Computer Policy cannot be applied

Hello everyone,

I have Domain Controllers running server 2008R2 and 2 domain members running 2012R2.
I am trying to apply group policy and keep getting the same error on both members:

Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more
of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

The first thing I thought was that it was the SID, so I ran sysprep again, just to make sure, but it did not help.
Also tried:
1. renaming servers
2. re-joining the domain

Thanks in advance for any help.
TomerLeibovich Asked:
systech, Senior Technical Lead, Commented:
Hi,

How many DCs do you have in the network? Make sure they are replicating to each other. Check the "DFS Replication" or "File Replication" logs for any Journal_Wrap error.

Sounds like a replication issue here.
TomerLeibovich (Author) Commented:
Hi,

No, there are no failed events on "DFS Replication" logs.
systech, Senior Technical Lead, Commented:
Hi,

If not already tried, could you check the things below?

Stop the Windows Firewall service (start>>run>>services.msc) and check gpupdate /force

Did you change your DNS address in the server's network card properties? If so, can you make the preferred DNS itself and the alternate another DNS server?

Also, it is worth running the integrity check on the DCs (using ntdsutil for NTDS.DIT) to make sure that the ntds.dit is fine on all the DCs.
Hypercat (Deb) Commented:
If it's not a DNS issue as suggested above:  Are you using the latest ADMX files for group policy?  If not, I recommend downloading and installing them, as it might be a mismatch between the ADMX version and the 2012 R2 servers:

https://www.microsoft.com/en-us/download/details.aspx?id=43413
Sudeep Sharma, Technical Designer, Commented:
Are the IP addresses of DNS correct?

Sudeep
TomerLeibovich (Author) Commented:
IP addresses of the DNS are correct - they map to the domain controllers and I don't have a problem pinging and resolving any of the hosts.
I also tried the ADMX and it did not help either.

I'm attaching the gpresult file here, maybe one of you guys can find the issue there.
gpreport2.html
Hypercat (Deb) Commented:
That report clearly shows that no group policies other than the local GPO are being applied.  Can you please provide a printout of the configuration of the group policy showing the Scope, Details, Settings and Delegation tabs?
TomerLeibovich (Author) Commented:
Attached are the screenshots of the GPO
delegation.PNG
scope.PNG
details.PNG
settings.PNG
Hypercat (Deb) Commented:
That all looks pretty normal as well. The only odd thing is that I've never seen anyone set the Password security settings the way you have, but you say that it's working on other servers, so that doesn't seem like it would be causing this problem. It would be extremely insecure to have these settings as you've done, so I would advise not doing this, but that's not relevant to the problem you've posted.

In the process of your troubleshooting (renaming computers, rejoining the domain, etc.), did you actually DELETE the original domain accounts for these servers?  I would try with one server: unjoin the domain, go to the Computers container (whatever container that includes these machines) in AD and manually delete the computer account, reboot and rejoin the domain.  This will cleanly remove all trace of the server from AD (or should do so), and maybe that will clean up whatever isn't working properly with the computer's account in AD.
TomerLeibovich (Author) Commented:
Thanks for the comment.
I've done it but there is no progress on this matter.
Getting the same error.
TomerLeibovich (Author) Commented:
Solved.
I've re-joined the domain (one more..)
Run setspn -R hostname
dis-join the domain
restart
re-joined domain.
Worked.

Thanks everyone
TomerLeibovich (Author) Commented:
This solution with resetting SPN helped.
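
The fix that worked in this thread was `setspn -R`, which re-registers the default HOST SPNs on the computer account. The following is an added example, not part of the original thread: a read-only PowerShell check that reports whether those SPNs are missing or duplicated and whether the secure channel is healthy, before anything is reset. It assumes the server's primary DNS suffix equals the AD domain name and that the logged-on user can query the directory; the variable names are illustrative.

```powershell
# Added example, not from the thread. Read-only: it changes nothing in AD.
# Run in an elevated PowerShell session on the affected member server.
$cs    = Get-CimInstance Win32_ComputerSystem
$short = $env:COMPUTERNAME
# Assumption: the primary DNS suffix equals the AD domain name.
$fqdn  = '{0}.{1}' -f $short, $cs.Domain
$expected = "HOST/$short", "HOST/$fqdn"

# The computer account's sAMAccountName is the NetBIOS name followed by '$'.
$filter  = '(&(objectCategory=computer)(sAMAccountName={0}$))' -f $short
$account = ([adsisearcher]$filter).FindOne()
if (-not $account) {
    Write-Warning "No computer account for $short on the DC that answered (replication?)."
    return
}
$registered = @($account.Properties['serviceprincipalname'])

# 1. Default HOST SPNs that are absent from the computer account.
$missing = @($expected | Where-Object { $registered -notcontains $_ })

# 2. Expected SPNs that are registered on more than one account.
$duplicates = @(foreach ($spn in $expected) {
    $hits = ([adsisearcher]"(servicePrincipalName=$spn)").FindAll()
    if ($hits.Count -gt 1) { $spn }
})

# 3. Secure channel between this machine and the domain.
$channelOk = Test-ComputerSecureChannel

[pscustomobject]@{
    Computer          = $short
    MissingHostSpns   = $missing -join ', '
    DuplicateHostSpns = $duplicates -join ', '
    SecureChannelOk   = $channelOk
}

if ($missing) {
    Write-Host "Default SPNs are missing; the thread's fix was: setspn -R $short"
}
```

A duplicate entry points at a stale account left over from an earlier rename or re-join, which is consistent with the advice above to delete the old computer account before rejoining.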