Computer Policy cannot be applied

TomerLeibovich
Hello everyone,

I have Domain Controllers running server 2008R2 and 2 domain members running 2012R2.
I am trying to apply group policy and keep getting the same error on both members:

Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more
of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

The first thing I thought was that it is the SID, so I ran sysprep again, just to make sure, but it did not help.
Also tried:
1. renaming servers
2. re-joining the domain

Thanks in advance for any help.
systech, Senior Technical Lead

Commented:
Hi,

How many DCs do you have in the network? Make sure they are replicating to each other. Check the "DFS Replication" or "File Replication" logs for any Journal_Wrap error.

Sounds like a replication issue here.

Author

Commented:
Hi,

No, there are no failed events on "DFS Replication" logs.
systech, Senior Technical Lead

Commented:
Hi,

If not already tried, could you check the things below?

Stop the Windows Firewall service (Start >> Run >> services.msc) and check gpupdate /force

Did you change your DNS address in the server's network card properties? If so, can you make the preferred DNS itself and the alternate another DNS server?

Also, it is worth running the integrity check on the DCs (using ntdsutil for NTDS.DIT) to make sure that ntds.dit is fine on all the DCs.
If it's not a DNS issue as suggested above:  Are you using the latest ADMX files for group policy?  If not, I recommend downloading and installing them, as it might be a mismatch between the ADMX version and the 2012 R2 servers:

https://www.microsoft.com/en-us/download/details.aspx?id=43413
Sudeep Sharma, Technical Designer

Commented:
Are the IP addresses of DNS correct?

Sudeep

Author

Commented:
IP addresses of the DNS are correct - they map to the domain controllers and I don't have a problem pinging and resolving any of the hosts.
I also tried the ADMX and it did not help either.

I'm attaching the gpresult file here; maybe one of you guys can find the issue there.
gpreport2.html

That report clearly shows that no group policies other than the local GPO are being applied. Can you please provide a printout of the configuration of the group policy showing the Scope, Details, Settings and Delegation tabs?

Author

Commented:
Attached are the screenshots of the GPO
delegation.PNG
scope.PNG
details.PNG
settings.PNG

That all looks pretty normal as well. The only odd thing is that I've never seen anyone set the Password security settings the way you have, but you say that it's working on other servers, so that doesn't seem like it would be causing this problem. It would be extremely insecure to have these settings as you've done, so I would advise not doing this, but that's not relevant to the problem you've posted.

In the process of your troubleshooting (renaming computers, rejoining the domain, etc.), did you actually DELETE the original domain accounts for these servers?  I would try with one server: unjoin the domain, go to the Computers container (whatever container that includes these machines) in AD and manually delete the computer account, reboot and rejoin the domain.  This will cleanly remove all trace of the server from AD (or should do so), and maybe that will clean up whatever isn't working properly with the computer's account in AD.

Author

Commented:
Thanks for the comment.
I've done it but there is no progress on this matter.
Getting the same error

Author

Commented:
Solved.
I've re-joined the domain (one more..)
Run setspn -R hostname
disjoin the domain
restart
re-joined domain.
Worked.

Thanks everyone

Author

Commented:
This solution with resetting SPN helped.
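
An added example, not part of the original thread: a read-only PowerShell check of the state that `setspn -R` repairs, namely the two HOST SPNs on the computer account, plus a duplicate-SPN and secure-channel check. It assumes it is run on the affected member server by a domain user who can query AD through `[adsisearcher]`; the function names are hypothetical.

```powershell
# Added example (assumption: run on the affected member server, domain user).
# Read-only: nothing in AD is changed.

function Get-ExpectedHostSpn {
    param([string]$ComputerName, [string]$DnsDomain)
    # "setspn -R <hostname>" re-registers the short-name and FQDN HOST SPNs
    "HOST/$ComputerName", "HOST/$ComputerName.$DnsDomain"
}

function Compare-HostSpn {
    param([string[]]$Expected, [string[]]$Registered)
    # -notcontains is case-insensitive, matching how SPNs are compared
    $Expected | Where-Object { $Registered -notcontains $_ }
}

$name     = $env:COMPUTERNAME
$domain   = (Get-CimInstance Win32_ComputerSystem).Domain
$expected = Get-ExpectedHostSpn -ComputerName $name -DnsDomain $domain

# Look up this machine's computer account (sAMAccountName ends with "$")
$searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$name`$))"
$searcher.PropertiesToLoad.Add('serviceprincipalname') | Out-Null
$account = $searcher.FindOne()
if (-not $account) {
    Write-Warning "No computer account found in AD for $name"
    return
}

# 1. Are the HOST SPNs present on the account?
$registered = @($account.Properties['serviceprincipalname'])
$missing    = @(Compare-HostSpn -Expected $expected -Registered $registered)
if ($missing.Count -gt 0) {
    Write-Warning "Missing SPNs on $name`$: $($missing -join ', ')"
} else {
    Write-Output "HOST SPNs present: $($expected -join ', ')"
}

# 2. Is any of them also registered on another account (stale duplicate)?
foreach ($spn in $expected) {
    $owners = ([adsisearcher]"(servicePrincipalName=$spn)").FindAll()
    if ($owners.Count -gt 1) {
        Write-Warning "$spn is registered on $($owners.Count) accounts:"
        $owners | ForEach-Object { Write-Warning "  $($_.Path)" }
    }
}

# 3. Is the machine's secure channel to the domain intact?
Write-Output "Secure channel OK: $(Test-ComputerSecureChannel)"
```

Running it before and after the `setspn -R` step shows whether the HOST SPNs were actually the part that changed.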
