Group Policy

mallyg27 · August 2009

I have group policies applying throughout my domain. All the policies apply fine for the OU's with computers in them, but the OU with users, none of the group policies work. Im using a server with 2003 and xp clients. I have a group policies called redirect and folders. When i run gpresult none of the group policies even show up that are in the User OU.

There are no errors in the event log for the client or the server. Any ideas of what could be going on?

Hyper-Me · August 2009

Are the settings you applied done in the "Computer Configuration" side?

Remember that computer config applies to comptuers and user config applies to users. They will ignore the settings it they arent applicable.

Claymoore · August 2009

You say that all of your users are in a single OU. Is this an OU that you created or is it the default Users container? You can't apply group policies to the default user or computer containers, only OUs.

mallyg27 · August 2009

No the settings are being done on the User side. I'm actually doing folder redirection. This is an OU that I've created. I even created a new policy to not show the "my music" folder and that doesnt apply either. All computer side policies work fine. This all started happening when I downloaded that new GPMC. Still can't figure this out.

mallyg27 · August 2009

Now im getting an event ID error 1054, saying " windows cannot obtain the domain controller for your computer network. Group policy aborting."

RobertKaucher · August 2009

mallyg27 wrote: »

Now im getting an event ID error 1054, saying " windows cannot obtain the domain controller for your computer network. Group policy aborting."

The first thing I would check is DNS. I doubt this is it, but you should verify that it's not the problem.

* Look in the server's log for DNS errors.

* Verify that you can ping the domain: ping domain.local

* Use nslookup to verify srv records.

1. Open Command Prompt.
2. Type: nslookup
3. Type: set q=srv
4. Type: _ldap._tcp.dc._msdcs.domainname.local

Try this as well:
Windows cannot obtain the domain controller name for your computer network. (An unexpected network error occurred. ). Group Policy processing aborted. | IT Solutions Knowledge Base

rwwest7 · August 2009

Are the actual user accounts in the OU or just computers? If its just computer account you need to enable group policy loopback mode. This allows user settings to apply to computers.

bjaxx · August 2009

mallyg27 wrote: »

Now im getting an event ID error 1054, saying " windows cannot obtain the domain controller for your computer network. Group policy aborting."

Check the health of your domain controllers.

Dcdiag Overview: Networking and Communications; Active Directory

mallyg27 · August 2009

RobertKaucher wrote: »

The first thing I would check is DNS. I doubt this is it, but you should verify that it's not the problem.

* Look in the server's log for DNS errors.

* Verify that you can ping the domain: ping domain.local

* Use nslookup to verify srv records.

1. Open Command Prompt.
2. Type: nslookup
3. Type: set q=srv
4. Type: _ldap._tcp.dc._msdcs.domainname.local

Try this as well:
Windows cannot obtain the domain controller name for your computer network. (An unexpected network error occurred. ). Group Policy processing aborted. | IT Solutions Knowledge Base

I ran NSlookup and it says DNS requested timed out.

RobertKaucher · August 2009

mallyg27 wrote: »

I ran NSlookup and it says DNS requested timed out.

Tell me a little bit about your network configuration.

1. Do your DCs use 127.0.0.1 as the address for their DNS server?
2. Do your clients all point to the DCs for DNS? Notice you cannot have any other DNS servers that do not have zones for your domain. You should not use your PDC as your primary DNS server and your ISP DNS server as your secondary.

Run dcdiag /test:dns on your domain controller. If there are are errors run dcdiag /fix then run net stop netlogon and then net start netlogon rund dcdiag /test:dns again to verify.

mallyg27 · August 2009

RobertKaucher wrote: »

Tell me a little bit about your network configuration.

1. Do your DCs use 127.0.0.1 as the address for their DNS server?
2. Do your clients all point to the DCs for DNS? Notice you cannot have any other DNS servers that do not have zones for your domain. You should not use your PDC as your primary DNS server and your ISP DNS server as your secondary.

Run dcdiag /test:dns on your domain controller. If there are are errors run dcdiag /fix then run net stop netlogon and then net start netlogon rund dcdiag /test:dns again to verify.

