Solved

Group Policies processing not happening.

Posted on 2006-11-29
Last Modified: 2011-10-03
I'm getting an error logged in the Event Viewer, tagged "userenv", and the body is as follows:

" Windows cannot obtain the domain controller name for your computer network. (An unexpected network error occurred. ). Group Policy processing aborted. "

Now, the computer *is* the domain controller (it's actually a stand-alone SBS2003 server) and nothing else is having any trouble at all understanding that it is the DC, or having trouble *finding* a DC. e.g. I can log in, I can add and change user account data, I can add computers to the domain etc.

So why does the GP processing thingy decide that it can't see the DC? If I drill down into the policy config with the policy editor, it lists the server as a Domain controller and has no trouble retrieving current GP settings to show me, or letting me edit them.

I thought this was happening at times when the disk was too busy to respond in timely fashion - we've uprated the hardware and moved busy files off the system disk so this no longer occurs, but we still get the error.

Question by:ccomley
20 Comments
 
LVL 38

Expert Comment

by:Shift-3
Is the DC pointed to itself for DNS?

Netdiag may give some clues to the cause of the problem.  It's located under Support\Tools on the 2003 CD.
 
LVL 16

Author Comment

by:ccomley
Yes yes - SBS2003 and only one server so it is everything - DNS server, DHCP server, AD controller, GC, etc., etc., as well as Exchange Server.  And *everything* else is working.

I'll dig out netdiag and see what it can see.
 
LVL 6

Expert Comment

by:d50041
Sometimes this error is cosmetic. This happens when the server is rebooted and all services take time to come up, especially when a number of services as you have listed are on the server. This is a known problem with Server 2003.

The real question then is: are the GPO's being applied?

If your GPO's are being applied then the error is a timing issue and cosmetic. If GPO's are NOT being applied then we need to find out which ones, assuming you did not modify the default domain policy or the default domain controller policy.
 
LVL 10

Expert Comment

by:SeanUK777
Sounds like a DNS issue..

Since it's SBS, try adding an entry in the hosts file on the server..

C:\%systemfolder%\system32\drivers\etc\hosts

Add IP address and host name..

See if that clears up the problem..
 
LVL 16

Author Comment

by:ccomley
D50041 - no, I don't think it's cosmetic. The server is not rebooted very often, and the error is logged way more often than the server is rebooted.

It's not easy to tell if a GPO is being applied - but a recently added workstation is not allowing me to TS into it and according to GPO it should do. So I'm guessing not.

I haven't modified any policies relating to DCs or the domain itself. I've only added a couple of standard options, to affect "client computers", specifically the one which forces the client computer to permit terminal service access, so we can properly manage workstations centrally. I may have added a couple of other items, I'd have to go through the tree to find out for sure. None of these changes are recent, unlike the appearance of this error in the log file.

SeanUK777 - what, you mean add a HOSTS entry for the server itself?
 
LVL 16

Author Comment

by:ccomley
Crap - I hate entering this sort of stuff via a web interface. I now have to re-type this.

Ah - I won't bother. In a nutshell, I was also seeing an Event Log entry which said "can't read gpt.ini". But it gave a fully qualified path for gpt.ini which started not \\server1 but \\domain-name.

This led me to wonder how \\domain-name was resolved to a \\machine-name, I went rummaging in the DNS, and found that in the forward lookup for our internal domain, as well as

in   A   10.10.3.1 (IP addr of server1)

there was

in  A  169.254.cr.ap

Now, I have no idea when that was generated, but it's clearly wrong. And it was ABOVE the real entry, so presumably took precedence. I have now eliminated it, and descended the tree for the local domain and cleared out a couple of similar entries.

Now I just have to wait until the next GPO attempt and see what happens. Is there any way to "trigger" a GPO update? It's a bit like an exchange server log-purge, you don't seem to be in control, you have to wait until some magic time and it starts itself...
 
LVL 6

Expert Comment

by:d50041
Entering the IP of the server is recommended by many admins. HOSTS file:

C:\WINDOWS\system32\drivers\etc\hosts

Edit with Notepad, add a line for the server as shown in the example. As an aside, you can use this to keep staff or kids at home from accessing certain web sites, such as myspace, just use a 127.0.0.1 IP and the host name. Host file entries supersede other sources of IP address resolution. This is a good suggestion and easy to implement. Do this on the server with its own IP address and name.

Also make a test GPO, some simple workstation mod, and test it on a particular user.
 
LVL 38

Expert Comment

by:Shift-3
You can trigger a group policy update with the command gpupdate /force

Did the "can't read gpt.ini" error list a path with a GUID in it?  If so, see if this corresponds to any of the group policy folders under SYSVOL.  One of them may be corrupt.
 
LVL 16

Author Comment

by:ccomley
Hmm.

My above tweak has fixed the "can't open GPT.ini" error.

But now I'm getting even MORE of the

Windows cannot obtain the domain controller name for your computer network. (An unexpected network error occurred. ). Group Policy processing aborted.

errors. NOTE that it doesn't say it can't find the server, it says it can't obtain the server name. So it won't be a hosts file thing.
 
LVL 16

Author Comment

by:ccomley
Hmm. If I drill into the GPO tree, and within Forest I click on Domains, it lists MyDomain.com with a current domain controller of Server1. What more can it possibly need?

 
LVL 10

Expert Comment

by:SeanUK777
yes, on the Server itself..
 
LVL 16

Author Comment

by:ccomley
Hosts file entry is to no avail.

The error doesn't say it can't find the domain controller. The error says it can't OBTAIN THE DOMAIN CONTROLLER NAME.
 
LVL 10

Expert Comment

by:SeanUK777
run ipconfig /flushdns

then

ipconfig /registerdns

try again..
 
LVL 16

Author Comment

by:ccomley
No joy.

I'd think it was not a case of failing to find the DNS server so much as failing to get the anticipated result. But all the SRV records *appear* to be in place, by comparison with another perfectly working server which is all on the same SPs etc. And, don't forget, everything *else* is working - users can log in locally or from workstations, workstations can be joined to the domain, you can search for printers in the AD, etc., etc. so I assume anything *else* which looks for a DC, finds one. (and there is only one).
 
LVL 10

Expert Comment

by:SeanUK777
 
LVL 16

Author Comment

by:ccomley
Hmm. Doesn't appear relevant.

This server has only one lan card active, which has correct gateway and DNS settings. (Gateway points at the firewall, DNS points at the server itself, using the 10.10.3.1 address NOT loopback). These all *work*. It's *only* the GPO processing widget which says it can't get the DC name. And I'm sure it *can* reach the DNS (coz the earlier problem stopping that caused different errors).

Is there a guide anywhere to what the assorted "extra" records that AD system puts in the DNS should be?

Is there a tool which can probe the MS DNS and check it can see what it ought to? Is there a tool to probe the GPO infrastructure and deem it consistent?
 
LVL 16

Author Comment

by:ccomley
Oh fun. Woke up this morning to find that Everything Else on the server had now decided it could not find the GC. So I figured, a reboot can't hurt. Maybe despite flushing the cache, etc., something was persisting which a reboot would clear.

And after the reboot, 99% of things are back to normal. People can log in, DHCP/DNS updates are happening, ES is working once more, etc. etc...

BUT

After half an hour during which time I convinced myself it had also solved the underlying problem, the *original* error message is back.

Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=1927london,DC=com. The file must be present at the location <\\1927london.com\sysvol\1927london.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied. ). Group Policy processing aborted.

I've checked. The second lan card is still disabled, the rogue DNS domain level "IN A" records have not re-appeared.

This is getting silly.

Can anyone confirm what the permissions on the "sysvol" share and on the folders within it should be? Not that I can imagine when these may have been changed...

 
LVL 16

Author Comment

by:ccomley
OK, looks like there's two problems involved here.

1) The invalid GC server entry in the DNS stack, put there because SBS2003 assigned an address to the second (un-connected but enabled) LAN adapter in the server.

I can't give anyone points for this cos no-one noticed it.

2) The remaining errors are *actually* faults being reported by workstations unable to complete their GP execution, they're not really faults on the server at all. Looks like a problem with Gigabit ethernet cards timing out too quickly.

I can't give anyone points for this either coz no-one's offered it as a solution.

So unless anyone has something new to contribute I consider this topic closed - I'll leave it for the clean-up to suggest how best to actually close it out.
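
The two DNS checks this thread converges on (link-local 169.254.x.x addresses registered under the domain name, and the DC locator SRV records), as an added PowerShell example that is not part of the original thread. It assumes a single-domain forest and a current Windows machine with `Resolve-DnsName` and `Get-NetIPAddress`; the domain name and 10.10.3.1 are the values quoted in the posts above.

```powershell
# Added example, not from the thread. Assumes a Windows host that has the DnsClient and
# NetTCPIP modules (Resolve-DnsName, Get-NetIPAddress); SBS 2003 itself predates both.
param(
    [string]$Domain    = '1927london.com',  # domain name quoted in the thread
    [string]$DnsServer = '10.10.3.1'        # server1's address quoted in the thread
)

function Test-Apipa([string]$Ip) { $Ip -like '169.254.*' }

function Get-ARecord([string]$Name) {
    # Returns the IPv4 addresses the DNS server hands out for $Name (empty if none).
    Resolve-DnsName -Name $Name -Type A -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }
}

$findings = @()
$hostsToCheck = @($Domain, "gc._msdcs.$Domain")   # names clients resolve for SYSVOL and the GC

# DC locator SRV records registered by Netlogon (single-domain forest assumed).
$srvNames = "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain",
            "_ldap._tcp.pdc._msdcs.$Domain", "_ldap._tcp.gc._msdcs.$Domain"
foreach ($srv in $srvNames) {
    $targets = Resolve-DnsName -Name $srv -Type SRV -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget }
    if ($targets) { $hostsToCheck += $targets } else { $findings += "Missing SRV record: $srv" }
}

# Every name above must resolve, and never to a link-local (APIPA) address.
foreach ($name in ($hostsToCheck | Sort-Object -Unique)) {
    $ips = @(Get-ARecord $name)
    if ($ips.Count -eq 0) { $findings += "No A record: $name" }
    foreach ($ip in $ips) {
        if (Test-Apipa $ip) { $findings += "APIPA A record: $name -> $ip" }
    }
}

# When run on the DC itself: adapters holding an APIPA address are the likely source.
Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Where-Object { Test-Apipa $_.IPAddress } |
    ForEach-Object { $findings += "Adapter '$($_.InterfaceAlias)' has $($_.IPAddress)" }

if ($findings) { $findings; exit 1 } else { "DNS records for $Domain look consistent"; exit 0 }
```

A non-zero exit code makes the script usable from a scheduled task, so a re-registered link-local record is reported when it reappears.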

 
LVL 1

Accepted Solution

by:
DarthMod earned 0 total points
PAQed with points refunded (500)

DarthMod
Community Support Moderator