SupermanTB

asked on

Updating Group Policy over a PPTP VPN

I've got quite a few users (all Windows 10 Pro) that work 100% remotely out of their homes.  I need to push out some GP updates, but for some of the users, when I connect with the VPN and do a gpupdate /force, I'm getting the following error message.

Computer policy could not be updated successfully.  The following errors were encountered:

The processing of a Group Policy failed because of lack of network connectivity to a domain controller.  This may be a transient condition.  A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed.  If you do not see a success message for several hours, then contact your administrator.  

I've added the IP address of the domain controller (Server 2008 R2) to the DNS of the VPN connection.  The computers that are experiencing this problem are all able to ping the domain controller and browse to it.  

Any help would be much appreciated.

Thanks very much.
Rob Williams

It is usually a DNS issue.  The client PC must only be able to contact your corporate DNS server.  Thus there cannot be an ISP, router or such as an alternate DNS server, as they will often respond first and DNS will not resolve.  

I would also recommend, in the VPN client's NIC configuration, under TCP/IP properties | Advanced | DNS, entering the corporate, internal DNS suffix, such as mydomain.local, in the "use this DNS suffix for this connection" box.

Finally, it is best to enable "use remote default gateway" in the VPN NIC configuration to force all communication through the tunnel.

Though gpupdate /force should work, if you set up the VPN client to connect before logon it should automatically update Group Policy.  I have written blog articles discussing this option:
XP & Win7:
https://blog.lan-tech.ca/2012/04/29/connect-to-windows-vpn-at-logon/
Win 8 and 10:
https://blog.lan-tech.ca/2013/03/02/windows-8-connect-to-vpn-before-logon/
Note, at the bottom of the first link, the Group Policies to add if it is a slow link.
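The three settings in this answer (corporate DNS as the only resolver on the VPN adapter, the internal suffix on that adapter, and the full tunnel via the remote default gateway), as an added PowerShell example that is not part of the original thread. The connection name "Corp VPN" is hypothetical; domainname.local and 192.168.200.200 are the values the asker gives later in the thread. Run from an elevated prompt on the Windows 10 client.

```powershell
# Added example, not from the thread. Applies the answer's three settings to an
# existing Windows 10 VPN connection.
# Hypothetical: the connection name "Corp VPN".
# From the thread: internal domain domainname.local, corporate DNS 192.168.200.200.
$VpnName   = 'Corp VPN'
$DnsSuffix = 'domainname.local'
$CorpDns   = '192.168.200.200'

# 1. Full tunnel. "Use default gateway on remote network" is the inverse of split
#    tunnelling, and -DnsSuffix is the connection-specific suffix for the PPP adapter.
Set-VpnConnection -Name $VpnName -SplitTunneling $false -DnsSuffix $DnsSuffix -Force

# 2. Connect. The PPP adapter only exists while the tunnel is up, so the
#    per-adapter DNS settings below can only be applied after rasdial succeeds.
#    rasdial prompts for credentials if none are saved for the connection.
rasdial $VpnName
if ($LASTEXITCODE -ne 0) { throw "rasdial failed with exit code $LASTEXITCODE" }

# 3. Corporate DNS as the ONLY resolver on the VPN adapter, suffix pinned,
#    and no dynamic registration of the tunnel address.
Set-DnsClientServerAddress -InterfaceAlias $VpnName -ServerAddresses $CorpDns
Set-DnsClient -InterfaceAlias $VpnName -ConnectionSpecificSuffix $DnsSuffix `
              -RegisterThisConnectionsAddress $false

# 4. Verify. Every interface that has any DNS server is listed; the VPN adapter
#    must show only $CorpDns. A home NIC still listing the ISP or router resolver
#    is the competing resolver the answer describes, which is why step 1 matters.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    Select-Object InterfaceAlias, ServerAddresses

# 5. Confirm the suffix is applied and the name resolves through the tunnel.
Get-DnsClient -InterfaceAlias $VpnName | Select-Object InterfaceAlias, ConnectionSpecificSuffix
Resolve-DnsName "dc01.$DnsSuffix" -Server $CorpDns -DnsOnly   # "dc01" is a hypothetical DC name
```

If the per-adapter values in step 3 do not survive a disconnect and reconnect, set the same DNS server and suffix in the connection's IPv4 properties as the answer describes; that path stores them in the RAS phonebook for the connection rather than on the transient adapter.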
SupermanTB

ASKER

I've made the requested changes, except for having the VPN work on login, and I'm still facing this problem.

I agree this is a DNS issue.  I can ping the DC by IP address, but I cannot ping by the server name.  When I ping the server by name, it pings servername.domainname.local, but the IP address is the public IP for the VPN rather than the local IP of the server.  The only way I've been able to ping by server name is to adjust the hosts file.  Even after I do that, I am still unable to do a gpupdate /force.

I've tried routing traffic through the remote gateway, I've added the IP address of the DC as the DNS server for the VPN connection, I've added the domain name in the "DNS suffix for this connection field" and no luck.

Any thoughts?
When I say public IP of the VPN, I mean the public IP address of the VPN connection.  We use vpn.domainname.com as the connection string when setting up the VPN.  When I ping the server name of the DC, it resolves to the same public IP address as vpn.domainname.com instead of the local IP.
OK, it looks like my last comment was the result of me not having the VPN set to go through the gateway of the remote network.  I had been toggling that feature on and off for testing purposes.  I've toggled it back on and am able to ping by the servername without any problems.
Sorry about the multiple comments......it looks like I was mistaken in my comments above.  My apologies again.  On the users where I experience this issue, once I'm connected to the VPN, whether the internet traffic is routed through the remote gateway or not, when I ping the DC by servername, I get the public IP address of vpn.domainname.com.  On the computers that work, pinging the servername resolves to a local IP.  

This certainly looks like a DNS issue, I just can't figure out where.  I've got the local IP of the DC configured as the primary DNS for the VPN on the client computers.

Thanks very much for your help
Is your corporate, internal domain suffix a .com rather than .local?

You mention; "got the local IP of the DC configured as the primary DNS".  Primary, or only?  Has to be ONLY.
The local DNS is domainname.local.  The connection string we're using for the VPN connection is vpn.domainname.com.

To answer your second comment, it is primary only.  There is no secondary.
I would make sure the domainname.local suffix is added in the DNS properties of the virtual NIC.
As a test, can you ping the server using servername.domainname.local?

Also what do the following return, from a command prompt on the connecting machine:
  nslookup servername
  nslookup servername.domainname.local
Here are those results

nslookup on servername
Server:  Unknown
Address:  192.168.200.200

DNS request timed out
*** Request to unknown timed-out

nslookup on servername.domainname.local
Server:  Unknown
Address:  192.168.200.200

DNS request timed out
         timeout was 2 seconds
*** Request to unknown timed-out
Definitely DNS, isn't it?
Could you possibly connect the VPN and then from the connecting PC post the results of
  ipconfig /all
and
  route print

You may want to mask or change any public IPs and domain names for security, but please leave private IP addressing intact.

Thanks.
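The information the two requests above ask for (the resolver on each interface, the connection-specific suffix, the route table), plus the checks gpupdate itself depends on, gathered by an added PowerShell script that is not part of the thread. Beyond the plain nslookup, it resolves the DC both through the default resolver and forced to the corporate server, queries the _ldap._tcp.dc._msdcs SRV record that the DC locator uses, tests the TCP ports Group Policy needs, and runs nltest's DC discovery. domainname.local and 192.168.200.200 are the values given in the thread; the connection name "Corp VPN" and the DC host name "dc01" are assumptions. Run on the remote Windows 10 client while the VPN is connected.

```powershell
# Added diagnostic script, not from the thread. Run in an elevated PowerShell
# prompt on the remote client while the VPN is connected.
# From the thread: internal domain domainname.local, corporate DNS 192.168.200.200.
# Hypothetical: VPN connection name "Corp VPN", domain controller host name "dc01".
$Domain  = 'domainname.local'
$CorpDns = '192.168.200.200'
$VpnName = 'Corp VPN'
$DcHost  = "dc01.$Domain"

'== DNS servers per interface (IPv4 and IPv6) =='
Get-DnsClientServerAddress |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    Format-Table InterfaceAlias, AddressFamily, ServerAddresses -AutoSize | Out-Host

'== Connection-specific suffix per interface =='
Get-DnsClient | Format-Table InterfaceAlias, ConnectionSpecificSuffix -AutoSize | Out-Host

'== Interface metrics: compare the VPN adapter with the home NIC =='
Get-NetIPInterface -AddressFamily IPv4 | Sort-Object InterfaceMetric |
    Format-Table InterfaceAlias, InterfaceMetric, ConnectionState -AutoSize | Out-Host

'== Routes leaving through the VPN adapter (the relevant part of route print) =='
Get-NetRoute -AddressFamily IPv4 | Where-Object InterfaceAlias -eq $VpnName |
    Format-Table DestinationPrefix, NextHop, RouteMetric -AutoSize | Out-Host

'== Name resolution: default resolver vs. forced to the corporate server =='
# The DC locator looks up the SRV record, not just the DC's A record, so test both.
foreach ($Query in @(@{ Name = $DcHost; Type = 'A' },
                     @{ Name = "_ldap._tcp.dc._msdcs.$Domain"; Type = 'SRV' })) {
    foreach ($Server in @($null, $CorpDns)) {
        $Label  = if ($Server) { "via $Server" } else { 'via default resolver' }
        $Params = @{ Name = $Query.Name; Type = $Query.Type; DnsOnly = $true; ErrorAction = 'Stop' }
        if ($Server) { $Params.Server = $Server }
        try {
            $Answers = Resolve-DnsName @Params |
                ForEach-Object { if ($_.IPAddress) { $_.IPAddress } else { $_.NameTarget } }
            # A public address for the DC here (the vpn.domainname.com IP the asker saw)
            # means a resolver other than $CorpDns answered the query.
            '{0} [{1}] {2}: {3}' -f $Query.Name, $Query.Type, $Label, ($Answers -join ', ')
        } catch {
            '{0} [{1}] {2}: FAILED ({3})' -f $Query.Name, $Query.Type, $Label, $_.Exception.Message
        }
    }
}

'== TCP ports Group Policy needs on the DC: Kerberos 88, LDAP 389, SMB 445 (SYSVOL) =='
foreach ($Port in 88, 389, 445) {
    $Ok = (Test-NetConnection -ComputerName $DcHost -Port $Port -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0}:{1} {2}' -f $DcHost, $Port, $(if ($Ok) { 'open' } else { 'BLOCKED' })
}

'== DC locator: the same discovery gpupdate relies on =='
nltest "/dsgetdc:$Domain" /force
```

The outcome to look for: the A and SRV lookups succeed when forced to 192.168.200.200 but return a public address or time out via the default resolver, which pins the fault to resolver selection on the client rather than to the tunnel; if the SRV lookup fails even against the corporate server, the DC locator cannot find a DC regardless of whether the host name pings, and gpupdate will report the connectivity error quoted in the question.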
Here are those results.  I'm including the results where the check box is selected to use the remote site as the gateway and when that was not selected.  We typically do not have that configured, but I wanted to be thorough with the results.  

FYI, during the time of this testing, the DNS suffix was entered in the Advanced TCP/IP settings for the VPN adapter; however, the "Register this connection's address in DNS" box was unchecked, as was "Use this connection's DNS suffix in DNS registration".  I experience the same error whether those boxes are checked or not, but I am just communicating that those boxes were unchecked when I generated the results below.

Thanks very much for your continued assistance.
ipconfig--local-gateway-.txt
routeprint--local-gateway-.txt
ipconfig--remote-gateway-.txt
routeprint--remote-gateway-.txt
Any thoughts on this after seeing those results?
Very sorry, I somehow missed your last post.
I reviewed the files you posted and just tried numerous options on a local system to compare.

Your configurations; ipconfig, and route print, look fine.  Very odd that you are having issues.

On the test system I used I didn’t even add the DNS server, as it was handed out automatically by the VPN server, which resulted in the same configuration as you have.  I could ping servername.domain.local, but had to add the domain suffix in the VPN configuration to just ping servername.  
I also strongly recommend having the “use remote default gateway” option enabled.  If the VPN connection is slow at all it may use the local DNS servers (ISP) to resolve instead of VPN, and fail.

I apologize for earlier comments about nslookup. That will not work anyway as there is no reverse DNS entry for your VPN clients.  However ping <name> should work.

I am running out of ideas, but just to confirm; your corporate DNS server (not VPN server) is 192.168.200.200  ?
Thank you for the reply.  You are correct.  The DNS server is 192.168.200.200.

Very odd behavior.  Some laptops it works and others it does not.
A long shot:

Do you know if the problematic users' ISPs support IPv6?
I am in Eastern Canada and none of the ISPs do, but IPv6 in Windows 7 and newer is preferred over IPv4.  I wonder if we have reached a point where the IPv6 portion of the VPN client needs to be configured for DNS.  When you add the DNS suffix to IPv4 it automatically adds it to IPv6, but the DNS server's IPv6 address is not added dynamically or statically.  You could try disabling the IPv6 option just in the PPP/VPN NIC.  Or have you tried a working laptop at a non-working client site?  Perhaps it is site related more than device related.

Again, a long shot.
That's actually a pretty good idea.  I've run into IPv6 problems in the past with users working out of their homes.  Let me give that a try and I will get back to you.
I am not certain if un-checking IPv6 will actually do it, but worth a try.  To properly disable IPv6 you have to do so in the registry, but that will disable it for all traffic and I would never recommend that.  If it works, great, if not try taking a working laptop to a non-working site.

Let me know how you make out, I am very curious.  It may be using IPv6 to connect to your ISP's DNS server.
Unfortunately no luck with the IPv6.
Thank you for all your help.  If you come up with something new, let me know.  Otherwise, I'll be awarding you points for the effort.  I just opened up another question to try and work around this issue.  Link below

https://www.experts-exchange.com/questions/29008812/Force-local-Group-Policy-instead-of-getting-GP-from-domain-for-remote-computers.html
ASKER CERTIFIED SOLUTION
Rob Williams

This solution is only available to members.
I really appreciate all your help.  This is a very odd issue.

FYI, I connected one of the users with a completely different VPN (SSL SonicWall VPN) and experienced the same issue.  Just not sure what's going on here.