Solved

Windows server 2008 r2, group policy issues

Posted on 2011-09-16
1,081 Views
Last Modified: 2012-08-01
Back in July we had a problem where ‘Active Directory Domain Services was unable to establish a connection with the global catalog’. That was thankfully resolved by a very helpful expert on Experts Exchange.

Link to previous problem.
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_27205595.html

But we are still having problems with our XP clients, whereby when the clients first boot up the client will say ‘preparing network connections’; this dialog may sit there anywhere from 20 secs to 4 minutes. Then if you try to log on to the domain another dialog will come up and say ‘domain unavailable’. But if you wait a few minutes you can log in, but we get these errors from the event viewer:

Event ID 1058 – Windows cannot access the file gpt.ini for GPO
Event ID 1053 – Windows could not determine the user or the computer name (the specified domain either does not exist or could not be contacted).
Event ID 15 – Automatic enrolment for local system failed to contact the Active Directory. The specified domain does not exist or could not be contacted.
Event ID 1054 – Windows cannot obtain the domain controller name for your computer network.
Event ID 1054 – Windows cannot query for the list of Group Policy objects.

When a user does log in after these errors, we can run ‘gpupdate /force’ and that does seem to resolve the problem for the current user, but when a new user logs in the same issues occur.

Specs
Master - HP Proliant ML330g6, 8gb RAM, 6TB hard disks on RAID5
Replicated AD: HP Microserver, 4gb RAM, 240gb hard disk, no raid

Any help on this would be a massive help.
Thank you
David
Question by:sidnuts
7 Comments
 
LVL 17

Expert Comment

by:Tony Massa
ID: 36553982
Have you had another DC removed from the domain recently? It sounds like you have bad data in your directory and DNS, and the client is trying to hit a DC that no longer exists. You may want to check AD Sites and Services as well.

On the client, enable USERENV logging to get more info on what's happening.

If there is an old DC that was removed, you may need to perform a metadata cleanup.
http://technet.microsoft.com/en-us/library/cc736378(WS.10).asp

First, check DNS SRV records for inaccurate IPs of domain controllers as well as the domain "(Same as Parent)" records.
0
 

Author Comment

by:sidnuts
ID: 36554419
Thank you for your response, I'm back in work Monday so will take a look at what you have said. An Experts Exchange member helped me to make 1 of our servers the master, as you said probably some bad data left over.

Again thanks, will report back
David
0
 

Author Comment

by:sidnuts
ID: 36566136
Been taking a look at this metadata cleanup... getting a bit concerned that I might mess something up on Active Directory.

Tried to follow the link you posted, but it seems to be dead. Do you think that this script supplied by Microsoft will resolve the bad data issue:

http://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3

Thanks
David
0
 
LVL 17

Expert Comment

by:Tony Massa
ID: 36566260
It does work for object cleanup... I've tried it once on a failed DC. I'm not so sure as to DNS cleanup. I always go into the _MSDCS sub-zone to make sure the records are gone.

You should also run repadmin /replsummary and DCDIAG /v (output to text) on your other DC to see if there are any references to it anywhere.
0
 

Author Comment

by:sidnuts
ID: 36566953
Thank you for all your help, I ran the command repadmin /replsummary, which results in the following:

Source DSA        largest delta    fails/total %%   error
 AGMICROSERVER1   36m:33s           0 /   5    0
 DAVE             32m:49s           0 /   5    0

I then ran the following to clear the DNS:

ipconfig /flushdns
ipconfig /registerdns
arp -d *
dcdiag /fix
net stop netlogon
net start netlogon
dcdiag /fix

Then I ran the command DCDIAG /v, which resulted in the following:


Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   * Verifying that the local machine DAVE, is a Directory Server.
   Home Server = DAVE
   * Connecting to directory service on server DAVE.
   * Identified AD Forest.
   Collecting AD specific global data
   * Collecting site info.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=ashgrove,DC=int,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
   The previous call succeeded
   Iterating through the sites
   Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ashgrove,DC=int
   Getting ISTG and options for the site
   * Identifying all servers.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=ashgrove,DC=int,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
   The previous call succeeded....
   The previous call succeeded
   Iterating through the list of servers
   Getting information for the server CN=NTDS Settings,CN=DAVE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ashgrove,DC=int
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=AGMICROSERVER1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ashgrove,DC=int
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   * Identifying all NC cross-refs.
   * Found 2 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\DAVE
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         Determining IP4 connectivity
         * Active Directory RPC Services Check
         ......................... DAVE passed test Connectivity
 
Doing primary tests
   
   Testing server: Default-First-Site-Name\DAVE
      Starting test: Advertising
         The DC DAVE is advertising itself as a DC and having a DS.
         The DC DAVE is advertising as an LDAP server
         The DC DAVE is advertising as having a writeable directory
         The DC DAVE is advertising as a Key Distribution Center
         The DC DAVE is advertising as a time server
         The DS DAVE is advertising as a GC.
         ......................... DAVE passed test Advertising
      Test omitted by user request: CheckSecurityError
      Test omitted by user request: CutoffServers
      Starting test: FrsEvent
         * The File Replication Service Event log test
         ......................... DAVE passed test FrsEvent
      Starting test: DFSREvent
         The DFS Replication Event Log.
         Skip the test because the server is running FRS.
         ......................... DAVE passed test DFSREvent
      Starting test: SysVolCheck
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... DAVE passed test SysVolCheck
      Starting test: KccEvent
         * The KCC Event log test
         Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
         ......................... DAVE passed test KccEvent
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=DAVE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ashgrove,DC=int
         Role Domain Owner = CN=NTDS Settings,CN=DAVE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ashgrove,DC=int
         Role PDC Owner = CN=NTDS Settings,CN=DAVE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ashgrove,DC=int
         Role Rid Owner = CN=NTDS Settings,CN=DAVE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ashgrove,DC=int
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=DAVE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ashgrove,DC=int
         ......................... DAVE passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         Checking machine account for DC DAVE on DC DAVE.
         * SPN found :LDAP/DAVE.ashgrove.int/ashgrove.int
         * SPN found :LDAP/DAVE.ashgrove.int
         * SPN found :LDAP/DAVE
         * SPN found :LDAP/DAVE.ashgrove.int/ASHGROVE
         * SPN found :LDAP/8008278a-aefc-4862-b511-6e9a0c2f4c73._msdcs.ashgrove.int
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/8008278a-aefc-4862-b511-6e9a0c2f4c73/ashgrove.int
         * SPN found :HOST/DAVE.ashgrove.int/ashgrove.int
         * SPN found :HOST/DAVE.ashgrove.int
         * SPN found :HOST/DAVE
         * SPN found :HOST/DAVE.ashgrove.int/ASHGROVE
         * SPN found :GC/DAVE.ashgrove.int/ashgrove.int
         ......................... DAVE passed test MachineAccount
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC DAVE.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=ashgrove,DC=int
            (NDNC,Version 3)
         * Security Permissions Check for
           DC=DomainDnsZones,DC=ashgrove,DC=int
            (NDNC,Version 3)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=ashgrove,DC=int
            (Schema,Version 3)
         * Security Permissions Check for
           CN=Configuration,DC=ashgrove,DC=int
            (Configuration,Version 3)
         * Security Permissions Check for
           DC=ashgrove,DC=int
            (Domain,Version 3)
         ......................... DAVE passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\DAVE\netlogon
         Verified share \\DAVE\sysvol
         ......................... DAVE passed test NetLogons
      Starting test: ObjectsReplicated
         DAVE is in domain DC=ashgrove,DC=int
         Checking for CN=DAVE,OU=Domain Controllers,DC=ashgrove,DC=int in domain DC=ashgrove,DC=int on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=DAVE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ashgrove,DC=int in domain CN=Configuration,DC=ashgrove,DC=int on 1 servers
            Object is up-to-date on all servers.
         ......................... DAVE passed test ObjectsReplicated
      Test omitted by user request: OutboundSecureChannels
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
            DC=ForestDnsZones,DC=ashgrove,DC=int
               Latency information for 3 entries in the vector were ignored.
                  3 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=DomainDnsZones,DC=ashgrove,DC=int
               Latency information for 3 entries in the vector were ignored.
                  3 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Schema,CN=Configuration,DC=ashgrove,DC=int
               Latency information for 3 entries in the vector were ignored.
                  3 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Configuration,DC=ashgrove,DC=int
               Latency information for 3 entries in the vector were ignored.
                  3 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=ashgrove,DC=int
               Latency information for 3 entries in the vector were ignored.
                  3 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
         * Replication Site Latency Check
         ......................... DAVE passed test Replications
      Starting test: RidManager
         * Available RID Pool for the Domain is 4107 to 1073741823
         * DAVE.ashgrove.int is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 3607 to 4106
         * rIDPreviousAllocationPool is 3607 to 4106
         * rIDNextRID: 3622
         ......................... DAVE passed test RidManager
      Starting test: Services
         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: NTDS
         * Checking Service: DnsCache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... DAVE passed test Services
      Starting test: SystemLog
         * The System Event log test
         An error event occurred.  EventID: 0xC00010DF
            Time Generated: 09/20/2011   13:29:32
            Event String:
            A duplicate name has been detected on the TCP network.  The IP address of the computer that sent the message is in the data. Use nbtstat -n in a command window to see which name is in the Conflict state.
         An error event occurred.  EventID: 0x40000004
            Time Generated: 09/20/2011   13:31:25
            Event String:
            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server ASHGROVEPC18$. The target name used was cifs/ASHGROVE_PPA1.ashgrove.int. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (ASHGROVE.INT) is different from the client domain (ASHGROVE.INT), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
         An error event occurred.  EventID: 0xC00010DF
            Time Generated: 09/20/2011   13:53:36
            Event String:
            A duplicate name has been detected on the TCP network.  The IP address of the computer that sent the message is in the data. Use nbtstat -n in a command window to see which name is in the Conflict state.
         An error event occurred.  EventID: 0x40000004
            Time Generated: 09/20/2011   13:56:34
            Event String:
            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server ASHGROVEPC1$. The target name used was cifs/ASHGROVEPC6.ashgrove.int. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (ASHGROVE.INT) is different from the client domain (ASHGROVE.INT), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
         An error event occurred.  EventID: 0xC00010DF
            Time Generated: 09/20/2011   14:10:09
            Event String:
            A duplicate name has been detected on the TCP network.  The IP address of the computer that sent the message is in the data. Use nbtstat -n in a command window to see which name is in the Conflict state.
         A warning event occurred.  EventID: 0x800007DC
            Time Generated: 09/20/2011   14:13:07
            Event String:
            While transmitting or receiving data, the server encountered a network error. Occassional errors are expected, but large amounts of these indicate a possible error in your network configuration.  The error status code is contained within the returned data (formatted as Words) and may point you towards the problem.
         An error event occurred.  EventID: 0xC00010DF
            Time Generated: 09/20/2011   14:17:34
            Event String:
            A duplicate name has been detected on the TCP network.  The IP address of the computer that sent the message is in the data. Use nbtstat -n in a command window to see which name is in the Conflict state.
         An error event occurred.  EventID: 0x40000004
            Time Generated: 09/20/2011   14:22:45
            Event String:
            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server ASHGROVEPC5$. The target name used was cifs/RECEPTIONPC.ashgrove.int. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (ASHGROVE.INT) is different from the client domain (ASHGROVE.INT), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
         A warning event occurred.  EventID: 0x800007DC
            Time Generated: 09/20/2011   14:23:33
            Event String:
            While transmitting or receiving data, the server encountered a network error. Occassional errors are expected, but large amounts of these indicate a possible error in your network configuration.  The error status code is contained within the returned data (formatted as Words) and may point you towards the problem.
         ......................... DAVE failed test SystemLog
      Test omitted by user request: Topology
      Test omitted by user request: VerifyEnterpriseReferences
      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=DAVE,OU=Domain Controllers,DC=ashgrove,DC=int and backlink on
         CN=DAVE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ashgrove,DC=int
         are correct.
         The system object reference (serverReferenceBL)
         CN=DAVE,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=ashgrove,DC=int
         and backlink on
         CN=NTDS Settings,CN=DAVE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ashgrove,DC=int
         are correct.
         The system object reference (frsComputerReferenceBL)
         CN=DAVE,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=ashgrove,DC=int
         and backlink on CN=DAVE,OU=Domain Controllers,DC=ashgrove,DC=int are
         correct.
         ......................... DAVE passed test VerifyReferences
      Test omitted by user request: VerifyReplicas
   
      Test omitted by user request: DNS
      Test omitted by user request: DNS
   
   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation
   
   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation
   
   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
   
   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
   
   Running partition tests on : ashgrove
      Starting test: CheckSDRefDom
         ......................... ashgrove passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ashgrove passed test CrossRefValidation
   
   Running enterprise tests on : ashgrove.int
      Test omitted by user request: DNS
      Test omitted by user request: DNS
      Starting test: LocatorCheck
         GC Name: \\DAVE.ashgrove.int
         Locator Flags: 0xe00033fd
         PDC Name: \\DAVE.ashgrove.int
         Locator Flags: 0xe00033fd
         Time Server Name: \\DAVE.ashgrove.int
         Locator Flags: 0xe00033fd
         Preferred Time Server Name: \\DAVE.ashgrove.int
         Locator Flags: 0xe00033fd
         KDC Name: \\DAVE.ashgrove.int
         Locator Flags: 0xe00033fd
         ......................... ashgrove.int passed test LocatorCheck
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope
         provided by the command line arguments provided.
         ......................... ashgrove.int passed test Intersite

Not sure if the above log can shed any light on our problem

Thanks again
David
0
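An added example, not code from the thread or from any Microsoft tool: a small Python parser for the SystemLog section of `dcdiag /v` output like the one posted above. It counts events by the ID the Event Viewer would show and flags each KRB_AP_ERR_MODIFIED event where the computer account that answered is not the host named in the requested SPN, the trace that stale or duplicated computer accounts leave (the accepted answer clears it by rejoining the clients). `SAMPLE_DCDIAG` is a constructed, shortened excerpt and all function names are my own.

```python
import re

# Constructed sample: a shortened "SystemLog" section in the shape of the
# "dcdiag /v" output quoted in the thread (event strings trimmed).
SAMPLE_DCDIAG = """\
      Starting test: SystemLog
         An error event occurred.  EventID: 0xC00010DF
            Time Generated: 09/20/2011   13:29:32
            Event String:
            A duplicate name has been detected on the TCP network.  Use nbtstat -n in a command window to see which name is in the Conflict state.
         An error event occurred.  EventID: 0x40000004
            Time Generated: 09/20/2011   13:31:25
            Event String:
            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server ASHGROVEPC18$. The target name used was cifs/ASHGROVE_PPA1.ashgrove.int. This indicates that the target server failed to decrypt the ticket provided by the client.
         A warning event occurred.  EventID: 0x800007DC
            Time Generated: 09/20/2011   14:13:07
            Event String:
            While transmitting or receiving data, the server encountered a network error.
         ......................... DAVE failed test SystemLog
"""

HEADER_RE = re.compile(r"^\s*(An error|A warning) event occurred\.\s+EventID: (0x[0-9A-Fa-f]+)")
TIME_RE = re.compile(r"^\s*Time Generated:\s+(.+?)\s*$")
KRB_RE = re.compile(r"from the server (?P<acct>\S+?)\.\s+The target name used was (?P<spn>\S+)\.(?:\s|$)")


def event_number(event_id: str) -> int:
    """dcdiag prints the whole 32-bit status code; Event Viewer shows only the low 16 bits."""
    return int(event_id, 16) & 0xFFFF


def parse_dcdiag_system_log(text: str) -> list:
    """Return the error/warning events under dcdiag's SystemLog test as dicts."""
    events, in_string = [], False
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            sev = "error" if m.group(1) == "An error" else "warning"
            events.append({"severity": sev, "event_id": m.group(2), "time": "", "message": ""})
            in_string = False
        elif not events:
            continue                      # preamble before the first event
        elif t := TIME_RE.match(line):
            events[-1]["time"] = " ".join(t.group(1).split())
        elif line.strip() == "Event String:":
            in_string = True
        elif in_string:
            s = line.strip()
            if not s or s.startswith("...") or s.startswith("Starting test"):
                in_string = False         # end of this event's text
            else:
                events[-1]["message"] = f"{events[-1]['message']} {s}".strip()
    return events


def count_by_event(events) -> dict:
    """Histogram by Event Viewer ID (4319 = NetBT duplicate name, 4 = Kerberos, 2012 = srv)."""
    counts = {}
    for e in events:
        n = event_number(e["event_id"])
        counts[n] = counts.get(n, 0) + 1
    return counts


def find_spn_mismatches(events) -> list:
    """For each KRB_AP_ERR_MODIFIED event, compare the account that answered with the host
    in the requested SPN; a mismatch means a ticket for host X was decrypted by account Y."""
    findings = []
    for e in events:
        m = KRB_RE.search(e["message"]) if "KRB_AP_ERR_MODIFIED" in e["message"] else None
        if not m:
            continue
        acct = m.group("acct").rstrip("$").upper()
        spn = m.group("spn")
        spn_host = spn.split("/", 1)[-1].split(".", 1)[0].upper()
        if acct != spn_host:
            findings.append((acct, spn_host, spn))
    return findings
```

Feed the full `dcdiag /v` output to `parse_dcdiag_system_log`, then pass the result to `count_by_event` and `find_spn_mismatches`; each mismatch names a computer account worth checking for a duplicate or stale entry before resetting it.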
 

Accepted Solution

by:
sidnuts earned 0 total points
ID: 36929944
Got this one sorted now, deleted the computer account from the domain, then from the client I added them to a workgroup then re-joined them after a re-boot.
0
 

Author Closing Comment

by:sidnuts
ID: 36954239
Sorted myself
0
