GPO and DNS issue

  • GPO and DNS issue

    Having problems with GPOs being applied.

    Here's what happened or how I realized the issue. We set up a new company and set them up on a brand new subnet.

    Running a Windows Server 2003 Domain.

    Logged into Active Directory Sites and Services. Went into the subnet and created a new subnet for my new network called 10.12.0.0 with a 16-bit mask. Put the site under my primary data center site.

    Was able to join the PC to the domain and log in, but the login took a long time. After I got logged in, I noticed that there was an issue with the group policy being applied. My home page that gets set was not doing so. I opened up Event Viewer and I'm getting this message:


    Event Type: Error
    Event Source: Userenv
    Event Category: None
    Event ID: 1054
    Date: 6/25/2011
    Time: 4:17:03 PM
    User: NT AUTHORITY\SYSTEM
    Computer: WPG-1678
    Description:
    Windows cannot obtain the domain controller name for your computer network. (An unexpected network error occurred. ). Group Policy processing aborted.

    For more information, see Help and Support Center at .

    When I try to browse out to a server by its UNC, it's asking for a username and password. Once entered, I can get in.

    When I try to run a GPUPDATE I get the same userenv evt 1054 error. I see nothing wrong with the DNS setup on the PC. It's pointed to my domain controller and I'm able to ping by IP address.

    IPCONFIG /ALL on Client

    H:\>ipconfig

    Windows IP Configuration


    Ethernet adapter Local Area Connection:

    Media State . . . . . . . . . . . : Media disconnected

    Ethernet adapter Wireless Network Connection:

    Connection-specific DNS Suffix . :
    IP Address. . . . . . . . . . . . : 10.12.1.16
    Subnet Mask . . . . . . . . . . . : 255.255.0.0
    Default Gateway . . . . . . . . . : 10.12.254.1

    Ethernet adapter Bluetooth Network Connection:

    Media State . . . . . . . . . . . : Media disconnected

    H:\>ipconfig /all

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : wpg-1678
    Primary Dns Suffix . . . . . . . : WELCH.LOCAL
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : WELCH.LOCAL

    Ethernet adapter Local Area Connection:

    Media State . . . . . . . . . . . : Media disconnected
    Description . . . . . . . . . . . : Intel(R) 82566MM Gigabit Network Con
    nection
    Physical Address. . . . . . . . . : 00-1F-E2-1A-DA-66

    Ethernet adapter Wireless Network Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : 11a/b/g Wireless LAN Mini PCI Expres
    s Adapter
    Physical Address. . . . . . . . . : 00-23-4D-85-80-04
    Dhcp Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IP Address. . . . . . . . . . . . : 10.12.1.16
    Subnet Mask . . . . . . . . . . . : 255.255.0.0
    Default Gateway . . . . . . . . . : 10.12.254.1
    DHCP Server . . . . . . . . . . . : 10.12.254.1
    DNS Servers . . . . . . . . . . . : 10.1.2.28
    10.1.2.7
    Lease Obtained. . . . . . . . . . : Saturday, June 25, 2011 7:58:29 AM
    Lease Expires . . . . . . . . . . : Sunday, June 26, 2011 7:58:29 AM

    Ethernet adapter Bluetooth Network Connection:

    Media State . . . . . . . . . . . : Media disconnected
    Description . . . . . . . . . . . : Bluetooth Device (Personal Area Netw
    ork)
    Physical Address. . . . . . . . . : 00-23-4D-EE-1B-28

    On the server DNS event log I'm getting these messages:
    Event Type: Error
    Event Source: DNS
    Event Category: None
    Event ID: 6702
    Date: 6/25/2011
    Time: 4:21:53 PM
    User: N/A
    Computer: SVWPDC3
    Description:
    DNS server has updated its own host (A) records. In order to ensure that its DS-integrated peer DNS servers are able to replicate with this server, an attempt was made to update them with the new records through dynamic update. An error was encountered during this update, the record data is the error code.

    If this DNS server does not have any DS-integrated peers, then this error
    should be ignored.

    If this DNS server's Active Directory replication partners do not have the correct IP address(es) for this server, they will be unable to replicate with it.

    To ensure proper replication:
    1) Find this server's Active Directory replication partners that run the DNS server.
    2) Open DnsManager and connect in turn to each of the replication partners.
    3) On each server, check the host (A record) registration for THIS server.
    4) Delete any A records that do NOT correspond to IP addresses of this server.
    5) If there are no A records for this server, add at least one A record corresponding to an address on this server, that the replication partner can contact. (In other words, if there multiple IP addresses for this DNS server, add at least one that is on the same network as the Active Directory DNS server you are updating.)
    6) Note, that is not necessary to update EVERY replication partner. It is only necessary that the records are fixed up on enough replication partners so that every server that replicates with this server will receive (through replication) the new data.

    For more information, see Help and Support Center at .
    Data:
    0000: 7c 26 00 00 |&..


    I've verified there is an A record and the _MSDCS, _TCP, _UDP, _Sites, DomainDNSZone and ForestDNSZones look good and are populated with the correct information.

    On Domain Controller running DNS

    C:\Documents and Settings\welchad>ipconfig /all

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : SVWPDC3
    Primary Dns Suffix . . . . . . . : WELCH.LOCAL
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : WELCH.LOCAL

    Ethernet adapter HP Network Team #1:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : HP Network Team #1
    Physical Address. . . . . . . . . : 00-17-A4-AA-9E-2C
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 10.1.2.28
    Subnet Mask . . . . . . . . . . . : 255.255.0.0
    Default Gateway . . . . . . . . . : 10.1.254.1
    DNS Servers . . . . . . . . . . . : 10.1.2.7
    10.1.2.28

    I've tried recreating the primary zone by renaming the netlogon.dns and netlogon.dnb and restarting the netlogon service, but it did not make me create a new zone.

  • #2
    Re: GPO and DNS issue

    DCDiag results


    C:\Documents and Settings\welchad>dcdiag

    Domain Controller Diagnosis

    Performing initial setup:
    Done gathering initial info.

    Doing initial required tests

    Testing server: Elkhart-data-center\SVWPDC3
    Starting test: Connectivity
    ......................... SVWPDC3 passed test Connectivity

    Doing primary tests

    Testing server: Elkhart-data-center\SVWPDC3
    Starting test: Replications
    ......................... SVWPDC3 passed test Replications
    Starting test: NCSecDesc
    ......................... SVWPDC3 passed test NCSecDesc
    Starting test: NetLogons
    ......................... SVWPDC3 passed test NetLogons
    Starting test: Advertising
    ......................... SVWPDC3 passed test Advertising
    Starting test: KnowsOfRoleHolders
    ......................... SVWPDC3 passed test KnowsOfRoleHolders
    Starting test: RidManager
    ......................... SVWPDC3 passed test RidManager
    Starting test: MachineAccount
    ......................... SVWPDC3 passed test MachineAccount
    Starting test: Services
    ......................... SVWPDC3 passed test Services
    Starting test: ObjectsReplicated
    ......................... SVWPDC3 passed test ObjectsReplicated
    Starting test: frssysvol
    ......................... SVWPDC3 passed test frssysvol
    Starting test: frsevent
    There are warning or error events within the last 24 hours after the
    SYSVOL has been shared. Failing SYSVOL replication problems may cause
    Group Policy problems.
    ......................... SVWPDC3 failed test frsevent
    Starting test: kccevent
    ......................... SVWPDC3 passed test kccevent
    Starting test: systemlog
    ......................... SVWPDC3 passed test systemlog
    Starting test: VerifyReferences
    ......................... SVWPDC3 passed test VerifyReferences

    Running partition tests on : ForestDnsZones
    Starting test: CrossRefValidation
    ......................... ForestDnsZones passed test CrossRefValidatio

    Starting test: CheckSDRefDom
    ......................... ForestDnsZones passed test CheckSDRefDom

    Running partition tests on : DomainDnsZones
    Starting test: CrossRefValidation
    ......................... DomainDnsZones passed test CrossRefValidatio

    Starting test: CheckSDRefDom
    ......................... DomainDnsZones passed test CheckSDRefDom

    Running partition tests on : Schema
    Starting test: CrossRefValidation
    ......................... Schema passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... Schema passed test CheckSDRefDom

    Running partition tests on : Configuration
    Starting test: CrossRefValidation
    ......................... Configuration passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... Configuration passed test CheckSDRefDom

    Running partition tests on : WELCH
    Starting test: CrossRefValidation
    ......................... WELCH passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... WELCH passed test CheckSDRefDom

    Running enterprise tests on : WELCH.LOCAL
    Starting test: Intersite
    ......................... WELCH.LOCAL passed test Intersite
    Starting test: FsmoCheck
    ......................... WELCH.LOCAL passed test FsmoCheck

    Netdiag results

    ..........................................

    Computer Name: SVWPDC1
    DNS Host Name: svwpdc1.WELCH.LOCAL
    System info : Microsoft Windows Server 2003 R2 (Build 3790)
    Processor : x86 Family 15 Model 4 Stepping 1, GenuineIntel
    List of installed hotfixes :
    KB890046
    KB893756
    KB896358
    KB896422
    KB896424
    KB896428
    KB898715
    KB899587
    KB899588
    KB899589
    KB899591
    KB900725
    KB901017
    KB901214
    KB902400
    KB904706
    KB905414
    KB905915
    KB908519
    KB910437
    KB911897
    KB912919
    KB931836
    Q147222


    Netcard queries test . . . . . . . : Passed



    Per interface results:

    Adapter : HP Network Team #1

    Netcard queries test . . . : Passed

    Host Name. . . . . . . . . : svwpdc1
    IP Address . . . . . . . . : 10.1.2.4
    Subnet Mask. . . . . . . . : 255.255.0.0
    IP Address . . . . . . . . : 10.1.2.7
    Subnet Mask. . . . . . . . : 255.255.0.0
    Default Gateway. . . . . . : 10.1.254.1
    Primary WINS Server. . . . : 10.1.2.28
    Secondary WINS Server. . . : 10.1.2.7
    Dns Servers. . . . . . . . : 10.1.2.28
    10.1.2.7


    AutoConfiguration results. . . . . . : Passed

    Default gateway test . . . : Passed

    NetBT name test. . . . . . : Passed

    WINS service test. . . . . : Passed


    Global results:


    Domain membership test . . . . . . : Passed


    NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
    NetBT_Tcpip_{732D8812-707F-4D58-BE53-754093F8BE0D}
    1 NetBt transport currently configured.


    Autonet address test . . . . . . . : Passed


    IP loopback ping test. . . . . . . : Passed


    Default gateway test . . . . . . . : Passed


    NetBT name test. . . . . . . . . . : Passed


    Winsock test . . . . . . . . . . . : Passed


    DNS test . . . . . . . . . . . . . : Failed
    [WARNING] The DNS entries for this DC are not registered correctly on DNS se
    rver '10.1.2.28'. Please wait for 30 minutes for DNS server replication.
    [WARNING] The DNS entries for this DC are not registered correctly on DNS se
    rver '10.1.2.7'. Please wait for 30 minutes for DNS server replication.
    [FATAL] No DNS servers have the DNS records for this DC registered.


    Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
    NetBT_Tcpip_{732D8812-707F-4D58-BE53-754093F8BE0D}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
    NetBT_Tcpip_{732D8812-707F-4D58-BE53-754093F8BE0D}
    The browser is bound to 1 NetBt transport.


    DC discovery test. . . . . . . . . : Passed


    DC list test . . . . . . . . . . . : Passed


    Trust relationship test. . . . . . : Skipped


    Kerberos test. . . . . . . . . . . : Passed


    LDAP test. . . . . . . . . . . . . : Passed


    Bindings test. . . . . . . . . . . : Passed


    WAN configuration test . . . . . . : Skipped
    No active remote access connections.


    Modem diagnostics test . . . . . . : Passed

    IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed information


    The command completed successfully


    • #3
      Re: GPO and DNS issue

      Also getting this message in event log when I restart net logon:

      Event Type: Warning
      Event Source: NETLOGON
      Event Category: None
      Event ID: 5781
      Date: 6/25/2011
      Time: 4:05:49 PM
      User: N/A
      Computer: SVWPDC3
      Description:
      Dynamic registration or deletion of one or more DNS records associated with DNS domain 'WELCH.LOCAL.' failed. These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).

      Possible causes of failure include:
      - TCP/IP properties of the network connections of this computer contain wrong IP address(es) of the preferred and alternate DNS servers
      - Specified preferred and alternate DNS servers are not running
      - DNS server(s) primary for the records to be registered is not running
      - Preferred or alternate DNS servers are configured with wrong root hints
      - Parent DNS zone contains incorrect delegation to the child zone authoritative for the DNS records that failed registration

      USER ACTION
      Fix possible misconfiguration(s) specified above and initiate registration or deletion of the DNS records by running 'nltest.exe /dsregdns' from the command prompt or by restarting Net Logon service. Nltest.exe is available in the Microsoft Windows Server Resource Kit CD.

      For more information, see Help and Support Center at
      Data:
      0000: 2a 23 00 00 *#..


      I run nltest.exe /dsregdns and get this message:

      C:\Documents and Settings\welchad>nltest.exe /dsregdns
      Flags: 0
      Connection Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
      The command completed successfully

      Computers on my older subnets update just fine. There is one Windows 7 machine on this 10.12 network and GPUPDATE works fine. My computer gets gpupdates fine from my home subnet, but I'm getting 1054 messages when I'm on 10.12.

      Netdiag /fix

      Microsoft Windows [Version 5.2.3790]
      (C) Copyright 1985-2003 Microsoft Corp.

      C:\Documents and Settings\welchad>netdiag /fix

      .........................................

      Computer Name: SVWPDC1
      DNS Host Name: svwpdc1.WELCH.LOCAL
      System info : Microsoft Windows Server 2003 R2 (Build 3790)
      Processor : x86 Family 15 Model 4 Stepping 1, GenuineIntel
      List of installed hotfixes :
      KB890046
      KB893756
      KB896358
      KB896422
      KB896424
      KB896428
      KB898715
      KB899587
      KB899588
      KB899589
      KB899591
      KB900725
      KB901017
      KB901214
      KB902400
      KB904706
      KB905414
      KB905915
      KB908519
      KB910437
      KB911897
      KB912919
      KB931836
      Q147222


      Netcard queries test . . . . . . . : Passed



      Per interface results:

      Adapter : HP Network Team #1

      Netcard queries test . . . : Passed

      Host Name. . . . . . . . . : svwpdc1
      IP Address . . . . . . . . : 10.1.2.4
      Subnet Mask. . . . . . . . : 255.255.0.0
      IP Address . . . . . . . . : 10.1.2.7
      Subnet Mask. . . . . . . . : 255.255.0.0
      Default Gateway. . . . . . : 10.1.254.1
      Primary WINS Server. . . . : 10.1.2.28
      Secondary WINS Server. . . : 10.1.2.7
      Dns Servers. . . . . . . . : 10.1.2.28
      10.1.2.7


      AutoConfiguration results. . . . . . : Passed

      Default gateway test . . . : Passed

      NetBT name test. . . . . . : Passed

      WINS service test. . . . . : Passed


      Global results:


      Domain membership test . . . . . . : Passed


      NetBT transports test. . . . . . . : Passed
      List of NetBt transports currently configured:
      NetBT_Tcpip_{732D8812-707F-4D58-BE53-754093F8BE0D}
      1 NetBt transport currently configured.


      Autonet address test . . . . . . . : Passed


      IP loopback ping test. . . . . . . : Passed


      Default gateway test . . . . . . . : Passed


      NetBT name test. . . . . . . . . . : Passed


      Winsock test . . . . . . . . . . . : Passed


      DNS test . . . . . . . . . . . . . : Failed
      [FATAL] Failed to fix: DC DNS entry WELCH.LOCAL. re-registeration on DNS ser
      ver '10.1.2.28' failed.
      DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
      [FATAL] Failed to fix: DC DNS entry WELCH.LOCAL. re-registeration on DNS ser
      ver '10.1.2.28' failed.
      DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
      [FATAL] Fix Failed: netdiag failed to re-register missing DNS entries for th
      is DC on DNS server '10.1.2.28'.
      [FATAL] No DNS servers have the DNS records for this DC registered.


      Redir and Browser test . . . . . . : Passed
      List of NetBt transports currently bound to the Redir
      NetBT_Tcpip_{732D8812-707F-4D58-BE53-754093F8BE0D}
      The redir is bound to 1 NetBt transport.

      List of NetBt transports currently bound to the browser
      NetBT_Tcpip_{732D8812-707F-4D58-BE53-754093F8BE0D}
      The browser is bound to 1 NetBt transport.


      DC discovery test. . . . . . . . . : Passed


      DC list test . . . . . . . . . . . : Passed


      Trust relationship test. . . . . . : Skipped


      Kerberos test. . . . . . . . . . . : Passed


      LDAP test. . . . . . . . . . . . . : Passed


      Bindings test. . . . . . . . . . . : Passed


      WAN configuration test . . . . . . : Skipped
      No active remote access connections.


      Modem diagnostics test . . . . . . : Passed

      IP Security test . . . . . . . . . : Skipped

      Note: run "netsh ipsec dynamic show /?" for more detailed information


      The command completed successfully

      C:\Documents and Settings\welchad>

      Thanks Guys
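
The `Data:` rows in the DNS 6702 and NETLOGON 5781 events above carry a little-endian Win32 error code (the 6702 text says the record data is the error code). The following is an added example, not part of the original posts, that decodes them from pasted event text; the sample input is constructed from the two events in the thread, and the name table is a small subset of winerror.h chosen for this thread.

```python
import re
import struct

# Subset of winerror.h covering the codes seen in this thread (assumed
# sufficient for the example; extend from winerror.h as needed).
WIN32_ERRORS = {
    1311: "ERROR_NO_LOGON_SERVERS",
    9002: "DNS_ERROR_RCODE_SERVER_FAILURE",
    9852: "DNS_ERROR_NO_DNS_SERVERS",
}

# Event Viewer hex-dump row: 4-digit offset, colon, byte pairs, ASCII column.
DUMP_ROW = re.compile(r"^\s*[0-9a-fA-F]{4}:((?:\s+[0-9a-fA-F]{2})+)")
FIELD = re.compile(r"^\s*Event (Source|ID):\s*(\S+)")

# Constructed sample: the two events from the thread, trimmed to used fields.
SAMPLE = """\
Event Type: Error
Event Source: DNS
Event ID: 6702
Computer: SVWPDC3
Data:
0000: 7c 26 00 00 |&..

Event Type: Warning
Event Source: NETLOGON
Event ID: 5781
Computer: SVWPDC3
Data:
0000: 2a 23 00 00 *#..
"""

def decode_events(text):
    """Return one dict per pasted event, with its Data DWORD decoded."""
    events, current = [], None
    for line in text.splitlines():
        if line.strip().startswith("Event Type:"):
            current = {"source": None, "id": None, "raw": b""}
            events.append(current)
            continue
        if current is None:
            continue
        m = FIELD.match(line)
        if m:
            current["source" if m.group(1) == "Source" else "id"] = m.group(2)
            continue
        m = DUMP_ROW.match(line)
        if m:
            current["raw"] += bytes.fromhex("".join(m.group(1).split()))
    for ev in events:
        if len(ev["raw"]) >= 4:
            # Only the first DWORD is the status code; it is little-endian.
            (ev["code"],) = struct.unpack("<I", ev["raw"][:4])
            ev["name"] = WIN32_ERRORS.get(ev["code"], "unknown")
        else:
            ev["code"], ev["name"] = None, "no data"
    return events

if __name__ == "__main__":
    for ev in decode_events(SAMPLE):
        print(ev["source"], ev["id"], ev["code"], ev["name"])
```

The 5781 data decodes to 9002, the same DNS_ERROR_RCODE_SERVER_FAILURE that the `netdiag /fix` run reports.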



      • #4
        Re: GPO and DNS issue

        Well, I got my server issues resolved by deleting my primary forward lookup zone and recreating for all servers. DCDiag and NetDiag come back good. I'm still having problems getting GPOs applied.
