Group Policy
I have group policies applying throughout my domain. All the policies apply fine for the OUs with computers in them, but for the OU with users, none of the group policies work. I'm using a server with 2003 and XP clients. I have group policies called redirect and folders. When I run gpresult, none of the group policies that are in the User OU even show up.
There are no errors in the event log for the client or the server. Any ideas of what could be going on?
Comments
Remember that computer config applies to computers and user config applies to users. They will ignore the settings if they aren't applicable.
* Look in the server's log for DNS errors.
* Verify that you can ping the domain: ping domain.local
* Use nslookup to verify srv records.
1. Open Command Prompt.
2. Type: nslookup
3. Type: set q=srv
4. Type: _ldap._tcp.dc._msdcs.domainname.local
Try this as well:
Windows cannot obtain the domain controller name for your computer network. (An unexpected network error occurred. ). Group Policy processing aborted. | IT Solutions Knowledge Base
Check the health of your domain controllers.
Dcdiag Overview: Networking and Communications; Active Directory
I ran nslookup and it says "DNS request timed out".
Tell me a little bit about your network configuration.
1. Do your DCs use 127.0.0.1 as the address for their DNS server?
2. Do your clients all point to the DCs for DNS? Notice you cannot have any other DNS servers that do not have zones for your domain. You should not use your PDC as your primary DNS server and your ISP DNS server as your secondary.
Run dcdiag /test:dns on your domain controller. If there are errors, run dcdiag /fix, then run net stop netlogon and then net start netlogon, and run dcdiag /test:dns again to verify.
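As an added example (not posted by anyone in this thread), here is a PowerShell script that does the nslookup SRV check from the numbered steps above for all of the DC locator records at once, plus the "ping domain.local" test, and reports which ones are missing. It assumes a PowerShell with the DnsClient module (Resolve-DnsName), and the domain name and DNS server address are placeholders to replace with your own:

```powershell
# Added example (not from the thread): check the DC locator SRV records that
# AD logon and Group Policy depend on. Assumes the DnsClient module
# (Resolve-DnsName); $Domain and $DnsServer are placeholders.
param(
    [string]$Domain    = 'domain.local',     # placeholder: your AD DNS domain
    [string]$DnsServer = '192.168.1.101'     # placeholder: the DC/DNS server address
)

# The locator records dcpromo/netlogon register for a domain controller.
$expected = @(
    "_ldap._tcp.dc._msdcs.$Domain",     # what "set q=srv" + the name above queries
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.$Domain",
    "_gc._tcp.$Domain"                  # global catalog
)

$problems = 0

# The zone itself must answer: an A record for the domain name is what
# "ping domain.local" exercises.
try {
    $a = Resolve-DnsName -Name $Domain -Type A -Server $DnsServer -DnsOnly -ErrorAction Stop |
         Where-Object Type -eq 'A'
    if (-not $a) { throw 'answer contained no A records' }
    Write-Host "OK   $Domain -> $($a.IPAddress -join ', ')"
} catch {
    Write-Host "FAIL $Domain has no A record on $DnsServer ($($_.Exception.Message))"
    $problems++
}

foreach ($name in $expected) {
    try {
        $srv = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -DnsOnly -ErrorAction Stop |
               Where-Object Type -eq 'SRV'
        if (-not $srv) { throw 'answer contained no SRV records' }
        foreach ($r in $srv) {
            Write-Host ("OK   {0} -> {1}:{2}" -f $name, $r.NameTarget, $r.Port)
        }
    } catch {
        Write-Host "FAIL $name ($($_.Exception.Message))"
        $problems++
    }
}

if ($problems -eq 0) {
    Write-Host 'All locator records present: DNS is not why the user policies are missing.'
} else {
    Write-Host "$problems missing record(s): fix the zone, then restart netlogon so the DC re-registers them."
}
```

Every FAIL line is a name the client's DC locator cannot resolve; the "request timed out" answer reported above would show up here as a FAIL on every line, which points at the DNS server itself rather than at the policies.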
Basically I have a simple network setup with Windows Server 2003 and a client computer running XP for learning purposes. It's not connected to the internet. My server IP address is 192.168.1.101, subnet mask is 255.255.255 and the default gateway is 192.168.1.1 (do I even need to specify a gateway?). The preferred DNS is 192.168.1.101. The client uses 192.168.1.101 as its preferred DNS.
I also ran the dcdiag test and my DNS failed the test. A bunch of entries say "this is not a valid DNS server" and "root hints list has invalid root hint server".
Your DNS server does have a zone with the same name as your domain, correct? And it does contain all the appropriate SRV records?
If this is a test network I would suggest running dcpromo to demote the server. Then make sure your DNS server has a zone with the same name as the domain you wish to create. Make sure your future DC has that DNS server listed as its one and only DNS server. Then run dcpromo again to repromote. If you get an error in the dcpromo process about DNS not being correct, DO NOT just check the "I'll fix later" box. Keep retrying until it doesn't give you the error. Then you should be all set.
Agreed. Now that I use it on 2008, I can't stand the old 2003 method of managing policies.
I agree with the idea of starting over here. See if you can fix it and get things working with dcdiag, but I would not trust it even if it seemed to work.
* Does your server have a static IP address? If not it needs to have a static address.
* A domain controller that is also a DNS server (and why wouldn't it be?) should have 127.0.0.1 as the entry for its DNS server.
Yes, my server has a static address of 192.168.1.101. I tried dcdiag /fix and it still failed, so I'm going to start over and see what happens.
I know, I was just saying that I happen to use it on 2008 because that's what our DCs are at work and I love it. I had never used it until 2008.
-A Domain Controller should be the DNS server.
-DNS should be AD integrated
-All domain controllers and clients should be pointing to a windows DNS server only, do not list your cable router or anything else in the DNS settings.
-Your DNS server should have either your cable router or your ISP's DNS servers listed under the Forwarders tab.
So your client computers should be using your DC/DNS servers for all name resolution. If they are trying to get to the internet, they should send the request to your DC/DNS server; then your DC/DNS server should forward the request based on what is in its Forwarders tab and return the answer to your client while caching the answer for future use.
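As an added example (not posted by anyone in this thread), the following PowerShell script audits a machine against the four rules just listed: every interface's DNS server list must contain only the internal DC/DNS addresses (no cable router, no ISP server), and, when run on the DC, it reports whether forwarders are configured. It assumes the DnsClient and DnsServer modules (Windows 8 / Server 2012 and later); the allowed-server list is a placeholder:

```powershell
# Added example (not from the thread): audit DNS client settings against the
# "Windows DNS servers only" rule, and show the DC's forwarders.
# Assumes the DnsClient and DnsServer modules; $allowedDns is a placeholder.
$allowedDns = @('192.168.1.101')   # placeholder: your DC/DNS server addresses

# Collect every IPv4 interface whose DNS list names a server outside the domain.
$bad = @()
foreach ($iface in Get-DnsClientServerAddress -AddressFamily IPv4) {
    foreach ($srv in $iface.ServerAddresses) {
        if ($allowedDns -notcontains $srv) {
            $bad += [pscustomobject]@{ Interface = $iface.InterfaceAlias; Server = $srv }
        }
    }
}

if ($bad.Count -eq 0) {
    Write-Host 'Client DNS OK: every interface points only at the internal DNS servers.'
} else {
    Write-Host 'Client DNS WRONG: these entries can swallow domain lookups and must be removed:'
    $bad | Format-Table -AutoSize | Out-String | Write-Host
}

# On the DC/DNS server itself, internet names should leave through the
# Forwarders tab (or root hints), never through a router entry on the client.
if (Get-Command Get-DnsServerForwarder -ErrorAction SilentlyContinue) {
    $fwd = Get-DnsServerForwarder
    if ($fwd.IPAddress) {
        Write-Host "Forwarders configured: $($fwd.IPAddress.IPAddressToString -join ', ')"
    } else {
        Write-Host 'No forwarders: external names resolve via root hints only (fine on a LAN with no internet).'
    }
} else {
    Write-Host 'DnsServer module not present: run this part on the DC to check forwarders.'
}
```

Run it on the XP-replacement client to catch a stray ISP or router address, and on the DC to confirm the forwarder setup; a client that lists only the DC but still times out is a server-side problem, not a client setting.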
I did the dcpromo and I set up Active Directory again, but when I install DNS it keeps the same settings from the previous setup. The way you're telling me to install it, I believe that's what I did.
Only if you're connecting to networks other than your LAN.
Ehhh? You mean if he only has a single internal DNS server, so the clients could still get to the internet if that fails?
While I also do this, it is an optional step that allows you to offload iterative queries to your ISP. If you don't, it will just use root hints and still be able to resolve names.
***
As far as the problems go, I'd google the errors you're getting when you run dcdiag. It sounds like you need to completely blow away DNS and put it back on.
No, no... This was a late-night typo. My intended meaning was that the clients should not use the ISP's DNS servers as their secondaries. They should use the DC as their DNS server, of course. I am not sure why I thought that sentence made sense.
I have seen networks have authentication issues similar to this, where the clients had the DC as the primary DNS and the ISP DNS servers as the secondary and for some reason (response time?) the clients started to favour the ISP's DNS server. So they would send all their domain.local queries off to the ISP.
Wow, their network must be awful! It takes a (relatively) long time for a machine to completely give up on the primary DNS server and move on to the second.
IP address: 192.168.1.101
Subnet: 255.255.255.0
Preferred DNS: 127.0.0.1
Are these settings fine?
When I install Active Directory, should I let it install DNS for me or should I do it manually?
When I run nslookup, it should not say "default server: localhost". Am I correct?
And what do you mean by "And it does contain all the appropriate SRV records?"
This is what I did step by step. I ran dcpromo to uninstall Active Directory. It rebooted. I made sure the IP address and preferred DNS were correct for the server. Then I ran dcpromo again. Active Directory installed and it asked me if I wanted it to install DNS for me also; I let it install it for me. It rebooted, everything seemed fine, but then I got that in my event log.
By the way this server is not on the internet. I just have this server and another XP workstation.
Description of the Netdiag /fix Switch
Don't even bother with nslookup, you'll just end up making this more complicated than it is.
SRV records are critical for AD/Group Policy to work. When you first create the DNS zone it'll look boring and bare. After running dcpromo you'll see a lot of new entries; these are the SRV records and such. Look at this: Active Directory SRV Records.
I would recommend starting over again. Demote the server. Delete any DNS zones you have. Create a new forward lookup zone with the same name as the domain, including extension (if your domain will be home.org, make sure the zone is named home.org, NOT just home). Promote the server.
No need to use 127.0.0.1 as the DNS address; just use the static 192.168.1.101 address of the server. And make sure in your DNS server settings that the server is "listening" on that address.
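As an added example (not posted by anyone in this thread), this PowerShell script checks the three things the post above asks for before you re-run dcpromo: the zone name is the full domain name (home.org, not home), the zone accepts dynamic updates so the SRV records can be registered during promotion, and the DNS server is listening on the static address. It assumes the DnsServer module (Server 2012 and later); the domain name and server address are placeholders:

```powershell
# Added example (not from the thread): prepare/verify the forward lookup zone
# on a DNS server before promoting it to a DC. Assumes the DnsServer module;
# $Domain and $ServerIp are placeholders.
param(
    [string]$Domain   = 'home.org',        # placeholder: full name of the domain you will create
    [string]$ServerIp = '192.168.1.101'    # placeholder: the server's static address
)

# The pitfall named above: a zone called "home" does nothing for a domain "home.org".
if ($Domain -notmatch '\.') {
    throw "'$Domain' is a single label; name the zone after the full domain, extension included."
}

$zone = Get-DnsServerZone -Name $Domain -ErrorAction SilentlyContinue
if (-not $zone) {
    Write-Host "Zone $Domain is missing; creating a file-backed primary zone (it becomes AD-integrated after promotion)."
    # Dynamic updates must be allowed, or dcpromo/netlogon cannot register the SRV records.
    Add-DnsServerPrimaryZone -Name $Domain -ZoneFile "$Domain.dns" -DynamicUpdate NonsecureAndSecure
} elseif ($zone.DynamicUpdate -eq 'None') {
    Write-Host "Zone $Domain exists but refuses dynamic updates; enabling them so SRV records can be registered."
    Set-DnsServerPrimaryZone -Name $Domain -DynamicUpdate NonsecureAndSecure
}
$zone = Get-DnsServerZone -Name $Domain
Write-Host ("Zone {0}: type={1} dynamicUpdate={2}" -f $zone.ZoneName, $zone.ZoneType, $zone.DynamicUpdate)

# "Listening" on the static address: the interfaces the DNS service answers on.
$listen = (Get-DnsServerSetting -All).ListeningIPAddress
if ($listen -and ($listen.IPAddressToString -notcontains $ServerIp)) {
    Write-Host "WARNING: DNS listens on $($listen -join ', ') but not on $ServerIp; fix it under Interfaces in the DNS console."
} else {
    Write-Host "DNS server is listening on $ServerIp."
}
```

After the script reports the zone present with dynamic updates enabled and the server listening on its static address, run dcpromo; the DNS Registration Diagnostics step should then pass instead of offering the "correct the problem later" option.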
I did exactly what you told me to do. I demoted the server, deleted the DNS zones, and created a new forward zone with the same name. Now when I run dcpromo again to install Active Directory, once it gets to the DNS Registration Diagnostics screen it says diagnostics failed. It gives me three options:
1. I have corrected the problem
2. Install and configure DNS server on this computer
3. I will correct the problem later by configuring manually.
I thought since I had already installed DNS prior to running dcpromo everything should be fine. What should I do from here? Thanks for any help.
P.S. I went ahead and let it install and configure DNS server on this computer. I'm now getting an error in my event log with the event ID 4007 that says "The DNS server was unable to open zone _msdcs..com in the Active Directory from the application directory partition ForestDnsZones..com. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone." Any suggestions?