laptops connect at work but not at home?

[Ace Fekay [MVP]]

In

Ok, just ran GPMC's Group Policy Results wizard on one of the laptops
that hasnt even been connected at home yet. The only DNS-related
thing (which I did set) was Dynamic Update set as enabled. Its
status has not proven to have any effect on all this.

That's it? Just remove the link and completely delete the GPO and recreate a
new one from scratch for whatever other settings you are controlling. I
wouldn't even know why you are controlling DNS behavior with GPOs since that
is default with client PCs anyway, that is newer than Win2000. Any
compelling reason to control this behavior with a GPO?

Ace

 

[Guest]

That's it? Just remove the link and completely delete the GPO and recreate a

new one from scratch for whatever other settings you are controlling. I
wouldn't even know why you are controlling DNS behavior with GPOs since that
is default with client PCs anyway, that is newer than Win2000. Any
compelling reason to control this behavior with a GPO?

no reason. didnt know the clients did that - maybe shoulda guessed though.
i'll remove that setting too. sure, i could wipe the GPO out and start
fresh. of course, i wont know if it works until someone either brings in
their laptop or takes it home (one that hasnt been fixed of course)!

btw, i've tried to copy one GPO to another OU and rename it, but then the
original gets renamed too. it'd be nice to copy over one of the other GPOs,
rename it, and remove the DNS-related stuff. how do i do that?

 

[Kevin D. Goodknecht Sr. [MVP]]

btw, i've tried to copy one GPO to another OU and rename it, but then
the original gets renamed too. it'd be nice to copy over one of the
other GPOs, rename it, and remove the DNS-related stuff. how do i do
that?

You can't do this, in the console when you see the list of GPOs? These are
just links the actual GPO has a very long globally unique identifier and are
in the \\DNSADDomain\SYSVOL\DNSADDomain\policies DFS share. Do not modify
these unless you know exactly what you are doing.
You can have the same GPO linked to several different OUs.

 

[Guest]

You can't do this,

ah.

ok, shifting focus slightly, we have another GPO that does contain internal
DNS server settings for an OU containing desktop workstations at our office.
so theyre not going anywhere, like the laptops do! anyway, they dont seem to
take on the internal DNS servers in TCP/IP properties as they should. seems
that it should be grayed-out with those DNS servers set, but it's not. you
can click in 'em and change, which is not the goal. ipconfig /all displays
'incorrect' info (the same what's set in TCP/IP Properties), but the
'correct' info are in the same same Registry keys that the laptops had:
HKLM\software\policies\microsoft\windowsNT\DNSclient. these PCs of course
have static TCP/IP info and most are used by local Admins. to explain it
another way, i'd like the GPO to set static DNS servers and the static IP
addresses to be set locally. is that possible? or would it just be worth my
while/time to reset the DNS settings manually on each PC?

 

[Ace Fekay [MVP]]

In

no reason. didnt know the clients did that - maybe shoulda guessed
though. i'll remove that setting too. sure, i could wipe the GPO out
and start fresh. of course, i wont know if it works until someone
either brings in their laptop or takes it home (one that hasnt been
fixed of course)!

btw, i've tried to copy one GPO to another OU and rename it, but then
the original gets renamed too. it'd be nice to copy over one of the
other GPOs, rename it, and remove the DNS-related stuff. how do i do
that?

Just as Kevin said, they are just links to the GPO itself. If you look
further down in the GPMC, you will see a container called Group Policy
Objects. These are all the GPOs created in the domain. If you delete one
from an OU, it just removes the link. That is why when you rename a link, it
renames the actual GPO. Just delete the actual GPO under that container and
create a new one.

As for default dynamic update behavior, here are some links to read up on:

816592 - HOW TO Configure DNS Dynamic Update in Windows 2003:
http://support.microsoft.com/?id=816592

317590 - HOW TO Configure DNS Dynamic Update in Windows 2000, [How it
relates to Pri DNS Suffix and Append parent Suffix. Also DNSUpdateProxy
Group]:
http://support.microsoft.com/?id=317590

Basically, as long as the client is newer than Win2000, the Primary DNS
Suffix, or any of your suffixes are set to the zone to update into, and the
DNS addresses on the clients IP properties are set ONLY to the internal DNS
servers hosting the AD zone name or have a reference to the SOA of the zone,
will it work. Also when DHCP is used, it will be based on the above default
behavior. You can also force DHCP to upate for your clients, especially for
legacy and non-Windows clients. No need to control this thru GPOs, which
just complicates things (as you've seen).

