Solved

Group policies not applying

Posted on 2013-01-16
Last Modified: 2013-01-17
Here is my scenario I need help with...

The domain server was stolen at my customer's. They have 7 users

Now installing a new domain controller.
Un-join all computers from the old domain using a local admin user on each machine
Rejoin to new domain controller
Only using default group policies
The GPO's are not applying
When using GPO Results wizard and attempt to connect to one of the computers I get "The RPC server is unavailable"
Server is a windows 2008 SP2 (same as old server)
Client computers are all Win 7

Any ideas where to start with troubleshooting?

I did already disable the firewall on one of the Win 7 machines and it still does not work.
Question by:Gerhardpet
22 Comments
 
LVL 7

Expert Comment

by:Minoru7
ID: 38784151
Did you try disabling the firewall on the server?
0
 
LVL 11

Expert Comment

by:rharland2009
ID: 38784163
Try this.
Unjoin one of the computers from the domain again.

Delete C:\WINDOWS\security\Database\secedit.sdb.

Reboot.

Rejoin to the domain.

gpupdate /force /boot

See if that works.
0
 
LVL 1

Author Comment

by:Gerhardpet
ID: 38784172
No, so far I have disabled the firewall only on one of the Win 7 computers, but that does not help.

I can ping the server from the Win 7 machine but cannot ping the Win 7 machine from the server.
0
 
LVL 7

Accepted Solution

by:
Minoru7 earned 500 total points
ID: 38784213
To me it sounds like either a DNS problem where the clients aren't able to register their own records, or the Windows firewall on the server is getting in the way of at least one way of the communication.  I'd start by testing with the Windows firewall off.  That'll instantly rule out the firewall.
0
 
LVL 18

Expert Comment

by:Sushil Sonawane
ID: 38784285
Please make following changes in registry then check.

1. Click Start, type regedit in the Start Search box, and then press ENTER.

2. Locate the RequireSecuritySignature registry entry under the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters

3. Right-click RequireSecuritySignature, and then click Modify.

4. In the Value data box, type 0, and then click OK.

5. Exit Registry Editor.

6. Reboot the Windows 7 machine and test again.
0
 
LVL 1

Author Comment

by:Gerhardpet
ID: 38784381
Turning the server firewall off then I can ping the Win 7 from the server but still does not work to apply the GPO

I will try the regedit
0
 
LVL 7

Expert Comment

by:Minoru7
ID: 38784395
Actually, what probably has happened is a half join to the domain.  I would bet that you'll see some errors in the logs regarding the join.  Now that you have the firewall off, I would remove the computer from the domain and then add it back.  

The registry hack isn't necessary with Windows 7 as it understands that method of communication with the server.  There's no reason to turn off secure communication.
0
 
LVL 7

Expert Comment

by:Minoru7
ID: 38784405
Just as a side note.  The only reason I've ever had to turn off secure communication (signing), as in that registry hack, is for Apple computers to communicate with a domain controller, because they were unable to use signed communications.
0
 
LVL 1

Author Comment

by:Gerhardpet
ID: 38784467
Ok I unjoined again and now I can't ping the server from Win 7

When I try to join I get "the domain controller could not be found"

I can still ping the Win 7 from the server
0
 
LVL 1

Author Comment

by:Gerhardpet
ID: 38784478
btw...I have the firewall disabled on both the server and win 7

Before I was able to ping the server from win 7 but not now
0
 
LVL 7

Expert Comment

by:Minoru7
ID: 38784482
Make sure in AD Sites and Services that you have the subnet of the PCs created and added to the default site.  Also, verify that the DNS on the Win7 machine is correct.  If the subnet isn't in Sites and Services, then the machine won't be able to find the domain controller that is assigned to it.
0
 
LVL 7

Expert Comment

by:Minoru7
ID: 38784485
Can you ping the server by IP, but not by name?
0
 
LVL 1

Author Comment

by:Gerhardpet
ID: 38784495
Not sure what you mean by
"Make sure in AD Sites and Services that you have the subnet of the PCs created and added to the default site."
Can you explain?

Already checked DNS and win 7 is using the server as DNS
0
 
LVL 1

Author Comment

by:Gerhardpet
ID: 38784499
I have tried both and can't ping by name and the same for IP...no response either way
0
 
LVL 7

Expert Comment

by:Minoru7
ID: 38784523
Not being able to ping by IP seems to be a different problem altogether.  There shouldn't be any reason why you can't ping by IP, unless routing on your workstation isn't correct.  You have the correct default gateway?  Are they on separate subnets?  

And otherwise, open Active Directory Sites and Services.  Expand Sites.  In Subnets, create a subnet for the network.  For instance, if you are IP address 192.168.96.3 with mask of 255.255.255.0, create a subnet such as 192.168.96.0/24.  When creating it, there is a Site drop-down.  Make sure to choose the default site where the domain controller resides.
0
 
LVL 7

Expert Comment

by:Minoru7
ID: 38784527
By the way, does the server have itself configured as the DNS server?
0
 
LVL 1

Author Comment

by:Gerhardpet
ID: 38784573
"By the way, does the server have itself configured as the DNS server?"
Yes

Default gateway is configured
No separate subnets
Created subnet under sites and services

Rebooting server now to see if that will help
0
 
LVL 7

Expert Comment

by:Minoru7
ID: 38784582
By the way, did you restart the computer after removing it from the domain?  Even if you did, once the server is back up, I would suggest rebooting the workstation again.
0
 
LVL 1

Author Comment

by:Gerhardpet
ID: 38784642
"By the way, did you restart the computer after removing it from the domain?"
Yes

Now I can ping again from win 7 to server. Don't know what that was...after reboot it works

Now the win 7 is joined again and I can log in as domain admin on win 7 but GP does not apply

If I run "gpresult /r /scope computer" I get access denied. That is with the domain admin username
0
 
LVL 1

Author Comment

by:Gerhardpet
ID: 38784742
One win 7 computer is working and now I have to rejoin the other 6 computers. But I have the firewall disabled on the server.
0
 
LVL 7

Expert Comment

by:Minoru7
ID: 38784800
As long as you have a good firewall on the outside of the network, you may not need to have the Windows firewall turned on.  It's your choice.  Otherwise, you'll need to track down all the ports that need to be opened on your server and configure the Windows firewall accordingly.  

I would run a gpupdate /force on those Windows workstations and then verify in the Windows logs that it completed successfully.  That is...after you remove them from the domain and add them back after a reboot.
0
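
The DNS and firewall causes raised in the accepted solution, and the "track down all the ports" step in the comment above, can be checked from a Windows 7 client with the script below. It is an added example, not part of the original thread; the domain name `corp.example` and server name `dc01.corp.example` are placeholders, and the port list is the standard set a domain member uses to reach a domain controller.

```powershell
# Added example (not from the thread). Written for PowerShell 2.0, as shipped with Windows 7.
param(
    [string]$Domain = 'corp.example',       # placeholder: AD DNS domain name
    [string]$DcName = 'dc01.corp.example'   # placeholder: the new domain controller
)

# TCP ports a domain member needs on the DC. RPC services such as the GPO Results
# wizard first contact the endpoint mapper on 135, then a dynamic port
# (49152-65535 by default on Server 2008).
$ports = @{ 53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'
            389 = 'LDAP'; 445 = 'SMB (SYSVOL, NETLOGON)'; 464 = 'Kerberos password change' }

function Test-TcpPort([string]$Server, [int]$Port, [int]$TimeoutMs = 2000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

# 1. The DC locator finds a domain controller through this SRV record.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain"

# 2. Ask the locator directly; a failure here matches "domain controller could not be found".
nltest "/dsgetdc:$Domain"

# 3. Check each required port on the DC and report the result per port.
$ports.Keys | Sort-Object | ForEach-Object {
    New-Object PSObject -Property @{
        Port      = $_
        Service   = $ports[$_]
        Reachable = Test-TcpPort $DcName $_
    }
} | Format-Table Port, Service, Reachable -AutoSize

# 4. After the join: confirm the machine account's secure channel to the domain.
Test-ComputerSecureChannel
```

Running it once with the server's Windows Firewall on and once with it off shows which ports the firewall is blocking, which is the list needed to configure rules instead of leaving the firewall disabled.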
 
LVL 1

Author Comment

by:Gerhardpet
ID: 38790103
My customer is using Untangle as the firewall so I will leave the Win 2008 firewall disabled. I really appreciate your help on this.

Thank you very much.
0

Question has a verified solution.
