Case #
You are running "Group Policy Update" on an OU inside the Group Policy Management Console in Active Directory but you are receiving RPC errors from your servers or domain-joined workstations, as shown in the example below.
After a Group Policy Update, you come across Group Policy error codes 8007071a and 800706ba.
This means that the local Windows Firewall is not configured properly to allow Group Policy (GPO) traffic. GPO traffic an be either remote GPO update or remote GP Resultant Set of Policy (RSOP) operations.
Solution #
Option 1 #
Run gpedit.msc and create a new local group policy object which implements the following policies under Local Computer Policy --> Computer Configuration --> Windows Settings --> Security Settings --> Windows Defender Firewall --> Inbound Rules :
The full configuration is shown below.
After the above local group policies are configured on each domain server and workstation, you can start applying group policy objects to the domain targets. To ensure that group policy update is working without issues, run a "Group Policy Update" force operation from within the gpmc.msc console by right clicking on the desired OU which contains AD computer objects to be tested.
Important note: If you already have custom Windows Firewall rules configured, the above local policy will override the existing custom rules and overwrite them with the local policy. In these cases, either amend your local policy to include your custom rules or manually edit the Windows Firewall rules via the WF.MSC console.
Option 2 #
Utilize the two starter GPOs available out of the box in all modern versions of Windows, as shown below.
Windows Server Group Policy offers new Starter GPOs called Group Policy Remote Update Firewall Ports and Group Policy Reporting Firewall Ports. These Starter GPO include policy settings to configure the firewall rules required for GPO operations. This enables inbound network traffic on the ports, which is necessary to allow the remote Group Policy refresh and RSOP to run. It is a best practice to create new GPOs from this Starter GPO, and then link the new GPOs to your domain with a higher precedence than the Default Domain GPO, so that you can configure all computers in the domain to enable a remote Group Policy refresh.
Group Policy Remote Update Firewall Ports Starter GPO
Group Policy Reporting Firewall Ports Starter GPO
