BLarry9

GPO at AD site level

Hi guys,
I tried to make a GPO at site level for our printers. The printer does not show up.

I dug in a bit using gpresult and found out that it still uses the GPO from the earlier site it belonged to (let's call it GPO-old).

I moved this PC to the current new site, which has a different IP subnet setting from the old one.

My question is: why is this PC still using GPO-old instead of applying GPO-new?
(Both GPO-old and GPO-new are at site level.)

thanks.

SYH
TechOps07

Have you tried running GpUpdate /sync /boot /force?
BLarry9 (ASKER)

Yes, I did try that, and after a reboot I can still see GPO-old show up in gpresult /r.

What if you remove it from and re-add it to the domain? Check the "ENFORCE" option on the GPO. Also check the local GPO policy on the PC. There is sometimes an option to override the domain in one of those settings; I don't recall exactly.
ASKER CERTIFIED SOLUTION
Sandesh Dubey
This solution is only available to members.
BLarry9 (ASKER)

Thanks guys...
I did more tests...
In the new office (siteNEW), we built a new PC, joined it to the domain, logged in as the user, and then I see GPO-new applied.
In the new office (siteNEW), with a PC that was built at the other office (siteOLD), logged in as the user, GPO-old is still applied.

Now we can see the GPO is working, but why do the current PCs pick up GPO-old instead of GPO-new when they are in the new office (siteNEW)?
BLarry9 (ASKER)

Both GPO-old and GPO-new are applied at site level...

BLarry,

Other than the information I gave, I've got no other ideas, my friend. I haven't come across that specific issue.
BLarry9 (ASKER)

Hi, from gpresult on the current PC:
GPO applied from: rodc2, which is an RODC at the old office (siteOLD).

In siteNEW there is no DC. I assume it should apply the GPO from our main domain controller, so why does it still apply the GPO from an RODC in the old office?

As you mentioned, the PC was moved to the new office where there is no DC. Have you created a subnet for the new site and mapped it to the AD site of the main DC?

Also ensure the DNS settings are correct: the preferred DNS should be the main DC and the alternate DNS the remote site.
BLarry9 (ASKER)

Yes, I did add the new office's new IP subnet when I created the new site in AD.

The DNS setting of the new office points to the data center main DCs, not the RODC in the old office.

When I use the SET command, I can see the logon server is a data center DC, but I am not sure why the GPO is still applied from the old office RODC.

But you mentioned that the new site does not have a DC. Have you created a site with no DC in it and mapped the subnet to it?
BLarry9 (ASKER)

The new site does not have a DC.
The old site has an RODC.
All remote sites connect to our data center, which has a few DCs in it.

I created a site with a subnet in Active Directory Sites and Services.

You just need to create a subnet for the new site in ADSS and map it to the MAIN server DC site. Have you verified from the client end which AD site the client belongs to? The site name is stored in a registry entry called “DynamicSiteName” at the HKLM\System\CurrentControlSet\Services\Netlogon\Parameters key. The DC Locator service uses this information to query the DNS server to find the domain controllers in the site. It appends the site name to the query. For more, see: http://social.technet.microsoft.com/Forums/windowsserver/en-US/dd4d3d80-cc9a-4d80-b2c4-2129097d9247/in-joined-to-clients-in-registry-where-the-name-of-the-site-to-which-the-client-belongs-is

To reset the client and discover information about the client's site, run the following command: nltest /sc_reset:domain-name\local-dc
BLarry9 (ASKER)

Thanks for your reply.
From the client end, I ran "nltest /dsgetsite" and got OLD.
The interesting thing is, I changed DynamicSiteName to NEW in the registry, rebooted the client machine, and ran nltest /dsgetsite again; it still replied OLD.

Looks like the site code is stored somewhere else in the registry...
BLarry9 (ASKER)

So, about the command you gave me, "nltest /sc_reset:domain-name\local-dc":

The command ran fine and I also rebooted.
I ran nltest /dsgetsite, and OLD still shows up.

I ran gpresult, and the "GPO applied from" server has changed to a DC in our data center, which is what we want.

But it still applies the policy for the old site.

Seems like we have to let the client/system know that this computer does not belong to the old site; it belongs to the new site.
BLarry9 (ASKER)

Update ---

I modified the key in
hklm\software\policies\microsoft\netlogon\parameters
There is a key called SiteName; I changed it to the new office site name.

After that, when I ran nltest /dsgetsite, it returned the new site name.

Then with gpupdate /force, I can see the GPO at the new site level applying to this machine.
So we know which reg key we should modify to make it work...yeah...

I have about 20 computers that need the site name changed in the registry. What is the best way to do that?
BLarry9 (ASKER)

I can apply a GPO for these PCs and change their site name to NEW.
Thanks, and I will close this ticket.
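
The check the thread converges on, as an added PowerShell example (not part of the original posts): it reads the two registry values named above plus the site Netlogon actually reports, so a leftover SiteName override can be spotted on each PC before and after the change. The function name Get-AdSiteSource, its -ExpectedSite parameter and the pcs.txt file are hypothetical.

```powershell
# Added example: show where a domain member's AD site name is coming from.
# Registry paths and value names are the ones quoted in the thread.
function Get-AdSiteSource {
    param([string]$ExpectedSite)   # hypothetical parameter, e.g. 'NEW'

    $policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Netlogon\Parameters'
    $netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

    # Helper: returns $null when the key or the value does not exist.
    $read = {
        param($Path, $Name)
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($item) { $item.$Name }
    }

    $policySite  = & $read $policyKey   'SiteName'         # forced site name
    $dynamicSite = & $read $netlogonKey 'DynamicSiteName'  # auto-detected site

    # First output line of nltest /dsgetsite is the site the client is using.
    $effective = @(nltest /dsgetsite 2>$null)[0]
    if ($LASTEXITCODE -ne 0) { $effective = $null }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        PolicySiteName  = $policySite
        DynamicSiteName = $dynamicSite
        EffectiveSite   = $effective
        # True when a SiteName value is present under the Policies key.
        OverrideSet     = [bool]$policySite
        # True when an expected site was given and the client reports another.
        WrongSite       = [bool]($ExpectedSite -and ($effective -ne $ExpectedSite))
    }
}

# Local check:
Get-AdSiteSource -ExpectedSite 'NEW'

# Remote check over PowerShell remoting, one computer name per line in
# pcs.txt (hypothetical file listing the moved PCs):
# Invoke-Command -ComputerName (Get-Content .\pcs.txt) `
#     -ScriptBlock ${function:Get-AdSiteSource} -ArgumentList 'NEW' |
#     Where-Object { $_.OverrideSet -or $_.WrongSite }
```

A PC that reports OverrideSet as true with the old site in PolicySiteName matches the behaviour described in the update post, where editing DynamicSiteName alone had no effect.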