Home Domain. Need Help!

[Shylidi]

Alright guys. Here's what's going on.

 

I set up a Windows Active Directory environment to handle all the machines in my home. I have about 20 machines so authenticating against a Domain Controller is preferable to separate credentials on each machine.

 

Neither here nor there, that functionality works fine! But my GPOs do not propagate through the network. I suspect this is because of DNS.

 

I don't know how to set my pfsense router to direct all DNS requests to the DC, and I am fairly certain my DC isn't setup to handle DNS properly.

 

I have too manually direct the NICs of the machines to the DC in order to join the domain. I would like it if it would work without manual configuration.

 

I don't even know what info to post to help diagnose the issue, but any help would be appreciated! Hopefully we can get this figured out so I can rejoin my wife's devices to the domain. (She was frustrated that group policies blocked her Windows Hello sign in.)

 

If I can get this working and GPOs would work I would be a very happy man!

 

Thanks in Advance!

[LAwLz]

7 minutes ago, Shylidi said:

I don't know how to set my pfsense router to direct all DNS requests to the DC

You do this in the DHCP settings.

 

7 minutes ago, Shylidi said:

I am fairly certain my DC isn't setup to handle DNS properly.

Have you installed the DNS role?

 

 

I am not entirely sure GPOs need a DNS though. The machines can join the domain just fine, right? So if the joining and authentication doesn't need the DNS, then I don't see why GPOs would need it.

Are you sure you're applying the GPOs to the right OU, and have you run gpupdate afterwards (on the client)?

[MACE529]

I hope I remember to re-post on here when I wake up... Would love to put some additions to this post, but i'm too tired right now. 

Lets keep this tab open until I get home from work!

 

<brbafk>

[Shylidi]

7 hours ago, LAwLz said:

You do this in the DHCP settings.

 

Have you installed the DNS role?

 

 

I am not entirely sure GPOs need a DNS though. The machines can join the domain just fine, right? So if the joining and authentication doesn't need the DNS, then I don't see why GPOs would need it.

Are you sure you're applying the GPOs to the right OU, and have you run gpupdate afterwards (on the client)?

I set it up under general settings. But when a machine connects to the network without manual configuration it says:

 

If the client does not log in within 30 seconds, they receive the following message:
"Windows cannot connect to the domain, either because the domain controller is down or otherwise unavailable, or because your computer account was not found."

Then later in the message it claims the computer is configured to pull DNS from 8.8.8.8 (googledns)

 

Not sure why that is happening.

 

Okay, so I have several mobile machines which if I have to set the DNS pointer to the server in Network Settings work fine. But if I take them to work, I am on a network with several layers of security, and the DNS will not work, and I have to change the settings back to default. I currently have to manually change the DNS pointer in Network Settings. If I set it up like the screenshot, I can connect to the domain (but I still don't get any GPOs.

 

I know how to set OU's and apply GPOs to the proper objects at work, so I think I'm doing it right in this case. (Who knows, I may be doing it wrong.)

 

Thanks for the reply!

[Ithanul]

This might have some useful info for you:  http://techgenix.com/Top-10-Reasons-Why-Group-Policy-Fails-to-Apply-Part1/

[LAwLz]

54 minutes ago, Shylidi said:

If the client does not log in within 30 seconds, they receive the following message:
"Windows cannot connect to the domain, either because the domain controller is down or otherwise unavailable, or because your computer account was not found."

Then later in the message it claims the computer is configured to pull DNS from 8.8.8.8 (googledns)

 

Not sure why that is happening.

Because you haven't configured your DHCP server properly. You need to change it so that it points clients to your Windows DNS and not 8.8.8.8.

Go into your DHCP settings and change it from 8.8.8.8 to whatever your Windows server's IP is.

 

56 minutes ago, Shylidi said:

I know how to set OU's and apply GPOs to the proper objects at work, so I think I'm doing it right in this case. (Who knows, I may be doing it wrong.)

Are you sure your account and/or computer object is a member of the OU, to which you have applied the GPO?

[Shylidi]

16 minutes ago, LAwLz said:

Because you haven't configured your DHCP server properly. You need to change it so that it points clients to your Windows DNS and not 8.8.8.8.

Go into your DHCP settings and change it from 8.8.8.8 to whatever your Windows server's IP is.

 

Are you sure your account and/or computer object is a member of the OU, to which you have applied the GPO?

Here's a screenshot from the pfsense router. The only DNS server is the windows DC.

 

I'm fairly certain I have the machines set up in the AD correctly. I can look into it later.

[LAwLz]

7 minutes ago, Shylidi said:

Here's a screenshot from the pfsense router. The only DNS server is the windows DC.

That's strange, but I still recommend you change it so that the DHCP points to your Windows server too.

You do that in the DHCP options.

[Shylidi]

There was a setting in there set to 8.8.8.8!

 

Awesome!

 

I am at church right now so, I can't test the GPOs but I will when I get home!

[Shylidi]

The machines see the domain with default ip settings!

 

PROGRESS

 

Now I'm going to look into GPO updating and let you know how that goes!

[Shylidi]

Okay, now GPOs are applying to the DC, and no where else.

 

The DC has it's network drives mounted and listed, while other machines are not picking up that GPO.

 

Any ideas?

[Shylidi]

50 minutes ago, LAwLz said:

That's strange, but I still recommend you change it so that the DHCP points to your Windows server too.

You do that in the DHCP options.

There was a setting in there set to 8.8.8.8!

 

Awesome!

The machines see the domain with default ip settings!

 

PROGRESS

Okay, now GPOs are applying to the DC, and no where else.

 

The DC has it's network drives mounted and listed, while other machines are not picking up that GPO.

 

Any ideas?