Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

unable to apply group policy when server is in DMZ [message #160031] Sun, 16 August 2009 19:49
Vic1982
Hi
One of our servers in the DMZ is giving error messages in the event log

'Windows cannot query for the list of Group Policy objects. Check the event
log for possible messages previously logged by the policy engine that
describes the reason for this.'

'Windows cannot bind to YPG.LOCAL domain. (Invalid Credentials). Group
Policy processing aborted.'

I guess the firewall is blocking the traffic, any idea?
Re: unable to apply group policy when server is in DMZ [message #160032 is a reply to message #160031] Sun, 16 August 2009 23:19
meiweb(nospam), Germany
Hello Vic1982,

Is the server a DC?

Check the following documents:
http://support.microsoft.com/kb/555381

http://technet.microsoft.com/en-us/library/bb727063.aspx

http://support.microsoft.com/kb/179442/

http://technet.microsoft.com/en-us/library/bb125069(EXCHG.65).aspx

http://geekswithblogs.net/TSCustomiser/archive/2007/05/09/112357.aspx

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hi
> One of our server in DMZ is giving error messages in event log
> 'Windows cannot query for the list of Group Policy objects. Check the
> event log for possible messages previously logged by the policy engine
> that describes the reason for this.'
>
> 'Windows cannot bind to YPG.LOCAL domain. (Invalid Credentials). Group
> Policy processing aborted.'
>
> I guess the firewall is blocking the traffic, any idea?
>
Re: unable to apply group policy when server is in DMZ [message #160044 is a reply to message #160031] Mon, 17 August 2009 07:54
aceman, United States
"Vic1982" <Vic1982@discussions.microsoft.com> wrote in message
news:7150DE23-F7C6-46DC-8435-CB13B5D4AE89@microsoft.com...
> Hi
> One of our server in DMZ is giving error messages in event log
>
> 'Windows cannot query for the list of Group Policy objects. Check the
> event log for possible messages previously logged by the policy engine
> that describes the reason for this.'
>
> 'Windows cannot bind to YPG.LOCAL domain. (Invalid Credentials). Group
> Policy processing aborted.'
>
> I guess the firewall is blocking the traffic, any idea?
>
>
>


Is there a simple firewall between the DMZ and main network, or is it a NAT
device?

If NAT - Forget it. It won't work, unless you create a VPN from the machines
in the DMZ to the internal network. NAT cannot traverse domain
communications directly, because simply it cannot read the encrypted RPC
packets to translate them. That functionality will never be provided due to
security reasons.

If a simple firewall, it will work, but you need to open about 29 ports plus
the ephemeral Service response ports (UDP 1023+), which I refer to as
'swiss-cheesing your firewall.' If this is the scenario, you could control
access through the firewall between the outside machine and internal subnet
by using IPSec. The second and third links Meinolf provided explain both of
these scenarios.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum to benefit from collaboration
among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
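
A reachability check for the "simple firewall" scenario Ace describes, as an added example that is not part of the original thread: run on the DMZ server, it probes fixed TCP ports used for domain member to domain controller traffic and separates timeouts (typical of a firewall drop) from refusals. The DC name `dc01.example.local`, the function name `Test-TcpPort` and the port list are assumptions; the thread itself does not enumerate the ports.

```powershell
# Added example: run on the DMZ member server to see which AD-related TCP
# ports on a domain controller are reachable through the firewall.
param(
    [string]$DomainController = 'dc01.example.local',  # placeholder, not from the thread
    [int]$TimeoutMs = 2000
)

# Assumed port list: the fixed TCP ports commonly documented for domain
# member to DC traffic. UDP (DNS, Kerberos, NTP) and the dynamic RPC range
# negotiated via port 135 are not probed here and need their own rules.
$adTcpPorts = @(
    @{ Port = 53;   Service = 'DNS' },
    @{ Port = 88;   Service = 'Kerberos' },
    @{ Port = 135;  Service = 'RPC endpoint mapper' },
    @{ Port = 389;  Service = 'LDAP' },
    @{ Port = 445;  Service = 'SMB (SYSVOL, policy files)' },
    @{ Port = 464;  Service = 'Kerberos password change' },
    @{ Port = 636;  Service = 'LDAP over SSL' },
    @{ Port = 3268; Service = 'Global catalog' }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'Timeout (likely dropped by a firewall)'
        }
        $client.EndConnect($pending)   # throws if the peer refused the connection
        return 'Open'
    }
    catch {
        return "Failed: $($_.Exception.GetBaseException().Message)"
    }
    finally {
        $client.Close()
    }
}

$results = foreach ($entry in $adTcpPorts) {
    New-Object PSObject -Property @{
        Port    = $entry.Port
        Service = $entry.Service
        Result  = Test-TcpPort -ComputerName $DomainController -Port $entry.Port -TimeoutMs $TimeoutMs
    }
}
$results | Select-Object Port, Service, Result | Format-Table -AutoSize
```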