updating Domain members (policies and passwords) in Windows Server 2008

    Question

  • Hi pals,

    I have Active Directory installed on Windows Server 2008, and my domain members are using Windows 7.

    When I change a policy on my server, it takes about two days for the members of that GPO to be affected, and also when I change the password for a user, he/she can still log in with his/her old password for a period of time. I have used the "gpupdate /force" command on the domain members and also on the server, but it doesn't change anything.

    How can I force my clients to update their policy/password? In fact, how can I delete the settings cache on a client computer?

    I would appreciate it if you could answer.

    Sunday, April 15, 2012 12:59 PM

Answers

All replies

  • Hello,

    Please ensure that you use ONLY domain DNS servers on the clients' NICs and no others, like the ISP or router.

    Additionally, the password/account lockout policy must be configured at the domain level to be applied correctly.

    The normal GPO refresh interval is 90-120 minutes, or at least after a reboot or using the gpupdate commands, IF the DCs have replicated the settings.

    So did you check that all DCs are in sync with the repadmin command? http://blogs.technet.com/b/askds/archive/2009/07/01/getting-over-replmon.aspx


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Sunday, April 15, 2012 1:14 PM
  • Dear meinolf,

    I have set a few extra DNSs for the members, like an internet DNS, a local web hosting server and the DC server. What should I do after removing those extra DNSs? Because I have to configure them back to have all the previous features on my members.

    Also, I should mention that I had two servers in our company; I switched one of them off (to save energy costs) and instead set the main DNS of the members to the other DC, which is ON. Will it cause any problem?

    Thanks,

    Sunday, April 15, 2012 1:22 PM
  • Hello,

    To still have internet access you have to configure the FORWARDERS in the DNS server properties in the DNS management console on the DC/DNS server.

    After those changes, please run ipconfig /flushdns and ipconfig /registerdns, restart the netlogon service on the DCs and reboot the client machines.

    Also ensure the DCs ONLY use one enabled NIC with one IP address from the LAN.

    If you have more than one DC they MUST replicate to be in sync, at least within the tombstone lifetime, which is 60-180 days depending on the OS. Also the DC holding the FSMO roles and being a GC should always be available.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Sunday, April 15, 2012 1:32 PM
  • Hi,

    I would agree with Meinolf Weber about configuring the client DNS settings to point to the internal DNS server, and using forwarders in the DNS server to point to the external DNS servers.

    For more information, please refer to the following Microsoft TechNet articles:

    Understanding forwarders

    http://technet.microsoft.com/en-us/library/cc782142(v=WS.10).aspx

    Using forwarders

    http://technet.microsoft.com/en-us/library/cc757172(v=WS.10).aspx

    Best Practice Active Directory Design for Managing Windows Networks

    http://technet.microsoft.com/en-us/library/bb727085.aspx

    In addition, a password policy not blocking user logon can also be caused by cached credentials. You may disable them to check the result.

    For related information, please also refer to the following Microsoft KB article:

    Cached domain logon information

    http://support.microsoft.com/kb/172931

    Regards,


    Arthur Li

    TechNet Community Support

    Wednesday, April 18, 2012 11:53 AM
    Moderator
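The two client-side conditions raised in this thread (NICs pointing at non-domain DNS servers, and cached domain logons per KB 172931) can be checked with a short script. This is an added diagnostic, not code posted by anyone in the thread; it assumes a domain-joined Windows 8 / Server 2012 or later host with the DnsClient module (Resolve-DnsName is not available on the Windows 7 clients described), and takes the domain name from the local machine.

```powershell
# Added example, not from the thread. Assumes Windows 8 / Server 2012+ (DnsClient module).
$domain = (Get-WmiObject Win32_ComputerSystem).Domain

# 1. Which DNS servers does the domain advertise? The DC locator SRV record
#    _ldap._tcp.dc._msdcs.<domain> lists every DC; with AD-integrated DNS these
#    are the only resolvers a member NIC should be configured with.
$dcHosts = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object -ExpandProperty NameTarget -Unique
$dcAddresses = foreach ($h in $dcHosts) {
    Resolve-DnsName -Name $h -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } |
        Select-Object -ExpandProperty IPAddress
}

# 2. Compare with what the NICs are actually using (WMI class exists on Windows 7 too).
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True"
foreach ($nic in $nics) {
    if (-not $nic.DNSServerSearchOrder) { continue }
    foreach ($dns in $nic.DNSServerSearchOrder) {
        if ($dcAddresses -contains $dns) {
            Write-Output "OK      $($nic.Description): $dns is a domain DNS server"
        } else {
            # An ISP/router resolver here is the misconfiguration the replies point at:
            # DC locator lookups fail or go stale, so GPO and password changes lag.
            Write-Output "WARNING $($nic.Description): $dns is NOT a domain DNS server"
        }
    }
}

# 3. Cached domain logons (KB 172931). With the default of 10, a user can still sign in
#    with a password the DC has already changed whenever the client cannot reach a DC.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = '10' }   # value absent means the default applies
Write-Output "CachedLogonsCount = $cached (0 disables cached logons; default is 10)"

# Replication between DCs, the remaining item in the thread, is checked on a DC with:
#   repadmin /replsummary
```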