• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 437
  • Last Modified:

domain controller issue


I have always been curious, when I join machines to the domain and they all locate by default in the built-in computer container, I do not configure the gpo for the built-in container because I then create specific 'ou/gpo' and 'move' each machine to relevant gpo.

I am currently running a small win 2003 domain network with only 3 other domain member servers attached but planning on upgrading to win 2008.

note: as I only have 1 x master dc/dns - I normally set primary dc to the same static ip address, but this time I left as default primary dns: - I assume is perfectly ok

due to changing things and putting them back and removing machines from the domain and sometimes re-installing clean os on server without 1st removing from domain, but then running:

- clear scavenging file
- clear cache
- detect server updates & restarting dns
- or ipconfig /flushdns & ipconfig /registerdns in my master dc and gpo stuff, it appears my gpo is not quite working properly or really sluggish, ie my member servers and desktop not detecting my internet/proxy details, but when I add in manually it allows internet access.
- unauthourizing dhcp
- reconcile scopes
- restarting dhcp

- rebooting master dc 3/4 times

note:  the above will probably be the cause of my problem but trying to put it right.

on my isa it receives internet access but did not receive the gpo/internet proxy details via internet options, but when I add in manually it stops my internet from working.

I have checked the eventviewer on all machines and restarted several time but same issue.

my fileserver previously allowed my win 7 laptop to logon via roaming profile and receive internet access but when I logon to domain successfully via win 7 laptop it states that the file server is not connected or does not have permission.

normally I switch my machines off overnight, but I decided to leave my machines on for 2 days just incase the gpo was skewed and needed time to sync but have not had time to test yet.

note: I have 'reset the user config\windows settings\internet explorer maintenance', run gpupdate /force on master dc, restarted once and logged on and off 4/5 times times and done the same with the other machines but had the same issue.

step 1

when I check the gpo manual configuration - it shows my internet connections successfully

step 2

run: gpo modelling for 'computer/container or user & container' all other settings are set but when I check the 'user config\internet connection - it does not show it has taken & the 'settings' tab (does not) show internet proxy settings.

run: gpo rsop results - shows all other gpo settings but not the 'user config\windows settings\internet connection does not show my internet proxy details.

question 1.  If when I test to see if gpo's have been received and win 7 laptop can connect to fileserver and my machines can rec

note: I normally do not set 'enforce' gpo as I only have 1 x domain

note: if I run: rsop.msc on my win 7 it states that I do not have permission even though I used the 'domain admin' to logon as usual but rsop still opens and shows all correct gpos but not my internet proxy settings.

question 2.  if my gpo's are still skewed I was thinking of removing all machines from the domain and demoting my dc and either doing a clean install or then running: dcpromo again.  any suggestions from anyone  ?

question 3.  is the 'enforce setting for the gpo' only used if multiple domains are configured for example as I never set it  ?
  • 5
  • 4
3 Solutions
Not sure if I am following your description accurately, but it looks like you are trying to apply the internet settings (which are User specific) via a GPO that is only applying to Computer accounts.  The GPO that applies User settings must be in the hierarchy above the user accounts unless you have loopback processing enabled (possibly unnecessary overhead).

I would create a specific GPO that applies the user internet settings and then apply that at an OU which contains your user accounts.

Hope this helps with the application of GPO policy issue.

Regarding the rsop.msc issue as Domain Admin on Win 7 machine, firstly please ensure the Domain Admins AD group is a member of the Administrators builtin group on the Win 7 machine, secondly you may need to run rsop.msc using the 'Run as Administrator' option (due to UAC), to do this, launch cmd.exe 'as Administrator' and click Yes to the UAC pop-up, then launch rsop.msc from the elevated command prompt.

mikey250Author Commented:
hi colditzz,  yes I configure the following:

computer config\windows components\windows update - as usual
computer config\admin template\system\gpo - as usual

user config\windows settings\internet etc - as usual
user config\admin template\system\gpo - as usual

that is all I have ever done!

I am not sure about the 'loopback processing' as never understood what it meant..!

I am only using the 'domain admin' account.

i will try and run 'rsop.msc. from win 7.
If you are only using the Domain Admin account (Administrator by default), this will be in the 'Users' container, you will need to ensure this container can 'see' the GPO.

