Re: Group Policy Not Applied

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 04/27/04


Date: Mon, 26 Apr 2004 19:41:25 -0700

You may just have DNS data issues.
Netdiag would give you a better clue on that.
In general, make sure the DCs are pointing at correct
DNS servers (only), which often means other DCs of
the domain (if forestroot and AD integrated DNS), and
check that the DNS zone is AD integrated allowing for
secure dynamic updates. If this is so, and you have not
gone out of your way to disable DC registration efforts,
then the DNS should self correct in about 15 minutes.
This can be hastened with
    net stop netlogon
    net start netlogon
at a DC that is not correctly DNS registered.
If this is done and the dynamic updates are accepted,
then the GUID SRVs used for replication will be defined.

-- 
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Pat" <anonymous@discussions.microsoft.com> wrote in message
news:45c801c42bba$b7caf720$a401280a@phx.gbl...
> Nothing out of place in the event log.  Thanks for
> pointing me to some new tools, netdiag and dcdiag.
>
> From the client (netdiag) I get the following:
> DC list test . . . . . . . . . . . : Failed
>     Find DC in domain 'MLDAVISCH13':
>     Found this DC in domain 'MLDAVISCH13':
>         DC. . . . . . . . . . . : \\MAMIELDA-SRV.MLDAVISCH13.COM
>         Address . . . . . . . . : \\192.1.2.103
>         Domain Guid . . . . . . : {892DEB1D-589F-48AA-BFDD-5ED639F52169}
>         Domain Name . . . . . . : MLDAVISCH13.COM
>         Forest Name . . . . . . : MLDAVISCH13.COM
>         DC Site Name. . . . . . : Default-First-Site-Name
>         Our Site Name . . . . . : Default-First-Site-Name
>         Flags . . . . . . . . . : PDC emulator GC DS KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE 0x8
>     'MLDAVISCH13': No DCs are up.
>     List of DCs in Domain 'MLDAVISCH13':
>         MAMIELDA-SRV.MLDAVISCH13.COM  (this DC is down)
>
> Running dcdiag on server I get this:
>    Testing server: Default-First-Site-Name\MAMIELDA-SRV
>       Starting test: Connectivity
>          MAMIELDA-SRV's server GUID DNS name could not be
> resolved to an IP address.  Check the DNS server, DHCP,
> server name, etc
>          Although the Guid DNS name
> (8c50427a-efbf-450b-a79f-b5dbf5cce975._msdcs.MLDAVISCH13.com) couldn't be
> resolved, the server name (MAMIELDA-SRV.MLDAVISCH13.COM)
> resolved to the IP address (192.1.2.103) and was
> pingable.  Check that the IP address is registered
> correctly with the DNS server..........................
> MAMIELDA-SRV failed test Connectivity
>
> Doing primary tests
>
>    Testing server: Default-First-Site-Name\MAMIELDA-SRV
>       Skipping all tests, because server MAMIELDA-SRV is
>       not responding to directory service requests
>
> Looks to me like the GUID is the culprit. Is there any way
> to straighten this out?  Since I am also unable to load a
> Service pack, it looks like I will be reloading WIN.
>
>
>
> >-----Original Message-----
> >Event log messages ?
> >It sounds like the GPT part but not the GPC part, which
> >are stored in Sysvol and in AD respectively, are being
> >seen.
> >Have you checked AD networking health from the client
> >machine viewpoint ?  Run netdiag at the DC and if clean
> >then at the client.  You did say only one DC or else running
> >this at all DCs would be in order.  netdiag is in the optional
> >support / tools (if not yet installed, get version released
> >with service pack).
> >
> >-- 
> >Roger Abell
> >Microsoft MVP (Windows Server System: Security)
> >MCSE (W2k3,W2k,Nt4)  MCDBA
> >"pat" <anonymous@discussions.microsoft.com> wrote in message
> >news:35a301c4295e$febd73f0$a601280a@phx.gbl...
> >> In researching this some more, the prior situation applies
> >> only to windows settings/security settings/local
> >> policies/security options.  When I edit the same gp policy
> >> at user config/admin templates/start menu&Taskbar, those
> >> changes are applied. Now I'm really confused.
> >> >-----Original Message-----
> >> >I inherited this situation from my predecessor... I have a
> >> >win2000 domain, 1 server and 25 "pro" workstations and am
> >> >implementing group policy.  When I edit the workstation
> >> >local security policy, the local setting changes, but the
> >> >effective setting remains unchanged.  When I edit the
> >> >domain gp policy on the domain controller, the effective
> >> >setting still remains unchanged on the workstations.  When
> >> >I run gpresult on the workstation, it shows the domain
> >> >group policy implemented. Any suggestions on why the
> >> >workstations are not setting the domain group policy? TIA.
> >> >
> >
> >
> >.
> >
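
Added example, not part of either poster's message: a small Python check that pulls the unresolved GUID-based name out of dcdiag Connectivity output like the text quoted above, then re-tests it after the netlogon restart. The sample text is constructed from the quoted output with the mail line wraps rejoined, and the function names and the injectable `resolve` callable are assumptions made for this illustration.

```python
import re
import socket

# Constructed sample: dcdiag text from the thread, e-mail wraps rejoined.
SAMPLE_DCDIAG = (
    "Testing server: Default-First-Site-Name\\MAMIELDA-SRV\n"
    "   Starting test: Connectivity\n"
    "      MAMIELDA-SRV's server GUID DNS name could not be resolved\n"
    "      Although the Guid DNS name"
    "(8c50427a-efbf-450b-a79f-b5dbf5cce975._msdcs.MLDAVISCH13.com) couldn't be\n"
    "      resolved, the server name (MAMIELDA-SRV.MLDAVISCH13.COM)\n"
    "      resolved to the IP address (192.1.2.103) and was pingable.\n"
)

GUID_NAME = re.compile(
    r"Guid DNS name\s*\(\s*([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
    r"\._msdcs\.[^)\s]+)\s*\)", re.I)
SERVER_NAME = re.compile(r"server name\s*\(\s*([^)\s]+)\s*\)", re.I)

def parse_guid_failures(dcdiag_text):
    """Return one dict per DC whose GUID-based name dcdiag could not resolve."""
    failures = []
    for m in GUID_NAME.finditer(dcdiag_text):
        # The host name dcdiag did resolve follows in the same message.
        host = SERVER_NAME.search(dcdiag_text, m.end())
        failures.append({
            "guid_name": m.group(1).lower(),
            "server": host.group(1).lower() if host else None,
        })
    return failures

def system_resolve(name):
    """Resolve through the OS resolver; None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def recheck(failures, resolve=system_resolve):
    """Report, per DC, whether the GUID name resolves now (run after the restart)."""
    report = []
    for f in failures:
        guid_ip = resolve(f["guid_name"])
        host_ip = resolve(f["server"]) if f["server"] else None
        report.append({**f, "guid_ip": guid_ip, "host_ip": host_ip,
                       "registered": guid_ip is not None})
    return report
```

Run `recheck(parse_guid_failures(text))` on a machine that uses the same DNS servers as the DC; `registered` staying false after the restart points back at the zone's dynamic update settings.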

