Group Policy over VPN site to Site


Terry

Anyone

I have 5 centers that are connected to the corporate
office through a VPN (site to site) using T1 lines.
Corporate has approx 20 users. Each center has approx 10
users.

Users can log into the domain but the group policy is not
getting to the client computers. I have checked that
ports 88 and 445 are open on the VPN and LAN side,
and they are. I have tried to ping the computers at each
center using the command ping 192.168.0.1 -n 100 -l 2048
and I get a successful reply with an average time of 80ms.

My Question: Why won't group policy push down to the
clients?

Thank you in advance for your assistance.
 
Do the clients on the other side of the VPN receive the policies? Check the
application log on the client for errors and post them in the NG. You
should also check to see if "slow link detection" is enabled. If the link
is detected as being slow then some parts of the policies will not
apply. If it is enabled you may want to try disabling it. Take a look at
the following articles:

250842 Troubleshooting Group Policy Application Problems
http://support.microsoft.com/?id=250842
227369 Default Behavior for Group Policy Extensions with Slow Link
http://support.microsoft.com/?id=227369
227260 How a Slow Link Is Detected for Processing User Profiles and Group Policy
http://support.microsoft.com/?id=227260

--
Tim Hines, MCSE, MCSA
Windows 2000 Directory Services

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
I am having this same problem. Users can logon to the
machines, run their logon script, can access all network
resources, but group policy is not applied. Group policy
is properly applied everywhere, except through our
site-to-site VPNs.

In the event logs on the client, I am getting the
following error:

Windows cannot obtain the domain controller name for your
computer network. Return value (59).

This is what shows up in userenv.log:

USERENV(f4.a8) 10:40:46:585 ProcessGPOs: DSGetDCName
failed with 59.

I have run the standard nslookup for the SRV records, and
it pulls on the domain controllers with no problems
(_ldap._tcp.dc._msdcs.ActiveDirectoryDomainName)

I have already forced Kerberos to use TCP instead of UDP (
http://support.microsoft.com/?kbid=244474 )



I tried this:

http://support.microsoft.com/default.aspx?scid=kb;en-us;310456

I ran portqry on ldap port 389, and UDP fails, but TCP
returns the records.

It seems to be a problem with ldap over UDP. Any ideas?
Please help!

Thank You.
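The LDAP-over-UDP check described above, as an added example that is not part of the thread: a Python probe that sends the same Netlogon (CLDAP) ping that DsGetDcName issues to UDP 389 and reports whether the domain controller answers. The DC address and DNS domain name are parameters you supply; the NtVer flag values are the MS-ADTS constants, and the rest is plain BER encoding with no third-party libraries.

```python
import socket

# MS-ADTS NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX, little-endian on the wire
NTVER = (0x00000002 | 0x00000004).to_bytes(4, "little")


def ber_len(n: int) -> bytes:
    """BER definite length: one byte below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def build_cldap_ping(dns_domain: str, msg_id: int = 1) -> bytes:
    """SearchRequest on the root DSE, filter (&(DnsDomain=<d>)(NtVer=<flags>)),
    attributes [Netlogon]; msg_id must be below 128 (encoded as a 1-byte INTEGER)."""
    def eq(attr: bytes, value: bytes) -> bytes:  # equalityMatch [CONTEXT 3]
        return tlv(0xA3, tlv(0x04, attr) + tlv(0x04, value))
    filt = tlv(0xA0, eq(b"DnsDomain", dns_domain.encode()) + eq(b"NtVer", NTVER))  # and
    search = (tlv(0x04, b"")          # baseObject "" (root DSE)
              + tlv(0x0A, b"\x00")    # scope: baseObject
              + tlv(0x0A, b"\x00")    # derefAliases: never
              + tlv(0x02, b"\x00")    # sizeLimit 0
              + tlv(0x02, b"\x00")    # timeLimit 0
              + tlv(0x01, b"\x00")    # typesOnly FALSE
              + filt
              + tlv(0x30, tlv(0x04, b"Netlogon")))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x63, search))  # [APPLICATION 3]


def reply_matches(data: bytes, msg_id: int) -> bool:
    """True if data is an LDAPMessage SEQUENCE whose messageID echoes ours."""
    if len(data) < 5 or data[0] != 0x30:
        return False
    i = 2 + ((data[1] & 0x7F) if data[1] & 0x80 else 0)  # skip long-form length bytes
    return data[i:i + 3] == bytes([0x02, 0x01, msg_id])


def cldap_ping(dc_ip: str, dns_domain: str, timeout: float = 2.0) -> bool:
    """True if the DC answers the Netlogon ping on UDP 389 within the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_cldap_ping(dns_domain, 1), (dc_ip, 389))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return False  # the portqry symptom: UDP 389 dropped or unanswered
    return reply_matches(data, 1)
```

Run it from a client behind the VPN against the same DC that portqry was pointed at; a timeout here while TCP 389 answers reproduces the failure the post describes.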
 
Error 59 translates to "An unexpected network error occurred.". I would
start by t-shooting the network settings. Check the binding order of the
NICs and protocols. Make sure that the most used nic or protocol is at the
top of the list. Take a look at the NIC settings such as full duplex or
half duplex and change them if needed. Test the network connectivity by
running "ping -l 1742 IP address". Make sure that you get consistent ping
responses. Take a network trace of the client booting and logging on. The
trace may reveal a problem.

--
Tim Hines, MCSE, MCSA
Windows 2000 Directory Services

 
Clients at the corporate sites receive the Group Policies
fine. The only clients that don't receive the policy are
the ones through the Site to Site VPN.

I have set the slow link detection to force Group Policy
if a slow link is detected. This shouldn't be the case
unless 5 users are able to pull down the throughput on
the T1 line at each center.

Client Error: Event ID 1054: Message: Windows cannot
obtain the domain controller name for your computer
network. (An unexpected network error occurred) Group
Policy processing aborted

Thanks for your assistance
 
There is only 1 NIC per PC, and only using TCP/IP. We
have multiple remote sites, and NONE of the computers are
getting group policy - all the same error. If I take the
same PC and move it to a site that is not using a VPN, it
works fine.

Doing a ping -l 1742 I do not get any replies. (If I do
1472, I get replies. Just tried that in case of a typo)

Thank You.
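The ping -l 1472 / 1742 trial above, turned into a systematic path-MTU probe as an added example (not from the thread): it binary-searches the largest don't-fragment payload that still gets an echo reply, and takes the probe as a parameter so the search can be exercised offline against a constructed link. It assumes the OS ping binary is on the path; the 192.168.0.1 default is the address pinged earlier in the thread.

```python
import platform
import subprocess
from typing import Callable

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def os_ping_probe(host: str) -> Callable[[int], bool]:
    """probe(payload) -> True if a don't-fragment echo of that payload size is answered."""
    def probe(payload: int) -> bool:
        if platform.system() == "Windows":
            cmd = ["ping", "-n", "1", "-w", "1000", "-f", "-l", str(payload), host]
        else:  # Linux iputils ping; macOS spells these -D and -s
            cmd = ["ping", "-c", "1", "-W", "1", "-M", "do", "-s", str(payload), host]
        out = subprocess.run(cmd, capture_output=True).stdout.lower()
        return b"ttl=" in out  # an echo reply line always carries a TTL
    return probe


def find_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> int:
    """Largest MTU in [lo, hi] whose unfragmented payload (MTU - 28) gets a reply.
    Returns 0 if even the IPv4 minimum (576) is blocked, which points at the
    tunnel or filtering itself rather than at its MTU."""
    if not probe(lo - IP_ICMP_OVERHEAD):
        return 0
    while lo < hi:  # binary search on the MTU, replacing the thread's manual -l trials
        mid = (lo + hi + 1) // 2
        if probe(mid - IP_ICMP_OVERHEAD):
            lo = mid
        else:
            hi = mid - 1
    return lo


def simulated_path(mtu: int) -> Callable[[int], bool]:
    """Constructed offline stand-in for a link with the given MTU."""
    return lambda payload: payload + IP_ICMP_OVERHEAD <= mtu


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.1"  # address pinged in the thread
    mtu = find_path_mtu(os_ping_probe(target))
    print(f"largest unfragmented MTU toward {target}: {mtu or 'below 576'}")
```

A result well under 1500 toward the remote DC is the expected signature of an encapsulating tunnel; comparing it with the largest payload that works toward a local host isolates the VPN hop.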
 
Take a look at the following articles:

326152 PRB: Cannot Connect to Domain Controller and Cannot Apply Group
Policy
http://support.microsoft.com/?id=326152
324174 Event ID 1054 Is Logged in the Application Event Log
http://support.microsoft.com/?id=324174


--
Tim Hines, MCSE, MCSA
Windows 2000 Directory Services

 
Tim, I need your help, pleeeeease! I am pulling my hair out (what
little there is left) over these issues with Windows XP boxes on a
2000 AD domain. I have read the post you responded to that is listed
in the subject, and judging by your responses, you are very
knowledgeable in these areas. I have much the same problem, although
my domain controllers are both onsite, rather than across the WAN. I
have scoured the newsgroups and the Microsoft Knowledge base for days
now and tried countless attempts to correct the issues. Could you
please help me resolve this issue, as I am in the hot seat now with my
company!


Here is the situation. I get the following errors:

System:

NETLOGON (bigger problem)

Event ID 5719

No Domain Controller is available for domain MTS due to the following:
There are currently no logon servers available to service the logon
request. Make sure that the computer is connected to the network and
try again. If the problem persists, please contact your domain
administrator.



W32Time (I think due to the other problem…)

Event ID 29

The time provider NtpClient is configured to acquire time from one or
more time sources, however none of the sources are currently
accessible. No attempt to contact a source will be made for 15
minutes. NtpClient has no source of accurate time.

I also get warnings about DHCP Event ID 1003 – Your computer was not
able to renew its address from the network (from the DHCP Server) for
the Network Card with network address… The semaphore timeout period
has expired. Your computer will continue to try and obtain an address
on its own from the network DHCP server.


Application:

Userenv

Event ID: 1054

Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be
contacted.) Group Policy processing aborted.

In addition to these errors, the group policy obviously does not get
applied properly. The GP Core has a failure each time with the big
red X through it. Occasionally, the user portion will work, but many
times it does not. When I run the gpupdate command after I am logged
on, most of the group policy gets applied. I have tried
troubleshooting all of the DNS issues listed in Q314861, Q260371,
Q237675, Q300202, Q291382 and Q298656 among others.

In Q314861, they discuss that you should be able to do an nslookup
guid._msdcs.root_domain.com When I do this, the command does not
succeed, but I have tried the steps the article advises and that entry
still does not exist. Then, I manually tried to enter it, but am not
certain if that was necessary or not. Can you please advise?

Can you help me get these issues resolved? I feel like I am chasing
my tail! And then it will look like it works for 1 boot cycle and it
reappears at the next logon. (By the way, I have also set the local
computer policy to "Always wait for the network at computer startup
and logon") That doesn't seem to resolve it either. It seems to me
like the computer is still booting before the network is started,
which would explain the DHCP error, and probably the others too! What
can I do to resolve these issues? They are happening on all of the XP
Pro boxes we've introduced into our environment.

One last question about Group Policy: I tried to push the automatic
updates client per the instructions in the deployment guide (using the
Active Directory GP approach). The software install failed on all of
my machines, so I removed that from the software installation
directory. It seems that it is still stuck because when I use RSoP to
monitor the policy, it still fails to do the "software install" even
though I've removed it from the policy. How can I trick it or remove
so that it gets the new policy and forgets about the install of that
app?

Thank you very much for any help you can offer. Like I said, it's
been a very rough 3-4 weeks.
 
Anyone

I have 5 centers that are connected to the corporate
office through a VPN (site to site) using T1 lines.
Corporate has approx 20 users. Each center has approx 10
users.

Users can log into the domain but the group policy is not
getting to the client computers. I have checked that
ports 88 and 445 are open on the VPN and LAN side,
and they are. I have tried to ping the computers at each
center using the command ping 192.168.0.1 -n 100 -l 1400
and I get a successful reply with an average time of 80ms.
If I ping above 1500 I time out.

Clients at the corporate sites receive the Group Policies
fine. The only clients that don't receive the policy are
the ones through the Site to Site VPN.

I have set the slow link detection to force Group Policy
if a slow link is detected.

Client Error: Event ID 1054: Message: Windows cannot
obtain the domain controller name for your computer
network. (An unexpected network error occurred) Group
Policy processing aborted

My Question: Why won't group policy push down to the
clients?

Thank you in advance for your assistance.
 