Solved

How can I make default domain policy to apply to all computers in domain

Posted on 2014-10-29
Last Modified: 2014-11-05
Default domain policy is not applying to computers in the domain. I have one 2008 R2 domain controller and about 50 Win 7 computers. About half of them don't receive the policy, and a gpupdate /force fails with this error:
C:\Windows\system32>gpupdate /force
Updating Policy...

User policy could not be updated successfully. The following errors were encount
ered:

The processing of Group Policy failed. Windows attempted to read the file \\cori
nthiantitle.local\sysvol\corinthiantitle.local\Policies\{31B2F340-016D-11D2-945F
-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Po
licy settings may not be applied until this event is resolved. This issue may be
 transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller
 has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
Computer policy could not be updated successfully. The following errors were enc
ountered:

The processing of Group Policy failed. Windows attempted to read the file \\cori
nthiantitle.local\sysvol\corinthiantitle.local\Policies\{31B2F340-016D-11D2-945F
-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Po
licy settings may not be applied until this event is resolved. This issue may be
 transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller
 has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html f
rom the command line to access information about Group Policy results.
0
Question by:Sam Craven
17 Comments
 
LVL 5

Expert Comment

by:Armenio
ID: 40412147
Double-check DNS.
Make sure your DC only has one NIC connected.

Reconnect the workstation to the domain like so:
Right-click My Computer, Properties and Advanced System Settings, then Network ID, and follow the instructions. This should fix any security and with Kerberos should that be the cause.
0
 
LVL 5

Expert Comment

by:Armenio
ID: 40412181
P.S. A default domain policy already applies to all computers in the domain.

Personally I don't really edit the default domain policy except for security needs. Create a separate policy for everything else.

If this is not applying, this would indicate a problem with something other than the default domain policy, as it applies to all machines in the domain regardless.
0
 
LVL 5

Expert Comment

by:Armenio
ID: 40412182
post the event log so that we can see it.
0

 

Author Comment

by:Sam Craven
ID: 40412220
only one nic on dc

removed from domain and re-added using network-id.....no help:(
0
 

Author Comment

by:Sam Craven
ID: 40412227
Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Date:          10/29/2014 4:50:16 PM
Event ID:      1058
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      SAMPC.corinthiantitle.local
Description:
The processing of Group Policy failed. Windows attempted to read the file \\corinthiantitle.local\sysvol\corinthiantitle.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
    <EventID>1058</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>1</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2014-10-29T23:50:16.405997600Z" />
    <EventRecordID>42660</EventRecordID>
    <Correlation ActivityID="{0A98EF9F-96EC-4176-9904-3943254AA545}" />
    <Execution ProcessID="1016" ThreadID="1552" />
    <Channel>System</Channel>
    <Computer>SAMPC.corinthiantitle.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="SupportInfo1">4</Data>
    <Data Name="SupportInfo2">816</Data>
    <Data Name="ProcessingMode">0</Data>
    <Data Name="ProcessingTimeInMilliseconds">546</Data>
    <Data Name="ErrorCode">1396</Data>
    <Data Name="ErrorDescription">Logon Failure: The target account name is incorrect. </Data>
    <Data Name="DCName">DC1.corinthiantitle.local</Data>
    <Data Name="GPOCNName">CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corinthiantitle,DC=local</Data>
    <Data Name="FilePath">\\corinthiantitle.local\sysvol\corinthiantitle.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini</Data>
  </EventData>
</Event>
0
 
LVL 5

Expert Comment

by:Armenio
ID: 40412457
This is your problem

Logon Failure: The target account name is incorrect.


This indicates that the machine account is incorrect. When you removed and rejoined the machine to the domain, did you delete it from Active Directory before rejoining it? It is important to delete it from AD so that it can create a new machine account and SIDs for Kerberos.
Try this first:
http://support.microsoft.com/kb/325850

Remove the machine from the domain and delete the account in Active Directory. Then rejoin it to the domain.

More things to try:

Did you migrate and replicate or upgrade the domain recently? This type of thing can happen when replicating the domain does not complete correctly.

On the workstation, check that DNS is correct: do an nslookup for the domain controller and make sure you can resolve the IP forwards and in reverse. Make sure it pings on the full DNS name of the server, e.g. server.domain.com.
Browse to the gpt.ini file and make sure you can open it from the workstation.

If it is still not working, run a dcdiag and post the results.
0
 

Author Comment

by:Sam Craven
ID: 40413863
I did recently migrate the domain from our old server (DC1) to (DC). According to the dcdiag, it looks like that may be the problem. What steps do I need to take to fix this issue?

DCDIAG:

C:\Users\administrator.CORINTHIANTITLE>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DC
   * Identified AD Forest.
   Ldap search capabality attribute search failed on server DC1, return value =
   81
   Got error while checking if the DC is using FRS or DFSR. Error:
   Win32 Error 81The VerifyReferences, FrsEvent and DfsrEvent tests might fail
   because of this error.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DC
      Starting test: Connectivity
         ......................... DC passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DC
      Starting test: Advertising
         ......................... DC passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... DC passed test FrsEvent
      Starting test: DFSREvent
         ......................... DC passed test DFSREvent
      Starting test: SysVolCheck
         ......................... DC passed test SysVolCheck
      Starting test: KccEvent
         ......................... DC passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... DC passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... DC passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=corinthiantitle,DC=local
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=corinthiantitle,DC=local
         ......................... DC failed test NCSecDesc
      Starting test: NetLogons
         ......................... DC passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DC passed test ObjectsReplicated
      Starting test: Replications
         [Replications Check,DC] A recent replication attempt failed:
            From DC1 to DC
            Naming Context: DC=ForestDnsZones,DC=corinthiantitle,DC=local
            The replication generated an error (1256):
            The remote system is not available. For information about network tr
oubleshooting, see Windows Help.

            The failure occurred at 2014-10-30 09:49:40.
            The last success occurred at 2014-08-07 15:47:24.
            2012 failures have occurred since the last success.
         [DC1] DsBindWithSpnEx() failed with error 1753,
         There are no more endpoints available from the endpoint mapper..
         [Replications Check,DC] A recent replication attempt failed:
            From DC1 to DC
            Naming Context: DC=DomainDnsZones,DC=corinthiantitle,DC=local
            The replication generated an error (1256):
            The remote system is not available. For information about network tr
oubleshooting, see Windows Help.

            The failure occurred at 2014-10-30 09:49:40.
            The last success occurred at 2014-08-07 15:47:24.
            2012 failures have occurred since the last success.
         [Replications Check,DC] A recent replication attempt failed:
            From DC1 to DC
            Naming Context:
            CN=Schema,CN=Configuration,DC=corinthiantitle,DC=local
            The replication generated an error (1753):
            There are no more endpoints available from the endpoint mapper.
            The failure occurred at 2014-10-30 09:49:40.
            The last success occurred at 2014-08-07 15:47:24.
            2011 failures have occurred since the last success.
            The directory on DC1 is in the process.
            of starting up or shutting down, and is not available.
            Verify machine is not hung during boot.
         [Replications Check,DC] A recent replication attempt failed:
            From DC1 to DC
            Naming Context: CN=Configuration,DC=corinthiantitle,DC=local
            The replication generated an error (1753):
            There are no more endpoints available from the endpoint mapper.
            The failure occurred at 2014-10-30 09:49:39.
            The last success occurred at 2014-08-07 15:47:24.
            2011 failures have occurred since the last success.
            The directory on DC1 is in the process.
            of starting up or shutting down, and is not available.
            Verify machine is not hung during boot.
         [Replications Check,DC] A recent replication attempt failed:
            From DC1 to DC
            Naming Context: DC=corinthiantitle,DC=local
            The replication generated an error (1753):
            There are no more endpoints available from the endpoint mapper.
            The failure occurred at 2014-10-30 09:49:40.
            The last success occurred at 2014-08-07 16:07:52.
            2011 failures have occurred since the last success.
            The directory on DC1 is in the process.
            of starting up or shutting down, and is not available.
            Verify machine is not hung during boot.
         ......................... DC failed test Replications
      Starting test: RidManager
         ......................... DC passed test RidManager
      Starting test: Services
         ......................... DC passed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x000003FC
            Time Generated: 10/30/2014   09:08:15
            Event String:
            Scope, 192.168.0.0, is 85 percent full with only 22 IP addresses rem
aining.
         ......................... DC passed test SystemLog
      Starting test: VerifyReferences
         ......................... DC passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : corinthiantitle
      Starting test: CheckSDRefDom
         ......................... corinthiantitle passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... corinthiantitle passed test
         CrossRefValidation

   Running enterprise tests on : corinthiantitle.local
      Starting test: LocatorCheck
         ......................... corinthiantitle.local passed test
         LocatorCheck
      Starting test: Intersite
         ......................... corinthiantitle.local passed test Intersite
0
 

Author Comment

by:Sam Craven
ID: 40414080
Just to clarify... DC1 no longer exists
0
 
LVL 5

Expert Comment

by:Armenio
ID: 40414755
That is exactly the problem.

Have you given all the FSMO roles to the new DC?
0
 
LVL 5

Expert Comment

by:Armenio
ID: 40414765
Did you let it replicate properly for a couple of days before turning it off?

It does not appear as if you completed the migration before removing the old DC. You need to provide more information on how you performed the migration. Is the server still available to turn on? Did you just turn it off, or did you uninstall AD from the old server? You will need to provide a clear idea of what was done and what steps you took, because it appears as if you never uninstalled AD from the old server and it was never removed from AD. Give me details of the steps taken and their duration. Did you allow a few days to replicate?
0
 

Author Comment

by:Sam Craven
ID: 40414807
This was done quite some time ago - I can't really say how long I left DC1 up and running after the roles transfer.   My guess is that I left it up for 1 day tops.   That server has already been reutilized elsewhere......what can I do to remove this "ghost" DC at this point?

Thanks
0
 
LVL 5

Expert Comment

by:Armenio
ID: 40414814
Did you uninstall Active Directory from the old server while it was connected to the domain before turning it off?

Did you run dcpromo on the old DC?
0
 

Author Comment

by:Sam Craven
ID: 40414822
I did not - I didn't know that I needed to:(
0
 
LVL 5

Accepted Solution

by:
Armenio earned 500 total points
ID: 40414840
That is your problem over there.

Before you begin, back up and test your backup. (This is very, very important. You are about to perform open heart surgery on AD.)

Make sure every single FSMO role is on the new server; if not, seize it.

Next, read through every one of the articles below and understand them before you start. Apply the appropriate ones to you.

If you are not very, very comfortable using ADSI Edit, do not do this; get a professional in. You will completely destroy AD and Exchange.

You will need to perform a metadata cleanup of AD and clean up everything manually. Do not forget to clean up DNS.

Read every single article in full, understand it, and then apply the appropriate ones.
Re-read the articles and make sure you understand every element of them.
Now Google more articles and read them (removing failed DC from AD).


http://blogs.msmvps.com/mweber/2010/05/16/active-directory-metadata-cleanup/
http://technet.microsoft.com/en-us/library/cc794860%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/cc816907%28v=ws.10%29.aspx
http://blogs.msmvps.com/ad/blog/2008/12/17/how-to-remove-a-failed-or-offline-dc/

P.S. Good Luck :-)

Next time you post a question, try to provide some back story; this will help us get a solution to you quicker.
0
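A read-only pre-check for the cleanup described in the accepted answer, added here as an example (it is not code from the thread): it lists the FSMO role holders, tests every DC that AD still records, and shows which DC the clients' Event 1058 failures name. It assumes the ActiveDirectory PowerShell module is installed on the surviving DC, that ICMP and remote event log access are allowed, and it uses the workstation name SAMPC from the event posted above.

```powershell
# Added example: read-only checks, nothing in AD or DNS is modified.
# Run from an elevated prompt on the surviving DC.
# Assumption: the ActiveDirectory module is available on that DC.
Import-Module ActiveDirectory

$workstation = 'SAMPC'   # a client logging Event 1058 (name taken from the thread)

# 1. FSMO role holders as currently recorded in the directory.
$domain = Get-ADDomain
$forest = Get-ADForest
$fsmo = @{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}

# 2. Every DC the directory still knows about, whether it answers a ping,
#    and which roles (if any) are still assigned to it.
$dcs = foreach ($dc in Get-ADDomainController -Filter *) {
    $name  = $dc.HostName
    $roles = @($fsmo.Keys | Where-Object { $fsmo[$_] -eq $name })
    New-Object PSObject -Property @{
        HostName  = $name
        Reachable = Test-Connection -ComputerName $name -Count 1 -Quiet
        FsmoRoles = ($roles -join ', ')
    }
}

# 3. Pull recent Group Policy 1058 errors from the client and extract the
#    ErrorCode and DCName fields from the event XML.
$filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-GroupPolicy'; Id = 1058 }
$events = Get-WinEvent -ComputerName $workstation -FilterHashtable $filter `
                       -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $fields = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $fields[$d.Name] = $d.'#text'
        }
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            ErrorCode = $fields['ErrorCode']
            DCName    = $fields['DCName']
        }
    }

$dcs    | Format-Table HostName, Reachable, FsmoRoles -AutoSize
$events | Group-Object DCName, ErrorCode | Format-Table Count, Name -AutoSize

# 4. Flag DC objects that exist in AD but do not answer, and say whether the
#    client's failures point at them.
foreach ($s in @($dcs | Where-Object { -not $_.Reachable })) {
    $hits = @($events | Where-Object { $_.DCName -eq $s.HostName }).Count
    Write-Warning ("{0} is still in AD but unreachable; roles assigned: '{1}'; 1058 events naming it: {2}" -f
                   $s.HostName, $s.FsmoRoles, $hits)
}
```

An unreachable entry that the 1058 events also name is the stale DC object the linked metadata cleanup articles deal with; any role still listed against it has to be seized first, as the answer says.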
 

Author Comment

by:Sam Craven
ID: 40421926
That worked!   THANK YOU so much.
0
 
LVL 5

Expert Comment

by:Armenio
ID: 40423154
Great, glad to have been able to help. If you don't mind, could you assign points as you see fit. :-)
0
 

Author Closing Comment

by:Sam Craven
ID: 40424703
Very helpful and timely. Thank you soooo much for helping us out on this major problem!!!
0
