Some clients going to the Protected DP and others (w/ same IP range) are not
I have a handful of computers (20 out of 345) at a location that are not communicating with the local protected DP. All DP’s in our site are protected via IP Range except one DP that is a standard DP at the corporate office. I have double, triple and quadruple checked the IP’s of the machines in question and the IP ranges of the DP at this site and everything appears to be correct. When checking the locationservices.log, the last check for DP’s was on 10/28. I have performed a “machine policy retrieval & evaluation cycle” on a few of these computers, but no change.
Here are my questions:
1) Why would some of the computers at a location not contact the local protected DP and other computers that fall into the same IP range will?
2) Other than a “machine policy retrieval & evaluation cycle” is there a way to force policy on a client?
3) Is there a log or a way to tell if a computer is communicating properly with the MP?
4) Is there a way to tell which DP’s are first, second, etc (even though all of DP’s are protected but one, this is just knowledge for future sites).
Thanks in advance
All Replies
- 1.) I can't think of any reason this would be happening but it's exactly why I never have any unprotected DP's
2.) You could use the right click tools and force a policy reset.
3.) Check locationservices and clientlocation logs
4.) Not that I am aware of.
John Marcum | http://www.TrueSec.com/en/Training.htm | http://myitforum.com/cs2/blogs/jmarcum
- 1) Would you suggest we protect all DP's in the environment, if so why?
2) Tried that.
- Do you have overlapping Boundaries? Is the content available on all DP's?
Also take a look at this article: http://technet.microsoft.com/en-us/library/bb632366.aspx
My Blog: http://www.petervanderwoude.nl/
- DPs are protected to make sure that only clients within defined boundaries are allowed to use them. You can prevent clients using a DP across the WAN that way. The downside is: there's no "fallback DP" if all DPs are protected.
Marked As Answer by Eric C. Mattoon, MSFT, Moderator, Friday, November 06, 2009 3:56 PM
- Would I recommend it? No, not in a forum post without seeing your environment. Would I likely recommend it if I were on-site acting as a consultant? Probably so. There's other things to take into consideration such as BDP's etc etc. As Torsten said it will keep clients from falling back to the unprotected DP but the downside is you have to be sure all clients are covered by a DP.
John Marcum | http://www.TrueSec.com/en/Training.htm | http://myitforum.com/cs2/blogs/jmarcum
Marked As Answer by Eric C. Mattoon, MSFT, Moderator, Friday, November 06, 2009 3:56 PM
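Added example (not posted by anyone in this thread): a Python check for the overlapping-boundaries question and the "clients must be covered by a DP" caveat raised above. It takes IP-range boundaries per protected DP plus client addresses and reports ranges shared by two DPs and clients that fall in no range. All DP names, ranges and client IPs are constructed placeholders.

```python
import ipaddress

# Constructed sample data: DP names, ranges and client IPs are hypothetical.
PROTECTED_DPS = {
    "DP-SITE-A": [("10.10.0.1", "10.10.1.254")],
    "DP-SITE-B": [("10.10.1.200", "10.10.3.254")],  # overlaps DP-SITE-A
}
CLIENTS = {"PC-001": "10.10.0.25", "PC-002": "10.10.1.220", "PC-003": "10.10.4.7"}


def to_int_ranges(ranges):
    """Convert (start, end) dotted strings to inclusive integer pairs."""
    out = []
    for start, end in ranges:
        lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
        if lo > hi:
            raise ValueError(f"range start is after range end: {start}-{end}")
        out.append((lo, hi))
    return out


def dps_for_client(ip, dps=PROTECTED_DPS):
    """Return the sorted protected DPs whose IP ranges contain this address."""
    addr = int(ipaddress.IPv4Address(ip))
    return sorted(name for name, ranges in dps.items()
                  if any(lo <= addr <= hi for lo, hi in to_int_ranges(ranges)))


def overlapping_ranges(dps=PROTECTED_DPS):
    """Return (dp_a, dp_b, first_ip, last_ip) for each overlap between two DPs."""
    flat = [(n, lo, hi) for n, r in dps.items() for lo, hi in to_int_ranges(r)]
    hits = []
    for i, (a, alo, ahi) in enumerate(flat):
        for b, blo, bhi in flat[i + 1:]:
            lo, hi = max(alo, blo), min(ahi, bhi)
            if a != b and lo <= hi:
                hits.append((a, b, str(ipaddress.IPv4Address(lo)),
                             str(ipaddress.IPv4Address(hi))))
    return hits


def classify(clients=CLIENTS, dps=PROTECTED_DPS):
    """Map each client to its single matching DP, 'overlap' or 'uncovered'."""
    result = {}
    for name, ip in clients.items():
        match = dps_for_client(ip, dps)
        result[name] = match[0] if len(match) == 1 else ("overlap" if match else "uncovered")
    return result
```

Feed it the address each client actually reports, since a stale or secondary adapter address can put a machine outside the range it appears to belong to.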

