• Status: Solved

Group policies not applying

Here is my scenario I need help with...

The domain server was stolen at my customer's. They have 7 users.

Now installing a new domain controller.
Un-join all computers from the old domain using a local admin user on each machine
Rejoin to new domain controller
Only using default group policies
The GPOs are not applying
When using the GPO Results wizard and attempting to connect to one of the computers, I get "The RPC server is unavailable"
Server is a Windows 2008 SP2 (same as the old server)
Client computers are all Win 7

Any ideas where to start with troubleshooting?

I did already disable the firewall on one of the Win 7 machines and it still does not work.
Asked by: Gerhardpet
1 Solution
 
Minoru7 commented:
Did you try disabling the firewall on the server?

rharland2009 commented:
Try this.
Unjoin one of the computers from the domain again.

Delete C:\WINDOWS\security\Database\secedit.sdb.

Reboot.

Rejoin to the domain.

gpupdate /force /boot

See if that works.

Gerhardpet (Author) commented:
No, so far I have disabled the firewall only on one of the Win 7 computers, but that does not help.

I can ping the server from the Win 7 machine but cannot ping the Win 7 from the server.
 
Minoru7 commented:
To me it sounds like either a DNS problem where the clients aren't able to register their own records, or the Windows firewall on the server is getting in the way of at least one way of the communication.  I'd start by testing with the Windows firewall off.  That'll instantly rule out the firewall.

Sushil Sonawane commented:
Please make the following changes in the registry, then check.

1. Click Start, type regedit in the Start Search box, and then press ENTER.

2. Locate the RequireSecuritySignature registry entry under the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters

3. Right-click RequireSecuritySignature, and then click Modify.

4. In the Value data box, type 0, and then click OK.

5. Exit Registry Editor.

6. Reboot the Windows 7 machine and test again.

Gerhardpet (Author) commented:
With the server firewall turned off I can ping the Win 7 from the server, but the GPO still does not apply.

I will try the regedit.

Minoru7 commented:
Actually, what probably has happened is a half join to the domain.  I would bet that you'll see some errors in the logs regarding the join.  Now that you have the firewall off, I would remove the computer from the domain and then add it back.  

The registry hack isn't necessary with Windows 7 as it understands that method of communication with the server.  There's no reason to turn off secure communication.

Minoru7 commented:
Just as a side note.  The only reason I've ever had to turn off secure communication (signing), as in that registry hack, is for Apple computers to communicate with a domain controller, because they were unable to use signed communications.

Gerhardpet (Author) commented:
OK, I unjoined again and now I can't ping the server from Win 7.

When I try to join I get "the domain controller could not be found".

I can still ping the Win 7 from the server.

Gerhardpet (Author) commented:
BTW, I have the firewall disabled on both the server and Win 7.

Before, I was able to ping the server from Win 7, but not now.

Minoru7 commented:
Make sure in AD Sites and Services that you have the subnet of the PCs created and added to the default site.  Also, verify that the DNS on the Win7 machine is correct.  If the subnet isn't in Sites and Services, then the machine won't be able to find the domain controller that is assigned to it.

Minoru7 commented:
Can you ping the server by IP, but not by name?

Gerhardpet (Author) commented:
Not sure what you mean by:
"Make sure in AD Sites and Services that you have the subnet of the PCs created and added to the default site."
Can you explain?

Already checked DNS, and Win 7 is using the server as DNS.

Gerhardpet (Author) commented:
I have tried both and can't ping by name, and the same for IP: no response either way.

Minoru7 commented:
Not being able to ping by IP seems to be a different problem altogether.  There shouldn't be any reason why you can't ping by IP, unless routing on your workstation isn't correct.  You have the correct default gateway?  Are they on separate subnets?  

And otherwise, open Active Directory Sites and Services.  Expand Sites.  In Subnets, create a subnet for the network.  For instance, if your IP address is 192.168.96.3 with a mask of 255.255.255.0, create a subnet such as 192.168.96.0/24.  When creating it, there is a Site drop-down.  Make sure to choose the default site where the domain controller resides.

Minoru7 commented:
By the way, does the server have itself configured as the DNS server?

Gerhardpet (Author) commented:
"By the way, does the server have itself configured as the DNS server?"
Yes.

Default gateway is configured
No separate subnets
Created subnet under sites and services

Rebooting server now to see if that will help

Minoru7 commented:
By the way, did you restart the computer after removing it from the domain?  Even if you did, once the server is back up, I would suggest rebooting the workstation again.

Gerhardpet (Author) commented:
"By the way, did you restart the computer after removing it from the domain?"
Yes.

Now I can ping again from Win 7 to the server. Don't know what that was; after the reboot it works.

Now the Win 7 is joined again and I can log in as domain admin on Win 7, but GP does not apply.

If I run "gpresult /r /scope computer" I get access denied. That is with the domain admin username.

Gerhardpet (Author) commented:
One win 7 computer is working and now I have to rejoin the other 6 computers. But I have the firewall disabled on the server.

Minoru7 commented:
As long as you have a good firewall on the outside of the network, you may not need to have the Windows firewall turned on.  It's your choice.  Otherwise, you'll need to track down all the ports that need to be opened on your server and configure the Windows firewall accordingly.

I would run a gpupdate /force on those Windows workstations and then verify in the Windows logs that it completed successfully.  That is...after you remove them from the domain and add them back after a reboot.
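The checks the answers in this thread walk through (the DC locator behind "the domain controller could not be found", the ports a Windows Firewall on either side must pass, the secure channel that a half join leaves broken, the SMB signing setting from the registry suggestion, and verifying gpupdate in the Windows logs), gathered into one client-side PowerShell diagnostic. This is an added example, not code from the thread or its participants; $Domain and the 24-hour log window are assumptions.

```powershell
# Added diagnostic script for the symptoms discussed in this thread. It is not
# from the thread or its participants. Run it in an elevated PowerShell on the
# Windows 7 workstation. $Domain is a placeholder, not the customer's domain.
param([string]$Domain = 'corp.example.local')

$checks = @()
function Add-Check($Name, $Ok, $Detail) {
    $script:checks += New-Object PSObject -Property @{ Check = $Name; OK = [bool]$Ok; Detail = "$Detail" }
}

# 1. DC locator. This is what fails behind "the domain controller could not be found".
$loc = nltest /dsgetdc:$Domain 2>&1
$dcName = $null; $dcAddr = $null
foreach ($line in $loc) {
    if ("$line" -match 'DC:\s*\\\\(\S+)')      { $dcName = $Matches[1] }
    if ("$line" -match 'Address:\s*\\\\(\S+)') { $dcAddr = $Matches[1] }
}
Add-Check 'DC locator (nltest /dsgetdc)' ($LASTEXITCODE -eq 0 -and $dcAddr) "$dcName $dcAddr"

# 2. Ports Group Policy processing needs on the DC: DNS, Kerberos, RPC mapper, LDAP, SMB.
#    A blocked 135 or 445 is how a Windows Firewall rule on either side shows up.
if ($dcAddr) {
    foreach ($port in 53, 88, 135, 389, 445) {
        $tcp = New-Object System.Net.Sockets.TcpClient
        $ok = $false
        try { $ok = $tcp.BeginConnect($dcAddr, $port, $null, $null).AsyncWaitHandle.WaitOne(2000) -and $tcp.Connected } catch {}
        $tcp.Close()
        Add-Check "TCP $port to $dcAddr" $ok ''
    }
}

# 3. Machine account secure channel. A "half join" shows up here as False.
$sc = $false
try { $sc = Test-ComputerSecureChannel -ErrorAction Stop } catch {}
Add-Check 'Secure channel to domain' $sc ''

# 4. SMB signing on the client. The registry edit suggested in the thread sets
#    RequireSecuritySignature=0, which is already the Windows 7 workstation default.
#    Signing to a DC (which requires it) only breaks if EnableSecuritySignature is 0,
#    an SMB1-era setting, so report both values rather than weaken anything.
$p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
Add-Check 'SMB signing enabled on client' ($p.EnableSecuritySignature -ne 0) "Enable=$($p.EnableSecuritySignature) Require=$($p.RequireSecuritySignature)"

# 5. Recent errors in the log gpupdate /force writes to, for the "verify in the
#    Windows logs" step. 24 hours is an assumed window.
$errs = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-GroupPolicy/Operational'; Level = 2; StartTime = (Get-Date).AddDays(-1) } -MaxEvents 5 -ErrorAction SilentlyContinue
Add-Check 'No Group Policy errors in last 24h' (-not $errs) (($errs | ForEach-Object { "$($_.Id): " + $_.Message.Split("`n")[0] }) -join '; ')

$checks | Format-Table Check, OK, Detail -AutoSize
```

A False in row 1 points at DNS or the Sites and Services subnet, a False on a port row at a firewall, and a False secure channel at the half join that an unjoin, reboot and rejoin fixes.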
 
Gerhardpet (Author) commented:
My customer is using Untangle as the firewall, so I will leave the Win 2008 firewall disabled. I really appreciate your help on this.

Thank you very much.