Updating Group Policy over a PPTP VPN
I've got quite a few users (all Windows 10 Pro) that work 100% remotely out of their homes. I need to push out some GP updates, but for some of the users, when I connect with the VPN and do a gpupdate /force, I'm getting the following error message.
Computer policy could not be updates successfully. The following errors were encountered:
The processing of a Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.
I've added the IP address of the domain controller (Server 2008 R2) the the DNS of the VPN connection. The computers that are experiencing this problem all are able to ping the domain controller and browse to it.
Any help would be much appreciated.
Thanks very much.
Computer policy could not be updates successfully. The following errors were encountered:
The processing of a Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.
I've added the IP address of the domain controller (Server 2008 R2) the the DNS of the VPN connection. The computers that are experiencing this problem all are able to ping the domain controller and browse to it.
Any help would be much appreciated.
Thanks very much.
It is usually a DNS issue. The client PC must only be able to contact your corporate DNS server. Thus there cannot be an ISP, router or such as an alternate DNS server, as they will often respond first and DNS will not resolve.
I would also recommend in the VPN client's NIC configuration, under TCP/IP properties | Advanced | DNS to enter the corporate, internal, DNS suffix, such as mydomain.local, in the "use this DNS suffix for this connection box.
Finally it is best to enable in the VPN NIC configuration "use remote default gateway" to force all compunication through the tunnel.
Though gpupdate /force should work, if you set up the VPN client to connect before logon it should automatically update Group Policy. I have written blog articles discussing this option:
XP & Win7:
https://blog.lan-tech.ca/2012/04/29/connect-to-windows-vpn-at-logon/
Win 8 and 10:
https://blog.lan-tech.ca/2013/03/02/windows-8-connect-to-vpn-before-logon/
Note at the bottom of the first link Group policies to add if a slow link.
I would also recommend in the VPN client's NIC configuration, under TCP/IP properties | Advanced | DNS to enter the corporate, internal, DNS suffix, such as mydomain.local, in the "use this DNS suffix for this connection box.
Finally it is best to enable in the VPN NIC configuration "use remote default gateway" to force all compunication through the tunnel.
Though gpupdate /force should work, if you set up the VPN client to connect before logon it should automatically update Group Policy. I have written blog articles discussing this option:
XP & Win7:
https://blog.lan-tech.ca/2012/04/29/connect-to-windows-vpn-at-logon/
Win 8 and 10:
https://blog.lan-tech.ca/2013/03/02/windows-8-connect-to-vpn-before-logon/
Note at the bottom of the first link Group policies to add if a slow link.
I've made the requested changes, except for having the VPN work on login, and I'm still facing this problem.
I agree this is a DNS issue. I can ping the DC by IP address, but I cannot ping by the server name. When I ping the server by name, it pings servername.domainname.loca
I've tried routing traffic through the remote gateway, I've added the IP address of the DC as the DNS server for the VPN connection, I've added the domain name in the "DNS suffix for this connection field" and no luck.
Any thoughts?
I agree this is a DNS issue. I can ping the DC by IP address, but I cannot ping by the server name. When I ping the server by name, it pings servername.domainname.loca
I've tried routing traffic through the remote gateway, I've added the IP address of the DC as the DNS server for the VPN connection, I've added the domain name in the "DNS suffix for this connection field" and no luck.
Any thoughts?
when i say public IP of the VPN, i mean the public IP address of the VPN connection. We use vpn.domainname.com as the connection string when setting up the VPN. When I ping the server name of the DC, it resolves to the same public IP address as vpn.domainname.com instead of the local IP
Ok, it looks like my last comment was the result of me not having the VPN set to go through the gateway of the remote network. I had been toggling that feature on and off for testing purposes. I've toggled it back on and am able to ping by the servername without any problems
Sorry about the multiple comments......it looks like I was mistaken in my comments above. My apologies again. On the users were I expereince this issue, once I'm connected to the VPN, whether the internet traffic is routed through the remote gateway or not, when I ping the DC by servername, I get the public IP address of the vpn.domainname.com. One the computers that work, pinging the servername resolves to a local IP.
