[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 537
  • Last Modified:

Scripts not running over WAN when logging into domain

We have a new branch office and am having some difficulties with policies when logging into the domain.
When the PC logs in, drive mapping are fine.
Computer Policies do not seem to apply
I can PING the domain controller ok.
When I run a gpudate, everything seems fine:
    User Policy Refresh has completed.
    Computer Policy Refresh has completed.

However,
In the event logger are several of the following:
ID: 1054, Source: Userenv
Windows cannot obtain the domain controller name for your computer network. (An unexpected network error occurred. ). Group Policy processing aborted.

Any ideas on what could be causing these issues?

Thanks,

E.D.
0
edalzell
Asked:
edalzell
1 Solution
 
mgonulluCommented:
The problem is the delay and gap that happens, when the user enter the password, it try to contact the Domain controller, for a network gap problem the machine ends up by loging locally to the machine and some policies will not be applied and in addition some error messages could be seen.
0
 
SysExpertCommented:
It could also mean that DNS is slow, or similar issues, since the DC can not be contacted.

Is the WAN slow or congested ?


I hope this helps !
0
 
edalzellAuthor Commented:
Just did a few more quick tests:

1. Login scrips do run (login.bat) and network drives connect propely
2. While pinging DC, there is no packet loss - 20ms avg. return
3. I can resolve DC hostname, no problem.

I'm assuming it's a port that's being blocked, etc.
I understand you need to following in order to run AD...
53/udp - DNS
88/udp - Kerberos
135/tcp - RPC Endpoint Mapper (DC replication)
369/udp - LDAP
3268/udp - GC

Is there a DCDIAG util or something similar that will assist me with troubleshooting?

Thanks!

E.D.
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
mgonulluCommented:
See this Microsoft solution:

http://support.microsoft.com/kb/304970
0
 
edalzellAuthor Commented:
mgonullu, thanks for the suggestion.
I already have this enabled..... :-)
0
 
edalzellAuthor Commented:
FYI... after running a netdiag, here's what I get.

C:\Program Files\Support Tools>netdiag /fix

Netcard queries test . . . . . . . : Passed

Per interface results:

    Adapter : Local Area Connection

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : hostname
        IP Address . . . . . . . . : 192.168.13.125
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 192.168.13.1
        Primary WINS Server. . . . : 192.168.0.225
        Dns Servers. . . . . . . . : 192.168.0.225
        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenge
r Service', <20> 'WINS' names is missing.

        WINS service test. . . . . : Passed
Global results:
Domain membership test . . . . . . : Passed
NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{609FA2F1-BA42-4BBA-8F2C-9207CE166057}
    1 NetBt transport currently configured.
Autonet address test . . . . . . . : Passed
IP loopback ping test. . . . . . . : Passed
Default gateway test . . . . . . . : Passed
NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Servi
ce', <03> 'Messenger Service', <20> 'WINS' names defined.

Winsock test . . . . . . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Passed
Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{609FA2F1-BA42-4BBA-8F2C-9207CE166057}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{609FA2F1-BA42-4BBA-8F2C-9207CE166057}
    The browser is bound to 1 NetBt transport.
DC discovery test. . . . . . . . . : Passed
DC list test . . . . . . . . . . . : Passed
Trust relationship test. . . . . . : Passed
    Secure channel for domain 'KAWARTHACU' is to '\\controller.domain.com'.
Kerberos test. . . . . . . . . . . : Passed
LDAP test. . . . . . . . . . . . . : Passed
Bindings test. . . . . . . . . . . : Passed
WAN configuration test . . . . . . : Skipped
    No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Passed
    Service status  is: Started
    Service startup is: Automatic
    IPSec service is available, but no policy is assigned or active
    Note: run "ipseccmd /?" for more detailed information


The command completed successfully

Thanks!
0
 
DeVryWindowsCommented:
I may be worth looking to Slow Link Detection for Group Policy processing

http://technet.microsoft.com/en-us/library/cc781031.aspx
0
 
edalzellAuthor Commented:
0

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now