Solved

master dc default domain controller policy query

Posted on 2013-06-19
Last Modified: 2013-08-07
hi i am running a win 2003 domain through gpmc and with isa 2006 firewall...

my default domain controller policy has nothing manually configured by me so just default settings!!!!!!!!

i am running 6 container gpos currently and confirmed all gpos are set!! but the issue is below:

master dc - gpo updated correctly & proxy settings - ok
file server - gpo updated correctly but not proxy settings - why
isa 2006 - gpo updated correctly but not proxy settings - why
wsus - gpo updated correctly but not proxy settings - why

if i add proxy details manually for above machines then i get internet access as expected

if i run: gpupdate /force on all machines, they all return updated successfully and all have received at least 10 shutdowns or restarts over last few days, but same issue..!!

questions 1.

i have now installed msba gpo on my master dc /ad/dns/dhcp server but receive also:
"incorrect permissions on default domain controllers policy" - can anyone advise unless it is some update that is yet to download to my master dc or causing the above problems ?
MASTER-DC-DEFAULT-GPO-SETTINGS-N.docx
Question by:mikey250

53 Comments

Accepted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 84 total points

the error message is that the default domain controllers policy is not active. (not being applied)  

Go into gpmc and ensure that the policy is enabled.  You may want to set a policy to set the proxy settings.

gpmc default domain controller policy

Assisted Solution

by:arnold
arnold earned 416 total points

You have to see whether the default domain controller policy applies to authenticated users
Default domain policy is another.
When you use GPMC to run group policy reports wizard against one of the systems, it should tell you what GPO is winning and thus setting the setting.

It is not clear from your uploaded document how you are breaking up the 6 containers.

The bpat provides you the error.

You also do not have an image that indicates which GPO applies to which container/s nor to which section you set the proxy, computer level or user level.

Assisted Solution

by:David Johnson, CD, MVP

The only gpo you show is the default domain policy and not the default domain controllers policy which is the major item that mbsa is complaining about.

Author Comment

by:mikey250

hi all experts, no the screenshot i attached is (only) of the default domain controllers policy since that is where i found this specific issue after running msba gpo software...!

if you view in the screenshot i have (not) shown the settings for the other gpo's in a separate container...!

if i remember correctly when i had this issue before ie:

master dc - gpo updated correctly & proxy settings - ok
file server - gpo updated correctly but not proxy settings - why
isa 2006 - gpo updated correctly but not proxy settings - why
wsus - gpo updated correctly but not proxy settings - why

i remember adding the proxy details in the default domain controller and im sure i then received the proxy details, but now i decided to remove it and see what the issue is as i always assumed that the default domain controllers policy was only used when an administrator wanted to make changes across the whole network then i thought when set would take precedence over all other gpo/containers...!!

Assisted Solution

by:arnold

Proxy settings can be set for computer wide or user, which are you using?

Is the user with which you login in the container to which proxy settings apply if user based proxy setup?

Make sure your containers do not exclude parent policies.

Author Comment

by:mikey250

hi ve3ofa,

ive attached a screenshot for the 'default dc policy' and it is already 'enabled' by default as i have not changed anything there & if i highlight all other gpo/containers that you can see they are set exactly the same!!
DEFAULT-DC-POLICY-SCREENSHOT-IS-.docx

Author Comment

by:mikey250

hi arnold,

yes after i configure each gpo/container i (can see) in advance my settings saved which i always run on (dc) before i run: gpupdate /force on master dc..

Assisted Solution

by:arnold

Use the "group policy results" wizard to get a complete settings report on which policy applies and which settings apply and which GPO they come from.

Assisted Solution

by:David Johnson, CD, MVP

you keep showing the default domain policy and not the default domain CONTROLLER policy. That is the DEFAULT policy not the DEFAULT DOMAIN CONTROLLER policy

Author Comment

by:mikey250

hi ve3ofa,

i have attached another screenshot showing all individual settings set by default as (your) screenshot suggests.
DEFAULT-DC-POLICY-SCREENSHOT-IS-.docx

Assisted Solution

by:arnold

Check group inheritance tab, it looks as though your containers might be configured to not inherit the GPOs from higher up.

I.e. default domain policy not applying to isa2006 container.

Author Comment

by:mikey250

morning ve3ofa, for some reason since yesterday i could not log back onto experts exchange as kept receiving an oohps error about too many responses so was not able to log on.  this has happened before but when i leave it over night it appears to let me back on.!!

also after your last message i attached another screenshot show a list of all containers and the 'default domain controller policy'..

Author Comment

by:mikey250

morning arnold,

where do i go to check the group inheritance tab exactly and what am i looking for ?

normally when i created folders i can see a ticked box by default for:

"allow inheritable permissions from the parent to propagate to this object and all child objects.  include these with entries explicitly defined here"

and ive also installed all my machines clean!!

Assisted Solution

by:arnold

When you look at each container in GPMC, it shows the GPO that applies to the container, the next tab shows all the GPOs that apply (ref your comment http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_28161768.html#a39261515 )

Use group policy results (GPMC last option in the left pane)
See which GPOs apply to a system in a container and a logged in user and based on that you can see what settings are getting set and which policy is setting them.

Author Comment

by:mikey250

hi arnold,

oh yeh i can see now...!!! they appear all set correctly to 'gpo status - enabled' for under Inheritance tab.

even though some updates were sent to all my machines yesterday which i have installed.  i have also noticed some more updates on my wsus for each container which i have now approved.   so maybe some update will correct this gpo issue i appear to have as mentioned earlier on the 1st thread.

as im using win 2003 i can generate a report similar to rsop.msc that shows what has been configured in my gpo - i have attached screenshot also which effectively is the same for all other machines except that the update time interval for the master dc is default 5 mins etc
GP-INHERITANCE-SCREENSHOT.docx
WSUS---FILE-DOMAIN-SERVER-GPO-SE.docx

Assisted Solution

by:arnold

Wsus is unrelated.

Using the GPMC tool, provides a better visual representation of the applied settings along with the source of these settings.

The issue with some might be related to another policy setting parameters first.

Unfortunately, you have not answered whether you are applying proxy settings on computer level or user level?

Author Comment

by:mikey250

morning arnold,

yes i realise wsus is unrelated as i was just showing you what gpo's was configured as all containers are identical, except for default for default domain controller.

"yes i have answered whether you are applying proxy settings on computer level or user level"...! :)

there are no proxy settings that can be configured in computer configuration...!

i have configured proxy settings in user configuration for all machines hence screenshot gpo settings tab shows visual proxy configuration sent on previous thread via attachment for wsus & file server gpo settings - all machines configured same...

Assisted Solution

by:arnold

What user is logging in when the proxy settings do not apply on the file server, ISA, domain controller?
The domain controller only allows administrators to login unless that restriction was removed by way of a security modification in the default domain controller policy local login.

Author Comment

by:mikey250

always the domain administrator currently until i know configurations are correct!!

i have added no restrictions as new install...

as my wsus & file server did not detect proxy settings - i input manually and this allowed internet access.  so i then removed manually proxy settings & accessed default domain policy and input manually proxy details here, which automatically added proxy details in wsus & file domain server.

except for the above issue, my master dc & isa 2006 and win 7 and xp desktop in separate containers detect proxy automatically no problem so not sure why wsus & file did not!! puzzling..

my wsus & file server are still detecting updates via my wsus so i am continuing to install, just in case there is some missing update as not sure!!

Assisted Solution

by:arnold

Please use GPMC's Group Policy Results Wizard and see whether the reason the proxy is not being applied is because of a filter on the administrator's account.

Please setup and test with a regular/limited users.

Author Comment

by:mikey250

hi arnold, one of my previous comments explained this below:

master dc - gpo updated correctly & proxy settings - ok
file server - gpo updated correctly but not proxy settings - why
isa 2006 - gpo updated correctly but not proxy settings - why
wsus - gpo updated correctly but not proxy settings - why

due to the above proxy not working, i then decided to add proxy to the 'default domain policy', which provided proxy to above machines ie file server, isa and wsus

so currently i have left proxy in default domain policy, but i always thought default domain policy can be left empty unless an administrator wants to take control or put some default settings in place whether a machine is part of the domain or not!!!

task 1

what i will do now is remove proxy from default domain policy & gpupdate /force and wait then add proxy back into wsus gpo container and gpupdate /force again and see if settings go through this time... as now ive also been updating all machines and wsus with updates.
RSOP-DEFAULT-DOMAIN-POLICY-SCREE.docx

Assisted Solution

by:arnold

There is a specific reason I am asking you to run and get the similar results you are using RSoP for from the GPMC interface Group Policy Wizard interface.

Please create a new user.
Use this user to test. Do not manually add proxy settings
It may take two logins for the proxy policy settings to apply.



You manually modified the proxy settings for the administrator account on the systems on which the policy does not apply/work.

Author Comment

by:mikey250

hi

my dc was in the middle of downloading and shutting down which has taken this length of time to complete but it is back up now and more update ie (.net) updates are ready to download.

ok i have now created a new (test) domain account in the 'user: container' and as you know currently in the (domain default policy) the proxy settings were added manually previously.

i will not do anything more until you get back to me..)

note: in all my experience ive never had my gpo settings take even after 2 shutdowns or start as what i would normally do is this:

master dc:

create a user account
add gpo settings to update itself and proxy settings & http://wsus:8530
i would then on the master dc do: gpupdate /force which sometimes updates within time or not & shutdown
log back on
restart master dc
log back on master dc

domain member server or domain normal user machine
logon with domain admin account to domain member server
run: rsop.msc - but no proxy settings
then i would restart domain member server
logon with domain admin account again
run: rsop.msc - but still no proxy settings
i would then run: gpupdate /force - which sometimes would complete on time or not
shutdown domain member server
log back on server again but still no proxy settings
and sometime i would run just gpupdate - but still same issues
so i would then log off domain member server

master dc:

logon again
run: gpupdate /force & shutdown & repeat 10 times

domain member server
log back on
run: rsop.msc - still no proxy settings or sometimes yes

and sometimes run:

gpupdate /target: sync
gpupdate /target: computer | user

note: ive always got confused

i hope when i eventually move to win 2008, that things have improved unless i have been doing things in wrong order...!!!

Assisted Solution

by:arnold

Updating GPO does not require a reboot of the DC.
Double check the GPO within GPMC and make sure that the AD change indicator/version for matches the sysvol
Computer AD(23) sysvol(23)
User AD(45) sysvol(45)

If either does not match, it means you have an error in your GPO which will prevent it from propagating and an earlier version applies.

Use GPMC to run a group policy result wizard against a computer/user.  Within the report it will tell you the version of the GPO that is winning and controls the setting.

Regular users should never be allowed login on a DC.

You need to look at the proxy settings not connection settings.

Author Comment

by:mikey250

morning arnold, thanks for those comments yesterday!!!!!!!!

i have now removed my proxy details manually from the 'default domain policy', but when i do a refresh within gpmc and select the 'settings' tab that shows a visual display of settings, the proxy is still there.

i then did: gpupdate

logged off and back on but proxy is still there.

i then edit into 'internet explorer maintenance' and select 'connection' it shows the proxy as not selected but when i click the 'precedence' tab it states:

- default domain policy - disabled - which is good but why has it not taken effect yet - ?

i am not sure how to check for the following:

double check the gpo within gpmc and make sure that the ad change indicator/version for

computer ad(23) sysvol(23)
user ad(45) sysvol(45)

i presume you mean for computer ad: os version: 5.2.3790 although i dont think it is this as it appears to be a 2 digit number such as below:

so i have found this:
objectversion 30 - which i have found - ?

sysvol version: i cannot find manually

so after looking on google it appears i need to install: rktools, i normally install but not yet and as there are some (.net) updates currently installing on my master dc, it did not allow me to install (rktools), so will do once this finished which appears to be taking a long time although not usually..!!

its about time i learn more about troubleshooting gpo!!

i have run 2 commands as below which appear to show the exact same thing but not sure if this is the version you are after:

gpresult /s pdc-001 /u administrator …. It works
gpresult /s pdc-001 /user administrator … it works

i see: group policy result tool v2.0

you mention the below because in win 2003 via gpo/user configuration/windows settings\internet maintenance it does show a list as below:

- connection settings - this is where i can add (also) proxy which auto completes proxy settings below:

- automatic browser configuration

- proxy settings - i have now checked and it has not been removed  (tick)- so i will do this now (i see what you mean) - not sure why that is.....!!!!

- user agent string

"you need to look at the proxy settings not connection settings"

after my (.net) updates have completely installed i will run: gpupdate and try again and let you know and check out (rktools) for sysvol version and compare with ad version..!!

:)

Author Comment

by:mikey250

my master dc, has now installed those (.net) updates as i mentioned previously.)

im trying to look on google for a list of commands to make use of the (rktools) but cannot seem to find any and troubleshoot or check version of (sysvol).

Assisted Solution

by:arnold

Use GPMC Group Policy Management, select the GPO, on the right pane details tab everything is listed and displayed.

When you select the Container, all the GPOs that apply should be listed in order under the group policy inheritance tab.
The GPO that has the lowest number for the precedence is the winning GPO for a setting.

there is gpotool | more
see if you get any GPO with anything other than Policy ok

Author Comment

by:mikey250

morning arnold,

i always open and configure my gpo via group policy management instead of: gpoedit.msc

yes in the policy inheritance tab for example all my machines show as:

1st place: isa 2006
2nd place: default domain

same for all others!!


if i run: rsop.msc on my 'master dc', & check (internet explorer)/connections/precedence tab: it only shows: default domain policy <disabled>, when i expected to see my (dc)

ive also just found inside gpmc (details tab), what you asked about before:

double check the gpo within gpmc and make sure that the ad change indicator/version for matches the sysvol
Computer ad(23) sysvol(23)
User ad(45) sysvol(45)

this is what i see for each:

domain controller:

user version 8(ad), 8(sysvol)
computer version 47(ad), 47(sysvol)

isa:

user version 8(ad), 8(sysvol)
computer version 24(ad), 24,(sysvol)

wsus & file server (share same container):

user version 10(ad), 10(sysvol)
computer version 17(ad), 17(sysvol)

win 7 laptop:

user version 11(ad), 11(sysvol)
computer version 20(ad), 20(sysvol)

xp desktop:

user version 13(ad), 13(sysvol)
computer version 19(ad), 19(sysvol)
0
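
The AD/sysvol version comparison that arnold describes and mikey250 reports above, as an added example (not code from the thread or from any Microsoft tool). It relies on the GPO version number packing the user revision count in the high 16 bits and the computer count in the low 16 bits; the value comes from the `versionNumber` attribute in AD and from `Version=` in the GPO's GPT.INI under SYSVOL. The GPO labels and sample values are constructed.

```python
"""Compare a GPO's AD version with the version stored in its SYSVOL GPT.INI."""

# Constructed sample data: (label, versionNumber from AD, GPT.INI text from SYSVOL).
# Labels are hypothetical. 524335 encodes the user 8 / computer 47 counts
# quoted in the thread; the last two entries are constructed failure cases.
SAMPLE_GPOS = [
    ("dc-policy", 524335, "[General]\r\nVersion=524335\r\n"),
    ("isa-policy", 524312, "[General]\r\nVersion=524312\r\n"),
    # Computer half changed in AD (17) while the SYSVOL copy is still at 16.
    ("wsus-file-policy", 655377, "[General]\r\nVersion=655376\r\n"),
    # GPT.INI exists but carries no Version value.
    ("broken-policy", 65537, "[General]\r\ndisplayName=New Group Policy Object\r\n"),
]


def split_gpo_version(version_number):
    """Return (user, computer) revision counts packed in a GPO version number."""
    if not 0 <= version_number <= 0xFFFFFFFF:
        raise ValueError("GPO version must fit in 32 bits")
    return version_number >> 16, version_number & 0xFFFF


def read_gpt_ini_version(gpt_ini_text):
    """Return the integer Version from the [General] section, or None."""
    section = None
    for raw in gpt_ini_text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep and section == "general" and key.strip().lower() == "version":
            try:
                return int(value.strip())
            except ValueError:
                return None
    return None


def compare_gpo(name, ad_version, gpt_ini_text):
    """Compare the AD and SYSVOL copies of one GPO, half by half."""
    ad_pair = split_gpo_version(ad_version)
    sysvol_version = read_gpt_ini_version(gpt_ini_text)
    if sysvol_version is None:
        return {"gpo": name, "ad": ad_pair, "sysvol": None,
                "status": "sysvol version unreadable"}
    sysvol_pair = split_gpo_version(sysvol_version)
    problems = []
    if ad_pair[0] != sysvol_pair[0]:
        problems.append("user")
    if ad_pair[1] != sysvol_pair[1]:
        problems.append("computer")
    status = "ok" if not problems else "mismatch: " + ", ".join(problems)
    return {"gpo": name, "ad": ad_pair, "sysvol": sysvol_pair, "status": status}


def format_report(result):
    """Render one result in the 'Computer AD(n) sysvol(n)' style used above."""
    ad_user, ad_comp = result["ad"]
    if result["sysvol"] is None:
        sv_user = sv_comp = "?"
    else:
        sv_user, sv_comp = result["sysvol"]
    return (f"{result['gpo']}: Computer AD({ad_comp}) sysvol({sv_comp}), "
            f"User AD({ad_user}) sysvol({sv_user}) -> {result['status']}")


if __name__ == "__main__":
    for gpo in SAMPLE_GPOS:
        print(format_report(compare_gpo(*gpo)))
```
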
 
Assisted Solution

by:arnold

I understand you are editing/managing your GPO through GPMC, but I keep asking you to stop running RSOP and use the GPMC's equivalent Group Policy Results wizard which is a graphical equivalent but is run from the server where you can specify the target Computer/user.

Please run that.  Once you have the results, you can see what settings are set and which is the controlling policy.

The problem with proxy is that once it is set or user modified, while the GPMC/RSOP says it is applied, it might not.

Author Comment

by:mikey250

hi arnold, i must be confusing u!!!!!!!!!!!!! apologies lets start again..

Author Comment

by:mikey250

hi arnold,

"i understand you are editing/managing your gpo through gpmc" - correct

"but I am keep asking you to stop running rsop" - only to view & compare

"and use the gpmc's equivalent group policy results wizard which is a graphical equivalent but is run from the server where you can specify the target computer/user" - correct yes i do (only)

"the problem with proxy is that once it is set or user modified, while the gpmc/rsop says it is applied, it might not." - understood...!!

all settings via gpmc are always correct...!!! hence problem

Assisted Solution

by:arnold

What are the results of proxy when you use a new account to login into each system (twice)

Did you make any changes to the connection settings that you kept displaying in your posts?
Connection settings could be the issue that is causing the conflict.
Remove the proxy GPO from applying to one of the containers.
Create a new GPO and ONLY configure proxy settings. nothing else.
Then have yet another new test user account that will login into a system within this container. and see whether that works.

Author Comment

by:mikey250

hi arnold, i did create a new user account as you requested below: but not tested.

-------------------------------------
"please create a new user.
use this user to test. do not manually add proxy settings
it may take two logins for the proxy policy settings to apply."

you manually modified the proxy settings for the administrator account on the systems on which the policy does not apply/work - i presume you mean my default domain controller policy then - yes correct
----------------------------------------

this morning i successfully removed proxy from (all machines) & confirmed..!!! all ok

i then added proxy details back to all machines successfully...!:)

last issue to solve is: my proxy details not updating on (no machines) at all & presumably not allowed machines to sync!!

i may need to leave machines to run overnight to see if resolved due to multiple changes!!

-----------------------------------------------

currently i have a problem, as my xp/sp2 has:

- folder redirection issue - trying to resolve
- also xp not detected on wsus - trying to resolve

---------------------------------------------

Assisted Solution

by:arnold

When you say you removed and added back proxy settings. Are you using the same GPO or are you creating a new One?

Please try on one container, remove the current GPO that sets the proxy.
Please also limit the GPO to only handle Proxy settings and nothing else.

Author Comment

by:mikey250

hi arnold, no i did not create a new one..:)

i thought i would wait till tomorrow, just in case my gpo's are skewed or something as all the changes back and forth may have not given my servers time to sync...!! so will have a look tomorrow maybe!!!

Assisted Solution

by:arnold

The user GPO applies/retrieved at the user login, there is not an issue for the server.

Author Comment

by:mikey250

hi arnold, i thought i replied to this message already!

last time i checked, the 'proxy details' did apply on my domain member servers in different (ou/group).!

i then did: gpupdate /force - was successful

issue still same!

i have always had that problem! so i add proxy details in 'default domain policy' which is successful.  surely this is correct ?

note: once my wsus issue is resolved, i will continue to download/install all updates, hoping that an update issue is the actual problem!!  dont forget all my machines are at 99% updated already!

Assisted Solution

by:David Johnson, CD, MVP

Domain Controller Group Policy is Applied
master dc - gpo updated correctly & proxy settings - ok

Domain Controller Group Policy is NOT Applied as are not Domain Controllers
file server - gpo updated correctly but not proxy settings - why
isa 2006 - gpo updated correctly but not proxy settings - why
wsus - gpo updated correctly but not proxy settings - why

Author Comment

by:mikey250

hi ve3ofa, apologies for taking a while to get back!!!!

just to bring you up to date i have run: msba group policy and it states:

"incorrect permissions on default domain controllers policy"


possible resolution:

i ran: dcgpofix.exe /target: domain
i ran also: dcgpofix.exe /target: dc

i then rebooted master dc

i ran: msba group policy again but same issue above ?

rrrgghhh

Assisted Solution

by:arnold

Printout the Default domain policy settings for both users and computers, then you should have.

The likely issue is that your permissions prevent the fix.
Check the default domain policy inheritance security.

Check the sysvol location to make sure settings there do not cause the issue.

Author Comment

by:mikey250

hi arnold, (i have attached a new screenshot)

i ran: dcgpofix /target: domain - this fixed any issues with default domain policy

"check the default domain policy inheritance security"

yes the default domain policy is showing:

- 1 default domain policy

&

"default domain controller policy" - this is the issue

- 1 default domain controllers policy
- 2 default domain policy
msba-group-error-screenshot.docx

Assisted Solution

by:arnold

Dcgpofix /target:both should reset both.  The issue might be that the security permissions on the default domain controller path is explicitly denying access.

http://windowsitpro.com/group-policy/how-can-i-restore-contents-default-domain-and-default-domain-controller-dc-group-policy
Use gpotool to list your GPOs
An option once you get all the settings from the default DC GPO, try the reset.

Make sure the security settings on it do not restrict your access.

Assisted Solution

by:mikey250
mikey250 earned 0 total points

morning arnold,


completed url below on master dc yesterday:

http://windowsitpro.com/group-policy/how-can-i-restore-contents-default-domain-and-default-domain-controller-dc-group-policy

use gpotool to lists your gpos - do not understand - ?

an option once you get all the settings from the default dc gpo, try the reset - completed yesterday on both separate

make sure the security settings on it do not restrict your access - what am i looking for ?

please look at my screenshots - all settings on both screenshots are identical

delegation - all 6 gpos identical

advanced security same for all 6 gpos:

authenticated users- all 6 gpos identical
creator owner - all 6 gpos identical
domain admins (itservices\domain admins) - all 6 gpos identical
enterprise admins (itservices\enterprise admins) - all 6 gpos identical
enterprise domain controllers - all 6 gpos identical
system - all 6 gpos identical
gpo-permissions-screenshot.docx
default-domain-security-settings.docx

Assisted Solution

by:arnold

You need to look at the sysvol filesystem security settings for explicit deny.

http://social.technet.microsoft.com/Forums/windowsserver/en-US/47232013-405b-4f0d-a567-65dd453b6c6d/where-is-gpotool-in-windows-server-2008

Under detail of the default DC policy, AD/sysvol versions the same for each computer/user?

Author Comment

by:mikey250

hi arnold, i already have 'resource tools' installed on my master dc, but im not sure what tools to use as i cannot find a listed description of what each tool is for!!!!!!!!

my sysvol looks ok!!

i have attached screenshot of: gpresult of master dc & 6 gpo's ad/sysvol

note: in the (gpresult) it does show:

applied group policy objects: - not sure if in wrong precedence order ?

default domain controllers policy
default domain policy

i am not sure what i am looking for!!! :(

"you need. look at the sysvol filesystem security settings for explicit deny" - ok where ?
gpresult---ad---sysvol-screensho.docx

Assisted Solution

by:arnold

gpotool will list all the GPOs you have and their status
If there is a GPO that is mismatched, i.e. one version exists on one DC and another version exists on another DC, it will point to an error that prevents the GPO from replicating.

I am not sure what the msba points to as being wrong with the default domain controller policy.

Author Comment

by:mikey250

i applied the 'group policy' option via gpmc by clicking the 'advanced' option which listed the security setting & so i selected: 'enterprise domain controller' - i then ran the msba group again, and error appears to have been removed now.

also i am not sure why i need to enable (proxy) in the default domain, in order to allow the following to gain internet access, as the default domain controller will not:


file server
wsus server

total ludicrous!

thanks for the help i might ask about that last issue on another thread, as why i have to enable proxy via default domain policy to get internet access specifically for:

file server
wsus server

Assisted Solution

by:arnold

Not sure what your setup is.  You may have an external firewall that was not configured to exempt some systems while exempting others.
i.e. deny port 80 access from LAN except for proxy server, server1, server2
server3, server4 either were not available or there is a reason why these servers should not have direct access to the internet.  i.e. they have content that needs to be protected.  The proxy server does that to some extent i.e. filter out virus/malware, etc.

Author Comment

by:mikey250

morning arnold, i only have 1x master dc & 1 x isa 2006 firewall, that allows the internal network internet access & remote vpn (home users)

i found 2 urls below, but i used the 1st url below:

http://social.technet.microsoft.com/Forums/windowsserver/en-US/3c68243a-a8b6-41bb-b76d-7ad5d5b2324d/gpdbpa-shows-error

http://os-kb.co.uk/28/03/2012/windows/enterprise-domain-controllers-does-not-have-apply-group-policy

Expert Comment

by:arnold

You reference several wsus server, file server, yet you list 1xdc and 1x ISA.

This is what confuses me.

Check your ISA to see which systems are exempt, i.e. allowed to pass through the ISA on port 80 and which are not thus required to have proxy configuration.

Author Comment

by:mikey250

hi arnold, my issue appears to be resolved now!:) ive just been checking over few days to confirm!:)

as per original thread shows below:

master dc
file server
isa 2006
wsus

also:
xp desktop
win 7 laptop (local)

note: just internet access allowed
note: remote vpn (home users)

Expert Comment

by:arnold

excellent.

Author Closing Comment

by:mikey250

although my issue was not resolved. the advice given for troubleshooting purposes is also good checks to confirm my gpo appears ok.  after setting the proxy in the wsus & isa & file server separate gpos they do not appear when I check & cannot access the internet.  if I add to the (default domain policy) yes it works for those member servers mentioned above! weird!!

appreciated for the advice