Not allowed to manage GPO on on a DC! Why?

[mrFederico]

Hello all!

This is my first post on this site! Excuse my ugly English!
I spent two day in searching an answer to my question, but i don't find it!
I'm new in the world of AD. I find a domain installed in a school to control the PC in the labs, and some teacher ask me to enforce the client (no wallpaper change, software restriction and so on)!
So, I begin study the problem and I understand that I need to use GPO on the AD (a local policy is not possible: there are more then 40 clients!)
The problem is: when I try to use the GP on the properties of an OU, the DC (I forget! 1 DC with win 2003 installed!) says me: "Domain Controller not Found" (in italian!) and than it proposes me three option, but indipendently of my choice, the Group Policy tab becomes disabled!
What can I do?
Thank's all in advance!
Federico

ps: I have also the screenshota of the sequence...but they are in italian!

 

[mlichstein]

This usually occurs because the PDC emulator cannot be found.

How is your DNS configured? Is the DC pointing to itself for DNS?

 

[mrFederico]

Thank you, mlichstein for the replay!

What is a PDC emlator?

I don't know the dns configuration! At the moment I can say you that the client of the domain uses as DNS sever the same machine that implement the DC, so it's possible that the DC is poiting to itself. I will make this check as soon as (now I'm far from the DC!) How can I make this control? ("...is pointing itself")

Thank you again!
Federico

 

[mlichstein]

You can check to see if the DC is pointing to itself by running ipconfig /all from a command prompt.

Please paste the output from that command here.

 

[Ckoslow]

You dont need DNS for your DC to manage GPO's all you need are the FSMO roles

Most liekly you are missing one of the FSMO roles on that DC or. Do you have another DC that has crashed or can not talk with the current DC you are managing from? Without access to the DC with the FSMO roles you can not manage GPO's

 

[mlichstein]

Uhm....the FSMO roles are discovered using DNS. Even if there is only one DC and it holds all the FSMO roles, if it is not pointed to a DNS server containing the SRV records for the domain (usually itself), it will not work correctly.

 

[mrFederico]

Dear mlichstein and dear Ckoslow,

this is the response of the command ipconfig -all on the DC.

--------------

Configurazione IP di Windows

Nome host . . . . . . . . . . . . . . : srv02-denino
Suffisso DNS primario . . . . . . . . : mercurio
Tipo nodo . . . . . . . . . . . . . . : Sconosciuto
Routing IP abilitato . . . . . . . . : Sì
Proxy WINS abilitato . . . . . . . . : No
Elenco di ricerca suffissi DNS. . . . : mercurio

Scheda Ethernet Rete Esterna Pubblica: <---THIS NIC IS CONNECTED to INTERNET via a NAT

Suffisso DNS specifico per connessione:
Descrizione . . . . . . . . . . . . . : NIC Fast Ethernet PCI Realtek RTL8139
Family
Indirizzo fisico. . . . . . . . . . . : 00-50-FC-ED-89-99
DHCP abilitato. . . . . . . . . . . . : No
Indirizzo IP. . . . . . . . . . . . . : 192.168.13.4
Subnet mask . . . . . . . . . . . . . : 255.255.255.192
Gateway predefinito . . . . . . . . . : 192.168.13.1
Server DNS . . . . . . . . . . . . . : 212.131.30.42 <--- AN EXT DNS!
212.131.30.43

Scheda Ethernet Rete Interna: <---THIS NIC IS CONNECTED TO THE LOCAL LAN (DOMAIN)

Suffisso DNS specifico per connessione:
Descrizione . . . . . . . . . . . . . : Connessione di rete Intel(R) PRO/1000
MT
Indirizzo fisico. . . . . . . . . . . : 00-30-48-70-1F-FC
DHCP abilitato. . . . . . . . . . . . : No
Indirizzo IP. . . . . . . . . . . . . : 192.168.0.65
Subnet mask . . . . . . . . . . . . . : 255.255.255.192
Gateway predefinito . . . . . . . . . :
Server DNS . . . . . . . . . . . . . : 192.168.0.65 <--- IS POINTING ITSELF?

--------------

Excuse my delay, but yesterday i'm not at work!
Waiting from you!
Federico

 

[mrFederico]

Dear mlichstein and dear Ckoslow,

I need more help from you!
Please give me some new helps!

Thanks!
Federico

 

[mrFederico]

Dear mlichstein,

I have further indagate the problem, and I make some step in the solution of my problem! Your idea is good! In fact I try to disable the NIC connected to an external DNS, (that points to an ext DNS!!!) and the Group Policy applet now is enabled!
Now I have another 2 question:

First:
I have reconnected the ext NIC, and I think that the Group Policy,will not work again! Instead it works! Why?

Second:
how can I insert a "SRV record" in the internal DNS?

Thank you for your interest!

mrFederico