Basically I have a simple network setup with windows server 2003 and a clinet computer running XP for learning purposes. It's not connected to the internet. My server IP address is 192.168.1.101,subnet mask is 255.255.255 and the default gateway is 192.168.1.1( do i even need a specify a gateway). The preferred DNS is 192.168.1.101. The client uses 192.168.1.101 as its preferred DNS.

I also ran the dcdiag test it my DNS failed the test. A bunch of entries say "this is not a valid DNS server and "root hints list has invalid root hint server.

rwwest7 · August 2009

Run dcdiag /fix. If that doesn't correct it you may need to take drastic measures.
Your DNS server does have a zone with the same name as your domain, correct? And it does contain all the appropriate SRV records?

If this is a test network I would suggest running dcpromo to demote the server. Then make sure your dns server has a zone with the same name as the domain you wish to create. Make sure your future DC has that DNS server listed as it's one and only DNS server. Then run dcpromo again to repromote. If you get an error in the dcpromo process about dns not being correct DO NOT just check the "I'll fix later" box. Keep retrying until it doesn't give you the error. Then you should be all set.

rwwest7 · August 2009

mallyg27 wrote: »

No the settings are being done on the User side. I'm actually doing folder redirection. This is an OU that I've created. I even created a new policy to not show the "my music" folder and that doesnt apply either. All computer side policies work fine. This all started happening when I downloaded that new GPMC. Still can't figure this out.

Btw, GPMC is a great tool and you'll come to love it as you learn more about group policy.

Hyper-Me · August 2009

rwwest7 wrote: »

Btw, GPMC is a great tool and you'll come to love it as you learn more about group policy.

Agreed. Now that i use it on 2008, i cant stand the old 2003 method of managing policies.

RobertKaucher · August 2009

rwwest7 wrote: »

Run dcdiag /fix. If that doesn't correct it you may need to take drastic measures.
Your DNS server does have a zone with the same name as your domain, correct? And it does contain all the appropriate SRV records?

If this is a test network I would suggest running dcpromo to demote the server. Then make sure your dns server has a zone with the same name as the domain you wish to create. Make sure your future DC has that DNS server listed as it's one and only DNS server. Then run dcpromo again to repromote. If you get an error in the dcpromo process about dns not being correct DO NOT just check the "I'll fix later" box. Keep retrying until it doesn't give you the error. Then you should be all set.

I agree with the idea of starting over here. See if you can fix it and get things working with dcdiag, but I would not trust it even if it seemed to work.
* Does your server have a static IP address? If not it needs to have a static address.
* A domain controller that is also a DNS server (and why wouldn't it be?) should have 127.0.0.1 as the entry for its DNS server.

rwwest7 · August 2009

Hyper-Me wrote: »

Agreed. Now that i use it on 2008, i cant stand the old 2003 method of managing policies.

You can use GPMC on 2003 also. It comes built into 2008, but you can download it for 2003.

mallyg27 · August 2009

RobertKaucher wrote: »

I agree with the idea of starting over here. See if you can fix it and get things working with dcdiag, but I would not trust it even if it seemed to work.
* Does your server have a static IP address? If not it needs to have a static address.
* A domain controller that is also a DNS server (and why wouldn't it be?) should have 127.0.0.1 as the entry for its DNS server.

Yes my server has a static address of 192.168.1.101. I tried to dcdiag /fix and it still failed so im going to start over and see what happens.

Hyper-Me · August 2009

rwwest7 wrote: »

You can use GPMC on 2003 also. It comes built into 2008, but you can download it for 2003.

I know, i was just saying that I happen to use it on 2008 because thats what our DC's are at work and I love it. I had never used it until 2008.

mallyg27 · August 2009

This DNS setup is killing me. My server keeps on failing when I do the dcdiag. Im now getting event id 4521. Do i need to setup a reverse zone also?

dynamik · August 2009

Post the error. You don't need reverse look-up zones.

rwwest7 · August 2009

mallyg27 wrote: »

This DNS setup is killing me. My server keeps on failing when I do the dcdiag. Im now getting event id 4521. Do i need to setup a reverse zone also?

