
PC not getting Group Policy on Windows Server 2003 Network

ITBanker asked
Last Modified: 2008-01-09
I have a multi-office network with a Windows 2003 server as the main domain controller.  In one of my branches, one PC is not getting the Group Policy from the domain controller.  Where do I need to start troubleshooting?

Commented:
Log on as a domain user; in the Run command, enter "gpupdate /force".

This will force the PC to check for GPO updates.

Next, make sure the user is in the group that the GPO applies to, using Group Policy Manager, then check the policies in effect for the user --> Resultant Set of Policy tool:

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rsop.mspx

http://www.microsoft.com/downloads/details.aspx?FamilyID=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en

Commented:
Run a gpupdate /force on the PC and see if it is successful.
Use the GPMC to see the resultant set of policy on the machine.
GPMC can be found here:
http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en

In GPMC, select the PC and the logged-on user, run the RSoP and see what the outcome is.

Good luck,

Walter

Author

Commented:
OK.  What am I missing here?  I don't see where I can run rsop from within GPMC.

Commented:
Follow the first link I provided for rsop...

Using the GPO manager, you can click on a policy on the left side; on the right side it will show the settings for that policy.  You can also see a list of all group policies under Group Policy Objects.

Author

Commented:
Got it.  Thanks!

That is telling me that there was an error loading the Computer Configuration policies.  Under the Error Information tab, it tells me that the Group Policy Infrastructure failed.  Here's the message:


"Wednesday, February 15, 2006 4:35:15 PM

Group Policy Infrastructure failed due to the error listed below.
The specified domain either does not exist or could not be contacted.

Note:  Due to the GP Core failure, none of the other Group Policy components processed their policy.  Consequently, status information for the other components is not available."

What does that mean?

Author

Commented:
I should probably also add that when I run gpupdate /force, the computer does get the policy it's supposed to be getting.

Commented:
Do this: pull the PC from the domain, restart, re-add the PC back into the domain, restart... It sounds like it's having trouble contacting the DC.

Author

Commented:
I actually already did that last Friday.  I am still having the same problem.

Commented:
Check the event log on the XP station. Do you see any errors?  Also, check the TCP/IP settings with ipconfig /all to make sure it looks like the other PCs...

Author

Commented:
Yes, I do see a consistent error.

"Source:  Userenv  Event ID:  1054

Windows cannot obtain the domain controller name for your computer network.  (The specified domain either does not exist or could not be contacted. ).  Group Policy processing aborted."

I'm checking the ipconfig now.

Commented:
ipconfig /all

Check the primary DNS suffix, DNS suffix search list, and DNS server IP primary/secondary.

Author

Commented:
The ipconfig looks right.

Commented:
1. Click Start, click Control Panel, click Network and Internet Connections, and then click Network Connections.
2. Right-click Local Area Connection, and then click Properties.
3. Click Internet Protocol (TCP/IP), and then click Properties.
4. Select the Use the following DNS server addresses option button if it is not already selected.
5. Type the correct DNS address in the Preferred DNS server box.<--manually put your primary internal DNS here
6. Click OK.

Commented:
It's not resolving the DNS correctly; that's why you get the 1054 errors.

Author

Commented:
As I have it now, the Preferred DNS server is the DC in the main office.  The branch only has a member server.  Should it be pointing to the member server as Preferred DNS server?

Commented:
Do this...   from a CMD window  type  "NSLOOKUP [DC]"   where [DC] is the DC in your main office.

you should get the following:


C:\>NSLOOKUP DC
Server:  dc.domain
Address:  xxx.xxx.xxx.xxx

Name:    DC.domain
Address:  xxx.xxx.xxx.xxx


If you do not get the fully qualified name back for your DC you've got DNS/ WINS problems.

Also do a simple PING [DC]...   you get the proper IP address?


Also be careful removing and re-adding the computer name quickly when you're having problems contacting the DC.  I've seen screwy stuff where you have to wait for a little while (I waited overnight) and then I could re-add and contact the DC just fine.  It's actually AD acting funny.

Commented:
I'm assuming your member server DOESN'T have DNS installed, so I would keep it pointed to your DC.  What kind of link do you have to the main office? When you do the ping as enigma suggested, how long does the ping take?  Can you even ping by name or only by IP?

When you get a chance, do the ipconfig /all from the PC that's not working and one that is working, and post both here.

Author

Commented:
DNS is installed on the member server.  However, after reading your last comment yesterday, I went to look at the DNS on the member server and realized it was having a problem transferring from the master.  I got that fixed, and it seems that I now get the Group Policy on this PC.  However, I am still getting errors in the Event Log.

Our link to the main office is a 256K line through a frame relay.

When I ping by name, it averages 27ms.  When I ping by IP address, it averages 68ms.

When I do the NSLOOKUP [DC], here's what I get:

"***Can't find server name for address [IP address of Primary Server]:  Non-existent domain
 ***Can't find server name for address [IP address of Backup Server]:  No response from server
 ***Default servers are not available
 Server:  Unknown
 Address:  [IP address of Primary Server]

 Name:  [Primary Server name].[domain name].com
 Address:  [IP address of Primary Server]"

Commented:
It looks like the DNS service on that member service is still having trouble.  Can you do an IPCONFIG /ALL on that server and post here?  Also include how your DNS service is configured, which IP it answers on, any forwarders, primary/backup/integrated, etc.  What kind of connection does this remote site have?  How about errors in the event log (post)?

Author

Commented:
Here's what you asked me for earlier:

IPCONFIG /ALL on PC having problems:

Z:\>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : JC150065
        Primary Dns Suffix  . . . . . . . : sbc.com
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : sbc.com

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
        Physical Address. . . . . . . . . : 00-0D-56-D8-A5-4E
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.86.150.65
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.86.150.1
        DNS Servers . . . . . . . . . . . : 10.86.149.16
                                            10.86.149.17


Here's the IPCONFIG /ALL from another PC in that branch that is not having any problems:

Z:\>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : JC150060
        Primary Dns Suffix  . . . . . . . : sbc.com
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : sbc.com

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
        Physical Address. . . . . . . . . : 00-0D-56-D8-2D-D8
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.86.150.60
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.86.150.1
        DNS Servers . . . . . . . . . . . : 10.86.149.16
                                            10.86.149.17
        Primary WINS Server . . . . . . . : 10.86.149.16
        Secondary WINS Server . . . . . . : 10.86.149.17

I do see that we used WINS on the second one, but I've been told WINS are not necessary.

I will get you the IPCONFIG /ALL on the server shortly.

Commented:
Is netbios over TCPIP enabled on either of those PC's?

Author

Commented:
I don't know what that means.  How can I tell?

Author

Commented:
Here's the IPCONFIG /ALL on the server

C:\>ipconfig /all

Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : sbc15016
        Primary Dns Suffix  . . . . . . . : sbc.com
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : sbc.com

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel 8255x-based PCI Ethernet Adapter (10/100)        
        Physical Address. . . . . . . . . : 00-B0-D0-AA-14-50
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.86.150.16
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.86.150.1
        DNS Servers . . . . . . . . . . . : 10.86.149.16
                                            10.86.149.17
        Primary WINS Server . . . . . . . : 10.86.149.16
        Secondary WINS Server . . . . . . : 10.86.149.17


Do you want event log errors from the server or the PC having problems?
Commented:
Yeah, I immediately noticed you have WINS server info for the working PC and not for the broken one.  While WINS itself is not needed for AD to work it may be using it for initial domain server lookup (although it should have next gone to DNS).

Turn on the NetBios traffic like Mazaraat said then enter the WINS server info into the problem PC since you're using static settings and see if it works now.
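
Added example, not part of the original thread: the comparison made above by eye (the working PC lists WINS servers, the broken one does not) can be automated by parsing both `ipconfig /all` listings and reporting only the settings that differ. The sample text is constructed from the listings posted earlier and trimmed; the function names and the `PER_HOST` ignore list are assumptions made for this illustration.

```python
# Constructed samples, trimmed from the ipconfig /all listings posted in the thread.
TEMPLATE = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : {host}
        Primary Dns Suffix  . . . . . . . : sbc.com

Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : {ip}
        Default Gateway . . . . . . . . . : 10.86.150.1
        DNS Servers . . . . . . . . . . . : 10.86.149.16
                                            10.86.149.17
{wins}"""
WINS = ("        Primary WINS Server . . . . . . . : 10.86.149.16\n"
        "        Secondary WINS Server . . . . . . : 10.86.149.17\n")
BROKEN = TEMPLATE.format(host="JC150065", ip="10.86.150.65", wins="")
WORKING = TEMPLATE.format(host="JC150060", ip="10.86.150.60", wins=WINS)

# Settings that legitimately differ between two hosts (assumed list).
PER_HOST = {"Host Name", "IP Address", "Physical Address"}


def parse_ipconfig(text):
    """Parse `ipconfig /all` text into {setting: [values]}, folding continuation lines."""
    settings, last = {}, None
    for line in text.splitlines():
        if not line.strip() or not line[0].isspace():
            last = None  # blank line or unindented header ("Ethernet adapter ...:")
            continue
        key, sep, value = line.partition(" :")
        if sep:  # "Setting . . . . : value" (value may be empty)
            last = key.strip(" .")
            settings[last] = [value.strip()] if value.strip() else []
        elif last:  # indented line without a key, e.g. the second DNS server
            settings[last].append(line.strip())
    return settings


def config_drift(suspect, baseline):
    """Return {setting: (suspect_values, baseline_values)} for settings that differ."""
    a, b = parse_ipconfig(suspect), parse_ipconfig(baseline)
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b))
            if k not in PER_HOST and a.get(k) != b.get(k)}


if __name__ == "__main__":
    for key, (bad, good) in config_drift(BROKEN, WORKING).items():
        print(f"{key}: suspect={bad} baseline={good}")
```

A value of `None` on the suspect side means the setting is absent there, which is how the missing WINS entries show up.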

Author

Commented:
The NetBIOS setting is default.

We originally had the PCs configured to the local server but changed it nearly a year ago because of other problems we were having.  Those issues have been fixed, though, so I can change the configuration back.

I have changed the member server to be configured as you have suggested, Mazaraat.

Commented:
Amazing how many problems a little DNS error can cause... Glad we could help. Have a good weekend!

Author

Commented:
Thanks, Mazaraat!  I think the problems have been fixed!  The PC is now not only getting the Group Policy, but it is not getting errors in the Event Log regarding DNS.  I really appreciate your patience and help!  I've learned a lot!
