applied GPO not change the setting

All replies

  • Hi,
     
    Is the old server still on the network and visible?
     
    >>Sure the old name appears.

    >>And "sits" in registry.
     
    You mean the entry under HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate has the old server name listed?
     

    Regards,

    Ethan Hua


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Wednesday, September 2, 2015 8:47 AM
    Moderator
  • Hi,

    Have you attempted a gpupdate /force? Did you create a new GPO for the WSUS setting or just change the setting in the existing GPO?

    Do you have multiple DCs? If so, I would also check by running CMD and typing: ECHO %LOGONSERVER%

    After running that, I would connect to the server and check the Group Policy has synchronized between domain controllers correctly.

    Then run rsop.msc, which can be run from Start -> Run or Windows Key + R.

    Once this has completed, right-click on Computer Configuration and select Properties.
    Now select the checkbox next to 'Display all GPOs and filtering status'. Make sure your GPO is within the list and its status is Applied.

    Let me know how you get on with the above steps.

    Regards,
    Adam

    Wednesday, September 2, 2015 9:14 AM
  • Ethan,

    > Is the old server still on the network and visible?

    It is down from the moment that the name and port of the new server were changed in the existing GPO.

    The network adapter is disabled to be sure that this server cannot be connected to the LAN.

    > You mean the entry under HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate has the old server name listed?

    Exactly.

    Found that 7 DCs out of 16 have not checked in to the new WSUS. What is strange is that the same GPO is applied to the Servers OU, and there is no problem.

    In my initial post you can see that in Resultant the GPO shows winning. Should mean really applied I guess?

    But the entry shows old name.

    Looks like a simple lack of sync between DCs. On the other hand, the same GPO is applied to the other OU...

    will check more...

    Any ideas ?

    Thx.


    --- When you hit a wrong note it's the next note that makes it good or bad. --- Miles Davis

    Wednesday, September 2, 2015 3:14 PM
  • I am back to GPO problem. Have time to take a closer look...

    the situation becomes even more "interesting"

    as mentioned, 7 out of 16 DCs are not checked in to new WSUS.

    The "simple" sync question is out of picture.

    I connected to one of DCs that has failed WSUS updates and checked WSUS GPO on it.

    I was sure that it would show the old name, theoretically blaming sync, before starting to troubleshoot in this direction...

    Surprisingly, the new WSUS name with the port is in place...

    Next, I ran the Group Policy Result Wizard on the DC in question against itself. And it showed the WRONG (old) name.

    That allowed me to conclude that the problem is really related to GPO application on the server itself.

    The GPO was changed a week ago.

    For fun I restarted the server. It didn't help with correct policy application. It is still winning, no errors, but the server name stays on the old one.

    Desperately :), I ran GPUPDATE /force...

    Ta-da! It immediately worked.

    The question:

    What is going ON? I could understand if it was on one machine but why on 7 out of 16.

    Thx.




    Thursday, September 3, 2015 1:15 PM
  • This may just be some replication/refresh issue. The GPO is not getting refreshed on some DCs, probably due to some policy history on the machine.

    Friday, September 4, 2015 2:30 AM
  • Hi,
     
    Thanks for the update. First it's good to hear that you are unblocked now.
     
    There are situations where the computer's registry might need to be refreshed, even though the GPO is listed. I was about to suggest that you delete the Group Policy history on the faulty DCs, so that the machine is not aware of any GPOs that have been applied previously.
     
    (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\History)
     
    Another way to force a registry refresh is to use the Gpupdate /force command. It's always a good idea to run the Gpupdate /force command every time you apply/update a GPO.
     

    Regards,

    Ethan Hua



    Friday, September 4, 2015 2:44 AM
    Moderator
  • Ethan,

    In the case of 7 DCs, there is no problem running gpupdate /force. They are in one OU and there are not so many, so it is easy to see what is not in WSUS.

    But the server name for another GPO related to workstations was changed too. Hundreds of them are checked in to WSUS like some DCs. How can I be sure that all of them got the GPO change?

    I guess that policy update mechanism should work and should be equal to FORCE.



    Friday, September 4, 2015 2:11 PM
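
One way to answer the last question at scale, as an added example that is not part of any reply in this thread: read the value each machine actually holds under the WindowsUpdate policy key named above and compare it with the new server URL, instead of trusting that the GPO shows as winning. The server URLs, OU path and computer names are placeholders; `WUServer` is the standard value name under that key, which the thread does not spell out.

```powershell
# Added example. Server URLs, OU path and computer names are placeholders.
$ExpectedWsus = 'http://new-wsus.example.local:8530'
$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WsusPolicyRecord {
    # Live collection: read the WUServer value each machine really holds.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    $icm  = @{ ComputerName = $ComputerName; ArgumentList = $PolicyKey; ErrorAction = 'SilentlyContinue' }
    $seen = @(Invoke-Command @icm -ScriptBlock {
        param($key)
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{ WUServer = $p.WUServer }
    })
    $seen | Select-Object @{n='ComputerName';e={$_.PSComputerName}}, WUServer, @{n='Unreachable';e={$false}}
    # Machines that returned nothing are reported too, not silently dropped.
    $ComputerName | Where-Object { $_ -notin $seen.PSComputerName } | ForEach-Object {
        [pscustomobject]@{ ComputerName = $_; WUServer = $null; Unreachable = $true }
    }
}

function Get-WsusPolicyDrift {
    # Pure classification, so it also works on exported or constructed records.
    param([Parameter(Mandatory)][object[]]$Record, [Parameter(Mandatory)][string]$Expected)
    foreach ($r in $Record) {
        $state = 'Stale'                      # value present but not the expected URL
        if ($r.Unreachable) { $state = 'Unreachable' }
        elseif (-not $r.WUServer) { $state = 'NoPolicyValue' }
        elseif ($r.WUServer.TrimEnd('/') -ieq $Expected.TrimEnd('/')) { $state = 'Current' }
        [pscustomobject]@{ ComputerName = $r.ComputerName; WUServer = $r.WUServer; State = $state }
    }
}

# Constructed sample records (not from the thread) to show the classification offline.
$sample = @(
    [pscustomobject]@{ ComputerName = 'DC01';  WUServer = 'http://new-wsus.example.local:8530' }
    [pscustomobject]@{ ComputerName = 'DC02';  WUServer = 'http://old-wsus.example.local:8530' }
    [pscustomobject]@{ ComputerName = 'WS117'; WUServer = $null }
    [pscustomobject]@{ ComputerName = 'WS240'; WUServer = $null; Unreachable = $true }
)
Get-WsusPolicyDrift -Record $sample -Expected $ExpectedWsus | Format-Table -AutoSize

# Live use (needs PowerShell remoting plus the ActiveDirectory and GroupPolicy modules):
# $names = (Get-ADComputer -Filter * -SearchBase 'OU=Workstations,DC=example,DC=local').Name
# $drift = Get-WsusPolicyDrift -Record (Get-WsusPolicyRecord $names) -Expected $ExpectedWsus
# $drift | Where-Object State -eq 'Stale' |
#     ForEach-Object { Invoke-GPUpdate -Computer $_.ComputerName -Target Computer -Force -RandomDelayInMinutes 0 }
```

Machines in the `Stale` or `Unreachable` state are the ones not receiving updates from the new server, so that list is also the patch-coverage gap to track until it is empty.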