Ace

 

[Ace Fekay [MVP]]

In

ah.

ok, shifting focus slightly, we have another GPO that does contain
internal DNS server settings for an OU containing desktop
workstations at our office. so theyre not going anywhere, like the
laptops do! anyway, they dont seem to take on the internal DNS
servers in TCP/IP properties as they should. seems that it should be
grayed-out with those DNS servers set, but it's not. you can click
in 'em and change, which is not the goal. ipconfig /all displays
'incorrect' info (the same what's set in TCP/IP Properties), but the
'correct' info are in the same same Registry keys that the laptops
had: HKLM\software\policies\microsoft\windowsNT\DNSclient. these PCs
of course have static TCP/IP info and most are used by local Admins.
to explain it another way, i'd like the GPO to set static DNS servers
and the static IP addresses to be set locally. is that possible? or
would it just be worth my while/time to reset the DNS settings
manually on each PC?

Dude, you are complicating things for yourself. DHCP is a wonderful tool and
works hand in hand with dynamic updates using Option 081 (under DHCP
properties, DNS tab). Keeping users as just Domain Users will also keep them
from changing settings. Read my other post about dynamic updates.

Ace

 

[Kevin D. Goodknecht Sr. [MVP]]

ah.

ok, shifting focus slightly, we have another GPO that does contain
internal DNS server settings for an OU containing desktop
workstations at our office. so theyre not going anywhere, like the
laptops do! anyway, they dont seem to take on the internal DNS
servers in TCP/IP properties as they should. seems that it should be
grayed-out with those DNS servers set, but it's not. you can click
in 'em and change, which is not the goal. ipconfig /all displays
'incorrect' info (the same what's set in TCP/IP Properties), but the
'correct' info are in the same same Registry keys that the laptops
had: HKLM\software\policies\microsoft\windowsNT\DNSclient. these PCs
of course have static TCP/IP info and most are used by local Admins.
to explain it another way, i'd like the GPO to set static DNS servers
and the static IP addresses to be set locally. is that possible? or
would it just be worth my while/time to reset the DNS settings
manually on each PC?

With Dynamic DNS registration there is little need for a static IP address
in AD except for DNS, DHCP, SMTP or POP3 servers. DCs don't even need a
static IP unless they host one of those services. As for as that goes, DHCP
can assign a static IP based on a MAC address.

As for users changing the DNS servers in TCP/IP properties, users should not
be local administrators either. For the Applications that require
Administrative rights you should use the run as feature. Using the run as
feature allows the application to run under an Administrator account, while
not exposing the machine to things like viruses and worms, which use the
logged on user account for the damage they do. This is the way I set up my
kid's computers and believe me it has sure saved me some major headaches.

 

[Guest]

thanks for all your help. when some of these laptops either come in or go
out, we'll all what happens. in the meantime, i'm removing all DNS-related
stuff from GPOs and setting stuff manually as needed from the PCs themselves.
not TOO many, so not a big deal.

 

[Ace Fekay [MVP]]

In

thanks for all your help. when some of these laptops either come in
or go out, we'll all what happens. in the meantime, i'm removing all
DNS-related stuff from GPOs and setting stuff manually as needed from
the PCs themselves. not TOO many, so not a big deal.

Why not use DHCP?

Ace

 

[Guest]

Why not use DHCP?

ah, yes. well, i wanted to set as many as static IP as i could for
tracking, monitoring, some administrative tasks. and i know i could just
reserve specific IP addresses for specific PCs in Windows' DHCP server
service. however, and maybe i shouldve mentioned this before but didnt think
it mattered here, i'm not using a Windows-based server as the DHCP server.
i'm using a firewall appliance that has a DHCP server feature. but i might
consider it soon!

 

[Ace Fekay [MVP]]

In

ah, yes. well, i wanted to set as many as static IP as i could for
tracking, monitoring, some administrative tasks. and i know i could
just reserve specific IP addresses for specific PCs in Windows' DHCP
server service. however, and maybe i shouldve mentioned this before
but didnt think it mattered here, i'm not using a Windows-based
server as the DHCP server. i'm using a firewall appliance that has a
DHCP server feature. but i might consider it soon!

I see. Windows DHCP works hand in hand with dynamic registration by the way.
The firewall appliance probably doesn't support Option 081, hence probably
why you were having problems with dynamic registration? Or at least it may
have been contributing to it. We usually recommend getting away from a
firewall's DHCP service because of this lack of functionality.

Ace