Solved

How can I make default domain policy to apply to all computers in domain

Posted on 2014-10-29
Last Modified: 2014-11-05
Default domain policy is not applying to computers in domain.  I have one 2008 R2 domain controller and about 50 Win 7 computers. About half of them don't receive the policy and a gpupdate /force fails with this error:
C:\Windows\system32>gpupdate /force
Updating Policy...

User policy could not be updated successfully. The following errors were encount
ered:

The processing of Group Policy failed. Windows attempted to read the file \\cori
nthiantitle.local\sysvol\corinthiantitle.local\Policies\{31B2F340-016D-11D2-945F
-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Po
licy settings may not be applied until this event is resolved. This issue may be
 transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller
 has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
Computer policy could not be updated successfully. The following errors were enc
ountered:

The processing of Group Policy failed. Windows attempted to read the file \\cori
nthiantitle.local\sysvol\corinthiantitle.local\Policies\{31B2F340-016D-11D2-945F
-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Po
licy settings may not be applied until this event is resolved. This issue may be
 transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller
 has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html f
rom the command line to access information about Group Policy results.
Question by:Sam Craven
 
LVL 5

Expert Comment

by:Armenio
ID: 40412147
double check DNS
Make sure your dc only has one nic connected

reconnect the workstation to the domain like so
right click my computer, properties and advanced system settings then network id and follow instructions. This should fix any security and with kerberos should that be the cause.
 
LVL 5

Expert Comment

by:Armenio
ID: 40412181
p.s a default domain policy already applies to all computers in the domain.

Personally I don't really edit the default domain policy except for security needs. Create a separate policy for everything else.

If this is not applying this would indicate a problem with something else other than the default domain policy as it applies to all machines in the domain regardless.
 
LVL 5

Expert Comment

by:Armenio
ID: 40412182
post the event log so that we can see it.
 

Author Comment

by:Sam Craven
ID: 40412220
only one nic on dc

removed from domain and re-added using network-id.....no help:(
 

Author Comment

by:Sam Craven
ID: 40412227
Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Date:          10/29/2014 4:50:16 PM
Event ID:      1058
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      SAMPC.corinthiantitle.local
Description:
The processing of Group Policy failed. Windows attempted to read the file \\corinthiantitle.local\sysvol\corinthiantitle.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
    <EventID>1058</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>1</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2014-10-29T23:50:16.405997600Z" />
    <EventRecordID>42660</EventRecordID>
    <Correlation ActivityID="{0A98EF9F-96EC-4176-9904-3943254AA545}" />
    <Execution ProcessID="1016" ThreadID="1552" />
    <Channel>System</Channel>
    <Computer>SAMPC.corinthiantitle.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="SupportInfo1">4</Data>
    <Data Name="SupportInfo2">816</Data>
    <Data Name="ProcessingMode">0</Data>
    <Data Name="ProcessingTimeInMilliseconds">546</Data>
    <Data Name="ErrorCode">1396</Data>
    <Data Name="ErrorDescription">Logon Failure: The target account name is incorrect. </Data>
    <Data Name="DCName">DC1.corinthiantitle.local</Data>
    <Data Name="GPOCNName">CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corinthiantitle,DC=local</Data>
    <Data Name="FilePath">\\corinthiantitle.local\sysvol\corinthiantitle.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini</Data>
  </EventData>
</Event>
 
LVL 5

Expert Comment

by:Armenio
ID: 40412457
This is your problem

Logon Failure: The target account name is incorrect.


This indicates that the machine account is incorrect. When you removed and rejoined the machine to the domain, did you delete it from Active Directory before rejoining it? It is important to delete it from AD so that it can create a new machine account and SIDs for Kerberos.
Try this first:
http://support.microsoft.com/kb/325850

Remove the machine from the domain and delete the account in Active Directory. Then rejoin it to the domain.

More things to try:

Did you migrate and replicate or upgrade the domain recently? This type of thing can happen with replicating the domain and it not completing correctly.

On the workstation, check that DNS is correct: do an nslookup for the domain controller and make sure you can resolve the IP forwards and reverse.  Make sure it pings on the full DNS name of the server, e.g. server.domain.com.
Browse to the gpt.ini file and make sure you can open it from the workstation.

If it is still not working, run a dcdiag and post the results.
 

Author Comment

by:Sam Craven
ID: 40413863
I did recently migrate the domain from our old server (DC1) to (DC). According to the dcdiag, it looks like that may be the problem. What steps do I need to take to fix this issue?

DCDIAG:

C:\Users\administrator.CORINTHIANTITLE>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DC
   * Identified AD Forest.
   Ldap search capabality attribute search failed on server DC1, return value =
   81
   Got error while checking if the DC is using FRS or DFSR. Error:
   Win32 Error 81The VerifyReferences, FrsEvent and DfsrEvent tests might fail
   because of this error.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DC
      Starting test: Connectivity
         ......................... DC passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DC
      Starting test: Advertising
         ......................... DC passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... DC passed test FrsEvent
      Starting test: DFSREvent
         ......................... DC passed test DFSREvent
      Starting test: SysVolCheck
         ......................... DC passed test SysVolCheck
      Starting test: KccEvent
         ......................... DC passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... DC passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... DC passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=corinthiantitle,DC=local
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=corinthiantitle,DC=local
         ......................... DC failed test NCSecDesc
      Starting test: NetLogons
         ......................... DC passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DC passed test ObjectsReplicated
      Starting test: Replications
         [Replications Check,DC] A recent replication attempt failed:
            From DC1 to DC
            Naming Context: DC=ForestDnsZones,DC=corinthiantitle,DC=local
            The replication generated an error (1256):
            The remote system is not available. For information about network tr
oubleshooting, see Windows Help.

            The failure occurred at 2014-10-30 09:49:40.
            The last success occurred at 2014-08-07 15:47:24.
            2012 failures have occurred since the last success.
         [DC1] DsBindWithSpnEx() failed with error 1753,
         There are no more endpoints available from the endpoint mapper..
         [Replications Check,DC] A recent replication attempt failed:
            From DC1 to DC
            Naming Context: DC=DomainDnsZones,DC=corinthiantitle,DC=local
            The replication generated an error (1256):
            The remote system is not available. For information about network tr
oubleshooting, see Windows Help.

            The failure occurred at 2014-10-30 09:49:40.
            The last success occurred at 2014-08-07 15:47:24.
            2012 failures have occurred since the last success.
         [Replications Check,DC] A recent replication attempt failed:
            From DC1 to DC
            Naming Context:
            CN=Schema,CN=Configuration,DC=corinthiantitle,DC=local
            The replication generated an error (1753):
            There are no more endpoints available from the endpoint mapper.
            The failure occurred at 2014-10-30 09:49:40.
            The last success occurred at 2014-08-07 15:47:24.
            2011 failures have occurred since the last success.
            The directory on DC1 is in the process.
            of starting up or shutting down, and is not available.
            Verify machine is not hung during boot.
         [Replications Check,DC] A recent replication attempt failed:
            From DC1 to DC
            Naming Context: CN=Configuration,DC=corinthiantitle,DC=local
            The replication generated an error (1753):
            There are no more endpoints available from the endpoint mapper.
            The failure occurred at 2014-10-30 09:49:39.
            The last success occurred at 2014-08-07 15:47:24.
            2011 failures have occurred since the last success.
            The directory on DC1 is in the process.
            of starting up or shutting down, and is not available.
            Verify machine is not hung during boot.
         [Replications Check,DC] A recent replication attempt failed:
            From DC1 to DC
            Naming Context: DC=corinthiantitle,DC=local
            The replication generated an error (1753):
            There are no more endpoints available from the endpoint mapper.
            The failure occurred at 2014-10-30 09:49:40.
            The last success occurred at 2014-08-07 16:07:52.
            2011 failures have occurred since the last success.
            The directory on DC1 is in the process.
            of starting up or shutting down, and is not available.
            Verify machine is not hung during boot.
         ......................... DC failed test Replications
      Starting test: RidManager
         ......................... DC passed test RidManager
      Starting test: Services
         ......................... DC passed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x000003FC
            Time Generated: 10/30/2014   09:08:15
            Event String:
            Scope, 192.168.0.0, is 85 percent full with only 22 IP addresses rem
aining.
         ......................... DC passed test SystemLog
      Starting test: VerifyReferences
         ......................... DC passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : corinthiantitle
      Starting test: CheckSDRefDom
         ......................... corinthiantitle passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... corinthiantitle passed test
         CrossRefValidation

   Running enterprise tests on : corinthiantitle.local
      Starting test: LocatorCheck
         ......................... corinthiantitle.local passed test
         LocatorCheck
      Starting test: Intersite
         ......................... corinthiantitle.local passed test Intersite
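
The replication failures in the dcdiag output above all name the same source DC and nearly the same last-success time. This added example (not part of the original posts) parses those records and groups them by source DC; the function names and the `max_days` threshold are assumptions for illustration.

```python
import re
from datetime import datetime

# Two of the five failure records from the dcdiag output posted above.
DCDIAG_EXCERPT = """\
         [Replications Check,DC] A recent replication attempt failed:
            From DC1 to DC
            Naming Context: DC=ForestDnsZones,DC=corinthiantitle,DC=local
            The replication generated an error (1256):
            The remote system is not available. For information about network tr
oubleshooting, see Windows Help.
            The failure occurred at 2014-10-30 09:49:40.
            The last success occurred at 2014-08-07 15:47:24.
            2012 failures have occurred since the last success.
         [Replications Check,DC] A recent replication attempt failed:
            From DC1 to DC
            Naming Context:
            CN=Schema,CN=Configuration,DC=corinthiantitle,DC=local
            The replication generated an error (1753):
            There are no more endpoints available from the endpoint mapper.
            The failure occurred at 2014-10-30 09:49:40.
            The last success occurred at 2014-08-07 15:47:24.
            2011 failures have occurred since the last success.
"""

TS = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
FIELDS = {
    "source": r"From (\S+) to \S+",
    "nc": r"Naming Context:\s*(\S+)",  # value may wrap onto the next line
    "error": r"generated an error \((\d+)\)",
    "failed_at": r"The failure occurred at " + TS,
    "last_ok": r"The last success occurred at " + TS,
    "failures": r"(\d+) failures have occurred",
}

def parse_replication_failures(text):
    """Return one dict per 'A recent replication attempt failed' record."""
    records = []
    for chunk in text.split("A recent replication attempt failed:")[1:]:
        found = {k: re.search(p, chunk) for k, p in FIELDS.items()}
        if not all(found.values()):
            continue  # incomplete record: skip rather than guess
        rec = {k: m.group(1) for k, m in found.items()}
        failed = datetime.strptime(rec["failed_at"], "%Y-%m-%d %H:%M:%S")
        last_ok = datetime.strptime(rec["last_ok"], "%Y-%m-%d %H:%M:%S")
        rec["days_stale"] = (failed - last_ok).days
        rec["error"], rec["failures"] = int(rec["error"]), int(rec["failures"])
        records.append(rec)
    return records

def stale_partners(records, max_days):
    """Source DCs for which every failing naming context is older than max_days."""
    by_source = {}
    for rec in records:
        by_source.setdefault(rec["source"], []).append(rec)
    return {src: sorted(r["nc"] for r in recs)
            for src, recs in by_source.items()
            if min(r["days_stale"] for r in recs) > max_days}
```

A source DC that fails on every naming context with the same old last-success date is a partner that went away, not a transient network fault.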
 

Author Comment

by:Sam Craven
ID: 40414080
Just to clarify... DC1 no longer exists
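
Event 1058 posted earlier in the thread records which DC the client tried (`DCName`), and there it is DC1, the server that no longer exists. This is an added example, not from the thread, that pulls the relevant fields out of the event XML and checks `DCName` against a list of expected DCs; the list contents and the function name are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Event XML from the post earlier in the thread, trimmed to the fields used here.
EVENT_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" />
    <EventID>1058</EventID>
    <Computer>SAMPC.corinthiantitle.local</Computer>
  </System>
  <EventData>
    <Data Name="ErrorCode">1396</Data>
    <Data Name="ErrorDescription">Logon Failure: The target account name is incorrect. </Data>
    <Data Name="DCName">DC1.corinthiantitle.local</Data>
    <Data Name="FilePath">\\corinthiantitle.local\sysvol\corinthiantitle.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini</Data>
  </EventData>
</Event>"""

# Assumption: the only DC that should be answering clients, written as an FQDN
# built from "Home Server = DC" in the dcdiag output and the domain name.
EXPECTED_DCS = {"dc.corinthiantitle.local"}

def triage_gp_event(xml_text, expected_dcs):
    """Extract the fields of a GroupPolicy error event that matter for triage."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    # EventData is a flat list of <Data Name="...">value</Data> elements.
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    dc = data.get("DCName", "")
    return {
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "client": system.findtext("e:Computer", namespaces=NS),
        "error_code": int(data.get("ErrorCode", "0")),
        "error": data.get("ErrorDescription", ""),
        "path": data.get("FilePath", ""),
        "dc_used": dc,
        # False means the client located a DC that should not be serving SYSVOL.
        "dc_expected": dc.lower() in expected_dcs,
    }
```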
 
LVL 5

Expert Comment

by:Armenio
ID: 40414755
That is exactly the problem

Have you given all the FSMO roles to the new DC?
 
LVL 5

Expert Comment

by:Armenio
ID: 40414765
Did you let it replicate properly for a couple of days before turning it off?

It does not appear as if you completed the migration before removing the old DC.  You need to provide more information on how you performed the migration.  Is the server still available to turn on? Did you just turn it off, or did you uninstall AD from the old server?  You will need to provide a clear idea of what was done and what steps you took, because it appears as if you never uninstalled AD from the old server and it was never removed from AD. Give me details of the steps taken and the duration. Did you allow a few days to replicate?
 

Author Comment

by:Sam Craven
ID: 40414807
This was done quite some time ago - I can't really say how long I left DC1 up and running after the roles transfer.   My guess is that I left it up for 1 day tops.   That server has already been reutilized elsewhere......what can I do to remove this "ghost" DC at this point?

Thanks
 
LVL 5

Expert Comment

by:Armenio
ID: 40414814
Did you uninstall Active Directory from the old server while it was connected to the domain before turning it off?

Did you run dcpromo on the old DC?
 

Author Comment

by:Sam Craven
ID: 40414822
I did not - I didn't know that I needed to:(
 
LVL 5

Accepted Solution

by:
Armenio earned 500 total points
ID: 40414840
That is your problem over there.

Before you begin, back up and test your backup. (This is very, very important. You are about to perform open heart surgery on AD.)

Make sure every single FSMO role is on the new server; if not, seize it.

Next, read through every one of the articles below and understand them before you start. Apply the appropriate ones to you.

If you are not very, very comfortable using ADSI Edit, do not do this; get a professional in. You will completely destroy AD and Exchange.

You will need to perform a metadata cleanup of AD and manually clean up everything. Do not forget to clean up DNS.

Read every single article in full, understand it and then apply the appropriate ones.
Re-read the articles again and make sure you understand every element of them.
Now Google more articles and read them (removing failed DC from AD).


http://blogs.msmvps.com/mweber/2010/05/16/active-directory-metadata-cleanup/
http://technet.microsoft.com/en-us/library/cc794860%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/cc816907%28v=ws.10%29.aspx
http://blogs.msmvps.com/ad/blog/2008/12/17/how-to-remove-a-failed-or-offline-dc/

P.S. Good Luck :-)

Next time you post a question, try to provide some back story; this will help us get a solution to you quicker.
 

Author Comment

by:Sam Craven
ID: 40421926
That worked!   THANK YOU so much.
 
LVL 5

Expert Comment

by:Armenio
ID: 40423154
Great, glad to have been able to help. If you don't mind, could you assign points as you see fit? :-)
 

Author Closing Comment

by:Sam Craven
ID: 40424703
Very helpful and timely. Thank you soooo much for helping us out on this major problem!!!