Solved

domain controller issue

Posted on 2014-01-26
Last Modified: 2014-02-16
hi

I have always been curious, when I join machines to the domain and they all locate by default in the built-in computer container, I do not configure the gpo for the built-in container because I then create specific 'ou/gpo' and 'move' each machine to relevant gpo.

I am currently running a small win 2003 domain network with only 3 other domain member servers attached but planning on upgrading to win 2008.

note: as I only have 1 x master dc/dns - I normally set primary dc to the same static ip address, but this time I left as default primary dns: 127.0.0.1 - I assume is perfectly ok

due to changing things and putting them back and removing machines from the domain and sometimes re-installing clean os on server without 1st removing from domain, but then running:

- clear scavenging file
- clear cache
- detect server updates & restarting dns
- or ipconfig /flushdns & ipconfig /registerdns in my master dc and gpo stuff, it appears my gpo is not quite working properly or really sluggish, ie my member servers and desktop not detecting my internet/proxy details, but when I add in manually it allows internet access.
- unauthorizing dhcp
- reconcile scopes
- restarting dhcp

- rebooting master dc 3/4 times

note:  the above will probably be the cause of my problem but trying to put it right.

on my isa it receives internet access but did not receive the gpo/internet proxy details via internet options, but when I add in manually it stops my internet from working.

I have checked the event viewer on all machines and restarted several times but same issue.

my fileserver previously allowed my win 7 laptop to logon via roaming profile and receive internet access but when I logon to domain successfully via win 7 laptop it states that the file server is not connected or does not have permission.

normally I switch my machines off overnight, but I decided to leave my machines on for 2 days just in case the gpo was skewed and needed time to sync but have not had time to test yet.

note: I have 'reset the user config\windows settings\internet explorer maintenance', run gpupdate /force on master dc, restarted once and logged on and off 4/5 times and done the same with the other machines but had the same issue.

step 1

when I check the gpo manual configuration - it shows my internet connections successfully

step 2

run: gpo modelling for 'computer/container or user & container' all other settings are set but when I check the 'user config\internet connection' - it does not show it has taken & the 'settings' tab (does not) show internet proxy settings.

run: gpo rsop results - shows all other gpo settings, but the 'user config\windows settings\internet connection' does not show my internet proxy details.

question 1.  If when I test to see if gpo's have been received and win 7 laptop can connect to fileserver and my machines can rec

note: I normally do not set 'enforce' gpo as I only have 1 x domain

note: if I run: rsop.msc on my win 7 it states that I do not have permission even though I used the 'domain admin' to logon as usual but rsop still opens and shows all correct gpos but not my internet proxy settings.

question 2.  if my gpo's are still skewed I was thinking of removing all machines from the domain and demoting my dc and either doing a clean install or then running: dcpromo again.  any suggestions from anyone  ?

question 3.  is the 'enforce setting for the gpo' only used if multiple domains are configured for example as I never set it  ?
Question by:mikey250
9 Comments
 
LVL 4

Accepted Solution

by:
colditzz earned 500 total points
ID: 39810318
Not sure if I am following your description accurately, but it looks like you are trying to apply the internet settings (which are User specific) via a GPO that is only applying to Computer accounts.  The GPO that applies User settings must be in the hierarchy above the user accounts unless you have loopback processing enabled (possibly unnecessary overhead).

I would create a specific GPO that applies the user internet settings and then apply that at an OU which contains your user accounts.

Hope this helps with the application of GPO policy issue.

Regarding the rsop.msc issue as Domain Admin on Win 7 machine, firstly please ensure the Domain Admins AD group is a member of the Administrators builtin group on the Win 7 machine, secondly you may need to run rsop.msc using the 'Run as Administrator' option (due to UAC), to do this, launch cmd.exe 'as Administrator' and click Yes to the UAC pop-up, then launch rsop.msc from the elevated command prompt.

Cheers
 

Author Comment

by:mikey250
ID: 39810347
hi colditzz,  yes I configure the following:

computer config\windows components\windows update - as usual
computer config\admin template\system\gpo - as usual

user config\windows settings\internet etc - as usual
user config\admin template\system\gpo - as usual

that is all I have ever done!

I am not sure about the 'loopback processing' as never understood what it meant..!

I am only using the 'domain admin' account.

i will try and run 'rsop.msc' from win 7.
 
LVL 4

Assisted Solution

by:colditzz
colditzz earned 500 total points
ID: 39810389
If you are only using the Domain Admin account (Administrator by default), this will be in the 'Users' container, you will need to ensure this container can 'see' the GPO.

Open gpmc.msc on the server, in the left-hand pane, select the Users container, in the right-hand pane select the 'Group Policy Inheritance' tab and make sure the GPO(s) you have configured are listed.

http://social.technet.microsoft.com/wiki/contents/articles/2548.windows-server-understand-user-group-policy-loopback-processing-mode.aspx - that is an explanation of loopback processing and how it does/can work for you...
 

Author Comment

by:mikey250
ID: 39810491
i always use the 'domain admin account' that i create when i 1st install win 2003 and then when i run: dcpromo i continue to use this same account and join everyone to the built-in computer container.

i never configure the 'built-in' gpo as above states i move to specific 'ou/gpo' as described as below:

- i then create each ou/gpo and configure as normal
- i then move each individual machine into each separate ou/gpo
- i also configure computer config\admin temp\folder redirection & select both boxes
- i also configure user config\windows settings\folder redirection & locate file server
- i always put both user & computer into same ou/gpo and configure both: computer config & user config - i always have although i know some others separate both into separate 'ou/gpo'
- i then restart all machines
- i then run: gpupdate or /force as and when required if trying to speed the gpo/sync up ie restart once and logon and off 4 times

this is what i have always done.

as i am the only one who makes changes i do not create other accounts and give domain admin rights.

question 1.  have i got the understanding wrong  ?

question 2.  i never really use the 'gpmc.msc' as i always open manually the gpmc always on the master dc/ad/dns/dhcp/gpo server but if i was to create a secondary or multiple domain accounts for other users then i would 'tell them to configure the gpo via 'gpmc.msc' - please tell me if i have the wrong understanding  ?

note: i have read the 'url' you sent me about 'loopback processing' but not sure if this is relevant to me, due to how i normally do things as explained above.

i assume 'loopback processing' is if i configure an 'ou & move computers/servers' in one container or multiple

i assume 'loopback processing' is if i configure an 'ou & move users' in one container or multiple

note:  i will have to spend time reading that link as do not entirely understand it properly

 

Author Comment

by:mikey250
ID: 39811970
hi colditzz,

I did the following but the 'users container' does not show in 'win 2003' - I have attached what is the default before I create and link 'gpos' like I usually do.

open gpmc.msc on the server, in the left-hand pane, select the users container, in the right-hand pane select the 'group policy inheritance' tab and make sure the gpos you have configured are listed.
gpo-screenshot.docx
 
LVL 4

Assisted Solution

by:colditzz
colditzz earned 500 total points
ID: 39851846
Hi mikey250,

Apologies for the delay in responding to your query.

From the screen shots you attached and the explanation you have provided above I cannot see that you have done anything 'wrong'.  I see you said you have checked the Event Viewer, but didn't say what you have looked for?  Have you checked to see if there are any errors relating to DNS, connection to the domain, etc?

Can you browse (using 'My Computer' or Windows Explorer) to \\FQDN\NETLOGON or \\FQDN\SYSVOL?

The 'Default Domain Policy' by default applies to everything below it in the hierarchy, so you could try adding it in that policy to see if it takes effect.

Personally - and it is just a personal preference - I always create a new GPO in the 'Group Policy Objects' container, I add the configuration required and then I link it to the OU I want it to apply to.

If it was just the folder redirection that was failing, I would suggest looking at the share permissions and NTFS permissions for the shared folder(s), but as it is also Internet Explorer connection settings, the best place to look would be the Event Viewer.

Cheers
 

Author Comment

by:mikey250
ID: 39853238
hi colditzz, apologies for not coming back but my problem is now resolved.

as it turns out yes I had configured everything correctly, but I did not confirm the 'precedence order' of the 'linked gpo objects & the inheritance tab'.  after this was explained to me as I never ever touch it because did not understand it so I always forgot about it.  that fixed my problem.

due to having a problem on my fileserver and my isa, I have had to re-install and change the harddrives, so I am trying to get back to where I originally was.

either way at least I have fixed my problem.

I will allocate the points as the assistance was still good advice.  so appreciated.
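
The link precedence and inheritance that turned out to be the cause here can be listed from PowerShell instead of the GPMC tabs, together with whether the GPO's user half is able to apply to the user's OU. This is an added example, not part of the original thread; it assumes the GroupPolicy module (GPMC/RSAT, Windows 7 or Server 2008 R2 and later) and PowerShell 3.0 or later, and the OU paths and GPO name are placeholders.

```powershell
# Added example. The three values below are hypothetical placeholders.
Import-Module GroupPolicy

$UserOU     = 'OU=Staff,DC=example,DC=local'         # OU holding the user accounts
$ComputerOU = 'OU=Workstations,DC=example,DC=local'  # OU holding the computer accounts
$GpoName    = 'IE Proxy Settings'                    # GPO carrying the user-side proxy settings

function Get-EffectiveGpoOrder {
    param([Parameter(Mandatory)][string]$Target)

    $inh = Get-GPInheritance -Target $Target
    # InheritedGpoLinks is the resolved list GPMC shows on the
    # 'Group Policy Inheritance' tab; Order 1 wins on conflicting settings.
    foreach ($link in $inh.InheritedGpoLinks) {
        $gpo = Get-GPO -Guid $link.GpoId
        [pscustomobject]@{
            Container        = $inh.Path
            BlockInheritance = $inh.GpoInheritanceBlocked
            Precedence       = $link.Order
            Gpo              = $link.DisplayName
            LinkedAt         = $link.Target
            LinkEnabled      = $link.Enabled
            Enforced         = $link.Enforced
            GpoStatus        = $gpo.GpoStatus
        }
    }
}

$userOrder = @(Get-EffectiveGpoOrder -Target $UserOU)
$userOrder | Sort-Object Precedence | Format-Table -AutoSize
Get-EffectiveGpoOrder -Target $ComputerOU | Sort-Object Precedence | Format-Table -AutoSize

# User Configuration settings only apply when the GPO is in scope for the
# container holding the user account, the link is enabled, and the user
# half of the GPO has not been disabled.
$hit = $userOrder | Where-Object { $_.Gpo -eq $GpoName } | Select-Object -First 1
if (-not $hit) {
    Write-Warning "'$GpoName' is not in scope for $UserOU"
} elseif (-not $hit.LinkEnabled -or
          "$($hit.GpoStatus)" -match 'UserSettingsDisabled|AllSettingsDisabled') {
    Write-Warning "'$GpoName' is linked, but its user settings cannot apply"
} else {
    "GPOs that win over '$GpoName' on conflicting user settings:"
    $userOrder | Where-Object { $_.Precedence -lt $hit.Precedence } |
        Sort-Object Precedence | Select-Object Precedence, Gpo, LinkedAt, Enforced
}
```

Running `gpresult /h report.html` on the client as the affected user then shows which GPO actually won for each setting.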
 

Author Closing Comment

by:mikey250
ID: 39853434
although the advice did not resolve my issue, the advice was good.  the issue was my 'precedence' order was not correct but I have explained this on my last thread.

appreciated for advice anyway.
 
LVL 4

Expert Comment

by:colditzz
ID: 39862741
Hi Mikey,

Thank you kindly for the allocations and I'm glad you got to the bottom of the problem.

Cheers