laptops connect at work but not at home?

[Guest]

Firstly, I also posted this into the Broadband Networking and Group Policy
forums, as it might apply there too. The summary is that users' WinXP Pro
laptops work fine on our office network but not at home, whether they're
using dial-up or broadband.

Now here are the details: Initially these laptops belonged to an OU on our
W2K domain with other office PCs (which have static IPs) and the laptops
(using DHCP) were used successfully at their homes. Then I specified 2
internal DNS servers in the OU's GPO, and that's about when the laptops
started failing to connect at home. Cable-modem users were actually able to
ping IP addresses on the Internet, but not FQDNs. Convinced then it was
strictly a DNS issue, I removed the DNS servers from the laptops' Registries
(NameServer key under HKLM\software\policies\microsoft\WindowsNT\DNSclient)
and seemed to work on one laptop but, strangely, not the rest! So then I
moved these laptops into their own OU without any DNS servers set (since they
get DNS server settings via DHCP anyway), refreshed policy on DC and laptops,
but still didnt work! Now the cable-modem users can't even ping IP
addresses. I even removed one laptop from the OU altogether, refreshed, and
still doesnt work! Meanwhile, connectivity at work remains intact...

Other pertitent info: Users log into their laptops at home using the same
profile as at work (DC info apparently cached), but even logging in as
another profile (a local one) didnt work. Running ipconfig /all in either
profile shows FQDN still as 'computername.domainname.com', but as said
before, it worked at home like this before the GPO edit.

Thanks in advance.

 

[Kevin D. Goodknecht Sr. [MVP]]

In

Firstly, I also posted this into the Broadband Networking and Group
Policy forums, as it might apply there too. The summary is that
users' WinXP Pro laptops work fine on our office network but not at
home, whether they're using dial-up or broadband.

Now here are the details: Initially these laptops belonged to an OU
on our W2K domain with other office PCs (which have static IPs) and
the laptops (using DHCP) were used successfully at their homes. Then
I specified 2 internal DNS servers in the OU's GPO, and that's about
when the laptops started failing to connect at home. Cable-modem
users were actually able to ping IP addresses on the Internet, but
not FQDNs. Convinced then it was strictly a DNS issue, I removed the
DNS servers from the laptops' Registries (NameServer key under
HKLM\software\policies\microsoft\WindowsNT\DNSclient) and seemed to
work on one laptop but, strangely, not the rest! So then I moved
these laptops into their own OU without any DNS servers set (since
they get DNS server settings via DHCP anyway), refreshed policy on DC
and laptops, but still didnt work! Now the cable-modem users can't
even ping IP addresses. I even removed one laptop from the OU
altogether, refreshed, and still doesnt work! Meanwhile,
connectivity at work remains intact...

Other pertitent info: Users log into their laptops at home using the
same profile as at work (DC info apparently cached), but even logging
in as another profile (a local one) didnt work. Running ipconfig
/all in either profile shows FQDN still as
'computername.domainname.com', but as said before, it worked at home
like this before the GPO edit.

In Help and support, Tools, Advanced system information, there is a tool for
checking applied policies.
Carefully look through the policy report for any entry that can cause this.

 

[Guest]

Thanks, but if it's anything like what the gpresult tool does, then I've
already covered that base too. I ran it after I removed the laptop from the
OU altogether and saw that only the default domain policy was still applied
(as it was supposed to) which only includes info about password requirements.
What else might it be...?

 

[Kevin D. Goodknecht Sr. [MVP]]

In

Thanks, but if it's anything like what the gpresult tool does, then
I've already covered that base too. I ran it after I removed the
laptop from the OU altogether and saw that only the default domain
policy was still applied (as it was supposed to) which only includes
info about password requirements. What else might it be...?

After re-reading the original post to see if I missed anything in it, you
state user cannot ping IP addresses. Is there a manually configured Gateway?

 

[Guest]

No.

 

[Ace Fekay [MVP]]

In

No.

FYI, sometimes with GPO settings, you need to "disable" a setting to undo it
rather than just set them to 'not configured'. Not saying that this is the
case, but if you remember NT40 Sytem Policies, that was the only way to
'undo' them.

Also, what I've found with XP machines, a Computer Configuration GPO setting
will only work if the computer is in that specific GPO, even if you set the
Computer Configuration section for a specific user account. What I've did to
correct this is to put the XP machines into a sub-OU under the OU with the
GPO to get it to work. This is only for XP. Windows 2000 will accept the
Computer Configuration Policy if it's in the OU or not when set on GPO for a
user account.

