Solved

Group policies not applying

Posted on 2013-01-16
Last Modified: 2013-01-17
Here is my scenario I need help with...

The domain server was stolen at my customer's. They have 7 users.

Now installing a new domain controller.
Un-join all computers from the old domain using a local admin user on each machine
Rejoin to new domain controller
Only using default group policies
The GPOs are not applying
When I use the GPO Results wizard and attempt to connect to one of the computers, I get "The RPC server is unavailable"
Server is Windows 2008 SP2 (same as old server)
Client computers are all Win 7

Any ideas where to start with troubleshooting?

I did already disable the firewall on one of the Win 7 machines and it still does not work.
Question by:Gerhardpet
22 Comments
 
LVL 7

Expert Comment

by:Minoru7
ID: 38784151
Did you try disabling the firewall on the server?
0
 
LVL 11

Expert Comment

by:rharland2009
ID: 38784163
Try this.
Unjoin one of the computers from the domain again.

Delete C:\WINDOWS\security\Database\secedit.sdb.

Reboot.

Rejoin to the domain.

gpupdate /force /boot

See if that works.
0
 
LVL 1

Author Comment

by:Gerhardpet
ID: 38784172
No, so far I have disabled the firewall only on one of the Win 7 computers, but that does not help.

I can ping the server from the Win 7 machine but cannot ping the Win 7 from the server.
0
 
LVL 7

Accepted Solution

by:
Minoru7 earned 500 total points
ID: 38784213
To me it sounds like either a DNS problem where the clients aren't able to register their own records, or the Windows firewall on the server is getting in the way of at least one way of the communication.  I'd start by testing with the Windows firewall off.  That'll instantly rule out the firewall.
0
 
LVL 18

Expert Comment

by:Sushil Sonawane
ID: 38784285
Please make the following changes in the registry, then check.

1.  Click Start, type regedit in the Start Search box, and then press ENTER.

2.  Locate the RequireSecuritySignature registry entry under the following registry subkey:
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
 
3.  Right-click RequireSecuritySignature, and then click Modify.

4.  In the Value data box, type 0, and then click OK.

5.  Exit Registry Editor.

6.  Reboot the Windows 7 machine and test again.
0
 
LVL 1

Author Comment

by:Gerhardpet
ID: 38784381
With the server firewall turned off I can ping the Win 7 from the server, but it still does not apply the GPO.

I will try the regedit
0
 
LVL 7

Expert Comment

by:Minoru7
ID: 38784395
Actually, what probably has happened is a half join to the domain.  I would bet that you'll see some errors in the logs regarding the join.  Now that you have the firewall off, I would remove the computer from the domain and then add it back.  

The registry hack isn't necessary with Windows 7 as it understands that method of communication with the server.  There's no reason to turn off secure communication.
0
 
LVL 7

Expert Comment

by:Minoru7
ID: 38784405
Just as a side note.  The only reason I've ever had to turn off secure communication (signing), as in that registry hack, is for Apple computers to communicate with a domain controller, because they were unable to use signed communications.
0
 
LVL 1

Author Comment

by:Gerhardpet
ID: 38784467
Ok I unjoined again and now I can't ping the server from Win 7

When I try to join I get "the domain controller could not be found"

I can still ping the Win 7 from the server
0
 
LVL 1

Author Comment

by:Gerhardpet
ID: 38784478
btw...I have the firewall disabled on both the server and win 7

Before I was able to ping the server from win 7 but not now
0
 
LVL 7

Expert Comment

by:Minoru7
ID: 38784482
Make sure in AD Sites and Services that you have the subnet of the PCs created and added to the default site.  Also, verify that the DNS on the Win7 machine is correct.  If the subnet isn't in Sites and Services, then the machine won't be able to find the domain controller that is assigned to it.
0
 
LVL 7

Expert Comment

by:Minoru7
ID: 38784485
Can you ping the server by IP, but not by name?
0
 
LVL 1

Author Comment

by:Gerhardpet
ID: 38784495
Not sure what you mean by
Make sure in AD Sites and Services that you have the subnet of the PCs created and added to the default site.
Can you explain?

Already checked DNS and win 7 is using the server as DNS
0
 
LVL 1

Author Comment

by:Gerhardpet
ID: 38784499
I have tried both and can't ping by name and the same for IP...no response either way
0
 
LVL 7

Expert Comment

by:Minoru7
ID: 38784523
Not being able to ping by IP seems to be a different problem altogether.  There shouldn't be any reason why you can't ping by IP, unless routing on your workstation isn't correct.  You have the correct default gateway?  Are they on separate subnets?  

And otherwise, open Active Directory Sites and Services.  Expand Sites.  In Subnets, create a subnet for the network.  For instance, if you are IP address 192.168.96.3 with mask of 255.255.255.0, create a subnet such as 192.168.96.0/24.  When creating it, there is a Site drop-down.  Make sure to choose the default site where the domain controller resides.
0
 
LVL 7

Expert Comment

by:Minoru7
ID: 38784527
By the way, does the server have itself configured as the DNS server?
0
 
LVL 1

Author Comment

by:Gerhardpet
ID: 38784573
By the way, does the server have itself configured as the DNS server?
Yes

Default gateway is configured
No separate subnets
Created subnet under sites and services

Rebooting server now to see if that will help
0
 
LVL 7

Expert Comment

by:Minoru7
ID: 38784582
By the way, did you restart the computer after removing it from the domain?  Even if you did, once the server is back up, I would suggest rebooting the workstation again.
0
 
LVL 1

Author Comment

by:Gerhardpet
ID: 38784642
By the way, did you restart the computer after removing it from the domain?
Yes

Now I can ping again from win 7 to server. Don't know what that was...after reboot it works

Now the win 7 is joined again and I can log in as domain admin on win 7 but GP does not apply

If I run "gpresult /r /scope computer" I get access denied. That is with the domain admin username
0
 
LVL 1

Author Comment

by:Gerhardpet
ID: 38784742
One win 7 computer is working and now I have to rejoin the other 6 computers. But I have the firewall disabled on the server.
0
 
LVL 7

Expert Comment

by:Minoru7
ID: 38784800
As long as you have a good firewall on the outside of the network, you may not need to have the Windows firewall turned on.  It's your choice.  Otherwise, you'll need to track down all the ports that need to be opened on your server and configure the Windows firewall accordingly.  

I would run a gpupdate /force on those Windows workstations and then verify in the Windows logs that it completed successfully.  That is...after you remove them from the domain and add them back after a reboot.
0
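For the option mentioned above of tracking down the ports the server needs rather than leaving its firewall off, the following is an added example (not posted by anyone in this thread) that checks from a Windows 7 client which of the TCP ports commonly documented for Active Directory are reachable on the domain controller, then queries the DC locator SRV record. `$DcAddress` and `$DomainName` are placeholders, and the port list is an assumption based on Microsoft's published port requirements; the dynamic RPC range and UDP are not tested.

```powershell
# Added example, PowerShell 2.0 compatible (Windows 7 / Server 2008).
# Placeholders: replace with the real DC address and AD DNS domain name.
$DcAddress  = '192.0.2.10'
$DomainName = 'example.local'

# TCP ports a domain member commonly needs to reach on a domain controller.
$Ports = @(
    @{ Port = 53;   Service = 'DNS' },
    @{ Port = 88;   Service = 'Kerberos' },
    @{ Port = 135;  Service = 'RPC endpoint mapper' },
    @{ Port = 389;  Service = 'LDAP' },
    @{ Port = 445;  Service = 'SMB (SYSVOL, where GPO files live)' },
    @{ Port = 464;  Service = 'Kerberos password change' },
    @{ Port = 3268; Service = 'Global Catalog' }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so a filtered port fails after the timeout
        # instead of hanging for the full TCP retry period.
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($p in $Ports) {
    New-Object PSObject -Property @{
        Service   = $p.Service
        Port      = $p.Port
        Reachable = Test-TcpPort -ComputerName $DcAddress -Port $p.Port
    }
}
$results | Select-Object Service, Port, Reachable | Format-Table -AutoSize

# DC locator check: the client finds its domain controller through this SRV
# record, so a failed lookup matches "the domain controller could not be found".
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$DomainName" $DcAddress
```

A port that shows as unreachable with the server firewall on and reachable with it off identifies the inbound rule that needs enabling on the server.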
 
LVL 1

Author Comment

by:Gerhardpet
ID: 38790103
My customer is using Untangle as a firewall so I will leave the Win 2008 firewall disabled. I really appreciate your help on this.

Thank you very much.
0


Question has a verified solution.
