Solved

domain controller issue

Posted on 2014-01-26
Last Modified: 2014-02-16
hi

I have always been curious, when I join machines to the domain and they all locate by default in the built-in computer container, I do not configure the gpo for the built-in container because I then create specific 'ou/gpo' and 'move' each machine to relevant gpo.

I am currently running a small win 2003 domain network with only 3 other domain member servers attached but planning on upgrading to win 2008.

note: as I only have 1 x master dc/dns - I normally set primary dc to the same static ip address, but this time I left as default primary dns: 127.0.0.1 - I assume is perfectly ok

due to changing things and putting them back and removing machines from the domain and sometimes re-installing clean os on server without 1st removing from domain, but then running:

- clear scavenging file
- clear cache
- detect server updates & restarting dns
- or ipconfig /flushdns & ipconfig /registerdns in my master dc and gpo stuff, it appears my gpo is not quite working properly or really sluggish, ie my member servers and desktop not detecting my internet/proxy details, but when I add in manually it allows internet access.
- unauthorizing dhcp
- reconcile scopes
- restarting dhcp

- rebooting master dc 3/4 times

note:  the above will probably be the cause of my problem but trying to put it right.

on my isa it receives internet access but did not receive the gpo/internet proxy details via internet options, but when I add in manually it stops my internet from working.

I have checked the eventviewer on all machines and restarted several times but same issue.

my fileserver previously allowed my win 7 laptop to logon via roaming profile and receive internet access but when I logon to domain successfully via win 7 laptop it states that the file server is not connected or does not have permission.

normally I switch my machines off overnight, but I decided to leave my machines on for 2 days just in case the gpo was skewed and needed time to sync but have not had time to test yet.

note: I have 'reset the user config\windows settings\internet explorer maintenance', run gpupdate /force on master dc, restarted once and logged on and off 4/5 times and done the same with the other machines but had the same issue.

step 1

when I check the gpo manual configuration - it shows my internet connections successfully

step 2

run: gpo modelling for 'computer/container or user & container' all other settings are set but when I check the 'user config\internet connection' - it does not show it has taken & the 'settings' tab (does not) show internet proxy settings.

run: gpo rsop results - shows all other gpo settings but not the 'user config\windows settings\internet connection' - does not show my internet proxy details.

question 1.  If when I test to see if gpo's have been received and win 7 laptop can connect to fileserver and my machines can rec

note: I normally do not set 'enforce' gpo as I only have 1 x domain

note: if I run: rsop.msc on my win 7 it states that I do not have permission even though I used the 'domain admin' to logon as usual but rsop still opens and shows all correct gpos but not my internet proxy settings.

question 2.  if my gpo's are still skewed I was thinking of removing all machines from the domain and demoting my dc and either doing a clean install or then running: dcpromo again.  any suggestions from anyone  ?

question 3.  is the 'enforce setting for the gpo' only used if multiple domains are configured for example as I never set it  ?
Question by:mikey250
9 Comments
 
LVL 4

Accepted Solution

by:
colditzz earned 500 total points
ID: 39810318
Not sure if I am following your description accurately, but it looks like you are trying to apply the internet settings (which are User specific) via a GPO that is only applying to Computer accounts.  The GPO that applies User settings must be in the hierarchy above the user accounts unless you have loopback processing enabled (possibly unnecessary overhead).

I would create a specific GPO that applies the user internet settings and then apply that at an OU which contains your user accounts.

Hope this helps with the application of GPO policy issue.

Regarding the rsop.msc issue as Domain Admin on Win 7 machine, firstly please ensure the Domain Admins AD group is a member of the Administrators builtin group on the Win 7 machine, secondly you may need to run rsop.msc using the 'Run as Administrator' option (due to UAC), to do this, launch cmd.exe 'as Administrator' and click Yes to the UAC pop-up, then launch rsop.msc from the elevated command prompt.

Cheers
 

Author Comment

by:mikey250
ID: 39810347
hi colditzz,  yes I configure the following:

computer config\windows components\windows update - as usual
computer config\admin template\system\gpo - as usual

user config\windows settings\internet etc - as usual
user config\admin template\system\gpo - as usual

that is all I have ever done!

I am not sure about the 'loopback processing' as never understood what it meant..!

I am only using the 'domain admin' account.

i will try and run 'rsop.msc' from win 7.
 
LVL 4

Assisted Solution

by:colditzz
colditzz earned 500 total points
ID: 39810389
If you are only using the Domain Admin account (Administrator by default), this will be in the 'Users' container, you will need to ensure this container can 'see' the GPO.

Open gpmc.msc on the server, in the left-hand pane, select the Users container, in the right-hand pane select the 'Group Policy Inheritance' tab and make sure the GPO(s) you have configured are listed.

http://social.technet.microsoft.com/wiki/contents/articles/2548.windows-server-understand-user-group-policy-loopback-processing-mode.aspx - that is an explanation of loopback processing and how it does/can work for you...
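
The inheritance check described in this answer, and the link precedence the asker later reports as the actual fault, can also be listed from a script. This is an added example, not part of the thread: it assumes the GroupPolicy PowerShell module (RSAT, or Windows Server 2008 R2 and later, with PowerShell 3.0+), and the OU distinguished name is a hypothetical placeholder.

```powershell
# Added example: lists the GPOs that reach an OU in winning order and shows
# whether each one actually carries live User settings.
Import-Module GroupPolicy

# Hypothetical placeholder: the OU that holds the user accounts.
$UserOu = 'OU=Staff,DC=example,DC=local'

function Get-EffectiveGpoOrder {
    param([Parameter(Mandatory)][string]$Target)

    $som = Get-GPInheritance -Target $Target
    if ($som.GpoInheritanceBlocked) {
        Write-Warning "Inheritance is blocked at $Target; only enforced parent links still apply."
    }

    # InheritedGpoLinks matches the 'Group Policy Inheritance' tab in GPMC:
    # the first entry has the highest precedence and wins on conflicting settings.
    $position = 0
    foreach ($link in $som.InheritedGpoLinks) {
        $position++
        $gpo    = Get-GPO -Guid $link.GpoId
        $status = [string]$gpo.GpoStatus
        [pscustomobject]@{
            Precedence   = $position
            Gpo          = $link.DisplayName
            LinkedAt     = $link.Target
            LinkEnabled  = $link.Enabled
            Enforced     = $link.Enforced
            GpoStatus    = $status
            # The User half only matters if it is enabled and has been edited at least once.
            UserSideLive = ($status -notin 'UserSettingsDisabled', 'AllSettingsDisabled') -and
                           ($gpo.User.DSVersion -gt 0)
        }
    }
}

Get-EffectiveGpoOrder -Target $UserOu | Format-Table -AutoSize
```

A GPO holding the proxy settings that is missing from this list, has its link disabled, shows `UserSideLive` as False, or sits below another GPO that sets the same values will not deliver them to users in that OU.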

Author Comment

by:mikey250
ID: 39810491
i always use the 'domain admin account' that i create when i 1st install win 2003 and then when i run: dcpromo i continue to use this same account and join everyone to the built-in computer container.

i never configure the 'built-in' gpo as above states i move to specific 'ou/gpo' as described as below:

- i then create each ou/gpo and configure as normal
- i then move each individual machine into each separate ou/gpo
- i also configure computer config\admin temp\folder redirection & select both boxes
- i also configure user config\windows settings\folder redirection & locate file server
- i always put both user & computer into same ou/gpo and configure both: computer config & user config - i always have although i know some others separate both into separate 'ou/gpo'
- i then restart all machines
- i then run: gpupdate or /force as and when required if trying to speed the gpo/sync up ie restart once and logon and off 4 times

this is what i have always done.

as i am the only one who makes changes i do not create other accounts and give domain admin rights.

question 1.  have i got the understanding wrong  ?

question 2.  i never really use the 'gpmc.msc' as i always open manually the gpmc always on the master dc/ad/dns/dhcp/gpo server but if i was to create a secondary or multiple domain accounts for other users then i would 'tell them to configure the gpo via 'gpmc.msc' - please tell me if i have the wrong understanding  ?

note: i have read the 'url' you sent me about 'loopback processing' but not sure if this is relevant to me, due to how i normally do things as explained above.

i assume 'loopback processing' is if i configure an 'ou & move computers/servers' in one container or multiple

i assume 'loopback processing' is if i configure an 'ou & move users' in one container or multiple

note:  i will have to spend time reading that link as do not entirely understand it properly
 

Author Comment

by:mikey250
ID: 39811970
hi colditzz,

I did the following but the 'users container' does not show in 'win 2003' - I have attached what is the default before I create and link 'gpos' like I usually do.

open gpmc.msc on the server, in the left-hand pane, select the users container, in the right-hand pane select the 'group policy inheritance' tab and make sure the gpos you have configured are listed.
gpo-screenshot.docx
 
LVL 4

Assisted Solution

by:colditzz
colditzz earned 500 total points
ID: 39851846
Hi mikey250,

Apologies for the delay in responding to your query.

From the screen shots you attached and the explanation you have provided above I cannot see that you have done anything 'wrong'.  I see you said you have checked the Event Viewer, but didn't say what you have looked for?  Have you checked to see if there are any errors relating to DNS, connection to the domain, etc?

Can you browse (using 'My Computer' or Windows Explorer) to \\FQDN\NETLOGON or \\FQDN\SYSVOL?

The 'Default Domain Policy' by default applies to everything below it in the hierarchy, so you could try adding it in that policy to see if it takes effect.

Personally - and it is just a personal preference - I always create a new GPO in the 'Group Policy Objects' container, I add the configuration required and then I link it to the OU I want it to apply to.

If it was just the folder redirection that was failing, I would suggest looking at the share permissions and NTFS permissions for the shared folder(s), but as it is also Internet Explorer connection settings, the best place to look would be the Event Viewer.

Cheers
 

Author Comment

by:mikey250
ID: 39853238
hi colditzz, apologies for not coming back but my problem is now resolved.

as it turns out yes I had configured everything correctly, but I did not confirm the 'precedence order' of the 'linked gpo objects & the inheritance tab'.  after this was explained to me as I never ever touch it because did not understand it so I always forgot about it.  that fixed my problem.

due to having a problem on my fileserver and my isa, I have had to re-install and change the harddrives, so I am trying to get back to where I originally was.

either way at least I have fixed my problem.

I will allocate the points as the assistance was still good advice.  so appreciated.
 

Author Closing Comment

by:mikey250
ID: 39853434
although the advice did not resolve my issue, the advice was good.  the issue was my 'precedence' order was not correct but I have explained this on my last thread.

appreciated for advice anyway.
 
LVL 4

Expert Comment

by:colditzz
ID: 39862741
Hi Mikey,

Thank you kindly for the allocations and I'm glad you got to the bottom of the problem.

Cheers