GPMC - Windows Firewall with Advanced Security - When editing uses different DC than chosen.


  • I just noticed this, and am not sure if this intended behavior or not, although it would be strange if it was.

    We have 2 x 2008 R2 Domain Controllers. 1 at each site.

    Let's say

    DC01 - PDC - Site 1

    DC02 - Site 2 (not a RODC) I'm at this site.

    I open Group Policy Management and change the Domain Controller it is connected to, to the local Domain Controller DC02, which is not the PDC. Then I create a new GPO, edit it, noticing again that at the top it lists the name of the GPO and the correct local domain controller (DC02) I chose to edit. Then I edit the GPO and go to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security. Expanding this and clicking on Windows Firewall with Advanced Security - LDAP://CN={GUID} etc... gives me an error, "There is no such object on the server".

    The apparent reason is that it is looking for the GPO GUID on the DC01\SYSVOL, but of course that GPO folder GUID hasn't been replicated yet, so it can't be edited. If I wait until DC02 and DC01 sync, then I can successfully edit the Firewall Settings, but it's extremely slow (because it's actually editing DC01 at the other site), and when I save it, the settings appear at DC01, not DC02.

    It appears that most (all?) other settings work fine; it's just the Windows Firewall with Advanced Security that is somehow navigating to the wrong SYSVOL. My theory is that the DNS is messed up so that it goes to the wrong SYSVOL, but I haven't been able to nail anything down.

    Any ideas? Things that I can check or narrow down the issue? Any help greatly appreciated.

    DCDIAG /c /e passes all tests except NCSecDesc as expected.

    No errors in Event Viewer, including FRS and GP.

    Friday, July 29, 2016 6:36 PM
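As an added diagnostic (example code written for this page, not from the thread), the following PowerShell reads the new GPO from the DC it was created on, prints the gPCFileSysPath that the editor snap-ins follow, and then checks every domain controller for both halves of the GPO: the AD object and the SYSVOL policy folder. The GPO name and DC02 are placeholders, and it assumes the RSAT GroupPolicy and ActiveDirectory modules are installed.

```powershell
# Added diagnostic (not from the thread). Assumes RSAT GroupPolicy and
# ActiveDirectory modules and a GPO created while GPMC was pointed at DC02.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName  = 'Test Firewall GPO'   # placeholder: the GPO you just created
$SourceDc = 'DC02'                # placeholder: the DC GPMC was switched to

# Read the GPO from the DC it was created on, so the lookup does not fail
# before AD replication has carried the object to the other DC.
$gpo    = Get-GPO -Name $GpoName -Server $SourceDc
$guid   = '{' + $gpo.Id.ToString().ToUpper() + '}'
$domain = (Get-ADDomain -Server $SourceDc).DNSRoot

# gPCFileSysPath is the SYSVOL location stored on the GPO object. It normally
# names the domain (\\domain\SysVol\...), not the DC selected in GPMC, so the
# server that actually answers that path is chosen by DNS/DFS, not by GPMC.
$adObj = Get-ADObject -Server $SourceDc -Identity $gpo.Path -Properties gPCFileSysPath
'GPO {0} -> {1}' -f $guid, $adObj.gPCFileSysPath

# For each DC report whether the AD object (replicated by AD DS) and the
# SYSVOL folder (replicated by FRS/DFSR) have arrived. A DC showing
# AdObject=True but SysvolDir=False is the state that produces
# "There is no such object on the server" in the firewall snap-in.
foreach ($dc in Get-ADDomainController -Filter * -Server $SourceDc) {
    $dcHost = $dc.HostName
    $inAd = $false
    try {
        $null = Get-ADObject -Server $dcHost -Identity $gpo.Path -ErrorAction Stop
        $inAd = $true
    } catch { }
    $sysvolPath = "\\$dcHost\SYSVOL\$domain\Policies\$guid"
    $inSysvol   = Test-Path -LiteralPath $sysvolPath
    [pscustomobject]@{
        DC        = $dcHost
        Site      = $dc.Site
        AdObject  = $inAd
        SysvolDir = $inSysvol
        Path      = $sysvolPath
    }
}
```

Run it immediately after creating the GPO and again after the DC01/DC02 sync; comparing the two runs shows whether the error tracks SYSVOL replication lag rather than a DNS fault.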


