-ran the same command as before, it is now saying the GPO has applied. However, surely 'Authenticated Users' will now add this policy for everybody in the domain?
Authenticated users should not be removed and you can use group policy filtering instead of removing authenticated users.
http://www.grouppolicy.biz/tag/printer/
http://www.grouppolicy.biz/2010/05/how-to-exclude-individual-users-or-computers-from-a-group-policy-object/
Yes, Authenticated Users group is for every user/computer authenticated in a domain. Then policy applies to each object which resides in an OU or domain (depends on GPO link level).

When this group is removed from GPO's DACL that means GPO Filtering is used and you need to know where and how it is applied.

Good resources for that in Awinish's post above :)

Krzysztof
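The filtering pattern Krzysztof and Awinish describe (keep Authenticated Users with Read, grant Apply only to the intended group) can be checked and applied from PowerShell. This is an added example, not code from the thread; it assumes the GroupPolicy module (RSAT or Windows Server 2008 R2 and later), the GPO name from the thread, and 'Domain Admins' as an example target group.

```powershell
# Added example (not from the thread): report who can Apply a GPO and set up
# security filtering without removing Authenticated Users.
# Assumes the GroupPolicy module; group name below is an assumed example.
Import-Module GroupPolicy

function Get-GpoApplyReport {
    param([string]$GpoName)
    $perms = Get-GPPermission -Name $GpoName -All
    $apply = @($perms | Where-Object { $_.Permission -eq 'GpoApply' } | ForEach-Object { $_.Trustee.Name })
    $read  = @($perms | Where-Object { $_.Permission -eq 'GpoRead'  } | ForEach-Object { $_.Trustee.Name })
    New-Object PSObject -Property @{
        Gpo       = $GpoName
        # An empty AppliesTo for the logged-on user's groups is exactly the
        # "Filtering: Denied (Security)" line gpresult printed in the thread.
        AppliesTo = $apply
        ReadOnly  = $read
        # Every client must at least be able to read the GPO, so keep this $true.
        AuthUsersCanRead = [bool](($apply + $read) -match 'Authenticated Users')
    }
}

function Set-GpoSecurityFiltering {
    param([string]$GpoName, [string]$ApplyToGroup)
    # Grant Apply (which includes Read) to the group that should get the printers ...
    Set-GPPermission -Name $GpoName -TargetName $ApplyToGroup -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
    # ... and downgrade Authenticated Users to Read rather than removing them, so
    # everyone can still read the GPO but only $ApplyToGroup processes it.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
}

# Usage against the thread's GPO (target group is an assumed example):
Set-GpoSecurityFiltering -GpoName 'Printers for Quantiv Backend' -ApplyToGroup 'Domain Admins'
Get-GpoApplyReport -GpoName 'Printers for Quantiv Backend' |
    Format-List Gpo, AppliesTo, ReadOnly, AuthUsersCanRead
```

Run it on a DC or a machine with GPMC installed, as an account that can edit the GPO's DACL.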
Yashy (ASKER)
Thanks for that Awinish. Great article.

Well this is the strange thing now, so on our LAN it is saying that the GPO has been applied. However, at the other site when I run it, I still get:

   The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Printers for Quantiv Backend
            Filtering:  Denied (Security)

This has been going on for an hour now, the VPN between each site is around 10mb/10mb so it's very fast. I did a gpupdate /force at the other end DC and it came up with:

The processing of Group Policy failed. Windows attempted to read the file \\matches.com\SysVol\matches.com\Policies\{C3A6F453-6B4F-4897-973C-93E820789D78}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

If this is only happening at the remote end, could it be due to VPN?

The below error points to either a network connectivity issue or firewall settings: the system is not able to contact the DC to get the GPO from SYSVOL and apply it.

Windows attempted to read the file \\matches.com\SysVol\matches.com\Policies\{C3A6F453-6B4F-4897-973C-93E820789D78}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved

You can run the portqry tool as suggested earlier to check whether the firewall is blocking the ports. You can also take help of the userenv logging tool from Sysprosoft to read the userenv log.
Check the GPO has been replicated to sysvol and when you run gpupdate /force on the problem machine, verify the event logs.
http://www.sysprosoft.com/policyreporter.shtml
http://blogs.technet.com/b/instan/archive/2008/09/17/what-is-logged-to-the-userenv-log-file.aspx
http://blogs.technet.com/b/askds/archive/2008/11/11/understanding-how-to-read-a-userenv-log-part-1.aspx


Regards
________________________________________
Awinish Vishwakarma
MY BLOG:  awinish.wordpress.com
GPLogView is also a good tool; give it a try.
http://gplogview.codeplex.com/

Regards
______________________________
Awinish Vishwakarma
MY BLOG:  awinish.wordpress.com
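The gpt.ini error above lists three causes (DC reachability, FRS replication lag, DFS client). The following added example, not code from the thread, checks the first two from the failing machine: it tests the well-known TCP ports a domain member needs to reach a DC, then compares the Version in the GPO's gpt.ini on SYSVOL with the versionNumber AD holds for the same GPO. It assumes the domain and GPO GUID quoted in the thread and a placeholder DC name; UDP checks (LDAP ping on UDP 389, Kerberos UDP 88, DNS UDP 53) are left to portqry as suggested earlier.

```powershell
# Added example (not from the thread): DC port reachability plus SYSVOL/AD
# version comparison for one GPO. Runs on PowerShell 2.0 (Windows Server 2008 R2).
param(
    [string]$Domain  = 'matches.com',
    [string]$DcName  = 'DC01.matches.com',   # assumed placeholder, use a real DC
    [string]$GpoGuid = '{C3A6F453-6B4F-4897-973C-93E820789D78}'
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async); return $true
    } catch { return $false } finally { $client.Close() }
}

# Well-known TCP ports a member uses while applying Group Policy:
# Kerberos, LDAP, SMB (SYSVOL), RPC endpoint mapper, DNS. UDP is not covered here.
$ports = @{ 'Kerberos/88' = 88; 'LDAP/389' = 389; 'SMB/445' = 445; 'RPC/135' = 135; 'DNS/53' = 53 }
foreach ($name in $ports.Keys) {
    $ok = Test-TcpPort -ComputerName $DcName -Port $ports[$name]
    "{0,-12} {1}" -f $name, $(if ($ok) { 'open' } else { 'BLOCKED or filtered' })
}

# Cause (a)/(c): can we even read gpt.ini through the domain DFS path?
$gptPath = "\\$Domain\SysVol\$Domain\Policies\$GpoGuid\gpt.ini"
if (-not (Test-Path $gptPath)) {
    "gpt.ini not readable at $gptPath (name resolution, SMB 445 or DFS client)"; return
}
# Cause (b): gpt.ini Version must match the GPO object's versionNumber in AD;
# a mismatch means SYSVOL replication has not caught up with AD replication.
$line = Get-Content $gptPath | Where-Object { $_ -match '^Version=' }
$sysvolVersion = [int]($line -replace '^Version=', '')
$domainDn = ($Domain.Split('.') | ForEach-Object { "DC=$_" }) -join ','
$gpo = [ADSI]"LDAP://$DcName/CN=$GpoGuid,CN=Policies,CN=System,$domainDn"
$adVersion = [int]$gpo.versionNumber.Value
if ($sysvolVersion -eq $adVersion) { "SYSVOL and AD agree on GPO version $adVersion" }
else { "Version mismatch: AD=$adVersion SYSVOL=$sysvolVersion (replication lag, cause b)" }
```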
Yashy (ASKER)
Awinish, which ports would you query if you used the portqry tool? I've just used it to query TCP 389 from the 10.45.191.0/24 site to our site 10.0.0.0/24 and it's listening. But it fails on UDP 389.

Any particular ports you would try to see whether it is affecting?
Thanks again for all this information.
ASKER CERTIFIED SOLUTION
Yashy (ASKER)
Thanks for your help peeps. The ports on the firewall have now been opened, as some were missing. Much appreciated.