VPN - GPO Problems



Hello all,

I am having problems with Group Policy being applied over my VPN. Most
policies are failing, including folder redirection and desktop settings. If I
physically connect the user's PC to the LAN and log in as the user, the user
will pick up their settings with cached credentials when I transport the PC
back to the remote site. Of course, if the user logs in to the computer for the
first time on site, or if I make any GPO changes, they will not apply. Clients
on the remote site are also receiving error 1054 in the Event Viewer:
"Windows cannot obtain the domain controller name for your computer network.
(An unexpected network error occurred.) Group Policy processing aborted."

I do not use roaming profiles and do not experience any GPO problems on my
LAN. The VPN is set up between two 3Com firewalls using cable modems. I have
three DCs on my LAN (one of which is a mail server) and there are about 10
users at the remote site with no servers there. I am also sure the users and
computers are in their correct OU and I am not using any local GPOs at the
site. The only way I could get clients to connect from the remote site through
the VPN was to configure them with static IPs and enter WINS IP addresses in
the "WINS" tab of the client's IP properties, but the clients' IP addresses are
showing up in DNS, I can ping by name, and connect using UNC path names.

I have performed a lot of research on this and here is a list of things I
have tried thus far:
1. Disabled "Detect slow links for GPO" at the domain level by setting it to 0.
2. When I tried to ping through the VPN using "ping -l 2048 [IP ADDRESS]" I
get no reply. In fact I only get up until about 1450 bytes before it fails. I
cannot find a way on either firewall to up the packet sizes... I may be SOL
here.
3. The DNS servers' network properties are pointing to their own IP addresses
for DNS.
4. There is not a root "." zone in DNS.
5. In all three DCs' Event Viewers I am receiving event warning 409 - "The
DNS server list of restricted interfaces contains IP addresses that are not
configured for use at the server computer. Use the DNS manager server
properties, interfaces dialog, to verify and reset the IP addresses the DNS
server should listen on. For more information, see "To restrict a DNS server
to listen only on selected addresses"", but on the interfaces tab I have
selected "Only the following IP addresses" and entered only the IPs of the 3
DCs.
6. I ran "dcdiag /v" on all of the DCs, which passed.
7. I ran netdiag from the clients on the LAN and remote site and received this
error only: "[WARNING] Failed to query SPN registration on DC
'server1.domain.org'." Not sure if this is a problem.
8. Ran "set" and "nslookup" commands from the client and picked up a DC.
9. Ran "gpupdate /force" from the client.
10. Used Replmon and did not receive any errors.
11. I added subnets to "Sites and Services" for the LAN subnet and the remote
subnet, but did not do any other configuration here.
12. Ran "RSOP" on the client and had red X's and few GPOs applied.
13. I have not altered any of the security policies on the GPOs' ACLs and I'm
pretty sure I haven't created some sort of GPO conflict.

I'm starting to think there is something I missed in Sites and Services or
DNS, but am not sure. I also noticed that when I run "gpresult /v" on the
client it tries to pick up the policies from the mail server, and when I click
on the "server" in DNS it says the server needs to be configured, but it was
configured and I can see all of the host records in the forward and reverse
lookup zones.

I know this is a lot of information, but I thought it would help eliminate
some further questions and maybe help someone else reading this post.

Thanks,

Brian
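The two symptoms in the post (event 1054 from the DC locator, and pings through the tunnel failing above roughly 1450 bytes) are usually checked together, because the DC locator and the LDAP/Kerberos traffic behind Group Policy send UDP replies large enough to be fragmented once a VPN's encapsulation overhead shrinks the path MTU. The PowerShell below is an added diagnostic written for this thread, not something from the original post or from Microsoft. It assumes a remote-site Windows client with PowerShell 3.0 or later, the domain name `domain.org` as it appears in the post, and a placeholder DC address (`192.0.2.10`) that must be replaced with a real DC reachable through the tunnel.

```powershell
# Added diagnostic for the VPN / GPO problem described above (not from the post).
# Assumptions: PowerShell 3.0+, domain "domain.org" from the post, and a
# placeholder DC address below that must be replaced before running.
$Domain    = 'domain.org'
$DcAddress = '192.0.2.10'   # placeholder: a DC on the LAN side of the VPN

function Find-PathMtu {
    # Binary-search the largest ICMP payload that reaches the target with the
    # Don't-Fragment bit set (ping -f). Path MTU = payload + 20 (IP) + 8 (ICMP).
    # 1472 is the largest payload that fits a 1500-byte Ethernet MTU unfragmented.
    param([string]$Target, [int]$Low = 500, [int]$High = 1472)
    $best = 0
    while ($Low -le $High) {
        $mid = [math]::Floor(($Low + $High) / 2)
        $out = & ping.exe -n 1 -f -l $mid $Target 2>&1 | Out-String
        if ($out -match 'TTL=') { $best = $mid; $Low = $mid + 1 }  # reply received
        else                    { $High = $mid - 1 }              # dropped, or "needs to be fragmented"
    }
    if ($best -eq 0) { return $null }
    [pscustomobject]@{ Target = $Target; Payload = $best; PathMtu = $best + 28 }
}

function Test-DcLocator {
    # The SRV records the DC locator needs, then the locator itself. /force makes
    # nltest discard the cached DC and repeat the discovery the client does at logon.
    param([string]$Domain)
    $srv = Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$Domain" -ErrorAction SilentlyContinue
    $targets = @($srv | Where-Object { $_.Type -eq 'SRV' } |
                ForEach-Object { '{0}:{1}' -f $_.NameTarget, $_.Port })
    $nltest = & nltest.exe /dsgetdc:$Domain /force 2>&1 | Out-String
    [pscustomobject]@{
        SrvRecords    = $targets
        LocatorOutput = $nltest.Trim()
    }
}

function Get-GpoLocatorFailures {
    # Event 1054 ("cannot obtain the domain controller name"). Userenv wrote it to
    # the Application log on XP/2003; Microsoft-Windows-GroupPolicy writes to System.
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($log in 'Application', 'System') {
        Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1054; StartTime = $since } `
                     -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, ProviderName, Message
    }
}

# --- run the three checks -------------------------------------------------
$mtu = Find-PathMtu -Target $DcAddress
if ($null -eq $mtu) {
    Write-Warning "No DF-bit ping to $DcAddress succeeded at any size; check tunnel reachability first."
} elseif ($mtu.PathMtu -lt 1500) {
    Write-Warning ("Path MTU through the VPN is {0} bytes. Replies larger than this are " +
                   "fragmented, and if the firewalls drop fragments or the ICMP " +
                   "'fragmentation needed' message, DC location and Kerberos/LDAP over UDP fail." -f $mtu.PathMtu)
}
$mtu
Test-DcLocator -Domain $Domain
Get-GpoLocatorFailures | Format-Table -AutoSize -Wrap
```

Run it from one of the remote-site clients. A `PathMtu` well under 1500 combined with SRV records that resolve but an `nltest` failure is the pattern that points at the tunnel rather than at DNS or Sites and Services; SRV records that do not resolve at all point back at DNS. If the path MTU is the limit, the usual mitigations are lowering the MTU on the tunnel interface or the remote-site clients so packets are sized to fit before they reach the firewall, or making sure both firewalls pass ICMP "fragmentation needed" so path MTU discovery can work.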
