
Let me preface this by saying that I'm by no means a trained sysadmin but rather, shall we say, learning on the go. Apologies if the answer to my questions is obvious but I couldn't find an exact answer by Google/Serverfault search.

So I'm in charge of managing about 200 Windows computers where I work, and I recently learned about this thing, Active Directory, to easily effect changes on all computers, which is just great. So I set up the domain controller and found a .vbs script to join computers to the domain. Perfect.

Except the GPOs I set are not being pushed down to the computers. I tried running "gpupdate /force" on a computer and it shows the following error:

The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.

User Policy update has completed successfully.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

I looked around some more and it seems that when I point the DNS of the clients to the domain controller, the updates go through (running nslookup {domain.com} returns a non-authoritative answer). Now, it could be that pointing the DNS to the DC is mandatory in AD. But I never saw this mentioned in any of the tutorials I found, which is really weird. So is it really required? (This is the closest answer I found to this, which seems to suggest yes, but is there truly no other way? Can't I possibly return an authoritative answer to nslookup?)

If it is required, any way I can update the DNS of all the computers in the domain without physically going to each computer?

This also raises another issue. What if I, for some reason, have to change the current IP of the DC? Do I then need to update the DNS again on every computer?

Thanks for your time and looking forward to your advice.

Manoj Jain
  • I might be missing the point, but GPOs are deployed to the computers already members of the domain; so you cannot push a GPO to computers out of the domain so they join it, you would need to run that manually. – curropar Nov 10 '17 at 00:00

2 Answers


One of my favorites: "DNS is the answer, the question doesn't matter".

Group Policies are stored in the FQDN\Sysvol\FQDN\Policies folder - if you can't resolve your FQDN from your DNS solution, GPO processing will fail.

An Active Directory domain needs DNS; it doesn't have to be AD Integrated DNS (installing the DNS server role on the Domain Controller), but it is easier to administer. If you do this, you can point all your domain computers to the Domain Controller for DNS and be done.

The Domain Controller should have a single static IP; this is listed as a best practice, and typically all servers, due to their nature of being online to service requests, use static IPs. With this in mind, IPs shouldn't be changing. If the IP does change, there are tons of scripts for programmatically changing member computer DNS server IPs; do a search.

How does the computer join vbs script work? It needs DNS to resolve the domain name to join. Provided the script works, the computer is already pointing to a DNS server that points to the domain, and Group Policy processing should be fine. Warning: you may get a "successful" join without actually joining, thanks to Microsoft's genius decision to incorporate "offline domain join" to reduce the appearance of errors. The best way to test this is to log in with an actual domain account. If you get an error along the lines of 'the domain is not reachable', then you probably still have a DNS issue.

spacenomyous
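The checks the answer above describes (is the client using AD-aware DNS, can it locate a DC, was the join real or an "offline" one) can be run from an elevated PowerShell prompt on a suspect workstation. This is an added example, not code from the answer; the domain name `corp.example.com` is a placeholder to replace with your own.

```powershell
# Added example: verify the DNS prerequisites Group Policy processing needs.
# Run in an elevated PowerShell on a workstation that should be domain-joined.
$Domain = "corp.example.com"   # placeholder; use your AD domain's FQDN

# 1. Which DNS servers is this client actually configured to use?
#    If these are your ISP's or a public resolver, GPO processing will fail.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# 2. Can the client find a domain controller via the DC locator SRV record?
#    gpupdate and the logon process depend on this record; a public DNS
#    server returns nothing useful for it.
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
    $srv | Where-Object Type -eq 'SRV' |
        Format-Table NameTarget, Port, Priority, Weight -AutoSize
} catch {
    Write-Warning "No DC locator SRV record for $Domain; this client is not using AD-aware DNS."
}

# 3. Is the machine really joined? An offline join can leave the computer
#    account without a working secure channel to any DC.
if (Test-ComputerSecureChannel) {
    Write-Host "Secure channel to the domain is healthy."
} else {
    Write-Warning "Secure channel is broken or was never established. Fix DNS first, then run: Test-ComputerSecureChannel -Repair -Credential (Get-Credential)"
}

# 4. Ask the DC locator service directly (available on every Windows version).
nltest /dsgetdc:$Domain
```

If step 1 shows a non-AD resolver, step 2 will fail and step 3 will usually report a broken channel; fixing the resolver and re-running the script is the quickest way to confirm that the "successful" join the script reported was real.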

Short answer to "do you need DNS pointing to Domain Controller for GPO to work" is yes. spacenomyous has the answer up there.

I'm guessing that if you're new to AD and DNS, you may also be new to DHCP, which will dynamically grant IP addresses and associated settings to clients. You can add that role to the DC (or other server), and then point your clients to use DHCP to update the network settings, including DNS entries to have them all point to internal DNS.

If you absolutely must set them on each computer, then you should be learning some PowerShell scripting to automate it. If you can do a .vbs script, then you can look at the following link to figure out how to update the clients:

https://www.pdq.com/blog/using-powershell-to-set-static-and-dhcp-ip-addresses-part-1/

CC.
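For the "I must set it on each computer" case, this added example (not from the answer or the linked article) pushes the DC's DNS address to every enabled computer account in an OU over PowerShell remoting. It assumes RSAT's ActiveDirectory module on the admin machine, WinRM enabled on the clients, and placeholder values for the DC IP (`192.0.2.10`) and the OU distinguished name.

```powershell
# Added example: point every enabled domain computer in an OU at the DC for DNS.
# Run from an elevated PowerShell on a machine with the ActiveDirectory module.
$DcDnsServers = @("192.0.2.10")                              # placeholder: your DC's static IP
$SearchBase   = "OU=Workstations,DC=corp,DC=example,DC=com"  # placeholder: OU to target

Import-Module ActiveDirectory

# Only enabled computer accounts; disabled or stale objects are skipped.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
             Select-Object -ExpandProperty Name

$results = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    param([string[]]$Servers)
    $changed = @()
    # Touch only adapters that are up, and only when the setting actually differs,
    # so re-running the script is harmless.
    foreach ($nic in (Get-NetAdapter | Where-Object Status -eq 'Up')) {
        $current = (Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4).ServerAddresses
        if (($current -join ',') -ne ($Servers -join ',')) {
            Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $Servers
            $changed += $nic.Name
        }
    }
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Changed  = if ($changed) { $changed -join ',' } else { '(already correct)' }
    }
} -ArgumentList (,$DcDnsServers)

$results | Format-Table Computer, Changed -AutoSize

# Machines that returned nothing were offline, had WinRM off, or could not be
# resolved by name (a client whose DNS is still wrong is often also not registered
# in your DNS zone). Handle these separately, e.g. by IP from your inventory.
$missed = $computers | Where-Object { $_ -notin $results.PSComputerName }
if ($missed) { Write-Warning "Not updated: $($missed -join ', ')" }
```

As the answer says, DHCP is the better fix: if clients get their addresses from a DHCP scope, a single `Set-DhcpServerv4OptionValue -ScopeId <scope> -DnsServer <DC IP>` on the DHCP server changes every client at its next lease renewal, and a later DC IP change is again one edit rather than 200.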