Solved

GPO at AD site level

Posted on 2013-06-17
Last Modified: 2013-06-25
Hi guys,
I tried to make a GPO at site level for our printers. The printer does not show up.

I dug in a bit using gpresult and found out that it still uses the GPO from the earlier site which it belonged to (let's call it GPO-old).

I moved this PC to the current new site, which has a different IP subnet setting from the old one.

My question is why this PC is still using GPO-old instead of applying GPO-new?
(Both GPO-old and GPO-new are at site level.)

Thanks.

SYH
Question by:BLarry9
17 Comments
 
LVL 4

Expert Comment

by:TechOps07
ID: 39254480
Have you tried running GpUpdate /sync /boot /force?
 

Author Comment

by:BLarry9
ID: 39254525
Yes, I did try that, and after the reboot I can still see GPO-old show up in gpresult /r.
 
LVL 4

Expert Comment

by:TechOps07
ID: 39254900
What if you remove it from and re-add it to the domain? Check the "ENFORCE" option on the GPO. Also check the local GPO policy on the PC. There is sometimes an option to override the domain in one of those settings; I don't recall exactly.
 
LVL 24

Accepted Solution

by: Sandeshdubey (earned 400 total points)
ID: 39256396
Ensure that there is no overlapping issue in AD Sites and Services.
http://technet.microsoft.com/en-in/magazine/2009.06.subnets(en-us).aspx

Check the client computer DNS settings as well as the DC's and ensure they follow this:
Best practices for DNS client settings on DC and domain members.
http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

If you just modified the policy, it will take time to take effect. Also force replication from AD Sites and Services or with the repadmin command. Reboot the client computer and check.

You can also verify which AD site the client computer belongs to:
http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/ActiveDirectory/DynamicSiteNameandSiteNameWhichsiteaclientcomputerbelongsto.html
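The accepted answer asks two things of the client: which site DC Locator places it in, and whether its address actually falls inside a subnet mapped to that site (or inside two overlapping ones). The script below is an added example, not code from the thread or from either poster; it uses only the .NET System.DirectoryServices.ActiveDirectory classes, so it runs on any domain-joined Windows client without RSAT, and it assumes the client's subnets are defined in IPv4 or IPv6 CIDR form as AD Sites and Services stores them. The registry paths are the ones named later in the thread.

```powershell
# Added example (not from the thread): report the site DC Locator resolves for this
# client, the cached/overridden site names in the registry, and which AD subnet(s)
# contain the client's addresses. Run on the affected client as a normal user.

function Test-IPInSubnet {
    # Returns $true when $IPAddress lies inside the CIDR block $Cidr (e.g. 10.1.2.0/24).
    param([string]$IPAddress, [string]$Cidr)
    $netPart, $prefix = $Cidr -split '/'
    $ip  = [System.Net.IPAddress]::Parse($IPAddress)
    $net = [System.Net.IPAddress]::Parse($netPart)
    if ($ip.AddressFamily -ne $net.AddressFamily) { return $false }   # don't compare v4 with v6
    $ipBytes  = $ip.GetAddressBytes()
    $netBytes = $net.GetAddressBytes()
    $bits = [int]$prefix
    for ($i = 0; $i -lt $ipBytes.Length; $i++) {
        $take = [Math]::Min(8, [Math]::Max(0, $bits - 8 * $i))   # prefix bits left in this octet
        if ($take -eq 0) { break }
        $mask = (0xFF -shl (8 - $take)) -band 0xFF
        if (($ipBytes[$i] -band $mask) -ne ($netBytes[$i] -band $mask)) { return $false }
    }
    return $true
}

function Get-ClientSiteReport {
    # 1. The site DC Locator resolves right now (same answer as `nltest /dsgetsite`)
    $site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite()
    "Site according to DC Locator : $($site.Name)"

    # 2. What the registry holds: the cached discovery result and any policy override
    $svc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    "DynamicSiteName (cached)     : $($svc.DynamicSiteName)"
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Netlogon\Parameters' -ErrorAction SilentlyContinue
    if ($pol -and $pol.SiteName) { "SiteName (policy override)   : $($pol.SiteName)" }

    # 3. Every subnet defined in AD Sites and Services, tagged with the site it maps to
    $forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $subnets = foreach ($s in $forest.Sites) {
        foreach ($sn in $s.Subnets) { [pscustomobject]@{ Subnet = $sn.Name; Site = $s.Name } }
    }

    # 4. Match this client's own addresses against those subnets
    $myIPs = [System.Net.Dns]::GetHostAddresses($env:COMPUTERNAME) |
             Where-Object { -not $_.IsIPv6LinkLocal } |
             ForEach-Object { $_.IPAddressToString }
    foreach ($ip in $myIPs) {
        $hits = @($subnets | Where-Object { Test-IPInSubnet -IPAddress $ip -Cidr $_.Subnet })
        if ($hits.Count -eq 0) {
            "$ip : no defined subnet contains this address (DC cannot place the client in a site)"
        } elseif ($hits.Count -gt 1) {
            "$ip : OVERLAPPING subnets -> " + (($hits | ForEach-Object { "$($_.Subnet)=$($_.Site)" }) -join ', ')
        } else {
            "$ip : $($hits[0].Subnet) -> site $($hits[0].Site)"
        }
    }
}

Get-ClientSiteReport
```

A client whose address matches no subnet, or matches two subnets mapped to different sites, is the condition the answer's first link describes; if the report shows the address cleanly inside a subnet mapped to the new site while DC Locator still names the old one, the problem is on the client side (a stale cached name or an override), which is where the rest of the thread ends up.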
 

Author Comment

by:BLarry9
ID: 39260885
Thanks guys...
I did more tests...
In the new office (siteNEW), we built a new PC and joined the domain, logged in as the user, and then I see GPO-new applied.
In the new office (siteNEW), a PC that was built at the other office (siteOLD), logged in as the user, still has GPO-old applied.

Now we can see the GPO is working, but why does the current PC pick up GPO-old instead of GPO-new when it is in the new office (siteNEW)?
 

Author Comment

by:BLarry9
ID: 39260890
Both GPO-old and GPO-new are applied at site level...
 
LVL 4

Expert Comment

by:TechOps07
ID: 39260962
BLarry,

Other than the information I gave, I've got no other idea, my friend. I haven't come across that specific issue.
 

Author Comment

by:BLarry9
ID: 39261102
Hi, from gpresult on the current PC:
GPO applied from: rodc2, which is an RODC at the old office (siteOLD).

In siteNEW there is no DC; I assume it should apply the GPO from our main domain controller. Why does it still apply the GPO from an RODC in the old office?
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39262202
As you mentioned, the PC is moved to the new office where there is no DC. Have you created a subnet for the new site and mapped it to the AD site of the main DC?

Also ensure correct DNS settings: the preferred DNS setting should be the main DC and the alternate DNS the remote site.
 

Author Comment

by:BLarry9
ID: 39263344
Yes, I did add the new office's new IP subnet when I created a new site in AD.

The DNS setting of the new office is pointing to the data center main DCs, not the RODC in the old office.

When I use the SET command, I can see the logon server is the data center DC, but I am not sure why the GPO is still applied from the old office RODC.
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39265407
But you mentioned that the new site does not have a DC. Have you created a site with no DC in it and mapped the subnet to it?
 

Author Comment

by:BLarry9
ID: 39266693
The new site does not have a DC.
The old site has an RODC.
All remote sites connect to our data center, which has a few DCs in it.

I created a site with a subnet in Active Directory Sites and Services.
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39267816
You just need to create the subnet for the new site in ADSS and map it to the main server DC site. Have you verified from the client end which AD site the client belongs to? The site name is stored in a registry entry called "DynamicSiteName" under the HKLM\System\CurrentControlSet\Services\Netlogon\Parameters key. The DC Locator service uses this information to query the DNS server to find the domain controllers in the site; it appends the site name to the query. For more, see: http://social.technet.microsoft.com/Forums/windowsserver/en-US/dd4d3d80-cc9a-4d80-b2c4-2129097d9247/in-joined-to-clients-in-registry-where-the-name-of-the-site-to-which-the-client-belongs-is

To reset the client and discover information about the client's site, run the following command: nltest /sc_reset:domain-name\local-dc
 

Author Comment

by:BLarry9
ID: 39272727
Thanks for your reply.
From the client end, I ran "nltest /dsgetsite" and got OLD.
The interesting thing is, I changed DynamicSiteName to NEW in the registry, rebooted the client machine, and ran nltest /dsgetsite again; it still replied OLD.

Looks like the site code is stored somewhere else in the registry...
 

Author Comment

by:BLarry9
ID: 39272755
So, from the command you gave me, "nltest /sc_reset:domain-name\local-dc":

The command ran well and I also rebooted.
I ran nltest /dsgetsite; still OLD shows up.

I ran gpresult; the server the GPO is applied from has changed to a DC in our data center, which is what we want.

But it still applies the policy for the old site.

Seems like we have to let the client/system know that this computer does not belong to the old site; it belongs to the new site.
 

Author Comment

by:BLarry9
ID: 39275644
Update ---

I modified the key in
HKLM\software\policies\microsoft\netlogon\parameters
There is a value called SiteName; I changed it to the new office site name.

After that, when I ran nltest /dsgetsite, it returned the new site name.

Then with gpupdate /force, I can see the GPO at the new site level applying to this machine.
So we know which registry key we should modify to make it work... yeah...

I have about 20 computers that need the site name changed in the registry. What is the best way to do that?
 

Author Comment

by:BLarry9
ID: 39276261
I can apply a GPO for these PCs and change their SiteName to NEW.
Thanks, and I will close this ticket.
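For the "about 20 computers" question, the fix the author found (SiteName under HKLM\SOFTWARE\Policies\Microsoft\Netlogon\Parameters, then gpupdate /force) can be pushed and verified in one pass. The script below is an added example, not code from the thread; it assumes PowerShell remoting (WinRM) is enabled on the targets, that you are a local administrator on them, and that the computer list file and the site name are placeholders to replace. It records what nltest reported before and after, so the change is auditable and can be reversed per machine.

```powershell
# Added example (not from the thread): apply the SiteName override to a list of
# computers, refresh computer policy, and report the site nltest sees before/after.
# Placeholders: $NewSiteName and the path to the computer list.

$NewSiteName = 'siteNEW'                                  # placeholder: AD site name
$Computers   = Get-Content -Path 'C:\temp\moved-pcs.txt'  # placeholder: one hostname per line

function Set-ClientSiteOverride {
    param([string[]]$ComputerName, [string]$SiteName)

    Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ArgumentList $SiteName -ScriptBlock {
        param($SiteName)
        $keyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Netlogon\Parameters'
        if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }

        # Capture the site the client resolved before the change (first output line
        # of nltest /dsgetsite is the site name, the second is the status text).
        $before = (& nltest /dsgetsite 2>$null | Select-Object -First 1)

        # The value the thread identified: a policy override that DC Locator honours
        # instead of the subnet-derived DynamicSiteName.
        Set-ItemProperty -Path $keyPath -Name 'SiteName' -Value $SiteName -Type String

        # Re-evaluate site-linked GPOs now rather than at the next background refresh.
        & gpupdate /target:computer /force | Out-Null

        $after = (& nltest /dsgetsite 2>$null | Select-Object -First 1)
        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            SiteBefore = $before
            SiteAfter  = $after
        }
    }
}

Set-ClientSiteOverride -ComputerName $Computers -SiteName $NewSiteName |
    Format-Table Computer, SiteBefore, SiteAfter -AutoSize
```

The same value is what the "Site Name" setting under Computer Configuration > Administrative Templates > System > Net Logon writes, so a GPO scoped to an OU or security group holding these computers is the equivalent of the script above and is what the author chose. Either way the override pins the client to one site: a machine that later moves again will keep reporting siteNEW regardless of its address, so treat it as a workaround and clear the value once the subnet-to-site mapping the earlier answers describe is confirmed to place these clients correctly on its own.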
