Asked by Yashy

Group policy not working over WAN?!

hi guys,

Slightly worrying issue here. I've deployed some printers via group policy on our domain. All servers are 2008 R2. Locally on the LAN (10.0.0.0/24), they work fine and the printers are added. These are for the Domain admins so far.

We allowed the group policy settings to propagate over the VPN connection between our site and our other site (10.45.191.0/24). It's over a 10/10 vpn so it takes around an hour or so. Anyway, we tried two days later to log in to the terminal services on the other site with the same username and the printers were not added.

Could this be due to a firewall setting at the other site that is blocking the printers being added? Port 445 is open between ourselves and the other site, so is 9100. So I'm just wondering whether this is firewall related or whether it's actually routing related?

Many thanks
Yashy
Tags: Windows Server 2008, Active Directory, VPN

Last comment: Yashy, 8/22/2022 (Mon)
Krzysztof Pytko

What is your WAN link between that point and VPN location?
Check if changing "slow link detection" can help
http://support.microsoft.com/kb/2008977

Also run RSoP.msc to check if the GPO is being applied on that TS.

Regards,
Krzysztof
Yashy

ASKER
Thanks dude. How do I run rsop.msc? And from which server?
SOLUTION
Krzysztof Pytko

Awinish

Anything below 512 kbps is considered a slow link; you can reduce the slow link setting. You can use the GPOInventory tool to run rsop.msc and other reports against several remote computers.
http://support.microsoft.com/kb/323276
Ports required to be opened on the firewall
http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx

You can also download and use the PortQry tool to scan whether a port block is the issue.
http://support.microsoft.com/kb/310456
http://www.windowsecurity.com/articles/mastering-portqryexe-part1.html

Regards
________________________________________
Awinish Vishwakarma
MY BLOG:  http://awinish.wordpress.com

Assuming you have Active Directory Sites and Services set up correctly with that subnet and a domain controller at the remote site, you can simply force replication.

Otherwise run gpupdate /force from the command prompt on the DC(s) and Workstations

-Eric
Yashy

ASKER
Hey guys,

I ran gpresult /z > c:\gpresult.txt even on the local LAN and it came back with the following:

The following GPOs were not applied because they were filtered out:
Printers for Quantiv Backend - Security denied.

So I must have thought it was working but it wasn't even on our LAN! Apologies for that.
However, I have added 'Authenticated Users' now to the permitted list of users on this GPO and when I re-ran the same command as before, it is now saying the GPO has applied. However, surely 'Authenticated Users' will now add this policy for everybody in the domain?
Awinish

Authenticated Users should not be removed; you can use group policy filtering instead of removing Authenticated Users.
http://www.grouppolicy.biz/tag/printer/
http://www.grouppolicy.biz/2010/05/how-to-exclude-individual-users-or-computers-from-a-group-policy-object/
Krzysztof Pytko

Yes, the Authenticated Users group is for every user/computer authenticated in a domain. The policy then applies to each object which resides in the OU or domain (depending on the GPO link level).

When this group is removed from GPO's DACL that means GPO Filtering is used and you need to know where and how it is applied.

Good resources for that are in Awinish's post above :)

Krzysztof
Yashy

ASKER
Thanks for that Awinish. Great article.

Well this is the strange thing now, so on our LAN it is saying that the GPO has been applied. However, at the other site when I run it, I still get:

   The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Printers for Quantiv Backend
            Filtering:  Denied (Security)

This has been going on for an hour now; the VPN between each site is around 10mb/10mb so it's very fast. I did a gpupdate /force on the DC at the other end and it came up with:

The processing of Group Policy failed. Windows attempted to read the file \\matches.com\SysVol\matches.com\Policies\{C3A6F453-6B4F-4897-973C-93E820789D78}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

If this is only happening at the remote end, could it be due to VPN?


Awinish

The error below points to either a network connectivity issue or firewall settings: the system is not able to contact a DC to get the GPO from SYSVOL and apply it.

Windows attempted to read the file \\matches.com\SysVol\matches.com\Policies\{C3A6F453-6B4F-4897-973C-93E820789D78}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved

You can run the PortQry tool as suggested earlier to check whether the firewall is blocking the ports. You can also take the help of the userenv logging tool Syspro to read the userenv log.
Check that the GPO has been replicated to SYSVOL, and when you run gpupdate /force on the problem machine, verify the event logs.
http://www.sysprosoft.com/policyreporter.shtml
http://blogs.technet.com/b/instan/archive/2008/09/17/what-is-logged-to-the-userenv-log-file.aspx
http://blogs.technet.com/b/askds/archive/2008/11/11/understanding-how-to-read-a-userenv-log-part-1.aspx


Regards
________________________________________
Awinish Vishwakarma
MY BLOG:  awinish.wordpress.com
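A PowerShell check added here as an example (it is not from any poster in this thread) that walks the three causes the event text lists: it locates a DC the way the client does, probes the TCP ports Group Policy processing needs, tries to read the GPO's gpt.ini from the SYSVOL share, and then lists the GPOs that gpresult /z reports as filtered out. The domain name and GPO GUID are placeholders; the port list and tool names are assumptions drawn from the TechNet port reference linked earlier.

```powershell
# Added diagnostic, not from the thread. Placeholders: replace $Domain and $GpoGuid.
param(
    [string]$Domain  = 'example.com',                              # placeholder domain FQDN
    [string]$GpoGuid = '{00000000-0000-0000-0000-000000000000}'    # placeholder GPO GUID
)

# TCP ports a client needs to reach a DC for Group Policy processing (assumed from the
# TechNet port list): Kerberos, RPC endpoint mapper, LDAP, SMB (SYSVOL), Global Catalog.
$ports = @{ 88 = 'Kerberos'; 135 = 'RPC EPM'; 389 = 'LDAP'; 445 = 'SMB/SYSVOL'; 3268 = 'Global Catalog' }

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # A firewall that silently drops the SYN would otherwise hang the connect for ~20 s.
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

# 1) Locate a DC for the domain with the site-aware DC locator, as the client itself does.
$ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $Domain)
$dc  = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx).FindDomainController().Name
"Domain controller located: $dc"

# 2) Probe the required ports; a blocked port shows up here the way portqry reports FILTERED.
foreach ($port in ($ports.Keys | Sort-Object)) {
    $state = if (Test-TcpPort -Target $dc -Port $port) { 'LISTENING' } else { 'FILTERED or closed' }
    "{0,-15} TCP {1,-5} {2}" -f $ports[$port], $port, $state
}

# 3) Read the exact file the event text names. Unreadable while 445 is open points at
#    FRS/DFS-R replication latency or a disabled DFS client, the other two causes listed.
$gptIni = "\\$Domain\SysVol\$Domain\Policies\$GpoGuid\gpt.ini"
if (Test-Path -LiteralPath $gptIni) {
    "gpt.ini readable: " + (Get-Content -LiteralPath $gptIni | Select-String '^Version=')
} else {
    "Cannot read $gptIni - check SYSVOL replication to $dc and TCP 445"
}

# 4) Show what gpresult says was filtered, e.g. 'Filtering: Denied (Security)' when the
#    account is not covered by the GPO's security filtering.
gpresult /z | Select-String -Context 0,3 'filtered out'
```

Run it from the remote-site terminal server under the account whose printers are missing, since both the DC locator result and the gpresult filtering depend on who and where you are.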
Awinish

GPLogView is also a good tool, give it a try.
http://gplogview.codeplex.com/

Regards
______________________________
Awinish Vishwakarma
MY BLOG:  awinish.wordpress.com
Yashy

ASKER
Awinish, which ports would you query if you used the portqry tool? I've just used it to query TCP 389 from the 10.45.191.0/24 site to our site 10.0.0.0/24 and it's listening. But it fails on UDP 389.

Any particular ports you would try to see whether it is affecting?
Thanks again for all this information.
ASKER CERTIFIED SOLUTION
Awinish

Yashy

ASKER
Thanks for your help peeps. The ports on the firewall have now been opened, as some were missing. Much appreciated.