This certainly looks like a DNS issue, I just can't figure out where. I've got the local IP of the DC configured as the primary DNS for the VPN on the client computers.
Thanks very much for your help
This certainly looks like a DNS issue, I just can't figure out where. I've got the local IP of the DC configured as the primary DNS for the VPN on the client computers.
Thanks very much for your help
Is your corporate, internal domain suffix a .com rather than .local ?
You mention; "got the local IP of the DC configured as the primary DNS". Primary, or only? Has to be ONLY.
You mention; "got the local IP of the DC configured as the primary DNS". Primary, or only? Has to be ONLY.
the local DNS is domainname.local. the connection string we're using for the VPN connection is vpn.domainname.com.
To answer your second comment, it is primary only. There is no secondary.
To answer your second comment, it is primary only. There is no secondary.
I would make sure the domainname.local suffix is added in the DNS properties of the virtual NIC.
As a test can you ping the server using servername.domainname.loca
Also what do the following return, from a command prompt on the connecting machine:
nslookup servername
nslookup servername.domainname.loca
As a test can you ping the server using servername.domainname.loca
Also what do the following return, from a command prompt on the connecting machine:
nslookup servername
nslookup servername.domainname.loca
Here are those results
nslookup on servername
Server: Unknown
Address: 192.168.200.200
DNS request timed out
*** Request to unknown timed-out
nslookup on servername.domainname.loca
Server: Unknown
Address: 192.168.200.200
DNS request timed out
timeout was 2 seconds
*** Request to unknown timed-out
nslookup on servername
Server: Unknown
Address: 192.168.200.200
DNS request timed out
*** Request to unknown timed-out
nslookup on servername.domainname.loca
Server: Unknown
Address: 192.168.200.200
DNS request timed out
timeout was 2 seconds
*** Request to unknown timed-out
Definitely DNS, isn't it.
Could you possibly connect the VPN and then from the connecting PC post the results of
ipconfig /all
and
route print
You may want to mask or change any public IP's and domain names for security, but please leave private IP addressing in tact.
Thanks.
Could you possibly connect the VPN and then from the connecting PC post the results of
ipconfig /all
and
route print
You may want to mask or change any public IP's and domain names for security, but please leave private IP addressing in tact.
Thanks.
Here are those results. I'm including the results where the check box is selected to use the remote site as the gateway and when that was not selected. We typically do not have that configured, but I wanted to be thorough with the results.
FYI, during the time of this testing, the DNS suffix was entered in the Advanced TCP/IP settings for the VPN adapter, however, the Register this connection's address in DNS box was unchecked as was teh Use this connections's DNS suffix in DNS registration. I experience the same error whether those boxes are checked or not, but just communicating that those boxes were unchecked when i generated the results below.
Thanks very much for your continued assistance.
ipconfig--local-gateway-.txt
routeprint--local-gateway-.txt
ipconfig--remote-gateway-.txt
routeprint--remote-gateway-.txt
FYI, during the time of this testing, the DNS suffix was entered in the Advanced TCP/IP settings for the VPN adapter, however, the Register this connection's address in DNS box was unchecked as was teh Use this connections's DNS suffix in DNS registration. I experience the same error whether those boxes are checked or not, but just communicating that those boxes were unchecked when i generated the results below.
Thanks very much for your continued assistance.
ipconfig--local-gateway-.txt
routeprint--local-gateway-.txt
ipconfig--remote-gateway-.txt
routeprint--remote-gateway-.txt
Very sorry, I somehow missed your last post.
I reviewed the files you posted and just tried numerous options on a local system to compare.
Your configurations; ipconfig, and route print, look fine. Very odd that you are having issues.
On the test system I used I didn’t even add the DNS server, as it was handed out automatically by the VPN server, which resulted in the same configuration as you have. I could ping servername.domain.local, but had to add the domain suffix in the VPN configuration to just ping servername.
