Monthly Archives: November 2012

Group Policy Loopback: Merge not working on Windows 7 / Server 2008 R2

I guess I wasn’t paying attention. It’s now November 2012, and I’m just now realizing that Group Policy Loopback, with Merge selected, no longer works as I’d expect with Windows 7 and Server 2008 R2.

It used to work like this:

Replace mode ignores all of the GPOs that would normally apply to the user, and instead applies ONLY the user settings from the GPOs linked where the loopback policy is set. This still works as expected on 2008 R2 / Windows 7.

Merge mode ADDS those GPOs to the ones already applied to the user, overriding any conflicting settings as needed, effectively merging the two lists. This is what no longer works as expected.

Here is what I’ve found:

Microsoft published KB 953786, which says that the PCs now need an entry in the ACL of the GPO allowing them to read the settings of said GPO. What I’ve done to make this easier for myself is added the “Domain Computers” Active Directory group to any GPO which contains the user settings that I wish to apply via loopback merge.

In my testing, this added ACL entry has solved the issue and allowed it to work as I expected, which is the way that 2003/XP behaved.
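Here is an added PowerShell check (not from the original post) that lists every GPO with user settings enabled that “Domain Computers” cannot read, and can optionally grant the read permission described above. It assumes the GroupPolicy RSAT module is installed and that you have rights to read and modify GPO permissions.

```powershell
# Added example, not from the original post. Audits every GPO whose user
# settings are enabled and reports the ones "Domain Computers" cannot read,
# which is the condition KB 953786 describes for loopback merge.
# Assumes the GroupPolicy RSAT module and rights to read/modify GPO ACLs.
Import-Module GroupPolicy

$group = 'Domain Computers'   # group the post grants read access to; adjust if you scope it tighter
$fix   = $false               # set to $true to grant GpoRead where it is missing
# Any of these permission levels includes the ability to read the GPO
$readLevels = @('GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity')

foreach ($gpo in Get-GPO -All) {
    # GPOs with user settings disabled carry nothing for loopback merge to apply
    if (@('UserSettingsDisabled', 'AllSettingsDisabled') -contains "$($gpo.GpoStatus)") { continue }

    $acl = Get-GPPermission -Guid $gpo.Id -All
    # Read access through the group itself or through the default Authenticated Users ACE both count
    $canRead = $acl | Where-Object {
        -not $_.Denied -and
        $readLevels -contains "$($_.Permission)" -and
        ($_.Trustee.Name -eq $group -or $_.Trustee.Name -eq 'Authenticated Users')
    }
    if ($canRead) { continue }

    Write-Warning "'$($gpo.DisplayName)' has user settings enabled but '$group' cannot read it"
    if ($fix) {
        Set-GPPermission -Guid $gpo.Id -TargetName $group -TargetType Group -PermissionLevel GpoRead | Out-Null
    }
}
```

Run it with `$fix = $false` first: a GPO that was security-filtered to a user group (Authenticated Users removed from its ACL) will show up here, and that is exactly the case the KB describes.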

Configuring Failover between two Cisco ASAs

I had to set up my first Active/Passive Cisco ASA pair this past week. It turns out it’s a little simpler than the documentation first makes it appear. Here is what you’ll need:

  • Two ASAs with the licensing necessary to enable failover
  • Two IPs on each subnet the pair will be connected to (including a new subnet for the failover link between the units; this should be a subnet not in use anywhere else on the network)
  • A crossover cable.

Let’s make some assumptions so we know which IPs we’ll use: our private LAN subnet is 192.168.1.0/24, our failover subnet is 172.16.1.0/24, and our WAN subnet is 1.1.1.0/24. Let’s also assume that we’re using interface 0/0 for the WAN, interface 0/1 for the LAN, and interface 0/3 for the failover link.

  1. Bring your first unit online, and assign the first IP on each subnet to the proper interfaces.
  2. Bring your second unit online, and assign the second IP on each subnet to the proper interfaces.
  3. Connect one of the interfaces on the first unit to that same interface on the other unit using the crossover cable, and assign IPs on this interface from the new subnet you created for failover traffic.
  4. Verify that each unit can ping the other on each interface (WAN to WAN, failover to failover, LAN to LAN).
  5. Once you’ve verified that each unit can communicate with the other, it’s time to start entering commands.

With those subnets in mind let’s assign IPs:

Primary:

  • LAN: 192.168.1.1
  • Failover: 172.16.1.1
  • WAN: 1.1.1.1

Secondary:

  • LAN: 192.168.1.2
  • Failover: 172.16.1.2
  • WAN: 1.1.1.2

So here are the commands that we’re going to enter on our primary unit:

    interface Ethernet0/0
    ip address 1.1.1.1 255.255.255.0 standby 1.1.1.2
    interface Ethernet0/1
    ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
    failover lan unit primary
    failover lan interface Failover Ethernet0/3
    failover link Failover Ethernet0/3
    failover interface ip Failover 172.16.1.1 255.255.255.0 standby 172.16.1.2
    failover

Here are the commands that we’re going to enter on our secondary unit (note that the unit role keyword the ASA accepts here is secondary, not standby; the same active/standby IPs are configured on both units, since the standby unit takes over the active IP on failover):

    interface Ethernet0/0
    ip address 1.1.1.1 255.255.255.0 standby 1.1.1.2
    interface Ethernet0/1
    ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
    failover lan unit secondary
    failover lan interface Failover Ethernet0/3
    failover link Failover Ethernet0/3
    failover interface ip Failover 172.16.1.1 255.255.255.0 standby 172.16.1.2
    failover

You can then run a “show failover” on each unit to see which is active and which is standby, and whether or not failover is working. You can also continue to connect to either unit using either the primary or secondary IP; they will both display the same hostname since their configs are being replicated, but you can use “show failover” to remind yourself which unit you are on. Finally, you’ll only want to make and save changes from the primary unit; failover will take care of replicating them to the other unit.

Once you’ve verified that everything is working, run a “write mem” on each unit before you start testing.