Have you used the GPMC to run an RSOP or even a Modeling report? You would
need a Win2003 DC to run that tool.

One more thing, I am assuming you're saying the users cannot ping by IP or
FQDN when the users are using their laptops at home, they are directly
connected to their own network, e.g. Linksys router or directly on the cable
modem. How about whey they VPN into the corporate network, does it work for
them then?

Is there a Proxy or ISA setting on the laptops?

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
=================================

 

[Guest]

i'll try to disable the DNS-related settings in the GPO and see what happens.
Even though the DNS Servers setting's explanation says, "If this setting is
not configured, it is not applied to any computers, and computers use their
local or DHCP-configured parameters."?

We were running W2K Server and ran into problems using GPMC from my XP box
so I abandoned its use. But now that server runs W2K3, so should be ok now I
think. So I'll try to run an RSOP and/or modeling report.

What I've did to correct this is to put the XP machines into a sub-OU under the OU with the GPO to get it to work.

I suppose I could try this too.

You're right, they cannot ping from home, behind a Linksys router or
directly connected to cable modem. But they don't VPN in, so we can't test
that. There is no proxy or ISA in place.

To add to the mystery, one of the laptops that I've been messing with
concerning this issue has all of a sudden started working at home! Over the
weekend, the owner told me this - this was two days after I would have
changed anything. Is there a chance it was simply like a delayed applying of
settings? The owner said she'd only rebooted, but we'd been doing that along
the way already. Not to say this issue is totally resolved - there is at
least one laptop out there that cannot connect to the Internet when outside
this office, last I heard...

 

[Ace Fekay [MVP]]

In

i'll try to disable the DNS-related settings in the GPO and see what
happens. Even though the DNS Servers setting's explanation says, "If
this setting is not configured, it is not applied to any computers,
and computers use their local or DHCP-configured parameters."?

I've seen this in the past. It doesn't apply to XP and GPOs, but I just
thought to bring that across. I;ve seen it during a migration where a an XP
machine joined to the NT4 domain exhibited this behavior after the NT4
upgrade. What I had to do is set the NT4 style System Polices back to
disabled. Once I confirmed that, I then removed the System Policy and
proceeded to use GPOs.

We were running W2K Server and ran into problems using GPMC from my
XP box so I abandoned its use. But now that server runs W2K3, so
should be ok now I think. So I'll try to run an RSOP and/or modeling
report.

Ok, sounds good.

I suppose I could try this too.

You're right, they cannot ping from home, behind a Linksys router or
directly connected to cable modem. But they don't VPN in, so we
can't test that. There is no proxy or ISA in place.

To add to the mystery, one of the laptops that I've been messing with
concerning this issue has all of a sudden started working at home!
Over the weekend, the owner told me this - this was two days after I
would have changed anything. Is there a chance it was simply like a
delayed applying of settings? The owner said she'd only rebooted,
but we'd been doing that along the way already. Not to say this
issue is totally resolved - there is at least one laptop out there
that cannot connect to the Internet when outside this office, last I
heard...

Can I assume the users at home performed an ipconfig /release and then
followed by a /renew? Did you have them confirm their ipconfig settings when
you were helping them tech support this?

Ace

 

[Guest]

Can I assume the users at home performed an ipconfig /release and then

followed by a /renew? Did you have them confirm their ipconfig settings when
you were helping them tech support this?

yes we did all that. when we first started troubleshooting this, they could
ping Internet IP addreesses but no FQDNs, and were getting IP address from
ISP. later, when they couldnt ping anything at all, they werent getting one.

 

[Ace Fekay [MVP]]

In

yes we did all that. when we first started troubleshooting this,
they could ping Internet IP addreesses but no FQDNs, and were getting
IP address from ISP. later, when they couldnt ping anything at all,
they werent getting one.

If they weren't getting an IP, then I can understand why they can't ping
anything.

Is there a personal firewall (Zone Alarm) or anything else similar to that
installed?

Are the DNS addresses on the clients hardcoded to your internal DNS but the
IP is set to 'obtain automatically'?

Ace

 

[Guest]

Is there a personal firewall (Zone Alarm) or anything else similar to that

installed?

no firewall. even turned off XP firewall.

Are the DNS addresses on the clients hardcoded to your internal DNS but the
IP is set to 'obtain automatically'?

