Re: VPN - GPO Problems
- From: "Brian33" <Brian33@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 22 Apr 2005 08:02:23 -0700
I thought that I had exhausted all of my resources, but then I found this
article:
http://lists.virus.org/ntbugtraq-0310/msg00049.html
I did re-configure my remote clients' static IP settings not to use WINS but
only my internal DNS servers. But I think the main problem was about the ping
packet size (2048) being too high for my firewall. Since neither of my
firewalls will allow you to configure the packet size, this left me with the
method of editing the registry on my 10 remote clients. Once I did this all
of the policies loaded and the 1054 error went away.
You need to add these keys:
•HKEY_LOCAL_MACHINE\software\Policies\Microsoft\Windows\System
“GroupPolicyMinTransferRate” DWORD to 0
•HKEY_CURRENT_USER\software\Policies\Microsoft\Windows\System
“GroupPolicyMinTransferRate” DWORD to 0
Since I had disabled “Group Policy slow link detection” at the Default Domain
policy for users & computers, these settings already existed on my LAN, so I
just exported the LAN registry keys into a .REG file and double clicked it at
the remote site. When you change the registry for HKEY_CURRENT_USER you
will need to either be logged in as the user (who may have a
policy restricting editing the registry), or use the Multi-Remote Registry
Change v4 tool, which is what I did. It is free for up to 10 users and seems
to have worked really well. http://www.eytcheson.com/mrrc.htm
"Brian33" wrote:
> I think I am getting close now, but I am just missing something stupid, so
> any help would be greatly appreciated! I changed my remote firewall's DNS to
> point to my ISP's DNS server and changed the DNS settings in the clients to
> point at my internal DNS.
>
> Now I noticed that the 1054 error is not appearing for the computer
> settings when I reboot or run "GPupdate /target:computer" and the GPO
> settings are applying even if I make changes to GPO or move the Computer into
> a different OU. Also if there is a current cached profile that has the "Group
> Policy slow link threshold 0 kbps" it appears new GPO's will be applied and
> no error 1054 will appear when logging in or running GPupdate.
>
> The problem that still exists is if a user logs in for the first time
> remotely, the "User Settings" will not apply, and the "Group Policy slow link
> threshold" will be 500 kbps also folder redirection, and other settings fail.
> If I run gpresult /v I get the error: "Info: The policy object does not
> exist" and of course I get the 1054 error in Event Viewer.
>
> Any other ideas? Anyone?
>
> Thanks,
>
> Brian
>
> "Brian33" wrote:
>
> >
> > Thanks for the reply Kevin! I put your questions/suggestions below with my
> > answers. Hopefully it will be easy for you to read.
> >
> > **Each DNS server if on the DC should listen only on the address that File
> > sharing is enabled on that particular DC/DNS server. This is only for the "A"
> > record for the FQDN of the DNS server.
> > -In DNS I went to the server’s properties > Interfaces tab > “Only the
> > following IP addresses” is checked, listing only the IP address for that
> > DNS server
> >
> > **Question: Is RAS on a DC with DNS installed?
> > -No RAS on my network.
> >
> > **Does nslookup domain.org return the IP addresses of All domain controllers
> > that file sharing is enabled on?
> > -Yes, but there is also an external subnet address, which is from my ISP. See
> > below:
> > C:\Documents and Settings\bpeffer>nslookup Domain.org
> > Server: file2.Domain.org
> > Address: 10.1.1.17
> > Name: Domain.org
> > Addresses: 10.1.1.18, 10.1.1.17, 10.1.1.16, 24.154.178.0
> >
> >
> > **Make sure that on all DCs that are multihomed that the internal interface
> > that has file sharing enabled is at the top of the binding order. (Right
> > click Network places, choose properties, Advanced menu, select Advanced
> > settings, move the interface that has file sharing enabled to the top of the
> > connections pane.
> > -I checked the IP properties again and made sure the correct IP address was
> > at the top and the server’s IP was listed as its own for primary DNS server.
> >
> > **Finally try netdiag /fix & DCdiag /fix on all DCs.
> > -I ran netdiag /fix and DCdiag /fix and only received this error for Netdiag:
> > LDAP test. . . . . . . . . . . . . : Passed
> > [WARNING] Failed to query SPN registration on DC 'file1.domain.org'.
> > [WARNING] Failed to query SPN registration on DC 'file2.domain.org'.
> > [WARNING] Failed to query SPN registration on DC 'mail.domain.org'.
> > I read an article that said this error can occur when using an older version of
> > netdiag, so I don’t think it is a problem.
> >
> > **What about the clients? What are they using for DNS?
> > -Like I mentioned earlier, I had to configure the remote clients with static
> > IPs and WINS for the VPN to work for file sharing/internet etc. Here is what
> > I get when I run IPconfig /all from the remote site.
> > Windows IP Configuration
> >
> > Host Name . . . . . . . . . . . . : computername
> > Primary Dns Suffix . . . . . . . : domain.org
> > Node Type . . . . . . . . . . . . : Hybrid
> > IP Routing Enabled. . . . . . . . : No
> > WINS Proxy Enabled. . . . . . . . : No
> > DNS Suffix Search List. . . . . . : domain.org
> >
> > Ethernet adapter Local Area Connection:
> >
> > Connection-specific DNS Suffix . :
> > Description . . . . . . . . . . . : 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible)
> > Physical Address. . . . . . . . . : 00-08-74-03-61-C5
> > Dhcp Enabled. . . . . . . . . . . : No
> > IP Address. . . . . . . . . . . . : 20.20.20.240
> > Subnet Mask . . . . . . . . . . . : 255.255.255.0
> > Default Gateway . . . . . . . . . : 20.20.20.1
> > DNS Servers . . . . . . . . . . . : 10.1.1.16
> > 10.1.1.17
> > Primary WINS Server . . . . . . . : 10.1.1.16
> > Secondary WINS Server . . . . . . : 10.1.1.17
> >
> > The IP addresses 10.1.1.16, and 10.1.1.17 are two of my DC’s that are
> > running DNS, WINS, and DHCP. Notice that the “Connection-specific DNS Suffix”
> > is blank, that does not occur on the LAN.
> >
> > Thanks for your help
> >
> > Brian
> >
> > "Kevin D. Goodknecht Sr. [MVP]" wrote:
> >
> > > In news:69C7299C-DA7A-4216-B8EF-9EA654735BFC@xxxxxxxxxxxxx,
> > > Brian33 <Brian33@xxxxxxxxxxxxxxxxxxxxxxxxx> commented
> > > Then Kevin replied inline:
> > > > Hello all,
> > > >
> > > > I am having problems with Group Policy being applied over
> > > > my VPN. Most polices are failing, including folder
> > > > redirection and desktop settings. If I physically connect
> > > > the user's PC to the LAN and login as the user, the user
> > > > will pick up their settings with cached credentials when
> > > > I transport the PC back to the remote site. Of course if
> > > > the user logs in to the computer for the first time on
> > > > site, or if I make any GPO changes, they will not apply.
> > > > Clients on the remote site are also receiving in the
> > > > Event Viewer: error 1054 - "Windows cannot obtain the
> > > > domain controller name for your computer network. (An
> > > > unexpected network error occurred.). Group Policy
> > > > processing aborted."
> > > >
> > > > I do not use roaming profiles and do not experience any
> > > > GPO problems on my LAN. The VPN is set up between two
> > > > 3Com firewalls using cable modems. I have three DC's on
> > > > my LAN (one of which is a mail server) and there are
> > > > about 10 users at the remote site with no servers there.
> > > > I am also sure the users and computers are in their
> > > > correct OU and I am not using any local GPO's at the
> > > > site. The only way I could get clients to connect from
> > > > the remote site thru the VPN was to configure them with
> > > > static IP's and enter WINS IP addresses in the "WINS" tab
> > > > of the clients' IP properties, but the clients' IP
> > > > addresses are showing up in DNS, I can ping by name, and
> > > > connect using UNC path names.
> > > >
> > > > I have performed a lot of research on this and here is a
> > > > list of things I have tried thus far:
> > > > 1. Disabled "Detect slow links for GPO" at the domain
> > > > level by setting it to 0.
> > > > 2. When I tried to ping through the VPN using the "Ping
> > > > -l 2048 [IP ADDRESS]" I get no reply. In fact I only get
> > > > up until about 1450 bytes before it fails. I cannot find
> > > > a way on either firewall to up the packet sizes. I may be
> > > > SOL here.
> > >
> > > The internet MTU is 1500 bytes - 28 leaves an MTU of 1472 bytes using ping.
> > >
> > > > 3. DNS server's network properties are pointing to their
> > > > own IP addresses for DNS
> > >
> > > What about the clients? What are they using for DNS?
> > >
> > > > 4. There is not a root "." Zone in DNS
> > > > 5. In all three DC's Event viewers I am receiving event
> > > > warning "409- The DNS server list of restricted
> > > > interfaces contains IP addresses that are not configured
> > > > for use at the server computer. Use the DNS manager
> > > > server properties, interfaces dialog, to verify and reset
> > > > the IP addresses the DNS server should listen on. For
> > > > more information, see "To restrict a DNS server to listen
> > > > only on selected addresses" , but on the interfaces tab I
> > > > have selected "Only the following IP addresses" and
> > > > entered only the IP's of the 3 DC's.
> > >
> > > Each DNS server if on the DC should listen only on the address that File
> > > sharing is enabled on that particular DC/DNS server. This is only for the
> > > "A" record for the FQDN of the DNS server.
> > > Question: Is RAS on a DC with DNS installed?
> > > If it is follow this KB to fix this.
> > > 292822 - Name resolution and connectivity issues on a Routing and Remote
> > > Access Server that also runs DNS or WINS:
> > > http://support.microsoft.com/default.aspx?scid=kb;en-us;Q292822
> > >
> > > > 6. I ran "DCdiag /v" on all of the DC's which passed.
> > > > 7. I ran Netdiag from the clients on the LAN & remote
> > > > site and received this error only: "[WARNING] Failed to
> > > > query SPN registration on DC 'server1.domain.org'." Not
> > > > sure if this a problem.
> > > > 8. Ran "set" & "NSlookup" commands from client and picked
> > > > up a DC
> > >
> > > Does nslookup domain.org return the IP addresses of All domain controllers
> > > that file sharing is enabled on?
> > > Make sure that on all DCs that are multihomed that the internal interface
> > > that has file sharing enabled is at the top of the binding order. (Right
> > > click Network places, choose properties, Advanced menu, select Advanced
> > > settings, move the interface that has file sharing enabled to the top of the
> > > connections pane.
> > >
> > > Finally try netdiag /fix & DCdiag /fix on all DCs.
> > >
> > >
> > >
> > > --
> > > Best regards,
> > > Kevin D4 Dad Goodknecht Sr. [MVP]
> > > Hope This Helps
> > > ===================================
> > > When responding to posts, please "Reply to Group"
> > > via your newsreader so that others may learn and
> > > benefit from your issue, to respond directly to
> > > me remove the nospam. from my email address.
> > > ===================================
> > > http://www.lonestaramerica.com/
> > > ===================================
> > > Use Outlook Express?... Get OE_Quotefix:
> > > It will strip signature out and more
> > > http://home.in.tum.de/~jain/software/oe-quotefix/
> > > ===================================
> > > Keep a back up of your OE settings and folders
> > > with OEBackup:
> > > http://www.oehelp.com/OEBackup/Default.aspx
> > > ===================================
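Editor's added example (not code from anyone in this thread): a PowerShell script that automates the two things the thread converged on. First it probes the largest ICMP payload that crosses the tunnel with the don't-fragment bit set, starting from Kevin's 1500 - 28 = 1472 upper bound; the VPN encapsulation eats some of that, which is why Brian saw failures above roughly 1450 and why probing beats assuming. Second it writes the `GroupPolicyMinTransferRate = 0` DWORD under both hives Brian listed and reads them back. Function names and the target address `10.1.1.16` (one of Brian's DCs) are my own choices; the thread's 2005-era clients predate PowerShell, so this is written for a current domain-joined Windows client.

```powershell
# Added example for this thread, not the original posters' code.
# Assumptions: ping.exe is on PATH, the script runs elevated for the HKLM write,
# and 10.1.1.16 is reachable across the VPN (taken from Brian's ipconfig output).

# Binary-search the largest ICMP payload that gets an echo reply with DF set.
# Returns -1 if no size at all produced a reply.
function Find-MaxDfPayload {
    param(
        [Parameter(Mandatory)][string]$Target,
        [int]$Low  = 0,
        [int]$High = 1472   # 1500-byte Ethernet MTU minus 20 (IP) + 8 (ICMP) header bytes
    )
    $best = -1
    while ($Low -le $High) {
        $mid = [int](($Low + $High) / 2)
        # -f = don't fragment, -l = payload size, -w = per-reply timeout in ms
        $out = & ping.exe -n 1 -w 1000 -f -l $mid $Target 2>&1
        # A genuine echo reply prints "bytes=N time=..."; the
        # "Packet needs to be fragmented but DF set." line does not.
        if (($out -join "`n") -match 'bytes=\d+\s+time') {
            $best = $mid
            $Low  = $mid + 1
        } else {
            $High = $mid - 1
        }
    }
    return $best
}

# Write the slow-link-detection override from the thread (DWORD 0 = disabled)
# under the two hives Brian exported to his remote clients.
function Set-GpoSlowLinkDisabled {
    param([string[]]$Hives = @('HKLM', 'HKCU'))
    foreach ($hive in $Hives) {
        $key = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\System"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'GroupPolicyMinTransferRate' `
            -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

# Read the value back from both hives so the result can be eyeballed.
function Get-GpoSlowLinkSetting {
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\System"
        $v = (Get-ItemProperty -Path $key -Name 'GroupPolicyMinTransferRate' `
                -ErrorAction SilentlyContinue).GroupPolicyMinTransferRate
        [pscustomobject]@{ Hive = $hive; GroupPolicyMinTransferRate = $v }
    }
}

# Usage
$dc = '10.1.1.16'
$payload = Find-MaxDfPayload -Target $dc
if ($payload -lt 0) {
    Write-Warning "No unfragmented echo reply from $dc at any size; check ICMP filtering first"
} else {
    "Largest DF payload to ${dc}: $payload bytes (path MTU is about $($payload + 28))"
}
Set-GpoSlowLinkDisabled
Get-GpoSlowLinkSetting | Format-Table -AutoSize
# Afterwards: gpupdate /force, then look for event 1054 in the System log and
# run gpresult /v to confirm "The policy object does not exist" is gone.
```

Two caveats a practitioner would want. The HKCU write only touches the profile of the account running the script, so for the case the thread is actually about (a user logging in at the remote site for the first time, with no profile yet) the value has to reach the user hive some other way, which is why Brian pushed it with a remote registry tool. And if the probe reports a payload well below 1472, lowering the clients' interface MTU to `payload + 28` is the usual fix when the firewalls themselves cannot be adjusted; the registry key only stops slow-link detection from reacting to the oversized probe, it does not make large packets cross the tunnel.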