December 29, 2016 at 9:21 am #13824
We upgraded to 2012 DC’s back in February 2016, old 2003 DC’s were decommissioned.
I setup WSUS on a 2012 server back in June 2016 (previously was running WSUS on server 2003), all was running well – all desktops (Windows 7 Professional) were checking in to WSUS daily, PC’s were patched Monthly based on my GP rule.
I used the same group policies on the 2012 DC’s as was used on the 2003 DC’s.
Then —- about 30 days ago PC’s would randomly stop checking in to WSUS. It could be days, a week, then they would check in again.
I was able to visit a few desktops, when I run the command gpresult /v – I saw that problem computers were attempting to read GP off the old decommissioned DC’s !!
Somewhere – somehow —- computers try to read GP’s off my old decommissioned 2003 DC’s. And again — all was working well for about 5 month.
Can anyone help, why this may happen, and how to resolve/stop desktops from randomly trying to read group policies off old decommissioned DC’s?
BobDecember 30, 2016 at 9:00 am #13827
Have you checked that those workstations still have a good trust with the domain? It sounds like they are not actually communicating with current DCs but instead acting as if they have left the domain. Check that GP processing is actually occurring successfully by doing a gpupdate /force and then look at the GP Operational Log in the Event Viewer. Follow the events that occur during the processing cycle and see if GP processing is actually working for those machines.
You must be logged in to reply to this topic.
- Group Policy Storage Whitepaper Updated!
- Elevating AD Domain Access With Write Access on the Domain NC Head
- Performing a Denial of Service on AD–How Hard Is it Really?
- Protecting Active Directory–Making AD and Group Policy Less “Visible” to Attackers
- How To Think About Windows Group Policy–An Infrastructure Architect’s Take