
Thread: Group Policy

  1. Senior Member
    #1

    Group Policy

    I have group policies applying throughout my domain. All the policies apply fine for the OUs with computers in them, but for the OU with users, none of the group policies work. I'm using a server with 2003 and XP clients. I have group policies called redirect and folders. When I run gpresult, none of the group policies that are in the User OU even show up.

    There are no errors in the event log for the client or the server. Any ideas of what could be going on?

  3. Senior Member
    #2
    Are the settings you applied done in the "Computer Configuration" side?

    Remember that computer config applies to computers and user config applies to users. They will ignore the settings if they aren't applicable.

  4. Nidhoggr, the Net Serpent (Claymoore)
    #3
    You say that all of your users are in a single OU. Is this an OU that you created or is it the default Users container? You can't apply group policies to the default user or computer containers, only OUs.

  5. Senior Member
    #4
    No, the settings are being done on the User side. I'm actually doing folder redirection. This is an OU that I've created. I even created a new policy to not show the "my music" folder and that doesn't apply either. All computer side policies work fine. This all started happening when I downloaded that new GPMC. Still can't figure this out.

  6. Senior Member
    #5
    Now I'm getting event ID 1054, saying "Windows cannot obtain the domain controller for your computer network. Group policy aborting."

  7. BOBBY_TABLES (RobertKaucher)
    #6
    Originally Posted by mallyg27:
    Now I'm getting event ID 1054, saying "Windows cannot obtain the domain controller for your computer network. Group policy aborting."
    The first thing I would check is DNS. I doubt this is it, but you should verify that it's not the problem.

    * Look in the server's log for DNS errors.

    * Verify that you can ping the domain: ping domain.local

    * Use nslookup to verify srv records.

    1. Open Command Prompt.
    2. Type: nslookup
    3. Type: set q=srv
    4. Type: _ldap._tcp.dc._msdcs.domainname.local

    Try this as well:
    Windows cannot obtain the domain controller name for your computer network. (An unexpected network error occurred. ). Group Policy processing aborted. | IT Solutions Knowledge Base

  8. Senior Member
    #7
    Are the actual user accounts in the OU, or just computers? If it's just computer accounts, you need to enable group policy loopback mode. This allows user settings to apply to computers.
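    The points raised in posts #2, #3 and #7 (settings on the wrong side, accounts in the default Users container, GPO links that never reach the user) can be checked for one account with the script below. It is an added example, not code from the thread; it assumes RSAT (the ActiveDirectory and GroupPolicy modules) on a domain-joined host, and the parameter name is my own.

```powershell
# Added example, not code from the thread. Given one user, report where the
# account sits and which GPOs can actually deliver user-side settings to it:
# an account in the default CN=Users container has no OU-linked GPOs at all,
# and a GPO whose user settings are disabled delivers nothing even when linked.
# Assumes RSAT (ActiveDirectory and GroupPolicy modules) on a domain-joined host.
param([Parameter(Mandatory)][string] $SamAccountName)

Import-Module ActiveDirectory, GroupPolicy -ErrorAction Stop

$user = Get-ADUser -Identity $SamAccountName
# Drop the leading RDN ("CN=user,") to get the DN of the parent container or OU.
$parent = $user.DistinguishedName -replace '^.+?(?<!\\),', ''
"$SamAccountName is in: $parent"

if ($parent -match '^CN=') {
    Write-Warning "'$parent' is a container, not an OU, so no GPO can be linked to it."
    Write-Warning "Only domain- and site-linked GPOs reach this account; move it into an OU."
    return
}

$inh = Get-GPInheritance -Target $parent
if ($inh.GpoInheritanceBlocked) {
    Write-Warning "Inheritance is blocked at $parent; only enforced links from above apply."
}

# InheritedGpoLinks lists every GPO that reaches this OU (domain, parent OUs and
# the OU itself) in processing order.
foreach ($link in $inh.InheritedGpoLinks) {
    $gpo = Get-GPO -Guid $link.GpoId
    $userSideOn = $gpo.GpoStatus -notin @('UserSettingsDisabled', 'AllSettingsDisabled')
    $userSettings = if ($userSideOn) { 'enabled' } else { 'DISABLED' }
    [pscustomobject]@{
        GPO          = $link.DisplayName
        LinkedAt     = $link.Target
        LinkEnabled  = $link.Enabled
        Enforced     = $link.Enforced
        UserSettings = $userSettings
    }
}
```

    Compare the list with gpresult /r /scope:user on the client: a GPO listed here but missing there points at client-side processing (DNS, DC locator) rather than at the link.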

  9. Senior Member
    #8
    Originally Posted by mallyg27:
    Now I'm getting event ID 1054, saying "Windows cannot obtain the domain controller for your computer network. Group policy aborting."
    Check the health of your domain controllers.

    Dcdiag Overview: Networking and Communications; Active Directory

  10. Senior Member
    #9
    Originally Posted by RobertKaucher:
    The first thing I would check is DNS. I doubt this is it, but you should verify that it's not the problem.

    * Look in the server's log for DNS errors.

    * Verify that you can ping the domain: ping domain.local

    * Use nslookup to verify srv records.

    1. Open Command Prompt.
    2. Type: nslookup
    3. Type: set q=srv
    4. Type: _ldap._tcp.dc._msdcs.domainname.local

    Try this as well:
    Windows cannot obtain the domain controller name for your computer network. (An unexpected network error occurred. ). Group Policy processing aborted. | IT Solutions Knowledge Base

    I ran nslookup and it says "DNS request timed out".

  11. BOBBY_TABLES (RobertKaucher)
    #10
    Originally Posted by mallyg27:
    I ran nslookup and it says "DNS request timed out".
    Tell me a little bit about your network configuration.

    1. Do your DCs use 127.0.0.1 as the address for their DNS server?
    2. Do your clients all point to the DCs for DNS? Notice you cannot have any other DNS servers that do not have zones for your domain. You should not use your PDC as your primary DNS server and your ISP DNS server as your secondary.

    Run dcdiag /test:dns on your domain controller. If there are errors, run dcdiag /fix, then run net stop netlogon followed by net start netlogon, and run dcdiag /test:dns again to verify.

  12. Senior Member
    #11
    Originally Posted by RobertKaucher:
    Tell me a little bit about your network configuration.

    1. Do your DCs use 127.0.0.1 as the address for their DNS server?
    2. Do your clients all point to the DCs for DNS? Notice you cannot have any other DNS servers that do not have zones for your domain. You should not use your PDC as your primary DNS server and your ISP DNS server as your secondary.

    Run dcdiag /test:dns on your domain controller. If there are errors, run dcdiag /fix, then run net stop netlogon followed by net start netlogon, and run dcdiag /test:dns again to verify.
    Basically I have a simple network setup with Windows Server 2003 and a client computer running XP for learning purposes. It's not connected to the internet. My server IP address is 192.168.1.101, subnet mask is 255.255.255 and the default gateway is 192.168.1.1 (do I even need to specify a gateway?). The preferred DNS is 192.168.1.101. The client uses 192.168.1.101 as its preferred DNS.

    I also ran the dcdiag test and my DNS failed the test. A bunch of entries say "this is not a valid DNS server" and "root hints list has invalid root hint server".
    Last edited by mallyg27; 08-29-2009 at 03:34 AM.

  13. Senior Member
    #12
    Run dcdiag /fix. If that doesn't correct it you may need to take drastic measures.
    Your DNS server does have a zone with the same name as your domain, correct? And it does contain all the appropriate SRV records?

    If this is a test network I would suggest running dcpromo to demote the server. Then make sure your DNS server has a zone with the same name as the domain you wish to create. Make sure your future DC has that DNS server listed as its one and only DNS server. Then run dcpromo again to repromote. If you get an error in the dcpromo process about DNS not being correct, DO NOT just check the "I'll fix later" box. Keep retrying until it doesn't give you the error. Then you should be all set.

  14. Senior Member
    #13
    Originally Posted by mallyg27:
    No, the settings are being done on the User side. I'm actually doing folder redirection. This is an OU that I've created. I even created a new policy to not show the "my music" folder and that doesn't apply either. All computer side policies work fine. This all started happening when I downloaded that new GPMC. Still can't figure this out.
    Btw, GPMC is a great tool and you'll come to love it as you learn more about group policy.

  15. Senior Member
    #14
    Originally Posted by rwwest7:
    Btw, GPMC is a great tool and you'll come to love it as you learn more about group policy.

    Agreed. Now that I use it on 2008, I can't stand the old 2003 method of managing policies.

  16. BOBBY_TABLES (RobertKaucher)
    #15
    Originally Posted by rwwest7:
    Run dcdiag /fix. If that doesn't correct it you may need to take drastic measures.
    Your DNS server does have a zone with the same name as your domain, correct? And it does contain all the appropriate SRV records?

    If this is a test network I would suggest running dcpromo to demote the server. Then make sure your DNS server has a zone with the same name as the domain you wish to create. Make sure your future DC has that DNS server listed as its one and only DNS server. Then run dcpromo again to repromote. If you get an error in the dcpromo process about DNS not being correct, DO NOT just check the "I'll fix later" box. Keep retrying until it doesn't give you the error. Then you should be all set.
    I agree with the idea of starting over here. See if you can fix it and get things working with dcdiag, but I would not trust it even if it seemed to work.
    * Does your server have a static IP address? If not it needs to have a static address.
    * A domain controller that is also a DNS server (and why wouldn't it be?) should have 127.0.0.1 as the entry for its DNS server.

  17. Senior Member
    #16
    Originally Posted by Hyper-Me:
    Agreed. Now that I use it on 2008, I can't stand the old 2003 method of managing policies.
    You can use GPMC on 2003 also. It comes built into 2008, but you can download it for 2003.

  18. Senior Member
    #17
    Originally Posted by RobertKaucher:
    I agree with the idea of starting over here. See if you can fix it and get things working with dcdiag, but I would not trust it even if it seemed to work.
    * Does your server have a static IP address? If not it needs to have a static address.
    * A domain controller that is also a DNS server (and why wouldn't it be?) should have 127.0.0.1 as the entry for its DNS server.
    Yes, my server has a static address of 192.168.1.101. I tried dcdiag /fix and it still failed, so I'm going to start over and see what happens.

  19. Senior Member
    #18
    Originally Posted by rwwest7:
    You can use GPMC on 2003 also. It comes built into 2008, but you can download it for 2003.

    I know, I was just saying that I happen to use it on 2008 because that's what our DCs are at work, and I love it. I had never used it until 2008.

  20. Senior Member
    #19
    This DNS setup is killing me. My server keeps on failing when I do the dcdiag. I'm now getting event ID 4521. Do I need to set up a reverse zone also?
    Last edited by mallyg27; 08-29-2009 at 06:55 PM.

  21. Senior Member
    #20
    Post the error. You don't need reverse look-up zones.

  22. Senior Member
    #21
    Originally Posted by mallyg27:
    This DNS setup is killing me. My server keeps on failing when I do the dcdiag. I'm now getting event ID 4521. Do I need to set up a reverse zone also?
    This is how DNS in your domain should be set up:
    -A Domain Controller should be the DNS server.

    -DNS should be AD integrated

    -All domain controllers and clients should be pointing to a windows DNS server only, do not list your cable router or anything else in the DNS settings.

    -Your DNS server should have either your cable router or your ISPs DNS servers listed under the Forwarders tab.

    So your client computers should be using your DC/DNS servers for all name resolution. If they are trying to get to the internet, they should send the request to your DC/DNS server; your DC/DNS server should then forward the request based on what is in its Forwarders tab and return the answer to your client, caching the answer for future use.

  23. Senior Member
    #22
    Originally Posted by rwwest7:
    This is how DNS in your domain should be set up:
    -A Domain Controller should be the DNS server.

    -DNS should be AD integrated

    -All domain controllers and clients should be pointing to a windows DNS server only, do not list your cable router or anything else in the DNS settings.

    -Your DNS server should have either your cable router or your ISPs DNS servers listed under the Forwarders tab.

    So your client computers should be using your DC/DNS servers for all name resolution. If they are trying to get to the internet, they should send the request to your DC/DNS server; your DC/DNS server should then forward the request based on what is in its Forwarders tab and return the answer to your client, caching the answer for future use.
    I did the dcpromo and I set up Active Directory again, but when I install DNS it keeps the same settings from the previous setup. The way you're telling me to install it, I believe that's what I did.

  24. Senior Member
    #23
    Originally Posted by mallyg27:
    ...the default gateway is 192.168.1.1 (do I even need to specify a gateway?).
    Only if you're connecting to networks other than your LAN.

    Originally Posted by RobertKaucher:
    2. Do your clients all point to the DCs for DNS? Notice you cannot have any other DNS servers that do not have zones for your domain. You should not use your PDC as your primary DNS server and your ISP DNS server as your secondary.
    Ehhh? You mean if he only has a single internal DNS server, so the clients could still get to the internet if that fails?

    Originally Posted by rwwest7:
    -Your DNS server should have either your cable router or your ISPs DNS servers listed under the Forwarders tab.
    While I also do this, it is an optional step that allows you to offload iterative queries to your ISP. If you don't do this, it will just use root hints and still be able to resolve names.

    ***

    As far as the problems go, I'd google the errors you're getting when you run dcdiag. It sounds like you need to completely blow away DNS and put it back on.

  25. BOBBY_TABLES (RobertKaucher)
    #24
    Originally Posted by dynamik:
    Ehhh? You mean if he only has a single internal DNS server, so the clients could still get to the internet if that fails?

    No, no... This was a late-night typo. My intended meaning was that the clients should not use the ISP's DNS servers as their secondaries. They should use the DC as their DNS server, of course. I am not sure why I thought that sentence made sense.

    I have seen networks have authentication issues similar to this, where the clients had the DC as the primary DNS and the ISP DNS servers as the secondary and for some reason (response time?) the clients started to favour the ISP's DNS server. So they would send all their domain.local queries off to the ISP.
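    The DNS checks the thread keeps coming back to (the SRV lookup in post #6, "only DCs as DNS servers" in posts #10 and #21, and the ISP-secondary failure mode just described) can be scripted from the client side. This is an added example, not code from the thread; it assumes Windows 8 / Server 2012 or later (Resolve-DnsName, Get-DnsClientServerAddress) and takes the domain name from the environment.

```powershell
# Added example, not code from the thread. For every DNS server the client is
# configured with: (1) ask it for the DC-locator SRV record of the domain and
# (2) check that the server is itself one of the DCs it advertises. A server
# that cannot answer (an ISP or router address) is exactly the case where a
# client that fails over to it cannot find a DC and logs event 1054.
# Assumes Windows 8 / Server 2012 or later; $Domain defaults to the machine's domain.
param([string] $Domain = $env:USERDNSDOMAIN)

$srvName = "_ldap._tcp.dc._msdcs.$Domain"
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    ForEach-Object { $_.ServerAddresses } |
    Sort-Object -Unique

if (-not $servers) { Write-Warning 'No IPv4 DNS servers are configured.'; return }

foreach ($dns in $servers) {
    try {
        # -DnsOnly bypasses the local cache and hosts file so the server itself is tested.
        $srv = Resolve-DnsName -Name $srvName -Type SRV -Server $dns -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' }
    } catch {
        Write-Warning "$dns gave no answer for $srvName : $($_.Exception.Message)"
        Write-Warning "A client that falls back to $dns cannot locate a DC; remove it from the client's DNS list."
        continue
    }
    $dcs = @($srv | ForEach-Object { $_.NameTarget })
    "$dns advertises $($dcs.Count) DC(s): $($dcs -join ', ')"

    # Resolve each advertised DC and confirm the answering server is one of them
    # (127.0.0.1 on a DC that hosts its own DNS is fine, as post #15 says).
    $dcAddrs = foreach ($dc in $dcs) {
        (Resolve-DnsName -Name $dc -Type A -Server $dns -DnsOnly -ErrorAction SilentlyContinue).IPAddress
    }
    if ($dns -ne '127.0.0.1' -and $dns -notin $dcAddrs) {
        Write-Warning "$dns answers for $Domain but is not one of its DCs ($($dcAddrs -join ', '))."
    }
}
```

    Run it on the client that logs event 1054 as well as on the DC: on the DC the only server listed should be 127.0.0.1 or its own static address, and both should return the SRV record.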

  26. Senior Member
    #25
    Hah, no worries. You're always sharp, so I figured it was something like that.

    Wow, their network must be awful! It takes a (relatively) long time for a machine to completely give up on the primary DNS server and move on to the second.
