Updating Group Policy over a PPTP VPN

I've got quite a few users (all Windows 10 Pro) that work 100% remotely out of their homes.  I need to push out some GP updates, but for some of the users, when I connect with the VPN and do a gpupdate /force, I'm getting the following error message.

Computer policy could not be updated successfully.  The following errors were encountered:

The processing of a Group Policy failed because of lack of network connectivity to a domain controller.  This may be a transient condition.  A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed.  If you do not see a success message for several hours, then contact your administrator.  

I've added the IP address of the domain controller (Server 2008 R2) to the DNS of the VPN connection.  The computers that are experiencing this problem are all able to ping the domain controller and browse to it.

Any help would be much appreciated.

Thanks very much.
SupermanTB asked:

Rob Williams commented:
It is usually a DNS issue.  The client PC must only be able to contact your corporate DNS server.  Thus there cannot be an ISP, router or such as an alternate DNS server, as they will often respond first and DNS will not resolve.  

I would also recommend in the VPN client's NIC configuration, under TCP/IP properties | Advanced | DNS, entering the corporate, internal DNS suffix, such as mydomain.local, in the "Use this DNS suffix for this connection" box.

Finally, it is best to enable "use remote default gateway" in the VPN NIC configuration to force all communication through the tunnel.

Though gpupdate /force should work, if you set up the VPN client to connect before logon it should automatically update Group Policy.  I have written blog articles discussing this option:
XP & Win7:
https://blog.lan-tech.ca/2012/04/29/connect-to-windows-vpn-at-logon/
Win 8 and 10:
https://blog.lan-tech.ca/2013/03/02/windows-8-connect-to-vpn-before-logon/
Note, at the bottom of the first link, the Group Policies to add if it is a slow link.
0
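The three settings recommended in the answer above (corporate DNS server only, connection-specific suffix, remote default gateway) can be applied and verified from PowerShell rather than clicked through the adapter dialogs. The script below is an added example written for this page; it is not code from the thread or from any participant. It assumes a connection named 'Corp VPN', an internal suffix of domainname.local and a corporate DNS server / domain controller at 192.168.200.200; change those to match. The DNS suffix and gateway option are persisted in the phonebook entry by Set-VpnConnection; the static DNS server of a RAS entry is set in the connection's TCP/IPv4 properties, so the script verifies it instead of trying to set it.

```powershell
# Added example (not from the thread or its participants). Assumed names:
# connection 'Corp VPN', internal AD suffix 'domainname.local', corporate
# DNS / DC 192.168.200.200. Run as the user who owns the connection.
$VpnName   = 'Corp VPN'
$Suffix    = 'domainname.local'
$DnsServer = '192.168.200.200'

# The entry must exist in the current user's phonebook (rasphone.pbk).
$null = Get-VpnConnection -Name $VpnName -ErrorAction Stop

# Connection-specific DNS suffix plus "Use default gateway on remote network"
# (SplitTunneling $false). Both are stored in the phonebook entry and survive
# reconnects, unlike per-session changes made on the PPP adapter.
Set-VpnConnection -Name $VpnName -DnsSuffix $Suffix -SplitTunneling $false -PassThru |
    Format-List Name, TunnelType, DnsSuffix, SplitTunneling

# The checks below need the tunnel up: the PPP adapter (InterfaceAlias equal to
# the connection name) only exists while connected.
if ((Get-VpnConnection -Name $VpnName).ConnectionStatus -ne 'Connected') {
    rasdial $VpnName | Out-Null   # uses saved credentials; connect manually if none are saved
}
if ((Get-VpnConnection -Name $VpnName).ConnectionStatus -ne 'Connected') {
    throw "VPN '$VpnName' is not connected; cannot verify per-interface settings."
}

# 1. Exactly one resolver on the tunnel adapter, and it must be the corporate one
#    ("primary only, no secondary").
$dns = @((Get-DnsClientServerAddress -InterfaceAlias $VpnName -AddressFamily IPv4).ServerAddresses)
if ($dns.Count -ne 1 -or $dns[0] -ne $DnsServer) {
    Write-Warning "Tunnel DNS servers are [$($dns -join ', ')]; expected only $DnsServer"
}

# 2. The suffix is actually applied to the PPP adapter, so 'ping servername'
#    gets 'domainname.local' appended.
$suffixOnAdapter = (Get-DnsClient -InterfaceAlias $VpnName).ConnectionSpecificSuffix
if ($suffixOnAdapter -ne $Suffix) {
    Write-Warning "Tunnel adapter suffix is '$suffixOnAdapter'; expected '$Suffix'"
}

# 3. The lowest-cost default route points into the tunnel, so DNS (and
#    everything else) cannot go out via the home router / ISP resolver.
$best = Get-NetRoute -DestinationPrefix '0.0.0.0/0' |
    Sort-Object { $_.RouteMetric + $_.InterfaceMetric } | Select-Object -First 1
if ($best.InterfaceAlias -ne $VpnName) {
    Write-Warning "Default route is on '$($best.InterfaceAlias)', not the tunnel; split tunneling still active?"
}
```

If the default-route check warns even after SplitTunneling is set to $false, the phonebook change was made to a different copy of the entry than the one in use (per-user vs. all-user connections are separate); Get-VpnConnection -AllUserConnection lists the machine-wide ones.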
SupermanTB (author) commented:
I've made the requested changes, except for having the VPN  work on login, and I'm still facing this problem.

I agree this is a DNS issue.  I can ping the DC by IP address, but I cannot ping by the server name.  When I ping the server by name, it pings servername.domainname.local, but the IP address is the public IP for the VPN rather than the local IP of the server.  The only way I've been able to ping by server name is to adjust the hosts file.  Even after I do that, I am still unable to do a gpupdate /force.

I've tried routing traffic through the remote gateway, I've added the IP address of the DC as the DNS server for the VPN connection, I've added the domain name in the "DNS suffix for this connection field" and no luck.

Any thoughts?
0
SupermanTB (author) commented:
When I say public IP of the VPN, I mean the public IP address of the VPN connection.  We use vpn.domainname.com as the connection string when setting up the VPN.  When I ping the server name of the DC, it resolves to the same public IP address as vpn.domainname.com instead of the local IP.
0
SupermanTB (author) commented:
OK, it looks like my last comment was the result of me not having the VPN set to go through the gateway of the remote network.  I had been toggling that feature on and off for testing purposes.  I've toggled it back on and am able to ping by the servername without any problems.
0
SupermanTB (author) commented:
Sorry about the multiple comments... it looks like I was mistaken in my comments above.  My apologies again.  On the users where I experience this issue, once I'm connected to the VPN, whether the internet traffic is routed through the remote gateway or not, when I ping the DC by servername, I get the public IP address of vpn.domainname.com.  On the computers that work, pinging the servername resolves to a local IP.

This certainly looks like a DNS issue, I just can't figure out where.  I've got the local IP of the DC configured as the primary DNS for the VPN on the client computers.

Thanks very much for your help
0
Rob Williams commented:
Is your corporate, internal domain suffix a .com rather than .local?

You mention; "got the local IP of the DC configured as the primary DNS".  Primary, or only?  Has to be ONLY.
0
SupermanTB (author) commented:
The local DNS is domainname.local.  The connection string we're using for the VPN connection is vpn.domainname.com.

To answer your second comment, it is primary only.  There is no secondary.
0
Rob Williams commented:
I would make sure the domainname.local suffix is added in the DNS properties of the virtual NIC.
As a test, can you ping the server using servername.domainname.local?

Also, what do the following return from a command prompt on the connecting machine:
nslookup servername
nslookup servername.domainname.local
0
SupermanTB (author) commented:
Here are those results

nslookup on servername
Server:  Unknown
Address:  192.168.200.200

DNS request timed out
*** Request to unknown timed-out

nslookup on servername.domainname.local
Server:  Unknown
Address:  192.168.200.200

DNS request timed out
         timeout was 2 seconds
*** Request to unknown timed-out
0
Rob Williams commented:
Definitely DNS, isn't it.
Could you possibly connect the VPN and then from the connecting PC post the results of
  ipconfig /all
and
  route print

You may want to mask or change any public IPs and domain names for security, but please leave private IP addressing intact.

Thanks.
0
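The nslookup output posted above says two different things: "Server: Unknown" only means the resolver's own address (192.168.200.200) has no PTR record, which is harmless, while "DNS request timed out" means no answer came back from it at all. Alongside the ipconfig /all and route print requested here, the script below (an added example written for this page, not code from the thread or its participants) separates "resolver unreachable through the tunnel" from "name not in DNS" from "DC locator failing", which the bare gpupdate error does not. It assumes a connection named 'Corp VPN', the corporate DNS / DC at 192.168.200.200, the AD domain domainname.local and the DC host name servername; run it in an elevated PowerShell prompt with the VPN connected.

```powershell
# Added diagnostic script (not from the thread). Assumed names: connection
# 'Corp VPN', DNS / DC 192.168.200.200, AD domain domainname.local, DC host
# 'servername'. Run elevated, with the VPN connected.
param(
    [string]$VpnName   = 'Corp VPN',
    [string]$DnsServer = '192.168.200.200',
    [string]$Domain    = 'domainname.local',
    [string]$DcHost    = 'servername'
)
$fqdn = "$DcHost.$Domain"

'== Resolvers per interface (the DNS client tries interfaces in binding order) =='
Get-DnsClientServerAddress -AddressFamily IPv4, IPv6 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, AddressFamily, ServerAddresses -AutoSize

'== Interface and source address used to reach the corporate DNS server =='
Find-NetRoute -RemoteIPAddress $DnsServer |
    Format-List InterfaceAlias, IPAddress, DestinationPrefix, NextHop

'== Is port 53 on the corporate DNS server reachable through the tunnel? =='
# DNS listens on TCP as well as UDP, so a TCP probe proves both the path and
# that the service is answering on the address the tunnel can reach.
$tcp53 = Test-NetConnection -ComputerName $DnsServer -Port 53 -WarningAction SilentlyContinue
"TCP 53 to $DnsServer : $($tcp53.TcpTestSucceeded) via $($tcp53.InterfaceAlias)"

'== Same A query, forced to the corporate resolver vs. default resolver order =='
# If the default path returns the public vpn.domainname.com address while the
# forced query returns the private one, the query is leaving the tunnel.
foreach ($srv in @($DnsServer, $null)) {
    $label = if ($srv) { "via $srv" } else { 'via default resolver order' }
    $p = @{ Name = $fqdn; Type = 'A'; DnsOnly = $true; ErrorAction = 'Stop' }
    if ($srv) { $p.Server = $srv }
    try {
        $a = Resolve-DnsName @p | Where-Object Type -eq 'A'
        "$fqdn $label -> $($a.IPAddress -join ', ')"
    } catch {
        "$fqdn $label -> FAILED: $($_.Exception.Message)"
    }
}

'== DC locator SRV records; Group Policy cannot find a DC without these =='
try {
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DnsServer -DnsOnly -ErrorAction Stop |
        Where-Object Type -eq 'SRV' | Format-Table Name, NameTarget, Port -AutoSize
} catch {
    "SRV lookup via $DnsServer FAILED: $($_.Exception.Message)"
}

'== What the DC locator itself reports (nltest ships with Windows 10) =='
nltest "/dsgetdc:$Domain" /force

'== Group Policy events from the last 15 minutes after a forced refresh =='
gpupdate /target:computer /force | Out-Null
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
    StartTime = (Get-Date).AddMinutes(-15)
} -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
```

Read the sections in order: if the TCP 53 probe fails or the forced A query times out, nothing later can work and the problem is reachability of the DNS service over the tunnel (a host firewall or DNS listener binding on the server is the usual suspect). If the forced query succeeds but nltest still fails, the SRV records or the DC locator path are the issue. The gpupdate error quoted in the question appears in the GroupPolicy operational log with the same wording, so the event timestamps can be matched against the probes.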
SupermanTB (author) commented:
Here are those results.  I'm including the results where the check box is selected to use the remote site as the gateway and when that was not selected.  We typically do not have that configured, but I wanted to be thorough with the results.  

FYI, during the time of this testing, the DNS suffix was entered in the Advanced TCP/IP settings for the VPN adapter; however, the "Register this connection's address in DNS" box was unchecked, as was "Use this connection's DNS suffix in DNS registration".  I experience the same error whether those boxes are checked or not, but I am just communicating that those boxes were unchecked when I generated the results below.

Thanks very much for your continued assistance.
ipconfig--local-gateway-.txt
routeprint--local-gateway-.txt
ipconfig--remote-gateway-.txt
routeprint--remote-gateway-.txt
0
SupermanTB (author) commented:
Any thoughts on this after seeing those results?
0
Rob Williams commented:
Very sorry, I somehow missed your last post.
I reviewed the files you posted and just tried numerous options on a local system to compare.

Your configurations; ipconfig, and route print, look fine.  Very odd that you are having issues.

On the test system I used I didn’t even add the DNS server, as it was handed out automatically by the VPN server, which resulted in the same configuration as you have.  I could ping servername.domain.local, but had to add the domain suffix in the VPN configuration to just ping servername.  
I also strongly recommend having the “use remote default gateway” option enabled.  If the VPN connection is slow at all it may use the local DNS servers (ISP) to resolve instead of VPN, and fail.

I apologize for earlier comments about nslookup. That will not work anyway as there is no reverse DNS entry for your VPN clients.  However ping <name> should work.

I am running out of ideas, but just to confirm; your corporate DNS server (not VPN server) is 192.168.200.200  ?
0
SupermanTB (author) commented:
Thank you for the reply.  You are correct.  The DNS server is 192.168.200.200.

Very odd behavior.  Some laptops it works and others it does not.
0
Rob Williams commented:
A long shot:

Do you know if the problematic users' ISPs support IPv6?
I am in Eastern Canada and none of the ISPs do, but IPv6 in Windows 7 and newer is preferred over IPv4.  I wonder if we have reached a point where the IPv6 portion of the VPN client needs to be configured for DNS.  When you add the DNS suffix to IPv4 it automatically adds it to IPv6, but the DNS server's IPv6 address is not added dynamically or statically.  You could try disabling the IPv6 option just in the PPP/VPN NIC, or have you tried a working laptop at a non-working client site?  Perhaps it is site related more than device related.

Again, a long shot.
0
SupermanTB (author) commented:
That's actually a pretty good idea.  I've run into IPv6 problems in the past with users working out of their homes.  Let me give that a try and I will get back to you.
0
Rob Williams commented:
I am not certain if un-checking IPv6 will actually do it, but worth a try.  To properly disable IPv6 you have to do so in the registry, but that will disable it for all traffic and I would never recommend that.  If it works, great, if not try taking a working laptop to a non-working site.

Let me know how you make out, I am very curious.  It may be using IPv6 to connect to your ISP's DNS server.
0
SupermanTB (author) commented:
Unfortunately no luck with the IPv6.
0
SupermanTB (author) commented:
Thank you for all your help.  If you come up with something new, let me know.  Otherwise, I'll be awarding you points for the effort.  I just opened up another question to try and work around this issue.  Link below

https://www.experts-exchange.com/questions/29008812/Force-local-Group-Policy-instead-of-getting-GP-from-domain-for-remote-computers.html
0
Rob Williams commented:
VPN issues are 1 of 4 sources; server, client, ISP, or site.  
-Server is OK as some work fine
-Client may be the issue, but they seem to be configured correctly, and presumably all the same
-ISP issues usually result in not being able to connect at all
-Site issues "usually" are an inability to access resources even though a connection is made.  This is not the case here, but I would still be very curious to hear what happens if a problematic laptop was tried at a site where another laptop works.

The most common problem with VPN is site issues, though unlike your issue, so they are becoming much less common in favour of other solutions.

Sorry I have not been more help.
0
SupermanTB (author) commented:
I really appreciate all your help.  This is a very odd issue.

FYI, I connected one of the users with a completely different VPN (SSL SonicWall VPN) and experienced the same issue.  Just not sure what's going on here.
0