Group Policy

mallyg27 Member Posts: 139
I have group policies applying throughout my domain. All the policies apply fine for the OUs with computers in them, but in the OU with users, none of the group policies work. I'm using a server with 2003 and XP clients. I have group policies called redirect and folders. When I run gpresult, none of the group policies that are in the User OU even show up.

There are no errors in the event log for the client or the server. Any ideas of what could be going on?

Comments

  • Hyper-Me Banned Posts: 2,059
    Are the settings you applied done in the "Computer Configuration" side?

    Remember that computer config applies to computers and user config applies to users. They will ignore the settings if they aren't applicable.
  • Claymoore Member Posts: 1,637
    You say that all of your users are in a single OU. Is this an OU that you created or is it the default Users container? You can't apply group policies to the default user or computer containers, only OUs.
  • mallyg27 Member Posts: 139
    No, the settings are being done on the User side. I'm actually doing folder redirection. This is an OU that I've created. I even created a new policy to not show the "my music" folder and that doesn't apply either. All computer side policies work fine. This all started happening when I downloaded that new GPMC. Still can't figure this out.
  • mallyg27 Member Posts: 139
    Now I'm getting an event ID 1054 error, saying "Windows cannot obtain the domain controller for your computer network. Group policy aborting."
  • RobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    mallyg27 wrote: »
    Now I'm getting an event ID 1054 error, saying "Windows cannot obtain the domain controller for your computer network. Group policy aborting."
    The first thing I would check is DNS. I doubt this is it, but you should verify that it's not the problem.

    * Look in the server's log for DNS errors.

    * Verify that you can ping the domain: ping domain.local

    * Use nslookup to verify SRV records.

    1. Open Command Prompt.
    2. Type: nslookup
    3. Type: set q=srv
    4. Type: _ldap._tcp.dc._msdcs.domainname.local

    Try this as well:
    Windows cannot obtain the domain controller name for your computer network. (An unexpected network error occurred. ). Group Policy processing aborted. | IT Solutions Knowledge Base
  • rwwest7 Member Posts: 300
    Are the actual user accounts in the OU or just computers? If it's just computer accounts, you need to enable group policy loopback mode. This allows user settings to apply to computers.
  • bjaxx Member Posts: 217
    mallyg27 wrote: »
    Now I'm getting an event ID 1054 error, saying "Windows cannot obtain the domain controller for your computer network. Group policy aborting."

    Check the health of your domain controllers.

    Dcdiag Overview: Networking and Communications; Active Directory
    "You have to hate to lose more than you love to win"
  • mallyg27 Member Posts: 139
    The first thing I would check is DNS. I doubt this is it, but you should verify that it's not the problem.

    * Look in the server's log for DNS errors.

    * Verify that you can ping the domain: ping domain.local

    * Use nslookup to verify SRV records.

    1. Open Command Prompt.
    2. Type: nslookup
    3. Type: set q=srv
    4. Type: _ldap._tcp.dc._msdcs.domainname.local

    Try this as well:
    Windows cannot obtain the domain controller name for your computer network. (An unexpected network error occurred. ). Group Policy processing aborted. | IT Solutions Knowledge Base


    I ran nslookup and it says DNS request timed out.
  • RobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    mallyg27 wrote: »
    I ran nslookup and it says DNS request timed out.

    Tell me a little bit about your network configuration.

    1. Do your DCs use 127.0.0.1 as the address for their DNS server?
    2. Do your clients all point to the DCs for DNS? Notice you cannot have any other DNS servers that do not have zones for your domain. You should not use your PDC as your primary DNS server and your ISP DNS server as your secondary.

    Run dcdiag /test:dns on your domain controller. If there are errors, run dcdiag /fix, then run net stop netlogon followed by net start netlogon, and run dcdiag /test:dns again to verify.
  • mallyg27 Member Posts: 139
    Tell me a little bit about your network configuration.

    1. Do your DCs use 127.0.0.1 as the address for their DNS server?
    2. Do your clients all point to the DCs for DNS? Notice you cannot have any other DNS servers that do not have zones for your domain. You should not use your PDC as your primary DNS server and your ISP DNS server as your secondary.

    Run dcdiag /test:dns on your domain controller. If there are errors, run dcdiag /fix, then run net stop netlogon followed by net start netlogon, and run dcdiag /test:dns again to verify.

    Basically I have a simple network setup with Windows Server 2003 and a client computer running XP for learning purposes. It's not connected to the internet. My server IP address is 192.168.1.101, subnet mask is 255.255.255 and the default gateway is 192.168.1.1 (do I even need to specify a gateway?). The preferred DNS is 192.168.1.101. The client uses 192.168.1.101 as its preferred DNS.

    I also ran the dcdiag test and my DNS failed the test. A bunch of entries say "this is not a valid DNS server" and "root hints list has invalid root hint server".
  • rwwest7 Member Posts: 300
    Run dcdiag /fix. If that doesn't correct it you may need to take drastic measures.
    Your DNS server does have a zone with the same name as your domain, correct? And it does contain all the appropriate SRV records?

    If this is a test network I would suggest running dcpromo to demote the server. Then make sure your DNS server has a zone with the same name as the domain you wish to create. Make sure your future DC has that DNS server listed as its one and only DNS server. Then run dcpromo again to repromote. If you get an error in the dcpromo process about DNS not being correct DO NOT just check the "I'll fix later" box. Keep retrying until it doesn't give you the error. Then you should be all set.
  • rwwest7 Member Posts: 300
    mallyg27 wrote: »
    No, the settings are being done on the User side. I'm actually doing folder redirection. This is an OU that I've created. I even created a new policy to not show the "my music" folder and that doesn't apply either. All computer side policies work fine. This all started happening when I downloaded that new GPMC. Still can't figure this out.
    Btw, GPMC is a great tool and you'll come to love it as you learn more about group policy.
  • Hyper-Me Banned Posts: 2,059
    rwwest7 wrote: »
    Btw, GPMC is a great tool and you'll come to love it as you learn more about group policy.

    Agreed. Now that I use it on 2008, I can't stand the old 2003 method of managing policies.
  • RobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    rwwest7 wrote: »
    Run dcdiag /fix. If that doesn't correct it you may need to take drastic measures.
    Your DNS server does have a zone with the same name as your domain, correct? And it does contain all the appropriate SRV records?

    If this is a test network I would suggest running dcpromo to demote the server. Then make sure your DNS server has a zone with the same name as the domain you wish to create. Make sure your future DC has that DNS server listed as its one and only DNS server. Then run dcpromo again to repromote. If you get an error in the dcpromo process about DNS not being correct DO NOT just check the "I'll fix later" box. Keep retrying until it doesn't give you the error. Then you should be all set.

    I agree with the idea of starting over here. See if you can fix it and get things working with dcdiag, but I would not trust it even if it seemed to work.
    * Does your server have a static IP address? If not it needs to have a static address.
    * A domain controller that is also a DNS server (and why wouldn't it be?) should have 127.0.0.1 as the entry for its DNS server.
  • rwwest7 Member Posts: 300
    Hyper-Me wrote: »
    Agreed. Now that I use it on 2008, I can't stand the old 2003 method of managing policies.
    You can use GPMC on 2003 also. It comes built into 2008, but you can download it for 2003.
  • mallyg27 Member Posts: 139
    I agree with the idea of starting over here. See if you can fix it and get things working with dcdiag, but I would not trust it even if it seemed to work.
    * Does your server have a static IP address? If not it needs to have a static address.
    * A domain controller that is also a DNS server (and why wouldn't it be?) should have 127.0.0.1 as the entry for its DNS server.

    Yes, my server has a static address of 192.168.1.101. I tried dcdiag /fix and it still failed, so I'm going to start over and see what happens.
  • Hyper-Me Banned Posts: 2,059
    rwwest7 wrote: »
    You can use GPMC on 2003 also. It comes built into 2008, but you can download it for 2003.

    I know, I was just saying that I happen to use it on 2008 because that's what our DCs are at work and I love it. I had never used it until 2008.
  • mallyg27 Member Posts: 139
    This DNS setup is killing me. My server keeps on failing when I do the dcdiag. I'm now getting event ID 4521. Do I need to set up a reverse zone also?
  • dynamik Banned Posts: 12,312 ■■■■■■■■■□
    Post the error. You don't need reverse look-up zones.
  • rwwest7 Member Posts: 300
    mallyg27 wrote: »
    This DNS setup is killing me. My server keeps on failing when I do the dcdiag. I'm now getting event ID 4521. Do I need to set up a reverse zone also?
    This is how DNS in your domain should be set up:
    -A Domain Controller should be the DNS server.

    -DNS should be AD integrated

    -All domain controllers and clients should be pointing to a windows DNS server only, do not list your cable router or anything else in the DNS settings.

    -Your DNS server should have either your cable router or your ISPs DNS servers listed under the Forwarders tab.

    So your client computers should be using your DC/DNS servers for all name resolution. If they are trying to get to the internet, they should send the request to your DC/DNS server, then your DC/DNS server should forward the request based on what is in its Forwarders tab and return the answer to your client while caching the answer for future use.
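    As an added example that is not code from this thread, the PowerShell script below audits the host it runs on against the DNS rules in the post above (every configured DNS server must be one of your own DC/DNS servers, never the router or the ISP), and then resolves the AD locator SRV records that the nslookup steps earlier in the thread (set q=srv, _ldap._tcp.dc._msdcs.domainname.local) verify by hand. It assumes a Windows 8 / Server 2012 or later host with the DnsClient module (Get-DnsClientServerAddress and Resolve-DnsName); the 2003/XP hosts in this thread do not have those cmdlets. domain.local and 192.168.1.101 are placeholders lifted from the thread, to be replaced with your own domain name and DNS server addresses.

```powershell
# Added example, not code from the thread. Audits the DNS client configuration of the
# host it runs on against the rules above, then checks that the AD SRV records resolve.
# Requires the DnsClient module (Windows 8 / Server 2012 and later). The 2003/XP hosts
# in this thread would use nslookup (set q=srv) for the same SRV check.
param(
    [string]$DomainName    = 'domain.local',        # placeholder from the thread; use your own domain
    [string[]]$InternalDns = @('192.168.1.101')     # placeholder; your DC/DNS server address(es)
)

function Test-AdDnsClientConfig {
    # Returns a list of problems; an empty list means every adapter uses only your own DNS servers.
    param([string[]]$InternalDns)
    $problems = @()
    $adapters = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 }
    foreach ($adapter in $adapters) {
        foreach ($server in $adapter.ServerAddresses) {
            # 127.0.0.1 is acceptable only on a DC that runs DNS itself.
            if ($server -ne '127.0.0.1' -and $InternalDns -notcontains $server) {
                # A router or ISP resolver listed here is the failure mode described in the thread:
                # the client can start sending domain.local queries to a server with no zone for it.
                $problems += "Adapter '$($adapter.InterfaceAlias)' lists non-domain DNS server $server"
            }
        }
    }
    return $problems
}

function Test-AdSrvRecords {
    # Returns a hashtable: SRV name -> array of "host:port" targets (empty array = not resolvable).
    param([string]$DomainName, [string]$DnsServer)
    $results = @{}
    # Records that dcpromo/netlogon register and that clients use to locate a DC. If these are
    # missing, Group Policy cannot find a DC (the 'cannot obtain the domain controller name' event).
    $names = @(
        "_ldap._tcp.dc._msdcs.$DomainName",
        "_kerberos._tcp.dc._msdcs.$DomainName",
        "_ldap._tcp.$DomainName",
        "_kerberos._tcp.$DomainName",
        "_gc._tcp.$DomainName"
    )
    foreach ($name in $names) {
        try {
            $records = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -ErrorAction Stop |
                Where-Object { $_.Type -eq 'SRV' }
            $results[$name] = @($records | ForEach-Object { "$($_.NameTarget):$($_.Port)" })
        } catch {
            # Timeout or NXDOMAIN: the zone is missing or not loaded, or the DC never registered
            # its records (the dcdiag /fix and netlogon restart earlier in the thread address this).
            $results[$name] = @()
        }
    }
    return $results
}

$clientProblems = @(Test-AdDnsClientConfig -InternalDns $InternalDns)
if ($clientProblems.Count -eq 0) {
    Write-Host "DNS client settings OK: only internal DNS servers are configured."
} else {
    $clientProblems | ForEach-Object { Write-Warning $_ }
}

$srv = Test-AdSrvRecords -DomainName $DomainName -DnsServer $InternalDns[0]
foreach ($name in ($srv.Keys | Sort-Object)) {
    if ($srv[$name].Count -gt 0) {
        Write-Host ("{0,-45} -> {1}" -f $name, ($srv[$name] -join ', '))
    } else {
        Write-Warning "$name did not resolve via $($InternalDns[0])"
    }
}
```

    Run it on a client first, then on the DC itself: a client whose adapter lists the router or the ISP gets a warning per offending address, and any SRV name that comes back empty points at the zone or registration problem rather than at Group Policy, which is what the dcdiag /test:dns and nslookup steps above are narrowing down.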
  • mallyg27 Member Posts: 139
    rwwest7 wrote: »
    This is how DNS in your domain should be set up:
    -A Domain Controller should be the DNS server.

    -DNS should be AD integrated

    -All domain controllers and clients should be pointing to a windows DNS server only, do not list your cable router or anything else in the DNS settings.

    -Your DNS server should have either your cable router or your ISPs DNS servers listed under the Forwarders tab.

    So your client computers should be using your DC/DNS servers for all name resolution. If they are trying to get to the internet, they should send the request to your DC/DNS server, then your DC/DNS server should forward the request based on what is in its Forwarders tab and return the answer to your client while caching the answer for future use.

    I did the dcpromo and I set up the Active Directory again, but when I install the DNS it keeps the same settings from the previous setup. The way you're telling me to install it, I believe that's what I did.
  • dynamik Banned Posts: 12,312 ■■■■■■■■■□
    mallyg27 wrote: »
    ...the default gateway is 192.168.1.1( do i even need a specify a gateway).

    Only if you're connecting to networks other than your LAN.
    2. Do your clients all point to the DCs for DNS? Notice you cannot have any other DNS servers that do not have zones for your domain. You should not use your PDC as your primary DNS server and your ISP DNS server as your secondary.

    Ehhh? You mean if he only has a single internal DNS server, so the clients could still get to the internet if that fails?
    rwwest7 wrote: »
    -Your DNS server should have either your cable router or your ISPs DNS servers listed under the Forwarders tab.

    While I also do this, this is an optional step that allows you to offload iterative queries to your ISP. If you don't it will just use root hints and still be able to resolve names if you don't do this.

    ***

    As far as the problems go, I'd google the errors you're getting when you run dcdiag. It sounds like you need to completely blow away DNS and put it back on.
  • RobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    dynamik wrote: »
    Ehhh? You mean if he only has a single internal DNS server, so the clients could still get to the internet if that fails?


    No, no... This was late night typo. My intended meaning was that the clients should not use the ISPs DNS servers as their secondaries. They should use the DC as their DNS server, of course. I am not sure why I thought that sentence made sense.

    I have seen networks have authentication issues similar to this, where the clients had the DC as the primary DNS and the ISP DNS servers as the secondary and for some reason (response time?) the clients started to favour the ISP's DNS server. So they would send all their domain.local queries off to the ISP.
  • dynamik Banned Posts: 12,312 ■■■■■■■■■□
    Hah, no worries. You're always sharp, so I figured it was something like that.

    Wow, their network must be awful! It takes a (relatively) long time for a machine to completely give up on the primary DNS server and move on to the second.
  • mallyg27 Member Posts: 139
    I need to narrow this down now. These are my server settings:
    IP address: 192.168.1.101
    Subnet: 255.255.255.0
    Preferred DNS: 127.0.0.1
    Are these settings fine?

    When I install Active Directory, should I let it install DNS for me or should I do it manually?
    When I run nslookup, it should not say "default server: localhost". Am I correct?
    And what do you mean by "And it does contain all the appropriate SRV records?"
  • mallyg27 Member Posts: 139
    Ok, I just installed it again. In my DNS event log I get an event ID 4521 that says "The DNS server encountered error <error code> attempting to load zone <zone name> from Active Directory. The DNS server will attempt to load this zone again on the next timeout cycle."

    This is what I did step by step. I ran dcpromo to uninstall Active Directory. It rebooted. I made sure the IP address and preferred DNS were correct for the server. Then I ran dcpromo again. Active Directory installed and it asked me if I wanted it to install DNS for me also; I let it install it for me. It rebooted, everything seemed fine, but then I got that in my event log.

    By the way this server is not on the internet. I just have this server and another XP workstation.
  • bjaxx Member Posts: 217
    mallyg27 wrote: »
    Ok, I just installed it again. In my DNS event log I get an event ID 4521 that says "The DNS server encountered error <error code> attempting to load zone <zone name> from Active Directory. The DNS server will attempt to load this zone again on the next timeout cycle."

    This is what I did step by step. I ran dcpromo to uninstall Active Directory. It rebooted. I made sure the IP address and preferred DNS were correct for the server. Then I ran dcpromo again. Active Directory installed and it asked me if I wanted it to install DNS for me also; I let it install it for me. It rebooted, everything seemed fine, but then I got that in my event log.

    By the way this server is not on the internet. I just have this server and another XP workstation.

    Description of the Netdiag /fix Switch
    "You have to hate to lose more than you love to win"
  • rwwest7 Member Posts: 300
    mallyg27 wrote: »
    I need to narrow this down now.These are my server settings:
    IP address: 192.168.1.101
    Subnet:255.255.255.0
    Preferred DNS: 127.0.0.1
    Are these settings fine?

    When I install active directory should i let it install DNS for me or should i do it manually?
    When i run nslookup, it should not say "default server: localhost". Am i correct?
    And what do you mean by "And it does contain all the appropriate SRV records?
    You should have DNS all set up before running dcpromo. Set up DNS on the server and make sure a forward-lookup zone is created with the exact same name as the domain you wish to create. The default settings should work. Then, after the zone is created, run dcpromo. Like I said, if your DNS is set up correctly then you shouldn't get any errors when running dcpromo. If you get an error then cancel and triple check your DNS server settings.

    Don't even bother with nslookup, you'll just end up making this more complicated than it is.

    SRV records are critical for AD/Group Policy to work. When you first create the DNS zone it'll look boring and bare. After running dcpromo you'll see a lot of new entries; these are the SRV records and stuff. Look at this: Active Directory SRV Records.

    I would recommend starting over again. Demote the server. Delete any DNS zones you have. Create a new forward lookup zone with the same name as the domain, including extension (if your domain will be home.org, make sure the zone is named home.org NOT just home). Promote the server.

    No need to use 127.0.0.1 as the DNS address, just use the static 192.168.1.101 address of the server. And make sure in your DNS server settings that the server is "listening" on that address.
  • Hyper-Me Banned Posts: 2,059
    Whats wrong with letting dcpromo run the DNS install? I've never had an issue out of it before.
  • mallyg27 Member Posts: 139
    rwwest7 wrote: »
    You should have DNS all set up before running dcpromo. Set up DNS on the server and make sure a forward-lookup zone is created with the exact same name as the domain you wish to create. The default settings should work. Then, after the zone is created, run dcpromo. Like I said, if your DNS is set up correctly then you shouldn't get any errors when running dcpromo. If you get an error then cancel and triple check your DNS server settings.

    Don't even bother with nslookup, you'll just end up making this more complicated than it is.

    SRV records are critical for AD/Group Policy to work. When you first create the DNS zone it'll look boring and bare. After running dcpromo you'll see a lot of new entries; these are the SRV records and stuff. Look at this: Active Directory SRV Records.

    I would recommend starting over again. Demote the server. Delete any DNS zones you have. Create a new forward lookup zone with the same name as the domain, including extension (if your domain will be home.org, make sure the zone is named home.org NOT just home). Promote the server.

    No need to use 127.0.0.1 as the DNS address, just use the static 192.168.1.101 address of the server. And make sure in your DNS server settings that the server is "listening" on that address.

    I did exactly what you told me to do. I demoted the server, deleted DNS zones, and created a new forward zone with the same name. Now when I run dcpromo again to install Active Directory, once it gets to the DNS Registration Diagnostics screen it says diagnostics failed. It gives me three options:
    1. I have corrected the problem
    2. Install and configure DNS server on this computer
    3. I will correct the problem later by configuring manually.

    I thought since I had already installed DNS prior to running dcpromo everything should be fine. What should I do from here? Thanks for any help.

    P.S. I went ahead and let it install and configure DNS server on this computer. I'm now getting an error in my event log with the event ID 4007 that says "The DNS server was unable to open zone _msdcs..com in the Active Directory from the application directory partition ForestDnsZones..com. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone." Any suggestions?