This is how DNS in your domain should be set up:
-A Domain Controller should be the DNS server.

-DNS should be AD integrated

-All domain controllers and clients should be pointing to a windows DNS server only, do not list your cable router or anything else in the DNS settings.

-Your DNS server should have either your cable router or your ISPs DNS servers listed under the Forwarders tab.

So your clients computers should be using your DC/DNS servers for all name resolution. If they are trying to get to the internet, they should send the request to your DC/DNS server then your DC/DNS server should forward the request based on what is in it's Forwarders tab then return the answer to your client while cacheing the answer for future use.

mallyg27 · August 2009

rwwest7 wrote: »

This is how DNS in your domain should be set up:
-A Domain Controller should be the DNS server.

-DNS should be AD integrated

-All domain controllers and clients should be pointing to a windows DNS server only, do not list your cable router or anything else in the DNS settings.

-Your DNS server should have either your cable router or your ISPs DNS servers listed under the Forwarders tab.

So your clients computers should be using your DC/DNS servers for all name resolution. If they are trying to get to the internet, they should send the request to your DC/DNS server then your DC/DNS server should forward the request based on what is in it's Forwarders tab then return the answer to your client while cacheing the answer for future use.

I did the dcpromo and I set up the active directory again but when I install the dns it keeps the same settings from the previous setup. The way your telling me to install it, I believe that's what I did.

dynamik · August 2009

mallyg27 wrote: »

...the default gateway is 192.168.1.1( do i even need a specify a gateway).

Only if you're connecting to networks other than your LAN.

RobertKaucher wrote: »

2. Do your clients all point to the DCs for DNS? Notice you cannot have any other DNS servers that do not have zones for your domain. You should not use your PDC as your primary DNS server and your ISP DNS server as your secondary.

Ehhh? You mean if he only has a single internal DNS server, so the clients could still get to the internet if that fails?

rwwest7 wrote: »

-Your DNS server should have either your cable router or your ISPs DNS servers listed under the Forwarders tab.

While I also do this, this is an optional step that allows you to offload iterative queries to your ISP. If you don't it will just use root hints and still be able to resolve names if you don't do this.

***

As far as the problems go, I'd google the errors you're getting when you run dcdiag. It sounds like you need to completely blow away DNS and put it back on.

RobertKaucher · August 2009

dynamik wrote: »

Ehhh? You mean if he only has a single internal DNS server, so the clients could still get to the internet if that fails?

No, no... This was late night typo. My intended meaning was that the clients should not use the ISPs DNS servers as their secondaries. They should use the DC as their DNS server, of course. I am not sure why I thought that sentence made sense.

I have seen networks have authentication issues similar to this, where the clients had the DC as the primary DNS and the ISP DNS servers as the secondary and for some reason (response time?) the clients started to favour the ISP's DNS server. So they would send all their domain.local queries off to the ISP.

dynamik · August 2009

Hah, no worries. You're always sharp, so I figured it was something like that.

Wow, their network must be awful! It takes a (relatively) long time for a machine to completely give up on the primary DNS server and move on to the second.

mallyg27 · August 2009

I need to narrow this down now.These are my server settings:
IP address: 192.168.1.101
Subnet:255.255.255.0
Preferred DNS: 127.0.0.1
Are these settings fine?

When I install active directory should i let it install DNS for me or should i do it manually?
When i run nslookup, it should not say "default server: localhost". Am i correct?
And what do you mean by "And it does contain all the appropriate SRV records?

mallyg27 · August 2009

Ok i just installed it again. In my DNS event log i get an event ID 4521 that says "The DNS server encountered error <error code> attempting to load zone <zone name> from Active Directory. The DNS server will attempt to load this zone again on the next timeout cycle."

This is what I did step for step. I ran DCpromo to unistall active directory. It rebooted. I made sure the Ip address address and preferred DNS was correct for the server. Then I ran dcpromo again. Active directory installed and it ask me if i wanted it to install DNS for me also, I let it install it for me. It rebooted, everything seemed fine but then I got that in my event log.

