Vontech615

asked on

Group Policy Failed. Windows could not resolve the user name.

I have a small network of about 30 computers. We recently installed a new router (Sonicwall) and transferred the task of DHCP to it instead of our Windows 2000 server. Now our users are getting long login times where Windows 7 just sits on the welcome screen for a while. Event Viewer throws the following errors:

1053
The processing of Group Policy failed. Windows could not resolve the user name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

5719
This computer was not able to set up a secure session with a domain controller in domain WESTMINSTERCO due to the following:
There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.

I am not very knowledgeable about troubleshooting client-server problems. Can anyone shed light on this?

Paul MacDonald

On any of the computers, if you run IPCONFIG /ALL from a command prompt, do you see valid IP information for your network?  It sounds like these machines are getting bad IPs (or not getting any at all) and can't find a DC as a consequence.
Vontech615

ASKER

Yes, they all eventually get IP addresses. Once I make it past the "Welcome" screen and do an IPCONFIG /all, they are getting valid IP addresses and getting through the default gateway just fine. It's almost like it's taking an unusual amount of time for them to get IPs and that is causing the error.
ASKER CERTIFIED SOLUTION
Paul MacDonald
This solution is only available to members.
Not necessarily, but I figured being that the router, a Sonicwall NSA 2400, would be more apt for the task of DHCP since it probably has a beefier processor and/or RAM than our older Dell PowerEdge server? I dunno though.
Never let a router handle DHCP in a domain environment.
I can't say.  Looking at their product page, they don't note the DHCP feature at all so it must not be a strong selling point.  

DHCP isn't exactly a huge overhead, so I'm surprised you're having trouble as well.  Can you find out if you're running the most recent firmware on the router?  
I'm wondering if it's a DHCP problem or if somehow the computers are still trying to receive IP addresses from the older server?  The DHCP service on the old server is not enabled though.
No, the clients broadcast for a DHCP server so they don't know or care who responds.  All other things being equal, this looks like a problem with the new router.  Whether or not it's working normally, I can't say.
I would suggest the following:
1) Download kerbtray.exe from the Microsoft site & run it to see if your Kerberos is fine.
2) To isolate DHCP, give a static IP on one of the computers & have a look.

I am sure your Kerberos will fail, but you can run kerbtray again after giving a static IP to see if it resolves the issue.

Rest after you post these results.

A
Ackles, can you explain this tool in some detail to me and how it pertains to this issue? I'm somewhat familiar with Kerberos but only through reading, not from experience. Thanks for your help.
See, Group Policy depends on many factors: DNS, Time Sync, Kerberos, Site, Domain, OU....
In your case Kerberos is definitely failing if you are not getting netlogon. As you mentioned, it looks like a DHCP issue; if you give a static IP, that will be ruled out.

Once it's ruled out & if kerbtray gives you green symbol, you have ruled out all the Authentication issues. Then it will be easy to troubleshoot.

If you open a command prompt & run "Set" you are actually supposed to see everything required to get your ticket from the DC; however, from XP onwards the set command just lies to your face.... so the only way to see is kerbtray.

Let me know if you need further info.

A
Ok, I set a static IP address and ran Kerbtray.exe and the tray icon is green and I don't see any signs of error. I'm assuming that means that authentication is successful.
The sonicwall must hand out ONLY the SBS's IP as a valid DNS server. If it assigns the router or an ISP, even as an alternate, you will have name resolution problems, slow logons, and failed GP.
The SBS really should be your DHCP server. It is such a small service it will not tax the server at all. You should read the following:
http://sbs.seandaniel.com/2008/10/do-i-absolutely-have-to-run-dhcp-on-sbs.html
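A way to check the DNS condition described in the comment above on an affected client, as an added example that is not part of the original thread. It lists the DNS servers each adapter received and flags any that are not the domain controller; `$AllowedDns` and `$AdDomain` are constructed placeholders (the thread gives neither the server's IP nor the AD DNS domain name), and the function name is hypothetical.

```powershell
# Added example. Uses WMI only, so it also runs on Windows 7 (PowerShell 2.0).
# Assumption: set these to your own values; both are constructed placeholders.
$AllowedDns = @('192.0.2.10')        # IP of the SBS / domain controller DNS
$AdDomain   = 'corp.example.test'    # AD DNS domain name (not given in the thread)

function Get-DnsAssignmentReport {
    param([string[]]$Allowed)

    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            $nic = $_
            # DNSServerSearchOrder is $null when no DNS server is configured.
            $dns = @($nic.DNSServerSearchOrder | Where-Object { $_ })
            # A server outside the allowed list (router, ISP resolver) typically
            # cannot answer lookups for the domain's own records.
            $unexpected = @($dns | Where-Object { $Allowed -notcontains $_ })

            New-Object PSObject -Property @{
                Adapter       = $nic.Description
                DhcpEnabled   = $nic.DHCPEnabled
                DhcpServer    = $nic.DHCPServer
                DnsServers    = ($dns -join ', ')
                UnexpectedDns = ($unexpected -join ', ')
                Ok            = ($dns.Count -gt 0 -and $unexpected.Count -eq 0)
            }
        }
}

$report = @(Get-DnsAssignmentReport -Allowed $AllowedDns)
$report | Format-List Adapter, DhcpEnabled, DhcpServer, DnsServers, UnexpectedDns, Ok

if ($report | Where-Object { -not $_.Ok }) {
    Write-Warning 'At least one adapter has a DNS server other than the domain controller.'
}

# Domain controller locator record; it should resolve through the DNS servers above.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$AdDomain"
```

Run it once on a DHCP-configured client and once on the client given a static IP; a difference in `DnsServers` or `DhcpServer` between the two shows what the DHCP scope is handing out.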
Actually, scratch that.  I closed it down and reopened and it says "no network credentials".
I am lost, are you seeing a Green Ticket on Kerbtray or just three symbols of keys? or what exactly?
Ok.. disregard last post.. it is definitely showing green.  I think what we are going to do is just assign DHCP service back to the SBS.  
Yes, now you can & try if the kerbtray is giving you green ticket then DHCP is fine.
Please be sure to test that solves the problem.
I will post back here after we make the change.  Thanks for all the replies.
We gave the task of DHCP back to the server and the problem is fixed.