Group Policies not applying over VPN

bowerjb

Ok. I have a windows 2000 DC on site with approx 100 xp clients
running great under active directory. We also have multiple locations
throughout the state connected here via VPN. I have set up a couple
of these locations with active directory and although users can
interactively login, the policies I have created will not apply. I
have made sure DNS is set up correctly, created a slow link policy,
and synched time between server and client with "net time /set." When
I run "gpupdate /force" the machine will not ask me if I want to log
off. Moreover, when I run "gpresult" I get the error "INFO: User
"domain\user" does not have RSOP data." I then tried to generate RSOP
data with mmc and got the error message "Group Policy Infrastructure
Failed due to the reason below. An unexpected network error has
occurred."

If anyone can help please let me know.
 
bowerjb

Thanks for taking the time to reply.....

There is not a DC at each site. The sites have a Linksys VPN routing
things back to a VPN server here on location. These sites use DSL as
their ISP.

I found some more interesting things this morning. Apparently the
size of the MTU on each machine affects the download of the group
policies. Everything thus far on the network has been set at the
default value of 1500 but as I modify that setting on each of the
clients it seems to try "harder" to download the policies. In the end
though, nothing updates. I have tried to ping the DC from these
client machines with 2048 bytes (same amount of bytes used to
calculate slow link) and get request time out errors. The maximum I
can ping with is 1410. I am almost positive that this has something
to do with it.
 
bowerjb

Ok....I found the solution to our problem and thought I would post it
for all of those pulling their hair out. The issue had to do with an
MTU problem. Basically, the DC was attempting to ping the clients
across the VPN with 2048 bytes of data. This is done to calculate the
slow link algorithm. The ping, however, received the error message
"Request timed out" indicating to the DC that the client did not exist
on the network. Since it thought it did not exist the DC didn't even
try to force policies. The reason the error occurred was because of
the size of the unfragmented packets the DC was sending. It was
sending an MTU size of 1500 (default) which the network between the DC
and the clients (some DSL, some cable) could not handle. By dropping
the MTU down to 1200 we were able to get the clients to download
policies. Instead of leaving the DC with a lower MTU (causes
performance issues with clients here at this site) we decided to drop
the IPSEC MTU on the VPN down to 1200 and raise the DC MTU back to
default. This not only fixed the off-site clients connected with a
VPN but also retained performance for clients on site. Hope this
helps.
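An added example, not from the thread's author: a small Python probe that binary-searches the largest unfragmentable ICMP payload a path accepts, which is how you would confirm a ceiling like the 1410 bytes found above and derive the path MTU to set on the IPsec tunnel. It assumes Linux iputils (`ping -M do`) or Windows (`ping -f -l`); the simulated link is a constructed stand-in so the logic can be checked offline.

```python
import platform
import subprocess
from typing import Callable, Optional

ICMP_IP_OVERHEAD = 28          # 20-byte IPv4 header + 8-byte ICMP echo header
SLOW_LINK_PROBE_BYTES = 2048   # payload size the thread reports for slow-link detection


def make_ping_probe(host: str) -> Callable[[int], bool]:
    """Return a probe(size) that sends one echo request with the DF bit set and
    `size` payload bytes to `host`, reporting whether a reply came back."""
    windows = platform.system() == "Windows"

    def probe(size: int) -> bool:
        if windows:   # -f = don't fragment, -l = payload length
            cmd = ["ping", "-n", "1", "-w", "2000", "-f", "-l", str(size), host]
        else:         # iputils: -M do sets DF, -s sets payload length
            cmd = ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(size), host]
        return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL).returncode == 0
    return probe


def largest_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 2048) -> Optional[int]:
    """Largest payload in [lo, hi] for which probe() succeeds; None if even lo fails
    (host unreachable or ICMP filtered, which must not be mistaken for a tiny MTU)."""
    if not probe(lo):
        return None
    while lo < hi:                      # invariant: probe(lo) succeeded
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def path_mtu(probe: Callable[[int], bool], hi: int = 2048) -> Optional[int]:
    """Effective path MTU = largest unfragmented payload + IP/ICMP headers."""
    payload = largest_payload(probe, 0, hi)
    return None if payload is None else payload + ICMP_IP_OVERHEAD


def simulated_link(mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a VPN path that silently drops anything over `mtu`."""
    return lambda size: size + ICMP_IP_OVERHEAD <= mtu
```

Run `path_mtu(make_ping_probe("dc.example.internal"))` from a remote client to get the value to configure; a result below 1500 while the DC sits at the default MTU reproduces the black hole described in the thread.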