By the way this server is not on the internet. I just have this server and another XP workstation.

bjaxx · August 2009

mallyg27 wrote: »

Ok i just installed it again. In my DNS event log i get an event ID 4521 that says "The DNS server encountered error <error code> attempting to load zone <zone name> from Active Directory. The DNS server will attempt to load this zone again on the next timeout cycle."

This is what I did step for step. I ran DCpromo to unistall active directory. It rebooted. I made sure the Ip address address and preferred DNS was correct for the server. Then I ran dcpromo again. Active directory installed and it ask me if i wanted it to install DNS for me also, I let it install it for me. It rebooted, everything seemed fine but then I got that in my event log.

By the way this server is not on the internet. I just have this server and another XP workstation.

Description of the Netdiag /fix Switch

rwwest7 · August 2009

mallyg27 wrote: »

I need to narrow this down now.These are my server settings:
IP address: 192.168.1.101
Subnet:255.255.255.0
Preferred DNS: 127.0.0.1
Are these settings fine?

When I install active directory should i let it install DNS for me or should i do it manually?
When i run nslookup, it should not say "default server: localhost". Am i correct?
And what do you mean by "And it does contain all the appropriate SRV records?

You should have DNS all set up before running dcpromo. Set up DNS on the server and make sure a forward-lookup zone is created with the exact same name as the domain you wish to create. The default settings should work. Then after the zone is created run dcpromo. Like I said, if you DNS set up correctly then you shouldn't get any errors when running dcpromo. If you get an error then cancel and triple check your DNS server settings.

Don't even bother with nslookup, you'll just end up making this more complicated than it is.

SRV records are critical for AD/Group Policy to work. When you first create the DNS zone it'll look boring and bare. Aftering running dcpromo you'll see a lot of new entries, these are the SRV records and stuff. Look at this: Active Directory SRV Records .

I would recomend starting over again. Demote the server. Delete any DNS zones you have. Create a new forward lookup zone with the same name as the domain, including extension (if your domain will be home.org, make sure the zone is named home.org NOT just home). Promote the server.

No need to use 127.0.0.1 as the DNS address, just use the static 192.168.1.101 address of the server. And make sure in your DNS server settings that the server is "listening" on that address.

Hyper-Me · August 2009

Whats wrong with letting dcpromo run the DNS install? I've never had an issue out of it before.

mallyg27 · August 2009

rwwest7 wrote: »

You should have DNS all set up before running dcpromo. Set up DNS on the server and make sure a forward-lookup zone is created with the exact same name as the domain you wish to create. The default settings should work. Then after the zone is created run dcpromo. Like I said, if you DNS set up correctly then you shouldn't get any errors when running dcpromo. If you get an error then cancel and triple check your DNS server settings.

Don't even bother with nslookup, you'll just end up making this more complicated than it is.

SRV records are critical for AD/Group Policy to work. When you first create the DNS zone it'll look boring and bare. Aftering running dcpromo you'll see a lot of new entries, these are the SRV records and stuff. Look at this: Active Directory SRV Records .

I would recomend starting over again. Demote the server. Delete any DNS zones you have. Create a new forward lookup zone with the same name as the domain, including extension (if your domain will be home.org, make sure the zone is named home.org NOT just home). Promote the server.

No need to use 127.0.0.1 as the DNS address, just use the static 192.168.1.101 address of the server. And make sure in your DNS server settings that the server is "listening" on that address.

I did exactly what you told me to do. I demoted the server,deleted DNs zones,created a new forward zone with tha same name. Now when i run dcpromo again to install active directory. Once it gets to the DNS Registration Diagnostics screen it says diagnostics failed. It gives me three options:
1.I have corrected the problem
2.Install and configure DNS server on this computer
3. I will correct the problem later by configuring manually.

I thought since I have already installed DNS prior to running dcpromo everything should be fine. What should I do from here. Thanks for any help.

P.S. I went ahead and let it install and configure DNS server on this computer. I'm now getting an error in my event long with the event ID 4007 that says "The DNS server was unable to open zone _msdcs..com in the Active Directory from the application directory partition ForestDnsZones..com. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone." Any suggestions.

Group Policy

Comments