We help IT Professionals succeed at work.

Updating Group Policy over a PPTP VPN

1,242 Views
Last Modified: 2018-05-24
I've got quite a few users (all Windows 10 Pro) that work 100% remotely out of their homes.  I need to push out some GP updates, but for some of the users, when I connect with the VPN and do a gpupdate /force, I'm getting the following error message.

Computer policy could not be updates successfully.  The following errors were encountered:

The processing of a Group Policy failed because of lack of network connectivity to a domain controller.  This may be a transient condition.  A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed.  If you do not see a success message for several hours, then contact your administrator.  

I've added the IP address of the domain controller (Server 2008 R2) the the DNS of the VPN connection.  The computers that are experiencing this problem all are able to ping the domain controller and browse to it.  

Any help would be much appreciated.

Thanks very much.
Comment
Watch Question

CERTIFIED EXPERT
Top Expert 2013

Commented:
It is usually a DNS issue.  The client PC must only be able to contact your corporate DNS server.  Thus there cannot be an ISP, router or such as an alternate DNS server, as they will often respond first and DNS will not resolve.  

I would also recommend in the VPN client's NIC configuration, under TCP/IP properties | Advanced | DNS to enter the corporate, internal, DNS suffix, such as mydomain.local, in the "use this DNS suffix for this connection box.

Finally it is best to enable in the VPN NIC configuration "use remote default gateway" to force all compunication through the tunnel.

Though gpupdate /force should work, if you set up the VPN client to connect before logon it should automatically update Group Policy.  I have written blog articles discussing this option:
XP & Win7:
https://blog.lan-tech.ca/2012/04/29/connect-to-windows-vpn-at-logon/
Win 8 and 10:
https://blog.lan-tech.ca/2013/03/02/windows-8-connect-to-vpn-before-logon/
Note at the bottom of the first link Group policies to add if a slow link.

Author

Commented:
I've made the requested changes, except for having the VPN  work on login, and I'm still facing this problem.

I agree this is a DNS issue.  I can ping the DC by IP address, but I cannot ping by the server name.  When I ping the server by name, it pings servername.domainname.local, but the IP address is the public IP for the VPN rather than the local IP of the server.  The only way I've been able to ping by server name is to adjust the hosts file.  Even after I do that, I am still unable to do a gpupdate /force.

I've tried routing traffic through the remote gateway, I've added the IP address of the DC as the DNS server for the VPN connection, I've added the domain name in the "DNS suffix for this connection field" and no luck.

Any thoughts?

Author

Commented:
when i say public IP of the VPN, i mean the public IP address of the VPN connection.  We use vpn.domainname.com as the connection string when setting up the VPN.  When I ping the server name of the DC, it resolves to the same public IP address as vpn.domainname.com instead of the local IP

Author

Commented:
Ok, it looks like my last comment was the result of me not having the VPN set to go through the gateway of the remote network.  I had been toggling that feature on and off for testing purposes.  I've toggled it back on and am able to ping by the servername without any problems

Author

Commented:
Sorry about the multiple comments......it looks like I was mistaken in my comments above.  My apologies again.  On the users were I expereince this issue, once I'm connected to the VPN, whether the internet traffic is routed through the remote gateway or not, when I ping the DC by servername, I get the public IP address of the vpn.domainname.com.  One the computers that work, pinging the servername resolves to a local IP.  

This certainly looks like a DNS issue, I just can't figure out where.  I've got the local IP of the DC configured as the primary DNS for the VPN on the client computers.

Thanks very much for your help
CERTIFIED EXPERT
Top Expert 2013

Commented:
Is your corporate, internal domain suffix a  .com rather than .local ?

You mention; "got the local IP of the DC configured as the primary DNS".  Primary, or only?  Has to be ONLY.

Author

Commented:
the local DNS is domainname.local.  the connection string we're using for the VPN connection is vpn.domainname.com.

To answer your second comment, it is primary only.  There is no secondary.
CERTIFIED EXPERT
Top Expert 2013

Commented:
I would make sure the domainname.local suffix is added in the DNS properties of the virtual NIC.
As a test can you ping the server using   servername.domainname.local  

Also what do the following return, from a command prompt on the connecting machine:
 nslookup  servername
nslookup servername.domainname.local

Author

Commented:
Here are those results

nslookup on servername
Server:  Unknown
Address:  192.168.200.200

DNS request timed out
*** Request to unknown timed-out

nslookup on servername.domainname.local
Server:  Unknown
Address:  192.168.200.200

DNS request timed out
         timeout was 2 seconds
*** Request to unknown timed-out
CERTIFIED EXPERT
Top Expert 2013

Commented:
Definitely DNS, isn't it.
Could you possibly connect the VPN and then from the connecting PC post the results of
  ipconfig /all
and
  route print

You may want to mask or change any public IP's and domain names for security, but please leave private IP addressing in tact.

