Group policies don't apply


Mykhaylo Khodorev

I've got a problem. While applying GP two records in Application Log occur:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 20.02.2004
Time: 11:04:12
User: ICB\admin
Computer: ONIX
Description:
Windows cannot establish a connection to intercontinentbank.com with
(10053).

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 20.02.2004
Time: 11:04:12
User: ICB\admin
Computer: ONIX
Description:
Windows cannot query for the list of Group Policy objects . A message that
describes the reason for this was previously logged by this policy engine.


GP don't apply. I looked for this error description on MS KB, but didn't find
anything. Can anyone help with this problem?
Thanks.
 
Please check that DNS is working correctly. This means you should be able to
ping your AD domain name by FQDN, like ping company.local, and get a response
from the client as well as from the server. If not, make sure the client's DNS
settings point to the Domain Controller running DNS.

--
Regards,

Christoffer Andersson
No email replies please - reply in the newsgroup
If the information was helpful, you can let me know at:
http://www.itsystem.se/employers.asp?ID=1
 
Can you connect to the \\domain\sysvol folder from your workstation? This is the
primary location where GPOs are read from. Next, use nslookup to see if
you can resolve your DC's SRV records.
Error number 10053 is "An established connection was aborted by the software
in your host machine." Check your software to see if you have anything nonstandard
which would prevent you from connecting to your servers.

--

Regards
Matjaz Ladava, MCSA, MCSE, MCT, MVP
Microsoft MVP Windows Server - Active Directory
(e-mail address removed), (e-mail address removed)
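
The checks suggested in the two replies above (DC locator SRV records, reachability of the DCs they name, and the SYSVOL share), as an added example that is not part of the original thread. It assumes a current Windows client with the `Resolve-DnsName` and `Test-NetConnection` cmdlets; `example.local` is a placeholder domain name.

```powershell
# Added example, not from the thread. $Domain is a placeholder:
# pass the DNS name of your own AD domain.
param([string]$Domain = 'example.local')

# SRV names that clients query to locate a domain controller.
$srvNames = "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain"

$targets = foreach ($name in $srvNames) {
    try {
        Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |   # drop the additional A records
            ForEach-Object {
                [pscustomobject]@{ Record = $name; DC = $_.NameTarget; Port = $_.Port }
            }
    } catch {
        Write-Warning "No SRV answer for ${name}: $($_.Exception.Message)"
    }
}

if (-not $targets) {
    Write-Warning "No DC locator records resolved; check the client's DNS server settings."
    return
}
$targets | Format-Table -AutoSize

# Each DC named in an SRV record should accept LDAP (389) and SMB (445).
# A record left behind by a removed DC shows up here as unreachable.
foreach ($dc in ($targets.DC | Sort-Object -Unique)) {
    foreach ($port in 389, 445) {
        $ok = Test-NetConnection -ComputerName $dc -Port $port `
                -InformationLevel Quiet -WarningAction SilentlyContinue
        '{0,-40} tcp/{1,-4} {2}' -f $dc, $port, $(if ($ok) { 'reachable' } else { 'UNREACHABLE' })
    }
}

# Group Policy templates are read from the domain-based SYSVOL path.
$policies = "\\$Domain\SYSVOL\$Domain\Policies"
if (Test-Path $policies) {
    $count = @(Get-ChildItem $policies -Directory).Count
    "SYSVOL reachable, $count policy folders visible under $policies"
} else {
    Write-Warning "Cannot read $policies"
}
```

Run it on an affected workstation and again on a DC; a DC name that appears in the SRV list but fails the port checks is the first thing to investigate.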
 
Well.... When I ping the AD domain by FQDN it shows the correct IP address and
pings fine. The issue may be that this DC (whose IP is pinging) is
multihomed. But it always shows the local IP address.
By the way, from time to time policies do apply... This problem occurs on almost
all computers in the network. It seems like it happened after I deleted one
DC, which didn't respond.
 
Yes, I can connect to \\domain\sysvol without any problems.
It seems like all computers have just standard software, but I'll check it
once again. Anyway, one of the problem computers has just Windows 2000 Server
installed.
 
In one of your replies you state that you deleted one DC. Did you use the
correct procedure and remove AD from that server? Is that DC still showing
in your DC list? Multihomed DC, you say? Is this DC a router, or are you
using it for internet access? If you are using it for internet access, do
you have file and printer sharing disabled on one NIC? This is a problem in
some configurations.
If you run dcdiag and netdiag on your DCs, do you get any errors?

--

Regards
Matjaz Ladava, MCSA, MCSE, MCT, MVP
Microsoft MVP Windows Server - Active Directory
(e-mail address removed), (e-mail address removed)
 
> In one of your replies you state that you deleted one DC. Did you use the
> correct procedure and remove AD from that server?

That wasn't a completely correct procedure. Because that DC is down, I used
the procedure described in KB216498.

> Is that DC still showing in your DC list?

No.

> Multihomed DC, you say? Is this DC a router, or are you
> using it for internet access?

Both ways. This DC is used as a VPN server and internet router.

> If you are using it for internet access, do
> you have file and printer sharing disabled on one NIC? This is a problem in
> some configurations.

The LAN NIC has file and printer sharing enabled. The two others don't.

> If you run dcdiag and netdiag on your DCs, do you get any errors?

I'll be able to give an answer tomorrow, when I'm at work.

Thank you.
 
Another thing to check: if you enable FPS on all your NICs, do you still
get the problem? The second thing is to check the binding order of your
NICs, so that the LAN NIC is listed first in the binding order.

--

Regards
Matjaz Ladava, MCSA, MCSE, MCT, MVP
Microsoft MVP Windows Server - Active Directory
(e-mail address removed), (e-mail address removed)
 
I've enabled FPS on all NICs, but this didn't help. The LAN NIC is
listed first in the binding order.
Here is the error part of DCDIAG:
Starting test: kccevent
An Warning Event occured. EventID: 0x8000061E
Time Generated: 02/23/2004 21:21:39
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC000051F
Time Generated: 02/23/2004 21:21:39
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x8000061E
Time Generated: 02/23/2004 21:21:39
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC000051F
Time Generated: 02/23/2004 21:21:39
(Event String could not be retrieved)
......................... PRIMESERVER failed test kccevent

I don't know what the kccevent test is, but I guess it isn't connected to the
problem. Am I right?

And the error part of NETDIAG:
DNS test . . . . . . . . . . . . . : Failed
[WARNING] The DNS entries for this DC are not registered correctly on
DNS server '127.0.0.1'. Please wait for 30 minutes for DNS server
replication.
[FATAL] No DNS servers have the DNS records for this DC registered.

I can't understand where and what DNS records I should register for the DC.
I have two DNS servers in this site. Both DNS servers run on DCs. There
are two DCs in this site. I suspect both DCs are registered in the DNS
servers...
It makes me crazy.....
 
By the way, I've found out that policies don't apply on time. By default, DCs apply
policies every 5 minutes and client computers do this every 90 minutes. But
the logs show policies apply about twice a day. I checked all policies for the
policy update schedule, but there were default values everywhere. What could
it be?
 