Group Policy not being applied

boat_anker
Hi,

Windows SBS 2011 Domain - All clients are Windows 7 Pro

I have a bunch of PCs which will not apply the computer Group Policy. I get the standard errors when running gpupdate /force:

Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Date:          15/11/11 3:06:38 PM
Event ID:      1055
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      WS2.domain.local
Description:
The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

When I run RSOP on the client the user name that is reported at the top of the report is correct however the computer name and domain is incorrect. Computer name is nothing like what is in system properties and domain controller and the domain that is reported only says local. The computer name seems like an old computer name.

I have removed computer from domain, deleted objects in domain and added it back to the domain via http://connect.

This network was set up by someone else. Computers used to connect to a Linux server until Windows SBS 2011 was implemented.

Any new computers that are added to the domain apply group policy ok.

Anyone have any idea what is causing this?

Commented:
Check DNS settings on these client computers.
They should point ONLY to the SBS server.

Check DNS settings on the server too; it should point ONLY to itself (forwarders or root hints are defined in the DNS console).

Once you have corrected the DNS settings, check if rebooting the client makes the problem go away; otherwise I suggest you reboot the server too, just to start fresh.

Check events on the server and then try to re-join a workstation manually (deleting the object in AD).

Hth, good luck.
systech, Senior Technical Lead

Commented:
Note down the IP address of the client machine and go to the DNS console. Check the A records and PTR records; you will find multiple A records for particular machines. If so, delete all the existing entries, leave only the current one, and check the issue.
Hi all,

Boat anker, refer to the article and follow different troubleshooting options mentioned, I am sure you will resolve your issue:
http://www.tech-faq.com/troubleshooting-group-policy.html

Do update us again.
Thank you
Anil
Author

Commented:
Hi, thanks for the responses. Unfortunately the problem still exists. All DNS is correct as well as TCP/IP etc.

This is what I don't understand when I used a PC as a test. I removed it from the domain and AD etc., changed its name, then changed it back and then added it back to the domain. The problem remained.

I then removed the PC from the domain again and reinstalled Windows, gave it the same name and added it back to the domain and that fixed the problem.

I appreciate that one way to fix the problem is to reinstall Windows on the 20 client PCs but that is out of the question at the moment.

Any more suggestions would be appreciated.

Commented:
Please have a look at below:
http://technet.microsoft.com/en-us/library/cc727272(WS.10).aspx

You should have other errors also, once you report those errors we can narrow it down.

A

Commented:
It is for sure that you are having problems with your network, have a look at this:
http://support.microsoft.com/kb/2018583

Also, just to test turn off the firewall on both DC & Client to see the Network Connectivity.

Can you also confirm that the W7 clients are not installed from a pre image?

Thanks,
A

Author

Commented:
Hi Ackles,
Re http://technet.microsoft.com/en-us/library/cc727272(WS.10).aspx I get Error Code 5 in the details tab of Event 1055. Just before the Event 1055 event I also got the following which goes away when I disable the firewall on the client

Log Name:      System
Source:        LsaSrv
Date:          15/11/2011 11:14:03 PM
Event ID:      40961
Task Category: None
Level:         Warning
Keywords:      
User:          SYSTEM
Computer:      WS2.domain.local
Description:
The Security System could not establish a secured connection with the server LDAP/SERVER.domain.local/domain.local@DOMAIN.LOCAL. No authentication protocol was available.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="LsaSrv" Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" />
    <EventID>40961</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2011-11-15T12:44:03.553277400Z" />
    <EventRecordID>81253</EventRecordID>
    <Correlation />
    <Execution ProcessID="584" ThreadID="2184" />
    <Channel>System</Channel>
    <Computer>WS2.domain.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="Target">LDAP/SERVER.domain.local/domain.local@domain.LOCAL</Data>
  </EventData>
</Event>
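
The pairing described in the post above (an LsaSrv 40961 warning logged just before each GroupPolicy 1055 error) can be checked across a client's whole System log. This is an added example, not part of the original thread; the 120-second window and the output property names are assumptions.

```powershell
# Added example (not from the thread): list each GroupPolicy 1055 failure
# together with the LsaSrv 40961 warnings that precede it on the same client.
# Run in an elevated PowerShell session on an affected workstation.

$windowSeconds = 120   # assumption: how far back to look for a related 40961

# Pull both event IDs from the System log in one query.
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1055, 40961 } `
                -ErrorAction SilentlyContinue | Sort-Object TimeCreated)

$gpFailures  = @($events | Where-Object {
    $_.Id -eq 1055 -and $_.ProviderName -eq 'Microsoft-Windows-GroupPolicy' })
$lsaWarnings = @($events | Where-Object {
    $_.Id -eq 40961 -and $_.ProviderName -eq 'LsaSrv' })

foreach ($failure in $gpFailures) {
    # 40961 warnings logged at most $windowSeconds before this 1055 error.
    $related = @($lsaWarnings | Where-Object {
        $delta = ($failure.TimeCreated - $_.TimeCreated).TotalSeconds
        $delta -ge 0 -and $delta -le $windowSeconds
    })

    # The "Target" field of 40961 names the service the client could not
    # authenticate to (LDAP/SERVER.domain.local/... in the event shown above).
    $targets = @($related | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $xml.Event.EventData.Data |
            Where-Object { $_.Name -eq 'Target' } |
            ForEach-Object { $_.'#text' }
    } | Select-Object -Unique)

    New-Object PSObject -Property @{
        GpFailureTime  = $failure.TimeCreated
        Lsa40961Before = $related.Count
        FailedTargets  = ($targets -join '; ')
    }
}
```

A 1055 row with a non-zero `Lsa40961Before` count and an LDAP target pointing at the domain controller indicates the Group Policy failure coincides with a failed authentication to the DC rather than with a policy setting.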

Commented:
1. Did you disable the firewall on DC?
2. Tell me something, do you have any W7 machine which is working fine?
3. Can you also confirm that the W7 clients are not installed from a pre image?

Please answer all the questions as I am not in front of machine so my only source of information is what you provide.

There can be several reasons & many ways to troubleshoot, to get most effective results you will have to provide answers.

Thanks,
A

Author

Commented:
I can't turn off firewall on the DC. The workstations may have been installed from an image. I have checked the SID on each computer and they are unique.

Commented:
May?

1) Do you have any W7 computers which are running fine? If yes, is that machine also built in the same way as the affected machines (I mean imaged)?
2) Are there any machines in Domain which are W7 & working fine?
3) Is there any Anti Virus installed on machines? If yes, is it possible to remove it?

Please let me know the answers to these questions & we can take from there.

Author

Commented:
1) Yes, some PCs are running fine. They are either new PCs provided by me to the client since taking over this problem from another provider, or a PC that has had Windows reinstalled.

I disabled AV and the problem remains.

Commented:
Your answers make one thing clear: the problem is definitely with the "Imaged PCs".

Now, when you say you disabled AV, did you just disable it or remove it?

As a first step try Clean Boot & see what happens. If it works fine then there is something installed that is blocking the network; however, my fear is that it might be something in the image which is giving you a hard time.

I can't tell you something simple to figure it out, it's gonna take time.

Can you please compare services running on the good scenario & troubled PC?

A

Commented:
Take a look at the DFS on good & bad machines, I mean the following specific registry keys:
http://support.microsoft.com/?id=314494

If you see the difference there, then just make them same & test the results.

A

Author

Commented:
Hi, I have tried everything suggested above. I have also tried a Windows Repair (or Windows 7 Upgrade) but still no luck. I noticed that there is a difference in the advanced firewall between the computers that do work and the ones that don't. There are no firewall rules in the Remote Administration Group for the faulty workstations. Even though I turn the firewall off it still doesn't help. I am sure that there must also be other items missing behind the scenes too.

When I run gpresult /h in cmd it shows me a different computer name "37L4247E29-32" and domain "local" rather than the actual computer name and domain. I checked this on another computer that isn't working and it shows exactly the same computer name and domain, therefore it must be an image. Gpresult on a good PC displays domain\computername correctly.

I may have to resign myself to the fact that it needs a reinstall.

Commented:
It for sure looks like your image has a problem.
Now, the point is how do you want to proceed?

I would say if you want a quick way then you can capture the image of existing good computer & deploy it to all the other computers. You can use WDS to do so quickly on all the computers.
Since you have a Domain Controller you have all the necessary requirements to do so.

Let me know if you want to go this way & I can provide you all the resources from image capturing to deploying it?

A

Author

Commented:
I just got more info from the user. The problematic computers had Windows installed directly from a Windows 7 DVD. They were installed onto a network with no Domain Controller but just a Linux server. They have since got rid of the Linux server and implemented the DC and added the computers to it.

Commented:
Download Kerbtray from the Microsoft site, hit Google & see if you are getting Kerberos Authentication.
The other computer you mentioned which is working, what is different in it than the non-working computer? I mean how were they added to the domain?
A

Author

Commented:
I have called Microsoft for assistance with this. Will advise what we find (if anything)

Author

Commented:
FYI, Microsoft have been working on this for the past 4 days. Will advise when/if a resolution is found.

LeeTutor, retired
Top Expert 2009

Commented:
I've requested that this question be deleted for the following reason:

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.

Commented:
Lee,
What are we supposed to do when Author goes to MS Support & stops responding?

A

Commented:
This is exactly how MS would troubleshoot.

Commented:
My comment ID:37157112 would have identified if the user was getting authentication from the Domain Controller or not.
The comment of Author ID:37157097 clearly puts doubt on whether the computer is getting Kerberos from the DC; if that is the case, for sure there can't be any group policy. The Time Sync will also be in question, and these are basic requirements for GP to take effect.

A
