mms_master asked:

Network and/or group policy problem

Hi,

We have just replaced 17 old PCs with brand new ones. For some reason about 6 (so far) of them randomly seem to only pick up some of their policies. Here are some of the things we've noticed:

1) Their home directories are not mapped
2) Additional mappings set via a logon script are not mapped
3) They are able to right click the desktop and shouldn't be
4) Their wallpaper doesn't get replaced with ours
5) Their Internet proxy settings are missing (so they are unable to use the internet)
6) Symantec Endpoint's icon shows that it is offline (i.e. cannot communicate with our Antivirus Server)

However, they are not able to browse the C drive; they are told that it's restricted... So something is being picked up...
We are also able to ping our domain controllers when this happens.

If we remove the computer from our domain and then add it again, it solves the problem. But only for a while.

We are running Windows Server 2003 on all of our servers and Windows XP Pro SP3 on all of our clients.

The event log from one of the computers has the following errors/warnings:

=================================================
Event: 1054

Windows cannot obtain the domain controller name for your computer network. (A socket operation was attempted to an unreachable host. ). Group Policy processing aborted.

Event: 4356

The COM+ Event System failed to create an instance of the subscriber partition:{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}!new:{6295DF2D-35EE-11D1-8707-00C04FD93327}.  CoGetObject returned HRESULT 8000401A.

Event: 15

Automatic certificate enrollment for local system failed to contact the active directory (0x8007003a).  The specified server cannot perform the requested operation.
  Enrollment will not be performed.

Event: 1006

Windows cannot bind to stanwell.internal domain. (Local Error). Group Policy processing aborted.

Event: 1000

Could not execute the following script Mapping.bat. The system cannot find the file specified.

Event: 1030

Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.

Event: 1053

Windows cannot determine the user or computer name. (Not enough storage is available to complete this operation. ). Group Policy processing aborted.

Event: 1053

Windows cannot determine the user or computer name. (The RPC server is unavailable. ). Group Policy processing aborted.

=================================================

Thanks in advance,
mms_master

SOLUTION (Alan OBrien): This solution is only available to members.

mms_master (ASKER):

Hi,

We are joining the PCs to the domain by going to System Properties > Change Name > Change, selecting domain and then entering our domain name (stanwell.internal). I have manually set the IP etc. of the client PCs. The IP I've entered for the Preferred DNS is our primary domain controller and the Alternate DNS is pointing to our second DNS server.

We have 500-600 PCs on the network, all of which have been joined to the domain in the same method (except that some pick up their DNS settings via DHCP). None of these are getting the same problem. It only seems to be happening on 6 of our new ones.

Thanks,
mms_master

SOLUTION: This solution is only available to members.

SOLUTION: This solution is only available to members.

@DCMBS

I tried to telnet one of our DCs on a machine with the problem and couldn't connect. Tried from the machine next to it and I could. I then removed Symantec Endpoint, restarted the machine and tried using telnet and the Internet. All appeared well for the first 2 minutes. Then some elements (e.g. images) were not being displayed. Refreshing the page loaded those elements, but sometimes broke others. Then all of a sudden the internet stopped working. When this happened I tried to telnet again and was unable to connect.

So it doesn't appear to be Symantec Endpoint. (Our Windows Firewall is also turned off)

@MariusSunchaser
I've checked one of the computers and it's connecting to stanweb3 (our 3rd server). There is an older PC on the other side of the room which has been working for about a year with no problems. I've checked the log on that PC also and it is connecting to stanweb3 as well.

If by changing the DC it connects to you mean change the preferred DNS on the IP settings; it is currently set to stanweb's IP and the alternate is set to stanweb2, but it's connecting to stanweb3...

This really smacks of a Symantec issue.  Symantec doesn't always remove cleanly.  There is a removal tool here that may remove it cleanly.

http://www.symantec.com/connect/forums/sep11-32-bit-removal-utility

Try removing SEP completely and see if the issue still occurs.

There is also a utility called Cleanwipe for removing SEP but you must log a call with Symantec support to get it.  They will not make it publicly available.

Not saying that SEP isn't causing the problem, but we have it installed all over the network (on at least 300 machines) and we are only having this problem in the one room. Would you think that rules it out or not?

We've also thought about switch and network socket problems etc, but the old machines didn't have this problem so I can't see how that could be the problem. I'm confused now, can't think of anything that's different on these machines which could be causing the problem.

We also took one machine and reinstalled the drivers for the network card and that didn't solve the problem.

It now appears to be the whole room which is having the problem (except for the one older machine) not just 6.

If I read your comments right you seem to be saying that the machine works OK when first joined to the domain but after a while the problem manifests.  When the problem manifests you are able to ping the DC so network connectivity seems to be OK. However you are not able to connect to the preferred DNS server on port 53.  The symptoms you describe are caused by this inability to connect to the preferred DNS server.  So something is blocking connectivity on port 53.  I would strongly suspect Symantec Endpoint here.  It seems to be something on the workstations as other machines continue to be able to connect.  Could it be an issue with SEP and the NIC drivers on this particular type of machine?
Also, what make are the PCs and what are the NICs?  I have heard that Broadcom NICs can cause similar issues.  If the NICs are Broadcoms, can you try another make?

Not sure what make the NICs are. However we have tried another PC in the same physical room and OU and it works fine. We have now been told that it's happening in another new room. It only appears to be happening on Dell Optiplex 760. All of our Optiplex 740s work fine.

I'm going to ring Dell in the morning. I will update you as soon as I know more.

Thanks,

mms_master

Dell use Broadcom mostly so it could be the Broadcom NICs.

Dell have asked us to create a fresh build, installing drivers in the order they have emailed to me. (Which we did initially with these computers after having a problem with some UDF reader software) So I can't see this resolving anything, but we have to humour them to get anywhere.

However whilst doing this we have decided to create 2 fresh builds, install nothing at all on the one (except windows updates and drivers) and only SEP on the other. We will then put them both in the same OU as the existing computers, plug them in with the same cables and sockets etc and see what happens. After this we will call Dell again with the results.

We are also going to take a PCI NIC from another PC and install it on one of the broken machines (with the original image) to see if that makes a difference.

Thanks,
mms_master

Also forgot to mention, I ran the replmon.exe UI on our preferred DC, added all of our DCs and then went to Action > Domain > Search Domain Controllers for Replication Errors, and ran a search on the domain stanwell.internal. This search returned no errors.

ASKER CERTIFIED SOLUTION: This solution is only available to members.

Thanks for the points.  I would be intrigued to know if Dell's client manager would have this issue if Symantec wasn't installed.

No problem. If you mean Symantec Endpoint then it made no difference. If you mean Symantec/Altiris Notification Server, the Dell Client Manager is an add-on to that software, so it's not possible.

mms_master
Thanks