Thanks.

Author

Commented:
Here are those results.  I'm including the results where the check box is selected to use the remote site as the gateway and when that was not selected.  We typically do not have that configured, but I wanted to be thorough with the results.  

FYI, during the time of this testing, the DNS suffix was entered in the Advanced TCP/IP settings for the VPN adapter, however, the Register this connection's address in DNS box was unchecked as was teh Use this connections's DNS suffix in DNS registration.  I experience the same error whether those boxes are checked or not, but just communicating that those boxes were unchecked when i generated the results below.

Thanks very much for your continued assistance.
ipconfig--local-gateway-.txt
routeprint--local-gateway-.txt
ipconfig--remote-gateway-.txt
routeprint--remote-gateway-.txt

Author

Commented:
Any thoughts on this after seeing those results?
CERTIFIED EXPERT
Top Expert 2013

Commented:
Very sorry, I somehow missed your last post.
I reviewed the files you posted and just tried numerous options on a local system to compare.

Your configurations; ipconfig, and route print, look fine.  Very odd that you are having issues.

On the test system I used I didn’t even add the DNS server, as it was handed out automatically by the VPN server, which resulted in the same configuration as you have.  I could ping servername.domain.local, but had to add the domain suffix in the VPN configuration to just ping servername.  
I also strongly recommend having the “use remote default gateway” option enabled.  If the VPN connection is slow at all it may use the local DNS servers (ISP) to resolve instead of VPN, and fail.

I apologize for earlier comments about nslookup. That will not work anyway as there is no reverse DNS entry for your VPN clients.  However ping <name> should work.

I am running out of ideas, but just to confirm; your corporate DNS server (not VPN server) is 192.168.200.200  ?

Author

Commented:
Thank you for the reply.  you are correct.  The DNS server is 192.168.200.200.

Very odd behavior.  Some laptops it works and others it does not.
CERTIFIED EXPERT
Top Expert 2013

Commented:
A long shot:

Do you know if the problematic users' ISPs support IPv6?
I am in Eastern Canada and none of the ISPs do, but IPV6 in windows 7 and newer is preferred over IPv4.  I wonder if we have reached a point where the IPv6 portion of the VPN client needs to be configured for DNS.  When you add the DNS suffix to IPv4 it automatically adds it to IPv6, but the DNS server's IPv6 address is not added dynamically or statically. You could try disabling the IPv6 option just in the PPP/VPN NIC, or have you tried a working laptop at a none working client site?  Perhaps site related more than device.

Again, a long shot.

Author

Commented:
that's actually a pretty good idea.  I've ran into IPv6 problems in past with users working out of their homes.  Let me give that a try and i will get back to you
CERTIFIED EXPERT
Top Expert 2013

Commented:
I am not certain if un-checking IPv6 will actually do it, but worth a try.  To properly disable IPv6 you have to do so in the registry, but that will disable it for all traffic and I would never recommend that.  If it works, great, if not try taking a working laptop to a non-working site.

Let me know how you make out, I am very curious.  It may be using IPv6 to connect to your ISP's DNS server.

Author

Commented:
Unfortunately no luck with the IPv6.

Author

Commented:
Thank you for all your help.  If you come up with something new, let me know.  Otherwise, I'll be awarding you points for the effort.  I just opened up another question to try and work around this issue.  Link below

https://www.experts-exchange.com/questions/29008812/Force-local-Group-Policy-instead-of-getting-GP-from-domain-for-remote-computers.html
CERTIFIED EXPERT
Top Expert 2013
Commented:
This problem has been solved!
(Unlock this solution with a 7-day Free Trial)
UNLOCK SOLUTION

Author

Commented:
I really appreciate all your help.  This is a very odd issue.

FYI, I connected one of the users with a completely different VPN (SSL SonicWall VPN) and experienced the same issue.  Just not sure what's going on here.

Gain unlimited access to on-demand training courses with an Experts Exchange subscription.

Get Access
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Empower Your Career
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions