Windows Server 2008 Group Policy Problems


  • Windows Server 2008 Group Policy Problems

    Greetings all,

    I've been working on this through searching to the best of my ability, and I'm just stumped....

    I'm setting up a new Group Policy for a public library's Computer Lab. As such, I'm restricting access to certain items, and it works like a charm. Sometimes. I'm having problems with machines intermittently loading the GPO. I haven't been able to get consistent results. Of the 10 machines, 5 will load the GPO correctly and 5 won't. Reboot all machines and the previous 5 that didn't load correctly, load fine. I've attributed this to a couple of problems I have...

    1) I have the machines set to delete all profiles on reboot (I can't have people saving naughty pictures on the computers then Grandma sitting down next and seeing them). This causes the GPO to have to load on every boot. The machines each boot at least 10 times per day...

    2) OpenDNS. Being a public computer lab, we need a cheap/free web filtering solution and I've implemented OpenDNS. I'm almost sure this is where the problem is...I've set OpenDNS on the DNS Server "Forwarding" per OpenDNS's instructions here:
    <nvm...I'm a newb and can't post links>

    When the GPO fails to load, if I run an nslookup from the client to my DNS Server (dc1.XXX.lib.XX.us), I get IP Addresses for OpenDNS's servers. This bothers me.

    If I disable the OpenDNS forwarding, the GPOs load much more consistently (though I still can't say 100%).

    I've done enough searching to come across DeleGate, but don't want to go down that road until I've made sure I've covered all my bases first.

    dnslint and dcdiag both PASS my DNS test. (I can provide complete logs if necessary.)


    Any ideas here?

    <EDIT: I have done "gpupdate /force" on the problem machines with no error. However, "gpresult" shows no GPO.>
    Last edited by ken_npl; 30th March 2011, 21:57. Reason: additional info

  • #2
    Re: Windows Server 2008 Group Policy Problems

    It sounds like the problem is DNS related, for sure. I wonder if (lack of) DNS suffix is a problem?

    Your local DNS server should be the lookup point for your local computers' DNS queries and thus an NSLookup should always refer to your local DNS server as the query host.

    Is this an AD environment?

    I would check the IPCONFIG/ALL settings of the workstations to make sure that subnets, gateways and DNS are correct. DNS should be your local DNS server. Your DNS server should only forward queries which do not cover your local domain.
    |
    +-- JDMils
    |
    +-- Regional Systems Engineer, DotNet programmer & Jack of all trades
    |
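
The check described in the reply above (a lookup of the domain controller should be answered by the local DNS server, with an internal address), written out as an added example that is not part of the original thread. It parses saved `nslookup` output; the sample output, host names, addresses and the `check_dc_lookup` helper are all constructed for illustration.

```python
import ipaddress
import re
# RFC 1918 only; ipaddress.is_private would also match 203.0.113.0/24.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def parse_nslookup(text):
    """Return (resolver_ip, [answer_ips]) from Windows nslookup output."""
    resolver, answers, in_answer = None, [], False
    for line in text.splitlines():
        if line.strip().lower().startswith("name:"):
            in_answer = True          # addresses after Name: are the answer
            continue
        for ip in IPV4.findall(line):
            if in_answer:
                answers.append(ip)
            elif resolver is None:
                resolver = ip         # first address: the server that replied
    return resolver, answers

def check_dc_lookup(text, local_dns):
    """List what is wrong with one nslookup of the domain controller name."""
    resolver, answers = parse_nslookup(text)
    problems = []
    if resolver not in local_dns:
        problems.append(f"answered by {resolver}, not a local DNS server")
    if not answers:
        problems.append("no address returned for the DC name")
    for ip in answers:
        if not any(ipaddress.ip_address(ip) in net for net in INTERNAL):
            problems.append(f"DC name resolved to external address {ip}")
    return problems

# Constructed nslookup output; names and addresses are hypothetical.
HEALTHY = """Server:  dc1.corp.example
Address:  192.168.10.5

Name:    dc1.corp.example
Address:  192.168.10.5
"""
LEAKED = """Server:  resolver.filter.example
Address:  203.0.113.53

Non-authoritative answer:
Name:    dc1.corp.example
Addresses:  203.0.113.80, 203.0.113.81
"""
if __name__ == "__main__":
    print(check_dc_lookup(LEAKED, {"192.168.10.5"}))
```

An empty list means the client asked the local server and got an internal address for the DC; anything else is worth fixing before looking at the GPO itself.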



    • #3
      Re: Windows Server 2008 Group Policy Problems

      What Windows are you running on the clients?
      Gareth Howells

      BSc (Hons), MBCS, MCP, MCDST, ICCE



      • #4
        Re: Windows Server 2008 Group Policy Problems

        Originally posted by JDMils
        It sounds like the problem is DNS related, for sure. I wonder if (lack of) DNS suffix is a problem?

        Your local DNS server should be the lookup point for your local computers' DNS queries and thus an NSLookup should always refer to your local DNS server as the query host.

        Is this an AD environment?

        I would check the IPCONFIG/ALL settings of the workstations to make sure that subnets, gateways and DNS are correct. DNS should be your local DNS server. Your DNS server should only forward queries which do not cover your local domain.

        IPCONFIG /ALL is showing the correct subnets, gateway and DNS (all local IPs). When I perform an NSLookup, however, it successfully finds the DNS, but at an outside IP. I'll attempt to get screenshots posted shortly.

        Yes, it is an Active Directory Environment.

        Originally posted by gforceindustries
        What Windows are you running on the clients?

        Windows XP Professional



        • #5
          Re: Windows Server 2008 Group Policy Problems

          Screenshots:

          One is without DNS hardcoded...as you can see, what is supposed to be set up as a "Forward" DNS is acting as the primary (the 208.xxx.xxx.xxx is OpenDNS). I don't like this behavior but can't pinpoint it as the problem.

          The reason I can't pinpoint it is even when I hardcode the DNS to local DNS...The WebFiltering works fine, but I still have intermittent results with loading the GPO as can be seen in the other screenshot. You can see the gpupdate didn't work, and you can see that the nslookup for the DNS server was fine...


          • #6
            Re: Windows Server 2008 Group Policy Problems

            Another interesting tidbit:

            If I log in as Domain Administrator on any of the machines, I get full GPO love...so, it has to do with the specific OU or GPO...hmm...



            • #7
              Re: Windows Server 2008 Group Policy Problems

              The best I can offer you is to remove all GPOs from the users & computers. Now, add each of the settings you would like to apply, but one-at-a-time and test after each addition.

              You may find that it is due to one of your settings - I don't know - just a suggestion. If you add your first GPO setting and the computers fail then it ain't GPO or OU.
              |
              +-- JDMils
              |
              +-- Regional Systems Engineer, DotNet programmer & Jack of all trades
              |



              • #8
                Re: Windows Server 2008 Group Policy Problems

                Thank you for the reply!

                I did as you stated and I'm still getting mixed results. Even with only 1 setting applied (Force Classic Start Menu), I'm still getting hit-and-miss results from random machines. On any random machine in the lab, the GPO is getting applied 75% of the time...I'm calling in a priest and gonna go from there.

                I'm still stuck on the fact that the "Administrator" user profile applies 100% of the time, but the "Lab" user profile only applies 75% of the time...

                Gonna continue to work on it and post my findings here...



                • #9
                  Re: Windows Server 2008 Group Policy Problems

                  What do you get when you run GPRESULT each time? Can you create a brand new GPO and apply test settings to see if they work each time? I wonder if there are security issues with your AD setup.

                  I have an issue here where specific users cannot change their own password from their workstations- I found that those users had incorrect security setup on their user accounts which did not allow them to perform this action.

                  What happens if you make your test users domain admins?
                  |
                  +-- JDMils
                  |
                  +-- Regional Systems Engineer, DotNet programmer & Jack of all trades
                  |



                  • #10
                    Re: Windows Server 2008 Group Policy Problems

                    Can you please draw your current setup??

                    From what I can see your clients are in one network and your DNS is in another, not that it matters though.



                    • #11
                      Re: Windows Server 2008 Group Policy Problems

                      You have differing DHCP answers on both the screenshots - and if you look closely you can see why. Your DHCP lease time is set quite long, something that has always bugged me about the standard DHCP setup.

                      Try going into the scope and setting the lease time to 24 hours unless you have a need for it to be higher. That should stop the PCs from holding on to the incorrect DNS servers for longer than they should as they'll have to ask for a new lease.

                      With regards to the GPOs, check the reverse DNS zone. If the reverse DNS zone isn't being updated when the client IPs change you might discover that the PCs can find the server but the server can't find the PCs. I've had GPO issues that were resolved by enabling dynamic updates on the zone.
                      Last edited by beddo; 14th April 2011, 13:59. Reason: typo



                      • #12
                        Re: Windows Server 2008 Group Policy Problems

                        Use Windows DNS service instead of OpenDNS; maybe it may solve your problem.



                        • #13
                          Re: Windows Server 2008 Group Policy Problems

                          Originally posted by wullieb1
                          Can you please draw your current setup??

                          From what I can see your clients are in one network and your DNS is in another, not that it matters though.

                          We have the same problem. I hope anyone can help us......
