Group Policy Failed. Windows could not resolve the user name.

Vontech615
I have a small network of about 30 computers. We recently installed a new router (Sonicwall) and transferred the task of DHCP to it instead of our Windows 2000 server. Now our users are getting long login times where Windows 7 just sits on the welcome screen for a while. Event Viewer throws the following errors:

1053
The processing of Group Policy failed. Windows could not resolve the user name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

5719
This computer was not able to set up a secure session with a domain controller in domain WESTMINSTERCO due to the following:
There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.

I am not very knowledgeable of troubleshooting client-server problems.  Can anyone shed light on this?
Paul MacDonald, Director, Information Systems

Commented:
On any of the computers, if you run IPCONFIG /ALL from a command prompt, do you see valid IP information for your network?  It sounds like these machines are getting bad IPs (or not getting any at all) and can't find a DC as a consequence.

Author

Commented:
Yes, they all eventually get IP addresses. Once I make it past the "Welcome" screen and do an IPCONFIG /all, they are getting valid IP addresses and getting through the default gateway just fine. It's almost like it's taking an unusual amount of time for them to get IPs and that is causing the error.
Director, Information Systems
Commented:
Is there a compelling reason not to go back to using a Windows server (even the previous one) as a DHCP server?  It may be your router isn't up to the task or is too busy handling other traffic.
Author

Commented:
Not necessarily, but I figured that the router, a Sonicwall NSA 2400, would be more apt for the task of DHCP since it probably has a beefier processor and/or RAM than our older Dell PowerEdge server? I dunno though.
Gary Coltharp, Sr. Systems Engineer

Commented:
Never let a router handle DHCP in a domain environment.
Paul MacDonald, Director, Information Systems

Commented:
I can't say.  Looking at their product page, they don't note the DHCP feature at all so it must not be a strong selling point.  

DHCP isn't exactly a huge overhead, so I'm surprised you're having trouble as well.  Can you find out if you're running the most recent firmware on the router?  

Author

Commented:
I'm wondering if it's a DHCP problem or if somehow the computers are still trying to receive IP addresses from the older server?  The DHCP service on the old server is not enabled though.
Paul MacDonald, Director, Information Systems

Commented:
No, the clients broadcast for a DHCP server so they don't know or care who responds.  All other things being equal, this looks like a problem with the new router.  Whether or not it's working normally, I can't say.

Commented:
I would suggest the following:
1) Download kerbtray.exe from the Microsoft site & run it to see if your Kerberos is fine.
2) To isolate DHCP, give a static IP on one of the computers & have a look.

I am sure your Kerberos will fail, but you can run kerbtray again after giving a static IP to see if it resolves the issue.

Rest after you post these results.

A

Author

Commented:
Ackles, can you explain this tool in some detail to me and how it pertains to this issue? I'm somewhat familiar with Kerberos but only through reading, not from experience. Thanks for your help.

Commented:
See, group policy depends on many factors: DNS, Time Sync, Kerberos, Site, Domain, OU....
In your case Kerberos is definitely failing if you are not getting netlogon. As you mentioned, it looks like a DHCP issue; if you give a static IP that will be ruled out.

Once it's ruled out & if kerbtray gives you a green symbol, you have ruled out all the authentication issues. Then it will be easy to troubleshoot.

If you open a command prompt & run "Set" you are actually supposed to see everything required to get your ticket from the DC; however, from XP onwards the set command just lies to your face.... so the only way to see is kerbtray.

Let me know if you need further info.

A

Author

Commented:
Ok, I set a static IP address and ran Kerbtray.exe and the tray icon is green and I don't see any signs of error. I'm assuming that means that authentication is successful.
Top Expert 2013

Commented:
The sonicwall must hand out ONLY the SBS's IP as a valid DNS server. If it assigns the router or an ISP, even as an alternate, you will have name resolution problems, slow logons, and failed GP.
The SBS really should be your DHCP server. It is such a small service it will not tax the server at all. You should read the following:
http://sbs.seandaniel.com/2008/10/do-i-absolutely-have-to-run-dhcp-on-sbs.html
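
A check for the condition described in the post above (a client that received a DNS server other than the domain controller), as an added example that is not part of the original thread. The IP address and DNS domain name are constructed placeholders, since the thread gives neither; the script uses only WMI and the built-in `nslookup` and `nltest` tools, so it runs on Windows 7.

```powershell
# Added example (not from the thread). Replace both defaults with your own values.
param(
    [string[]]$AllowedDns = @('192.0.2.10'),   # constructed: IP(s) of the DC / AD DNS server
    [string]$Domain       = 'example.local'    # constructed: AD DNS domain name
)

# 1. List the DNS servers every IP-enabled adapter actually received,
#    together with the DHCP server that handed out the lease.
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True'
$bad = @()
foreach ($a in $adapters) {
    foreach ($dns in @($a.DNSServerSearchOrder)) {
        # Anything that is not the DC (router, ISP resolver) breaks DC location.
        if ($dns -and ($AllowedDns -notcontains $dns)) {
            $bad += New-Object PSObject -Property @{
                Adapter    = $a.Description
                DhcpServer = $a.DHCPServer
                DnsServer  = $dns
            }
        }
    }
}

if ($bad) {
    Write-Warning 'DNS servers other than the domain controller are configured:'
    $bad | Format-Table Adapter, DhcpServer, DnsServer -AutoSize
} else {
    Write-Output 'OK: only the allowed DNS server(s) are configured.'
}

# 2. The SRV records clients use to find a DC exist only in the AD DNS zone.
#    If this lookup fails, expect events 5719 and 1053 at logon.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain"

# 3. Ask the DC locator directly; an error here matches
#    "no logon servers available" in event 5719.
nltest "/dsgetdc:$Domain"
```

Run it once on a DHCP-configured client and once after setting a static IP; a difference in step 1 points at the DHCP scope options rather than at Kerberos.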

Author

Commented:
Actually, scratch that.  I closed it down and reopened and it says "no network credentials".

Commented:
I am lost, are you seeing a Green Ticket on Kerbtray or just three symbols of keys? or what exactly?

Author

Commented:
Ok.. disregard last post.. it is definitely showing green.  I think what we are going to do is just assign DHCP service back to the SBS.  

Commented:
Yes, now you can & try if the kerbtray is giving you green ticket then DHCP is fine.
Paul MacDonald, Director, Information Systems

Commented:
Please be sure to test that solves the problem.

Author

Commented:
I will post back here after we make the change.  Thanks for all the replies.

Author

Commented:
We gave the task of DHCP back to the server and the problem is fixed.