Open gpmc.msc on the server, in the left-hand pane, select the Users container, in the right-hand pane select the 'Group Policy Inheritance' tab and make sure the GPO(s) you have configured are listed.

http://social.technet.microsoft.com/wiki/contents/articles/2548.windows-server-understand-user-group-policy-loopback-processing-mode.aspx - that is an explanation of loopback processing and how it does/can work for you...
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

mikey250Author Commented:
i always use the 'domain admin account' that i create when i 1st install win 2003 and then when i run: dcpromo i continue to use this same account and join everyone to the built-in computer container.

i never configure the 'built-in' gpo as above states i move to specific 'ou/gpo' as described as below:

- i then create each ou/gpo and configure as normal
- i then move each individual machine into each separate ou/gpo
- i also configure computer config\admin temp\folder redirection & select both boxes
- i also configure user config\windows settings\folder redirection & locate file server
- i always put both user & computer into same ou/gpo and configure both: computer config & user config - i always have although i know some others separate both into separate 'ou/gpo'
- i then restart all machines
- i then run: gpupdate or /force as and when required if trying to speed the gpo/sync up ie restart once and logon and off 4 times

this is what i have always done.

as i am the only one who makes changes i do not create other accounts and give domain admin rights.

question 1.  have i got the understand wrong  ?

question 2.  i never really use the 'gpmc.msc' as i always open manually the gpmc always on the master dc/ad/dns/dhcp/gpo server but if i was to create a secondary or multiple domain accounts for other users then i would 'tell them to configure the gpo via 'gpmc.msc' - please tell me if i have the wrong understanding  ?

note: i have read the 'url' you sent me about 'loopback processing' but not sure if this is relevant to me, due to how i normally do things as explained above.

i assume 'loopback processing' is if i configure an 'ou & move computers/servers' in one container or multiple

i assume 'loopback processing' is if i configure an 'ou & move users' in one container or multiple

note:  i will have to spend time reading that link as do not entirely understand it properly
mikey250Author Commented:
hi colditzz,

I did the following but the 'users container' does not show in 'win 2003' - I have attached what is the default before I create and link 'gpos' like I usual do.

open gpmc.msc on the server, in the left-hand pane, select the users container, in the right-hand pane select the 'group policy inheritance' tab and make sure the gpos you have configured are listed.
Hi mikey250,

Apologies for the delay in responding to your query.

From the screen shots you attached and the explanation you have provided above I cannot see that you have done anything 'wrong'.  I see you said you have checked the Event Viewer, but didn't say what you have looked for?  Have you checked to see if there are any errors relating to DNS, connection to the domain, etc?

Can you browse (using 'My Computer' or Windows Explorer) to \\FQDN\NETLOGON or \\FQDN\SYSVOL?

The 'Default Domain Policy' by default applies to everything below it in the hierarchy, so you could try adding it in that policy to see if it takes effect.

Personally - and it is just a personal preference - I always create a new GPO in the 'Group Policy Objects' container, I add the configuration required and then I link it to the OU I want it to apply to.

If it was just the folder redirection that was failing, I would suggest looking at the share permissions and NTFS permissions for the shared folder(s), but as it is also Internet Explorer connection settings, the best place to look would be the Event Viewer.

mikey250Author Commented:
hi colditz, apologies for not coming back but my problem is now resolved.

as it turns out yes I had configured everything correctly, but I did not confirm the 'precedence order' of the 'linked gpo objects & the inheritance tab'.  after this was explained to me as I never ever touch it because did not understand it so I always forgot about it.  that fixed my problem.

due to having a problem on my fileserver and my isa, I have had to re-install and change the harddrives, so I am trying to get back to where I originally was.

either way at least I have fixed my problem.

I will allocate the points as the assistance was still good advice.  so appreciated.
mikey250Author Commented:
although the advice did not resolve my issue, the advice was good.  the issue was my 'precedence' order was not correct but I have explained this on my last thread.

appreciated for advice anyway.
Hi Mikey,

Thank you kindly for the allocations and I'm glad you got to the bottom of the problem.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 5
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now