Solved

Windows server 2008 r2, group policy issues

Posted on 2011-09-16
Last Modified: 2012-08-01
Back in July we had a problem where ‘Active Directory Domain Services was unable to establish a connection with the global catalog’.  That was thankfully resolved by a very helpful expert on Experts Exchange.

Link to previous problem.
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_27205595.html

But we are still having problems with our XP clients, whereby when the clients first boot up the client will say ‘preparing network connections’; this dialog may sit there anywhere from 20 secs to 4 minutes.  Then if you try to log on to the domain another dialog will come up and say ‘domain unavailable’.  But if you wait a few minutes you can log in, though we get these errors in the Event Viewer:

Event ID 1058 – Windows cannot access the file gpt.ini for GPO.
Event ID 1053 – Windows could not determine the user or the computer name (the specified domain either does not exist or could not be contacted).
Event ID 15 – Automatic enrolment for local system failed to contact the Active Directory. The specified domain does not exist or could not be contacted.
Event ID 1054 – Windows cannot obtain the domain controller name for your computer network.
Event ID 1054 – Windows cannot query for the list of Group Policy objects.

When a user does log in after these errors, we can run ‘gpupdate /force’ and that does seem to resolve the problem for the current user, but when a new user logs in we get the same issues.

Specs
Master - HP ProLiant ML330 G6, 8 GB RAM, 6 TB hard disks on RAID 5
Replicated AD - HP MicroServer, 4 GB RAM, 240 GB hard disk, no RAID

Any help on this would be a massive help.
Thank you
David
Question by: sidnuts

Expert Comment

by: Tony Massa
ID: 36553982
Have you had another DC removed from the domain recently?  It sounds like you have bad data in your directory, and DNS, and the client is trying to hit a DC that no longer exists.  You may want to check AD Sites and Services as well.

On the client, enable USERENV logging to get more info on what's happening.

If there is an old DC that was removed, you may need to perform a metadata cleanup.
http://technet.microsoft.com/en-us/library/cc736378(WS.10).asp

First, check DNS SRV records for inaccurate IPs of domain controllers as well as the domain "(Same as Parent)" records.
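The first check above (SRV records and "(same as parent)" A records that still carry the address of a DC that no longer exists) can be done against the DNS server's own data rather than by eye. The script below is an added example, not code from the expert or the original thread. It assumes PowerShell 2.0 on the Windows Server 2008 R2 DC that also hosts the ashgrove.int zone, a domain admin account, and that _msdcs.ashgrove.int is hosted on the same server (as its own zone or inside the domain zone). It deletes nothing; for each stale record it prints the dnscmd line to run once you have confirmed the target really is gone. One caveat: a DC that was removed without a clean demotion still has an NTDS Settings object, so it still shows up in the "live" list here; that is exactly the case the AD Sites and Services check and a metadata cleanup are for.

```powershell
# Added example; not code from the original thread. Compares the DC locator
# records in DNS with the DCs Active Directory knows about, on a 2008 R2 DC
# that hosts DNS (PowerShell 2.0, domain admin). Nothing is deleted.

$domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$zone    = $domain.Name.ToLower()                  # e.g. ashgrove.int
$liveDCs = @{}                                     # fqdn -> IP the locator uses
foreach ($dc in $domain.DomainControllers) {
    $liveDCs[$dc.Name.ToLower()] = $dc.IPAddress
}

Write-Host "Domain controllers according to AD (NTDS Settings objects):"
foreach ($name in $liveDCs.Keys) {
    Write-Host ("  {0,-30} {1}" -f $name, $liveDCs[$name])
}

# Every SRV record the local DNS server holds under the domain name, which
# covers the locator records under _msdcs and _tcp. OwnerName is the record
# name, PrimaryName its target host, ContainerName the zone it lives in.
$srvRecords = Get-WmiObject -Namespace root\MicrosoftDNS -Class MicrosoftDNS_SRVType |
    Where-Object { $_.OwnerName.ToLower().EndsWith($zone) }

$staleSrv = @()
foreach ($rr in $srvRecords) {
    $target = $rr.PrimaryName.TrimEnd('.').ToLower()
    if (-not $liveDCs.ContainsKey($target)) { $staleSrv += $rr }
}

# Apex A records ("(same as parent folder)") must point only at live DCs:
# a client that looks up the bare domain name gets one of these addresses.
$apexA  = Get-WmiObject -Namespace root\MicrosoftDNS -Class MicrosoftDNS_AType |
    Where-Object { $_.OwnerName.ToLower() -eq $zone }
$staleA = @($apexA | Where-Object { $liveDCs.Values -notcontains $_.IPAddress })

if ($staleSrv.Count -eq 0 -and $staleA.Count -eq 0) {
    Write-Host "No locator record points at a host that is not a current DC."
    return
}

Write-Host "`nStale records (review each, then run the printed dnscmd line):"
foreach ($rr in $staleSrv) {
    # Node name relative to its zone, e.g. _ldap._tcp.dc for
    # _ldap._tcp.dc._msdcs.ashgrove.int inside zone _msdcs.ashgrove.int
    $node = $rr.OwnerName.Substring(0, $rr.OwnerName.Length - $rr.ContainerName.Length - 1)
    $data = "{0} {1} {2} {3}" -f $rr.Priority, $rr.Weight, $rr.Port, $rr.PrimaryName
    Write-Host ("  SRV {0} -> {1}" -f $rr.OwnerName, $rr.PrimaryName)
    Write-Host ("      dnscmd /recorddelete {0} {1} SRV {2} /f" -f $rr.ContainerName, $node, $data)
}
foreach ($rr in $staleA) {
    Write-Host ("  A   {0} -> {1}" -f $rr.OwnerName, $rr.IPAddress)
    Write-Host ("      dnscmd /recorddelete {0} @ A {1} /f" -f $rr.ContainerName, $rr.IPAddress)
}
```

Run it from an elevated PowerShell prompt on the DC. Once the stale records are gone, `dcdiag /fix` (or `nltest /dsregdns`) re-registers the records for the DCs that remain; it never removes records for a DC that has disappeared, which is why the dead entries survive that step.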

Author Comment

by: sidnuts
ID: 36554419
Thank you for your response. I'm back at work Monday so will take a look at what you have said.  An Experts Exchange member helped me to make one of our servers the master; as you said, probably some bad data left over.

Again thanks, will report back
David

Author Comment

by: sidnuts
ID: 36566136
I've been taking a look at this metadata cleanup... getting a bit concerned that I might mess something up in Active Directory.

I tried to follow the link you posted, but it seems to be dead.  Do you think that this script supplied by Microsoft will resolve the bad data issue:

http://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3

Thanks
David

Expert Comment

by: Tony Massa
ID: 36566260
It does work for object cleanup... I've tried it once on a failed DC.  I'm not so sure as to DNS cleanup.  I always go into the _MSDCS sub-zone to make sure the records are gone.

You should also run repadmin /replsummary and DCDIAG /v (output to text) on your other DC to see if there are any references to it anywhere.
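The two commands suggested above, with their output sent to text files, plus a dump of the _MSDCS zone so all three can be searched in one go for the name of the DC that was removed. This is an added example, not the expert's own commands. It assumes PowerShell 2.0 on the 2008 R2 DC, the repadmin, dcdiag and dnscmd tools that ship with the AD DS and DNS roles, and that _msdcs.<forest> is hosted as its own zone on this server (the default since Windows Server 2003). OLDDC is a placeholder for the dead DC's short name; pass the real one.

```powershell
# Added example; not code from the original thread. Captures repadmin,
# dcdiag and the _msdcs zone to text files and searches them for a
# decommissioned DC. PowerShell 2.0, run elevated on the DC.

param(
    [string]$OldDC  = "OLDDC",                     # placeholder: name of the removed DC
    [string]$OutDir = (Join-Path $env:TEMP "addiag")
)
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Name
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# One file per tool, so the output can be attached to a ticket or diffed
# against a later run. "dcdiag /v" on its own skips the DNS test (the
# "Test omitted by user request: DNS" lines), so that test is run separately.
$jobs = @(
    @{ File = "replsummary.txt"; Cmd = "repadmin /replsummary" },
    @{ File = "showrepl.txt";    Cmd = "repadmin /showrepl * /verbose" },
    @{ File = "dcdiag.txt";      Cmd = "dcdiag /v /c" },
    @{ File = "dcdiag-dns.txt";  Cmd = "dcdiag /test:dns /v" },
    @{ File = "msdcs-zone.txt";  Cmd = "dnscmd /enumrecords _msdcs.$forest '@'" }
)
foreach ($j in $jobs) {
    $path = Join-Path $OutDir $j.File
    Write-Host ("Running {0,-42} -> {1}" -f $j.Cmd, $path)
    # 2>&1 keeps the tool's error text in the same file as its normal output.
    Invoke-Expression "$($j.Cmd) 2>&1" | Out-File -FilePath $path
}

# Any line in any of the files that still mentions the removed DC.
$hits = Get-ChildItem -Path $OutDir -Filter *.txt |
    Select-String -Pattern $OldDC -SimpleMatch
if ($hits) {
    Write-Host "`nReferences to $OldDC that still need cleaning up:"
    foreach ($h in $hits) {
        Write-Host ("  {0}:{1}: {2}" -f $h.Filename, $h.LineNumber, $h.Line.Trim())
    }
} else {
    Write-Host "`nNo reference to $OldDC in replication, dcdiag or _msdcs output."
}

# Replication health at a glance: every source DSA should show 0 / n in the
# fails/total column, as the repadmin output posted later in this thread does.
Get-Content (Join-Path $OutDir "replsummary.txt")
```

Hits in msdcs-zone.txt are the DNS records the comment above refers to; hits in showrepl.txt or dcdiag.txt mean the directory itself still references the old DC and metadata cleanup is needed as well.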

Author Comment

by: sidnuts
ID: 36566953
Thank you for all your help, I ran the command repadmin /replsummary, which results in the following:
Source DSA          largest delta    fails/total %%   error
 AGMICROSERVER1     36m:33s          0 /   5    0
 DAVE               32m:49s          0 /   5    0

I then ran the following to clear the DNS:

ipconfig /flushdns
ipconfig /registerdns
arp -d *
dcdiag /fix
net stop netlogon
net start netlogon
dcdiag /fix

Then I ran the command DCDIAG /v, which resulted in the following:


Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   * Verifying that the local machine DAVE, is a Directory Server.
   Home Server = DAVE
   * Connecting to directory service on server DAVE.
   * Identified AD Forest.
   Collecting AD specific global data
   * Collecting site info.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=ashgrove,DC=int,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
   The previous call succeeded
   Iterating through the sites
   Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ashgrove,DC=int
   Getting ISTG and options for the site
   * Identifying all servers.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=ashgrove,DC=int,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
   The previous call succeeded....
   The previous call succeeded
   Iterating through the list of servers
   Getting information for the server CN=NTDS Settings,CN=DAVE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ashgrove,DC=int
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=AGMICROSERVER1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ashgrove,DC=int
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   * Identifying all NC cross-refs.
   * Found 2 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\DAVE
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         Determining IP4 connectivity
         * Active Directory RPC Services Check
         ......................... DAVE passed test Connectivity
 
Doing primary tests
   
   Testing server: Default-First-Site-Name\DAVE
      Starting test: Advertising
         The DC DAVE is advertising itself as a DC and having a DS.
         The DC DAVE is advertising as an LDAP server
         The DC DAVE is advertising as having a writeable directory
         The DC DAVE is advertising as a Key Distribution Center
         The DC DAVE is advertising as a time server
         The DS DAVE is advertising as a GC.
         ......................... DAVE passed test Advertising
      Test omitted by user request: CheckSecurityError
      Test omitted by user request: CutoffServers
      Starting test: FrsEvent
         * The File Replication Service Event log test
         ......................... DAVE passed test FrsEvent
      Starting test: DFSREvent
         The DFS Replication Event Log.
         Skip the test because the server is running FRS.
         ......................... DAVE passed test DFSREvent
      Starting test: SysVolCheck
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... DAVE passed test SysVolCheck
      Starting test: KccEvent
         * The KCC Event log test
         Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
         ......................... DAVE passed test KccEvent
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=DAVE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ashgrove,DC=int
         Role Domain Owner = CN=NTDS Settings,CN=DAVE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ashgrove,DC=int
         Role PDC Owner = CN=NTDS Settings,CN=DAVE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ashgrove,DC=int
         Role Rid Owner = CN=NTDS Settings,CN=DAVE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ashgrove,DC=int
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=DAVE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ashgrove,DC=int
         ......................... DAVE passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         Checking machine account for DC DAVE on DC DAVE.
         * SPN found :LDAP/DAVE.ashgrove.int/ashgrove.int
         * SPN found :LDAP/DAVE.ashgrove.int
         * SPN found :LDAP/DAVE
         * SPN found :LDAP/DAVE.ashgrove.int/ASHGROVE
         * SPN found :LDAP/8008278a-aefc-4862-b511-6e9a0c2f4c73._msdcs.ashgrove.int
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/8008278a-aefc-4862-b511-6e9a0c2f4c73/ashgrove.int
         * SPN found :HOST/DAVE.ashgrove.int/ashgrove.int
         * SPN found :HOST/DAVE.ashgrove.int
         * SPN found :HOST/DAVE
         * SPN found :HOST/DAVE.ashgrove.int/ASHGROVE
         * SPN found :GC/DAVE.ashgrove.int/ashgrove.int
         ......................... DAVE passed test MachineAccount
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC DAVE.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=ashgrove,DC=int
            (NDNC,Version 3)
         * Security Permissions Check for
           DC=DomainDnsZones,DC=ashgrove,DC=int
            (NDNC,Version 3)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=ashgrove,DC=int
            (Schema,Version 3)
         * Security Permissions Check for
           CN=Configuration,DC=ashgrove,DC=int
            (Configuration,Version 3)
         * Security Permissions Check for
           DC=ashgrove,DC=int
            (Domain,Version 3)
         ......................... DAVE passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\DAVE\netlogon
         Verified share \\DAVE\sysvol
         ......................... DAVE passed test NetLogons
      Starting test: ObjectsReplicated
         DAVE is in domain DC=ashgrove,DC=int
         Checking for CN=DAVE,OU=Domain Controllers,DC=ashgrove,DC=int in domain DC=ashgrove,DC=int on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=DAVE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ashgrove,DC=int in domain CN=Configuration,DC=ashgrove,DC=int on 1 servers
            Object is up-to-date on all servers.
         ......................... DAVE passed test ObjectsReplicated
      Test omitted by user request: OutboundSecureChannels
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
            DC=ForestDnsZones,DC=ashgrove,DC=int
               Latency information for 3 entries in the vector were ignored.
                  3 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=DomainDnsZones,DC=ashgrove,DC=int
               Latency information for 3 entries in the vector were ignored.
                  3 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Schema,CN=Configuration,DC=ashgrove,DC=int
               Latency information for 3 entries in the vector were ignored.
                  3 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Configuration,DC=ashgrove,DC=int
               Latency information for 3 entries in the vector were ignored.
                  3 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=ashgrove,DC=int
               Latency information for 3 entries in the vector were ignored.
                  3 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
         * Replication Site Latency Check
         ......................... DAVE passed test Replications
      Starting test: RidManager
         * Available RID Pool for the Domain is 4107 to 1073741823
         * DAVE.ashgrove.int is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 3607 to 4106
         * rIDPreviousAllocationPool is 3607 to 4106
         * rIDNextRID: 3622
         ......................... DAVE passed test RidManager
      Starting test: Services
         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: NTDS
         * Checking Service: DnsCache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... DAVE passed test Services
      Starting test: SystemLog
         * The System Event log test
         An error event occurred.  EventID: 0xC00010DF
            Time Generated: 09/20/2011   13:29:32
            Event String:
            A duplicate name has been detected on the TCP network.  The IP address of the computer that sent the message is in the data. Use nbtstat -n in a command window to see which name is in the Conflict state.
         An error event occurred.  EventID: 0x40000004
            Time Generated: 09/20/2011   13:31:25
            Event String:
            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server ASHGROVEPC18$. The target name used was cifs/ASHGROVE_PPA1.ashgrove.int. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (ASHGROVE.INT) is different from the client domain (ASHGROVE.INT), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
         An error event occurred.  EventID: 0xC00010DF
            Time Generated: 09/20/2011   13:53:36
            Event String:
            A duplicate name has been detected on the TCP network.  The IP address of the computer that sent the message is in the data. Use nbtstat -n in a command window to see which name is in the Conflict state.
         An error event occurred.  EventID: 0x40000004
            Time Generated: 09/20/2011   13:56:34
            Event String:
            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server ASHGROVEPC1$. The target name used was cifs/ASHGROVEPC6.ashgrove.int. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (ASHGROVE.INT) is different from the client domain (ASHGROVE.INT), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
         An error event occurred.  EventID: 0xC00010DF
            Time Generated: 09/20/2011   14:10:09
            Event String:
            A duplicate name has been detected on the TCP network.  The IP address of the computer that sent the message is in the data. Use nbtstat -n in a command window to see which name is in the Conflict state.
         A warning event occurred.  EventID: 0x800007DC
            Time Generated: 09/20/2011   14:13:07
            Event String:
            While transmitting or receiving data, the server encountered a network error. Occassional errors are expected, but large amounts of these indicate a possible error in your network configuration.  The error status code is contained within the returned data (formatted as Words) and may point you towards the problem.
         An error event occurred.  EventID: 0xC00010DF
            Time Generated: 09/20/2011   14:17:34
            Event String:
            A duplicate name has been detected on the TCP network.  The IP address of the computer that sent the message is in the data. Use nbtstat -n in a command window to see which name is in the Conflict state.
         An error event occurred.  EventID: 0x40000004
            Time Generated: 09/20/2011   14:22:45
            Event String:
            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server ASHGROVEPC5$. The target name used was cifs/RECEPTIONPC.ashgrove.int. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (ASHGROVE.INT) is different from the client domain (ASHGROVE.INT), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
         A warning event occurred.  EventID: 0x800007DC
            Time Generated: 09/20/2011   14:23:33
            Event String:
            While transmitting or receiving data, the server encountered a network error. Occassional errors are expected, but large amounts of these indicate a possible error in your network configuration.  The error status code is contained within the returned data (formatted as Words) and may point you towards the problem.
         ......................... DAVE failed test SystemLog
      Test omitted by user request: Topology
      Test omitted by user request: VerifyEnterpriseReferences
      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=DAVE,OU=Domain Controllers,DC=ashgrove,DC=int and backlink on
         CN=DAVE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ashgrove,DC=int
         are correct.
         The system object reference (serverReferenceBL)
         CN=DAVE,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=ashgrove,DC=int
         and backlink on
         CN=NTDS Settings,CN=DAVE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ashgrove,DC=int
         are correct.
         The system object reference (frsComputerReferenceBL)
         CN=DAVE,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=ashgrove,DC=int
         and backlink on CN=DAVE,OU=Domain Controllers,DC=ashgrove,DC=int are
         correct.
         ......................... DAVE passed test VerifyReferences
      Test omitted by user request: VerifyReplicas
   
      Test omitted by user request: DNS
      Test omitted by user request: DNS
   
   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation
   
   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation
   
   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
   
   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
   
   Running partition tests on : ashgrove
      Starting test: CheckSDRefDom
         ......................... ashgrove passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ashgrove passed test CrossRefValidation
   
   Running enterprise tests on : ashgrove.int
      Test omitted by user request: DNS
      Test omitted by user request: DNS
      Starting test: LocatorCheck
         GC Name: \\DAVE.ashgrove.int
         Locator Flags: 0xe00033fd
         PDC Name: \\DAVE.ashgrove.int
         Locator Flags: 0xe00033fd
         Time Server Name: \\DAVE.ashgrove.int
         Locator Flags: 0xe00033fd
         Preferred Time Server Name: \\DAVE.ashgrove.int
         Locator Flags: 0xe00033fd
         KDC Name: \\DAVE.ashgrove.int
         Locator Flags: 0xe00033fd
         ......................... ashgrove.int passed test LocatorCheck
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope
         provided by the command line arguments provided.
         ......................... ashgrove.int passed test Intersite



Not sure if the above log can shed any light on our problem.

Thanks again
David
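The SystemLog failure in the dcdiag output above is the one part that is not clean, and it repeats two errors worth reading closely. 0xC00010DF is NetBT event 4319 (a duplicate NetBIOS name on the network), and 0x40000004 is Kerberos event 4, KRB_AP_ERR_MODIFIED. The event's own text explains the mechanism: the client presented a ticket for cifs/ASHGROVE_PPA1.ashgrove.int, but the machine that answered was ASHGROVEPC18$, which has no key for it. On a network with stale DNS the usual cause is that the name resolves to an address now owned by another machine (a stale A record or a duplicate IP); the other cause is a machine whose account password has drifted from what the KDC holds, which is what deleting and rejoining the computer account repairs. The script below is an added example, not code from the thread. It assumes PowerShell 2.0 on the 2008 R2 DC, an account that can read AD and query DNS, and the English event wording shown above; the three sample messages are copied from the output above so the parser can be exercised without reading the event log.

```powershell
# Added example; not code from the original thread. Parses Kerberos
# KRB_AP_ERR_MODIFIED events (Microsoft-Windows-Security-Kerberos, event ID 4,
# System log) and checks whether the requested name points at the wrong
# machine or whether the SPN is held by more than one account.

$pattern = 'from the server (?<acct>[^\s$]+)\$\. The target name used was (?<spn>\S+?)\. This'

function Parse-KrbModified([string]$Message) {
    # Responding machine account and the SPN the client asked for, or nothing.
    if ($Message -match $pattern) {
        New-Object PSObject -Property @{
            Responder  = $matches['acct']                 # ASHGROVEPC18
            Spn        = $matches['spn']                  # cifs/ASHGROVE_PPA1.ashgrove.int
            TargetFqdn = ($matches['spn'] -split '/')[1]  # ASHGROVE_PPA1.ashgrove.int
        }
    }
}

function Get-SpnOwners([string]$Spn) {
    # Accounts carrying the SPN. cifs/ is served by the HOST/ SPN, so both
    # forms are searched; more than one owner means a duplicate SPN.
    $fqdn   = ($Spn -split '/')[1]
    $filter = "(|(servicePrincipalName=$Spn)(servicePrincipalName=HOST/$fqdn))"
    $ds = New-Object System.DirectoryServices.DirectorySearcher($filter)
    [void]$ds.PropertiesToLoad.Add('sAMAccountName')
    foreach ($r in $ds.FindAll()) { $r.Properties['samaccountname'][0] }
}

function Get-DnsHostName([string]$SamAccountName) {
    $ds = New-Object System.DirectoryServices.DirectorySearcher("(sAMAccountName=$SamAccountName)")
    [void]$ds.PropertiesToLoad.Add('dNSHostName')
    $r = $ds.FindOne()
    if ($r -and $r.Properties['dnshostname'].Count -gt 0) { $r.Properties['dnshostname'][0] }
}

function Resolve-Addresses([string]$Name) {
    try   { [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString } }
    catch { @() }
}

function Diagnose-KrbModified($Ev) {
    $owners    = @(Get-SpnOwners $Ev.Spn)
    $targetIps = @(Resolve-Addresses $Ev.TargetFqdn)
    $respFqdn  = Get-DnsHostName ($Ev.Responder + '$')
    $respIps   = @()
    if ($respFqdn) { $respIps = @(Resolve-Addresses $respFqdn) }
    $shared    = @($targetIps | Where-Object { $respIps -contains $_ })

    if ($owners.Count -ne 1) {
        $why = "SPN held by $($owners.Count) accounts ($($owners -join ', ')): duplicate SPN, compare with setspn -X"
    } elseif ($shared.Count -gt 0) {
        $why = "$($Ev.TargetFqdn) resolves to $($shared -join ', '), the address of $respFqdn" + ": stale A record or duplicate IP"
    } else {
        $why = "name and SPN agree; $($Ev.Responder) probably has a stale machine password (reset the secure channel or rejoin)"
    }
    "{0,-16} {1,-38} {2}" -f $Ev.Responder, $Ev.Spn, $why
}

# Sample messages copied from the dcdiag output above (constructed input so
# the parser runs without touching the event log).
$samples = @(
    'The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server ASHGROVEPC18$. The target name used was cifs/ASHGROVE_PPA1.ashgrove.int. This indicates that the target server failed to decrypt the ticket provided by the client.',
    'The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server ASHGROVEPC1$. The target name used was cifs/ASHGROVEPC6.ashgrove.int. This indicates that the target server failed to decrypt the ticket provided by the client.',
    'The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server ASHGROVEPC5$. The target name used was cifs/RECEPTIONPC.ashgrove.int. This indicates that the target server failed to decrypt the ticket provided by the client.'
)
"Parsed from the embedded sample messages:"
$samples | ForEach-Object { Parse-KrbModified $_ } | Format-Table Responder, Spn, TargetFqdn -AutoSize

# Live run against this DC's System log, one diagnosis per distinct SPN.
$live = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos'; Id = 4 } `
            -MaxEvents 50 -ErrorAction SilentlyContinue
$seen = @{}
foreach ($e in @($live)) {
    $ev = Parse-KrbModified $e.Message
    if ($ev -and -not $seen.ContainsKey($ev.Spn)) {
        $seen[$ev.Spn] = $true
        Diagnose-KrbModified $ev
    }
}

# The 0xC00010DF entries are NetBT event 4319; the local name that lost the
# NetBIOS name conflict is flagged here, as the event text suggests.
nbtstat -n | Select-String -Pattern 'Conflict'
```

A "stale A record or duplicate IP" verdict points back at DNS (scavenging or a hand-deleted record); a "stale machine password" verdict is the case the accepted answer below fixes by removing the computer account and rejoining the client.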

Accepted Solution

by: sidnuts
ID: 36929944
Got this one sorted now: deleted the computer account from the domain, then from the client I added them to a workgroup, then rejoined them after a reboot.

Author Closing Comment

by: sidnuts
ID: 36954239
Sorted myself