If I understand your question right, that's what appears to have caused this
whole mess. Yes, they're set to obtain automatically (both at work and at
home), but the office network's internal DNS servers are there in the
Registry when they're at home (I had them look it up). Clearing them out
seems to work sporadically. I mean, it worked for the first laptop on which
we first discovered this problem. But the second laptop didn't behave the
same way (it's the one I described above that unexpectedly just started
working last weekend). Now a third laptop has exhibited the same issue.
I've told him to ipconfig /release, /renew, and /flushdns, also he cleared
out the DNS servers from HKLM\Software\Policies\Microsoft\WindowsNT\DNSclient
and rebooted, and he even gets an IP address from the wireless hotspot he's
trying to connect to, but still cannot pull up web pages. He also cant seem
to ping Internet IP addresses even though his laptop gets that IP address -
weird.

Or maybe I dont understand your question: 'hardcoded to the internal DNS'?

 

[Ace Fekay [MVP]]

In

no firewall. even turned off XP firewall.


If I understand your question right, that's what appears to have
caused this whole mess. Yes, they're set to obtain automatically
(both at work and at home), but the office network's internal DNS
servers are there in the Registry when they're at home (I had them
look it up). Clearing them out seems to work sporadically. I mean,
it worked for the first laptop on which we first discovered this
problem. But the second laptop didn't behave the same way (it's the
one I described above that unexpectedly just started working last
weekend). Now a third laptop has exhibited the same issue. I've told
him to ipconfig /release, /renew, and /flushdns, also he cleared out
the DNS servers from
HKLM\Software\Policies\Microsoft\WindowsNT\DNSclient and rebooted,
and he even gets an IP address from the wireless hotspot he's trying
to connect to, but still cannot pull up web pages. He also cant seem
to ping Internet IP addresses even though his laptop gets that IP
address - weird.

Or maybe I dont understand your question: 'hardcoded to the internal
DNS'?

In IP properties, you can select to either obtain automatically or set it
statically. You can even set the DNS addresses statically, but obtain an IP
address automatically. Check out the IP properties and you'll see what I
mean.

I assume no spyware or viruses such as the QHOSTS that compromises the Hosts
file.

Honestly I've never seen these sort of problems with connectivity. I work
with one of my clients of about 150+ users and half of them have laptops and
travel around and they have no problems whatsoever whether they are in a
hotel, airport, a Starbucks or at home on their wireless.

It uis obviously something common since it is happening to all your laptops.
If you brought a new laptop in that never had the GPO settings, does it work
anywhere it goes?

Ace

 

[Guest]

"In IP properties, you can select to either obtain automatically"...

Ok, setting static TCP/IP info. I thought you meant something else by
"hardcoding." Yes, again, they're set to obtain automatically.

Right, no viruses/spyware. Scanned with locally installed AV and online AV
scanners.

about 150+ users and half of them have laptops and have no problems whatsoever

yeah, neither did we until I set up this GPO and included the laptops in it!

If you brought a new laptop in that never had the GPO settings, does it work

well, not sure. we dont have a new laptop that was just purchased to use
for a test. it probably would though cuz the laptops' GPO now doesnt include
DNS settings.

 

[Ace Fekay [MVP]]

In

"In IP properties, you can select to either obtain automatically"...

Ok, setting static TCP/IP info. I thought you meant something else by
"hardcoding." Yes, again, they're set to obtain automatically.

Right, no viruses/spyware. Scanned with locally installed AV and
online AV scanners.


yeah, neither did we until I set up this GPO and included the laptops
in it!


well, not sure. we dont have a new laptop that was just purchased to
use for a test. it probably would though cuz the laptops' GPO now
doesnt include DNS settings.

So it all points back to the GPO. Let's backtrack a sec. Did you ever get a
chance to run a Resulting Policy report thru GPMC on one of the affected
laptops or a user account?

Was this a GPO you created or did you alter the Default Domain Policy? If
not the default, did you completely remove the GPO and allow the user to
logon and then logoff and then go home and try it again?

Was anything else altered thru the reg such as the MTU settings? That can
affect communication. Any other software installed on these laptops that
affect network settings, such as WinPoet or anything else?

Originally you said you posted this in the GPO newsgroup. I was looking for
it in win2000.group_policy group but couldn't find your name. I was curious
what those guys had to offer.

If you re-ran Windows setup on one of the laptops, in effect resetting the
system (it will keep the users' profiles, apps and other settings intact),
and then put the computer into another OU without that GPO, does it work? I
know this is alot of work, but I'm trying to pinpoint where the issue is.

Also, maybe disjoining one of them, allow the user to take it home and try
it, then when they return, re-join it but put it in a different OU.

