Group Policy and DNS

Ron Gallimore

We have a Win2k Small Business Server with 2 NICs. This
is our only server so it is doing DNS, DHCP, AD, etc. We
have been having problems with group policies applying to
some machines. I narrowed it down to a DNS issue, I think.
The machines that are getting the policies ping the server
at x.x.x.245 and the machines that are not getting the
policies ping the server at x.x.x.246. Both addresses are
valid for the server. I deleted the .246 host record from
DNS and all of the machines work great; however, two weeks
have gone by and the .246 is back in my DNS server, so
obviously this is not a permanent fix. The machines that
are affected show the following 3 errors in the logs:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 6/10/2004
Time: 1:19:35 PM
User: NT AUTHORITY\SYSTEM
Computer: DA19
Description:
The Group Policy client-side extension Security was passed
flags (17) and returned a failure status code of (3).

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 6/10/2004
Time: 1:19:35 PM
User: NT AUTHORITY\SYSTEM
Computer: DA19
Description:
Windows cannot access the registry information at
\\<<domain here>>\sysvol\<<domain here>>\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\registry.pol with (51).

Event Type: Error
Event Source: SceCli
Event Category: None
Event ID: 1001
Date: 6/10/2004
Time: 1:19:35 PM
User: N/A
Computer: DA19
Description:
Security policy cannot be propagated. Cannot access the
template. Error code = 3.
\\<<domain here>>\sysvol\<<domain here>>\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.

From the machines that are not getting the policies, I can
not browse to that directory but from the machines that
are getting the policies, I can. Once I deleted that .246
from DNS, all of the machines could browse. I think I
have tried most, if not all, of the fixes on Microsoft's
site. I do not know where to go from here.

Any ideas?
Thanks,
Ron Gallimore
Senior I.T. Consultant
Young & Associates, Inc.
 
Open the Network and dialup connections. Right click on the local area
connection that represents the .246 NIC and select properties. Highlight
Internet protocol TCP/IP and select properties - advanced - DNS tab.
At the bottom of the page uncheck the box that enables "register this
connection's address in DNS".

hth
DDS W 2k MVP MCSE
 
That has already been done.

Ron Gallimore
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Registry value: DnsAvoidRegisterRecords
Data type: REG_MULTI_SZ
Values: LdapIpAddress


2. Then manually create the blank host for the internal IP.

You should also check your binding order by right clicking on Network
Places, choose properties then in the Advanced menu select Advanced
settings. Make sure the internal interface is at the top of the connections
pane and that file sharing is enabled.
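
An added example, not part of the original thread: a Python check over a DNS zone export that flags A records for the domain's blank (same as parent) host and for the server's host name when they point anywhere other than the internal address, which is the condition the thread describes when .246 reappears. The zone text, the names corp.example and sbs1, and the 192.0.2.x addresses are constructed for illustration.

```python
import ipaddress

# Constructed zone export; names and addresses are placeholders, not from the thread.
SAMPLE_ZONE = """\
$ORIGIN corp.example.
@        600  IN  A   192.0.2.245
         600  IN  A   192.0.2.246   ; blank host re-registered by Netlogon
sbs1     1200 IN  A   192.0.2.245
sbs1     1200 IN  A   192.0.2.246   ; second NIC registered itself
da19     1200 IN  A   192.0.2.50
"""

def _fqdn(name, origin):
    """Expand a zone-file owner name to a lower-case FQDN without trailing dot."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.rstrip(".").lower()
    return f"{name.lower()}.{origin}"

def stray_a_records(zone_text, origin, watched_names, allowed_ips):
    """Return (owner, ip) for each A record of a watched name not in allowed_ips."""
    origin = origin.rstrip(".").lower()
    watched = {_fqdn(n, origin) for n in watched_names}
    allowed = {ipaddress.ip_address(ip) for ip in allowed_ips}
    findings, last_owner = [], origin
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]           # drop comments
        fields = line.split()
        if not fields or fields[0].startswith("$"):
            continue                          # blank line or directive
        if line[0].isspace():
            owner = last_owner                # continuation: same owner as above
        else:
            owner = last_owner = _fqdn(fields.pop(0), origin)
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                     # optional TTL and class
        if len(fields) >= 2 and fields[0].upper() == "A":
            ip = ipaddress.ip_address(fields[1])
            if owner in watched and ip not in allowed:
                findings.append((owner, str(ip)))
    return findings

if __name__ == "__main__":
    # "@" is the blank (same as parent folder) host the LdapIpAddress entry controls.
    for owner, ip in stray_a_records(SAMPLE_ZONE, "corp.example.",
                                     ["@", "sbs1"], ["192.0.2.245"]):
        print(f"unexpected A record: {owner} -> {ip}")
```

Run on a schedule against a fresh zone export, a non-empty result shows the unwanted address has been registered again before clients start failing to reach SYSVOL.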
 