BLarry9
asked on
GPO at AD site level
Hi guys,
I tried to make a GPO at site level for our printers. The printer does not show up.
I dug in a bit using gpresult and found out that it still uses the GPO from the earlier site which it belonged to (let's call it GPO-old).
I moved this PC to the current new site, which has a different IP subnet setting from the old one.
My question is: why is this PC still using GPO-old instead of applying GPO-new?
(Both GPO-old and GPO-new are at site level.)
Thanks.
SYH
Have you tried running GpUpdate /sync /boot /force?
ASKER
Yes, I did try that, and after reboot I can still see GPO-old show up in
gpresult /r
What if you remove it and re-add it to the domain? Check the "ENFORCE" option on the GPO. Also check the local GPO policy on the PC. There is sometimes an option to override the domain in one of those settings; I don't recall exactly.
ASKER
Thanks guys...
I did more tests...
In the new office (siteNEW), we built a new PC and joined it to the domain, logged in as the user, and then I see GPO-new applied.
In the new office (siteNEW), with a PC that was built at the other office (siteOLD), we log in as the user and GPO-old is still applied.
Now we can see the GPO is working, but why do the current PCs pick up GPO-old instead of GPO-new when they are in the new office (siteNEW)?
ASKER
Both GPO-old and GPO-new are applied at site level...
BLarry,
Other than the information I gave, I've got no other ideas, my friend. I haven't come across that specific issue.
ASKER
Hi, from gpresult, on the current PC:
GPO applied from: rodc2, which is an RODC at the old office (siteOLD).
In siteNEW there is no DC. I assume it should apply the GPO from our main domain controller, so why does it still apply the GPO from an RODC in the old office?
As you mentioned, the PC is moved to the new office where there is no DC. Have you created the subnet of the new site and mapped it to the AD site of the main DC?
Also ensure the DNS settings are correct: the preferred DNS should be the main DC and the alternate DNS the remote site.
ASKER
Yes, I did add the new office's new IP subnet when I created a new site in AD.
The DNS setting of the new office points to the data center main DCs, not the RODC in the old office.
When I use the SET command, I can see the logon server is a data center DC, but I am not sure why the GPO is still applied from the old office RODC.
But you mentioned that the new site does not have a DC. Have you created a site with no DC in it and mapped the subnet to it?
ASKER
The new site does not have a DC.
The old site has an RODC.
All remote sites connect to our data center, which has a few DCs in it.
I created a site with a subnet in Active Directory Sites and Services.
You just need to create a subnet for the new site in ADSS and map it to the MAIN server DC site. Have you verified which AD site the client belongs to from the client end? The site name is stored in a registry entry called "DynamicSiteName" at the HKLM\System\CurrentControlSet\Services\Netlogon\Parameters key. The DC Locator service uses this information to query the DNS server to find the domain controllers in the site. It appends the site name to the query. For more, see: http://social.technet.microsoft.com/Forums/windowsserver/en-US/dd4d3d80-cc9a-4d80-b2c4-2129097d9247/in-joined-to-clients-in-registry-where-the-name-of-the-site-to-which-the-client-belongs-is
To reset the client and discover information about the client's site, run the following command: nltest /sc_reset:domain-name\local-dc
ASKER
Thanks for your reply.
From the client end, I ran "nltest /dsgetsite" and I got OLD.
The interesting thing is, I changed the DynamicSiteName to NEW in the registry, rebooted the client machine, and ran nltest /dsgetsite again; it still replied OLD.
Looks like the site code is stored somewhere else in the registry...
ASKER
So, from the command you gave me, "nltest /sc_reset:domain-name\local-dc":
the command ran well and I also rebooted.
I ran nltest /dsgetsite; OLD still shows up.
I ran gpresult; the "GPO applied from" server changed to a DC in our data center, which is what we want.
But it still applies the policy for the old site.
Seems like we have to let the client/system know that this computer does not belong to the old site; it belongs to the new site.
ASKER
Update ---
I modified the key in
hklm\software\policies\microsoft\netlogon\parameters
There is a key called SiteName; I changed it to the new office site name.
After that, when I ran nltest /dsgetsite, it returned the new site name.
Then with gpupdate /force, I can see the GPO at the new site level applying to this machine.
So we know which reg key we should modify to make it work... yeah...
I have about 20 computers that need the site name changed in the registry. What is the best way to do that?
ASKER
I can apply a GPO for these PCs and change their site name to NEW.
Thanks, and I will close this ticket.
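
Added example, not part of the thread and not code from any poster: a read-only PowerShell audit for the situation the thread ends on, where a `SiteName` value under the Netlogon policy key pins a client to its old site regardless of subnet. It goes slightly beyond the thread by also reading the non-policy `SiteName` under the Netlogon service key; the function name is hypothetical and remote use assumes WinRM is enabled on the targets.

```powershell
# Added example: report which registry value decides a client's AD site (read-only).
function Get-NetlogonSiteState {
    [CmdletBinding()]
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    $probe = {
        # Return one registry value, or nothing when the key or value is absent.
        function Read-RegValue([string]$Path, [string]$Name) {
            $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $item.$Name }
        }
        $policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Netlogon\Parameters'
        $serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

        $policySite  = Read-RegValue $policyKey  'SiteName'         # value changed in the thread
        $staticSite  = Read-RegValue $serviceKey 'SiteName'         # non-policy override (beyond the thread)
        $dynamicSite = Read-RegValue $serviceKey 'DynamicSiteName'  # site the client learned by subnet

        # On success nltest prints the site name on its first output line.
        $out = & nltest.exe /dsgetsite 2>$null
        $reported = if ($LASTEXITCODE -eq 0) { @($out)[0] } else { $null }

        # Assumption: the policy key takes precedence over the service key when both are set.
        $override = if ($policySite) { $policySite } else { $staticSite }

        [pscustomobject]@{
            Computer           = $env:COMPUTERNAME
            PolicySiteName     = $policySite
            StaticSiteName     = $staticSite
            DynamicSiteName    = $dynamicSite
            NltestSite         = $reported
            Pinned             = [bool]$override
            # Hint only: a pinned site that differs from the subnet-derived one deserves a look.
            DiffersFromDynamic = [bool]($override -and $dynamicSite -and ($override -ne $dynamicSite))
        }
    }

    foreach ($name in $ComputerName) {
        if ($name -eq $env:COMPUTERNAME) { & $probe }
        else { Invoke-Command -ComputerName $name -ScriptBlock $probe }
    }
}

# Local check; for the moved PCs pass their names with -ComputerName instead.
Get-NetlogonSiteState | Format-List
```

A machine that reports `Pinned = True` will keep receiving the site-linked GPOs of the named site until the override is changed or removed, which is why the subnet mapping alone did not move the PCs in this thread.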