We seem to have one machine where group policy is not getting applied correctly. When a pupil logs onto the machine they are not getting some of the group policies we have in place.
I tried a couple of things with interesting results:
1) Pinging the DC - This works fine (both IP and DNS)
2) Pinging the machine form the DC - This does not work unless I disable the Windows Firewall on the machine
We use Windows Firewall which is set by group policy.
Any ideas what might be causing this?
Adam.
Any useful messages in the client event logs?
I can't remember the exact message but there were netlogon errors being logged everytime I tried to logon to this machine - along the lines of no domain controller could be found.
One other thing that was happening was the pupils home folder was being mapped to the root of the share (which they dont have access to) instead of actual home folder.
I take it you have run a gpupdate on the client - [ part of the Edugeek Admin Bar - see below ]
And that the PC is in the correct OU and has not got any other special over - riding policies ?
Yep run gpupdate /force, reset as required. The machine is in the same OU is has always been in since it was first installed along with 28 other machines that don't have the problem. It's just this single machine!
I had this exact problem recently on a number of machines. For me, it was a DNS issue--for some reason, the computers had a bad DHCP address which did not point to the DC DNS server. A simple release renew of the ip address solved the issue for me (except for one machine that had to be rejoined to the domain for unknown reasons).
Have you tried ipconfig/ release and ipconfig/ renew yet?
Why? I would have thought you have a superior firewall protecting your network where it joins the outside wall. You shouldn't need to firewall the individual machines too.Originally Posted by adamf
Windows Firewall always gets switched off here (... just not quickly enough sometimes)
I did try release/renew also deleted the lease from the DHCP server neither worked. I haven't tried removing it from the domian and rejoining it yet - i'll give that a go.
We do have a superior firewall protecting the network.
I don't know why Windows Firewall is on (something the person I replaced put in place). It's gonna be turned off now cause it's caused too many problems aside from this (had a few problems with it and ghost).
Last edited by adamf; 7th February 2008 at 10:29 PM.
Might seem really obvious but I've found it can be helpful to check - make sure your DNS addresses for the network connection point to the correct DNS server (try specifying the absolute DNS IP instead of getting it automatically as well). If that's all fine, you can do as you suggested yourself; take the computer off of the domain and then see if it can connect again (if it's a DNS issue it may not find the domain after you take it off though.)
Best Regards,
Last edited by DarkLight; 7th February 2008 at 10:36 PM.
That was my only concern, about it not being able to rejoin. The DNS addresses are correct (as set by the server options in DHCP) and the A records exist on all 3 DNS servers.
You'll have to find and solve the issue if the computer is on the domain or otherwise, so trying to rejoin the domain isn't a bad option even it can't instantly rejoin. It may help you to see what error there is when connecting - if there is one.
Best Regards,
Edit : Do you know if the problems are related to specific policies, and have you looked at the resultant set of policy (rsop.msc) to see what is applied to the machine?
Last edited by DarkLight; 7th February 2008 at 10:54 PM.
Sounds odd, but have you tried it on a different port ? [ a port from a known working PC which is getting its policy updates ok ]
You could try giving the client a static IP address.....
Move the client to a different OU - [ different policy ] then back again - also may be worth running filemon / regmon whilst running a GPupdate to see whats happening. Will be interesting to see a set of event logs too.....
I've post this before, in many cases I have found the reverse dns to be the problem if you have one.
Check the reverse lookup zones in your DNS. Are there multiple entries for the same IP/Hostname?
GP relies on DNS for resolution if IP is the only protocol (who uses anything else).
You must be able to ping by hostname and ping -a xxx.xxx.xxx.xxx by IP from the DC to client.
If you use the windows firewall make sure the policy allows remote management and whatever other services you need eg. ping.
I have often found if you fix the reverse dns issues the GP's suddenly work.
Just to let you all know removing the machine from the domain and rejoining fixed the problem although the cause is still unknown.
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
LinkBack URL
About LinkBacks
