Solved

Group policies not applying

Posted on 2013-01-16
22
414 Views
Last Modified: 2013-01-17
Here is my scenario I need help with...

The domain server was stolen at my customer's. They have 7 users.

Now installing a new domain controller.
Un-join all computers from the old domain using a local admin user on each machine
Rejoin to new domain controller
Only using default group policies
The GPOs are not applying
When using GPO Results wizard and attempt to connect to one of the computers I get "The RPC server is unavailable"
Server is a Windows 2008 SP2 (same as old server)
Client computers are all Win 7

Any ideas where to start with troubleshooting?

I did already disable the firewall on one of the Win 7 machines and it still does not work.
Question by:Gerhardpet
22 Comments
 
LVL 7

Expert Comment

by:Minoru7
ID: 38784151
Did you try disabling the firewall on the server?
0
 
LVL 11

Expert Comment

by:rharland2009
ID: 38784163
Try this.
Unjoin one of the computers from the domain again.

Delete C:\WINDOWS\security\Database\secedit.sdb.

Reboot.

Rejoin to the domain.

gpupdate /force /boot

See if that works.
0
 
LVL 1

Author Comment

by:Gerhardpet
ID: 38784172
No, so far I have disabled the firewall only on one of the Win 7 computers, but that does not help.

I can ping the server from the Win 7 machine but cannot ping the Win 7 from the server.
0
 
LVL 7

Accepted Solution

by:
Minoru7 earned 500 total points
ID: 38784213
To me it sounds like either a DNS problem where the clients aren't able to register their own records, or the Windows firewall on the server is getting in the way of at least one way of the communication.  I'd start by testing with the Windows firewall off.  That'll instantly rule out the firewall.
0
 
LVL 18

Expert Comment

by:Sushil Sonawane
ID: 38784285
Please make the following changes in the registry, then check.

1. Click Start, type regedit in the Start Search box, and then press ENTER.

2. Locate the RequireSecuritySignature registry entry under the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters

3. Right-click RequireSecuritySignature, and then click Modify.

4. In the Value data box, type 0, and then click OK.

5. Exit Registry Editor.

6. Reboot the Windows 7 and test again.
0
 
LVL 1

Author Comment

by:Gerhardpet
ID: 38784381
With the server firewall turned off I can ping the Win 7 from the server, but it still does not apply the GPO.

I will try the regedit.
0
 
LVL 7

Expert Comment

by:Minoru7
ID: 38784395
Actually, what probably has happened is a half join to the domain.  I would bet that you'll see some errors in the logs regarding the join.  Now that you have the firewall off, I would remove the computer from the domain and then add it back.  

The registry hack isn't necessary with Windows 7 as it understands that method of communication with the server.  There's no reason to turn off secure communication.
0
 
LVL 7

Expert Comment

by:Minoru7
ID: 38784405
Just as a side note.  The only reason I've ever had to turn off secure communication (signing), as in that registry hack, is for Apple computers to communicate with a domain controller, because they were unable to use signed communications.
0
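The two comments above argue against the registry change that disables SMB signing. As an added example (not code posted in this thread), here is a PowerShell read-only audit of the signing settings on a Windows 7 client or a 2008 server: it reads the workstation key named in the thread plus the matching server-side key and reports the resulting posture, so you can confirm signing is still in place after troubleshooting rather than turning it off. The registry paths are the standard LanmanWorkstation/LanmanServer parameter keys; the interpretation of missing values (signing negotiated by default, required only where RequireSecuritySignature is 1) is an assumption stated in the comments.

```powershell
# Added example: audit SMB signing instead of disabling it (PowerShell 2.0+, run as admin).
# Not part of the original thread.

$signingKeys = @{
    'Workstation (LanmanWorkstation)' = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    'Server (LanmanServer)'           = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
}

function Get-RegistryDword {
    # Returns the DWORD value, or $null when the value is absent (platform default applies).
    param([string]$Path, [string]$Name)
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties[$Name]) { return [int]$props.$Name }
    return $null
}

function Get-SmbSigningPosture {
    foreach ($role in $signingKeys.Keys) {
        $path    = $signingKeys[$role]
        $require = Get-RegistryDword -Path $path -Name 'RequireSecuritySignature'
        $enable  = Get-RegistryDword -Path $path -Name 'EnableSecuritySignature'

        # Assumed interpretation: Require=1 means this host insists on signed SMB
        # (domain controllers require it on the server side); Enable=1 or an absent
        # value means signing is negotiated when the peer supports it; Enable=0 with
        # Require=0 means signing is effectively off and should be reviewed.
        $posture = 'signing negotiated (default)'
        if ($require -eq 1) { $posture = 'signing required' }
        elseif ($enable -eq 0) { $posture = 'signing disabled - review' }

        New-Object PSObject -Property @{
            Role                     = $role
            RequireSecuritySignature = $require
            EnableSecuritySignature  = $enable
            Posture                  = $posture
        }
    }
}

Get-SmbSigningPosture |
    Format-Table Role, RequireSecuritySignature, EnableSecuritySignature, Posture -AutoSize
```

If the workstation key was already set to 0 while following the earlier steps, deleting the value (or setting it back to its previous value) and rebooting restores the default behaviour; the audit above will then show "signing negotiated (default)" for the workstation and "signing required" on the domain controller.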
 
LVL 1

Author Comment

by:Gerhardpet
ID: 38784467
OK, I unjoined again and now I can't ping the server from Win 7.

When I try to join I get "the domain controller could not be found".

I can still ping the Win 7 from the server.
0
 
LVL 1

Author Comment

by:Gerhardpet
ID: 38784478
BTW... I have the firewall disabled on both the server and Win 7.

Before I was able to ping the server from Win 7 but not now.
0
 
LVL 7

Expert Comment

by:Minoru7
ID: 38784482
Make sure in AD Sites and Services that you have the subnet of the PCs created and added to the default site.  Also, verify that the DNS on the Win7 machine is correct.  If the subnet isn't in Sites and Services, then the machine won't be able to find the domain controller that is assigned to it.
0
 
LVL 7

Expert Comment

by:Minoru7
ID: 38784485
Can you ping the server by IP, but not by name?
0
 
LVL 1

Author Comment

by:Gerhardpet
ID: 38784495
Not sure what you mean by:
"Make sure in AD Sites and Services that you have the subnet of the PCs created and added to the default site."
Can you explain?

Already checked DNS and win 7 is using the server as DNS
0
 
LVL 1

Author Comment

by:Gerhardpet
ID: 38784499
I have tried both and can't ping by name and the same for IP... no response either way.
0
 
LVL 7

Expert Comment

by:Minoru7
ID: 38784523
Not being able to ping by IP seems to be a different problem altogether.  There shouldn't be any reason why you can't ping by IP, unless routing on your workstation isn't correct.  You have the correct default gateway?  Are they on separate subnets?  

And otherwise, open Active Directory Sites and Services.  Expand Sites.  In Subnets, create a subnet for the network.  For instance, if your IP address is 192.168.96.3 with a mask of 255.255.255.0, create a subnet such as 192.168.96.0/24.  When creating it, there is a Site drop-down.  Make sure to choose the default site where the domain controller resides.
0
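The comment above covers the three things the domain locator needs on the client side: correct DNS, a reachable DC and a subnet registered in Sites and Services. As an added example (not code from the thread), the PowerShell below runs those checks from the Windows 7 workstation using tools that ship with Windows 7 (ipconfig, nslookup, nltest) and a plain TCP connect for the ports the join, Group Policy processing and the GPO Results wizard depend on. It also converts an address and mask into the CIDR subnet to create under Sites and Services, using the 192.168.96.3 / 255.255.255.0 values from the comment. The domain name and DC address are placeholders you must replace; the port list is the standard AD client set and is assumed rather than taken from the thread.

```powershell
# Added example: client-side domain locator checks (PowerShell 2.0+, run elevated on the Win 7 client).
# Not part of the original thread.
param(
    [string]$Domain    = 'corp.example.local',   # assumption: replace with the real domain FQDN
    [string]$DcAddress = '192.168.96.2'          # assumption: replace with the new DC's IP
)

function Get-SubnetFromIp {
    # Address + mask -> CIDR subnet to register under AD Sites and Services > Subnets.
    # e.g. 192.168.96.3 / 255.255.255.0 -> 192.168.96.0/24
    param([string]$Ip, [string]$Mask)
    $ipBytes   = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    $maskBytes = [System.Net.IPAddress]::Parse($Mask).GetAddressBytes()
    $netBytes  = 0..3 | ForEach-Object { $ipBytes[$_] -band $maskBytes[$_] }
    $bits      = ($maskBytes | ForEach-Object { [Convert]::ToString($_, 2) }) -join ''
    $prefixLen = @($bits.ToCharArray() | Where-Object { $_ -eq '1' }).Count
    return ('{0}/{1}' -f ($netBytes -join '.'), $prefixLen)
}

function Test-TcpPort {
    # ICMP can be blocked by a firewall, so test the actual service ports instead of relying on ping.
    param([string]$TargetHost, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($TargetHost, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# 1. DNS servers on this client must point at the DC: only the DC's zone carries the
#    _ldap._tcp SRV records the domain locator uses.
ipconfig /all | Select-String 'DNS Servers'

# 2. Can the client resolve the DC locator record from the DC's DNS?
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" $DcAddress

# 3. Ask the locator itself; this is the same lookup the join wizard performs.
nltest /dsgetdc:$Domain

# 4. Ports the join, GPO processing and the GPO Results wizard depend on (assumed standard set).
$ports = @{ 53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP'; 445 = 'SMB (SYSVOL)' }
foreach ($p in ($ports.Keys | Sort-Object)) {
    '{0,5}  {1,-22} reachable: {2}' -f $p, $ports[$p], (Test-TcpPort -TargetHost $DcAddress -Port $p)
}

# 5. The subnet to create in Sites and Services for this client (values from the comment above).
Get-SubnetFromIp -Ip '192.168.96.3' -Mask '255.255.255.0'
```

If step 3 fails while step 2 succeeds, the problem is usually routing or the firewall rather than DNS; if step 2 fails, fix the client's DNS server entry first, because no amount of rejoining will help until the SRV records resolve.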
 
LVL 7

Expert Comment

by:Minoru7
ID: 38784527
By the way, does the server have itself configured as the DNS server?
0
 
LVL 1

Author Comment

by:Gerhardpet
ID: 38784573
By the way, does the server have itself configured as the DNS server?
Yes

Default gateway is configured
No separate subnets
Created subnet under sites and services

Rebooting server now to see if that will help
0
 
LVL 7

Expert Comment

by:Minoru7
ID: 38784582
By the way, did you restart the computer after removing it from the domain?  Even if you did, once the server is back up, I would suggest rebooting the workstation again.
0
 
LVL 1

Author Comment

by:Gerhardpet
ID: 38784642
By the way, did you restart the computer after removing it from the domain?
Yes

Now I can ping again from Win 7 to the server. Don't know what that was... after the reboot it works.

Now the Win 7 is joined again and I can log in as domain admin on Win 7, but GP does not apply.

If I run "gpresult /r /scope computer" I get access denied. That is with the domain admin username.
0
 
LVL 1

Author Comment

by:Gerhardpet
ID: 38784742
One win 7 computer is working and now I have to rejoin the other 6 computers. But I have the firewall disabled on the server.
0
 
LVL 7

Expert Comment

by:Minoru7
ID: 38784800
As long as you have a good firewall on the outside of the network, you may not need to have the Windows firewall turned on.  It's your choice.  Otherwise, you'll need to track down all the ports that need to be opened on your server and configure the Windows firewall accordingly.

I would run a gpupdate /force on those Windows workstations and then verify in the Windows logs that it completed successfully.  That is...after you remove them from the domain and add them back after a reboot.
0
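The comment above recommends a gpupdate /force followed by a check of the Windows logs. As an added example (not code from the thread), this PowerShell runs the refresh on a Windows 7 client and then reads the Group Policy operational channel for anything logged since the refresh started, so a failed SYSVOL or DNS lookup shows up as a concrete event instead of a silent non-apply. It also keeps the client firewall on by enabling only the WMI inbound rule group, which is what the GPO Results wizard on the server uses to reach the client. Everything runs from an elevated prompt; a non-elevated prompt is a common cause of the "access denied" from gpresult /scope computer mentioned earlier. The log name, level numbers and netsh rule group are standard Windows values; the summary function is assumed rather than part of the thread.

```powershell
# Added example: refresh Group Policy and verify it from the event log (PowerShell 2.0+, elevated).
# Not part of the original thread.

# Narrower alternative to disabling the client firewall for the GPO Results wizard:
# enable the inbound WMI rule group so the server's RSoP query can reach this client.
netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes

$started = Get-Date
gpupdate /force | Out-Null

function Get-GpoRefreshSummary {
    # Reads the Group Policy operational log from $Since and summarises warnings/errors.
    # Level 2 = Error, 3 = Warning, 4 = Information.
    param([datetime]$Since)
    $filter = @{ LogName = 'Microsoft-Windows-GroupPolicy/Operational'; StartTime = $Since }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    $problems = @($events | Where-Object { $_.Level -le 3 })
    $details = $problems | ForEach-Object {
        '{0} id={1}: {2}' -f $_.TimeCreated, $_.Id, ($_.Message -split "`n")[0]
    }
    New-Object PSObject -Property @{
        EventsLogged = $events.Count
        Problems     = $problems.Count
        Details      = ($details -join "`n")
    }
}

Get-GpoRefreshSummary -Since $started | Format-List EventsLogged, Problems, Details

# Which GPOs did the computer and the user actually receive?
gpresult /r /scope computer
gpresult /r /scope user
```

A healthy refresh shows Problems = 0 and the System log records events 1500/1502 (computer) and 1501/1503 (user) from the GroupPolicy source; an error referencing gpt.ini or SYSVOL points back at DNS or SMB reachability of the DC, which is where the earlier comments in this thread started.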
 
LVL 1

Author Comment

by:Gerhardpet
ID: 38790103
My customer is using Untangle as the firewall, so I will leave the Win 2008 firewall disabled. I really appreciate your help on this.

Thank you very much.
0