I also strongly recommend having the “use remote default gateway” option enabled. If the VPN connection is slow at all it may use the local DNS servers (ISP) to resolve instead of VPN, and fail.
I apologize for earlier comments about nslookup. That will not work anyway as there is no reverse DNS entry for your VPN clients. However ping <name> should work.
I am running out of ideas, but just to confirm; your corporate DNS server (not VPN server) is 192.168.200.200 ?
I reviewed the files you posted and just tried numerous options on a local system to compare.
Your configurations; ipconfig, and route print, look fine. Very odd that you are having issues.
On the test system I used I didn’t even add the DNS server, as it was handed out automatically by the VPN server, which resulted in the same configuration as you have. I could ping servername.domain.local, but had to add the domain suffix in the VPN configuration to just ping servername.
I also strongly recommend having the “use remote default gateway” option enabled. If the VPN connection is slow at all it may use the local DNS servers (ISP) to resolve instead of VPN, and fail.
I apologize for earlier comments about nslookup. That will not work anyway as there is no reverse DNS entry for your VPN clients. However ping <name> should work.
I am running out of ideas, but just to confirm; your corporate DNS server (not VPN server) is 192.168.200.200 ?
Thank you for the reply. you are correct. The DNS server is 192.168.200.200.
Very odd behavior. Some laptops it works and others it does not.
Very odd behavior. Some laptops it works and others it does not.
A long shot:
Do you know if the problematic users' ISPs support IPv6?
I am in Eastern Canada and none of the ISPs do, but IPV6 in windows 7 and newer is preferred over IPv4. I wonder if we have reached a point where the IPv6 portion of the VPN client needs to be configured for DNS. When you add the DNS suffix to IPv4 it automatically adds it to IPv6, but the DNS server's IPv6 address is not added dynamically or statically. You could try disabling the IPv6 option just in the PPP/VPN NIC, or have you tried a working laptop at a none working client site? Perhaps site related more than device.
Again, a long shot.
Do you know if the problematic users' ISPs support IPv6?
I am in Eastern Canada and none of the ISPs do, but IPV6 in windows 7 and newer is preferred over IPv4. I wonder if we have reached a point where the IPv6 portion of the VPN client needs to be configured for DNS. When you add the DNS suffix to IPv4 it automatically adds it to IPv6, but the DNS server's IPv6 address is not added dynamically or statically. You could try disabling the IPv6 option just in the PPP/VPN NIC, or have you tried a working laptop at a none working client site? Perhaps site related more than device.
Again, a long shot.
that's actually a pretty good idea. I've ran into IPv6 problems in past with users working out of their homes. Let me give that a try and i will get back to you
I am not certain if un-checking IPv6 will actually do it, but worth a try. To properly disable IPv6 you have to do so in the registry, but that will disable it for all traffic and I would never recommend that. If it works, great, if not try taking a working laptop to a non-working site.
Let me know how you make out, I am very curious. It may be using IPv6 to connect to your ISP's DNS server.
Let me know how you make out, I am very curious. It may be using IPv6 to connect to your ISP's DNS server.
Thank you for all your help. If you come up with something new, let me know. Otherwise, I'll be awarding you points for the effort. I just opened up another question to try and work around this issue. Link below
https://www.experts-exchange.com/questions/29008812/Force-local-Group-Policy-instead-of-getting-GP-from-domain-for-remote-computers.html
https://www.experts-exchange.com/questions/29008812/Force-local-Group-Policy-instead-of-getting-GP-from-domain-for-remote-computers.html
Gain unlimited access to on-demand training courses with an Experts Exchange subscription.
Get AccessWhy Experts Exchange?
Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.
Jim Murphy
Programmer at Smart IT Solutions
When asked, what has been your best career decision?
Deciding to stick with EE.
Mohamed Asif
Technical Department Head
Being involved with EE helped me to grow personally and professionally.
Carl Webster
CTP, Sr Infrastructure Consultant
Did You Know?
We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE
Ask ANY Question
Connect with Certified Experts to gain insight and support on specific technology challenges including:
- Troubleshooting
- Research
- Professional Opinions