Ace

 

[Guest]

Did you ever get a

chance to run a Resulting Policy report thru GPMC on one of the affected
laptops or a user account?

no, but i will. the thing is, of the 14 laptops, most either dont get
online at home or havent been brought into the office since i added this GPO.
so, cant really test to see how theyre behaving yet. however, one laptop
that i havent touched concerning this issue does go back and forth and she
said she hasnt had any problems connecting at either place.

Was this a GPO you created or did you alter the Default Domain Policy?

GPO i created.

If
not the default, did you completely remove the GPO and allow the user to
logon and then logoff and then go home and try it again?

i didnt remove the GPO, but at one point i'd removed one laptop from the OU
(and was part of no OU and had no GPO applied), refreshed everything, let
them log in, then shut down, and take it home to try. if memory serves, this
still didnt work initially. but this was the one that started working again
last weekend.

Was anything else altered thru the reg such as the MTU settings? That can
affect communication. Any other software installed on these laptops that
affect network settings, such as WinPoet or anything else?

no other registry or software changes.

Originally you said you posted this in the GPO newsgroup. I was looking for
it in win2000.group_policy group but couldn't find your name. I was curious
what those guys had to offer.

you're the only one who's replied.

If you re-ran Windows setup on one of the laptops, in effect resetting the
system (it will keep the users' profiles, apps and other settings intact),
and then put the computer into another OU without that GPO, does it work? I
know this is alot of work, but I'm trying to pinpoint where the issue is.

yes, and appreciate it. but i dont think the solution is that drastic.

Also, maybe disjoining one of them, allow the user to take it home and try
it, then when they return, re-join it but put it in a different OU.

i think along these lines is the right path to the solution. of course, as
i wrote above, each laptop seems to be behaving differently!

 

[Ace Fekay [MVP]]

In

no, but i will. the thing is, of the 14 laptops, most either dont get
online at home or havent been brought into the office since i added
this GPO. so, cant really test to see how theyre behaving yet.
however, one laptop that i havent touched concerning this issue does
go back and forth and she said she hasnt had any problems connecting
at either place.


GPO i created.

Just yank it at this point!

i didnt remove the GPO, but at one point i'd removed one laptop from
the OU (and was part of no OU and had no GPO applied), refreshed
everything, let them log in, then shut down, and take it home to try.
if memory serves, this still didnt work initially. but this was the
one that started working again last weekend.

That's strange. It will usually just work with the new GPO, or lack of,
immediately.

no other registry or software changes.


you're the only one who's replied.

And Kevin earlier in this thread.

yes, and appreciate it. but i dont think the solution is that
drastic.

Just a thought to try.

i think along these lines is the right path to the solution. of
course, as i wrote above, each laptop seems to be behaving
differently!

Strangest thing. That's what;s making it difficult to diagnose. Let me know
what you find with the GPMC report.

Ace

 

[Guest]

Ok, just ran GPMC's Group Policy Results wizard on one of the laptops that
hasnt even been connected at home yet. The only DNS-related thing (which I
did set) was Dynamic Update set as enabled. Its status has not proven to
have any effect on all this.

 

[Guest]

What's especially weird about all this is that I can't seem to force the
changes in the Registry. I search for all instances of the internal DNS
servers in the Registry and wipe them out and reboot but still nothing. One
guy is now in Germany for the month and hoped to get online while there but
can't. So, he can't just bring his laptop back in to log in or let new
policies apply or anything. I've emailed him all these TCP/IP and
Registry-editing instructions above but none have worked (he's using a hotel
PC to get email). Apparently there's either something I'm missing in the
Regsitry or something else...

 

[Kevin D. Goodknecht Sr. [MVP]]

In

What's especially weird about all this is that I can't seem to force
the changes in the Registry. I search for all instances of the
internal DNS servers in the Registry and wipe them out and reboot but
still nothing. One guy is now in Germany for the month and hoped to
get online while there but can't. So, he can't just bring his laptop
back in to log in or let new policies apply or anything. I've
emailed him all these TCP/IP and Registry-editing instructions above
but none have worked (he's using a hotel PC to get email).
Apparently there's either something I'm missing in the Regsitry or
something else...

You may have a Winsock problem, install the Windows XP support tools from
the XP CD and run netdiag /v to check the Winsock test.

 

[Guest]

Just yank it at this point!

gettin' close to doin' that...

Let me know what you find with the GPMC report.

did you see my post?

You may have a Winsock problem, install the Windows XP support tools from
the XP CD and run netdiag /v to check the Winsock test.

i will.