
Userenv Event ID: 1054 - Userenv.log DSGetDCName failed with 59


Herbert Peißl

Mar 3, 2008, 4:03:06 PM
Hello,

We have got an urgent problem:

Our environment: a W2K domain with W2K DCs at our site in Munich (with 2
DCs) and several sites connected over VPN (DSL 16000) with their own DC and
subnet. Our clients are Windows XP SP2!

Our problem at the XP clients in the remote subnet is that they don't apply
the current GPO and start a cached GPO with an old login script. The registry
key in the GPO hive shows the old DC (demoted with DCPromo)!

Eventlog:
Event ID: 1054
Source: Userenv
Type: Error
Description:
Windows cannot obtain the domain controller name for your computer network.
(The specified domain either does not exist or could not be contacted). Group
Policy processing aborted.

USERENV.LOG with extended debugging
(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
DWORD: UserEnvDebugLevel HEX: 30002)


USERENV(1b8.4d0) 09:31:20:269 PingComputer: Second send failed with 11010
USERENV(1b8.4d0) 09:31:20:269 PingComputer: No data available
USERENV(1b8.4d0) 09:31:20:269 ProcessGPOs: DSGetDCName failed with 59.
USERENV(1b8.4d0) 09:31:20:280 ProcessGPOs: No WMI logging done in this policy cycle.
USERENV(1b8.4d0) 09:31:20:280 ProcessGPOs: Processing failed with error 59.

My tests:

- Re-added the computer to the domain in the remote subnet
- ipconfig correctly shows the DNS and IP settings at the clients in the remote
subnet
- nslookup correctly shows the DCs from the central site
- I can access the \\domain\sysvol share and can start Logon.vbs manually
and correctly
- nslist.exe shows the DCs from the central site
- A notebook which does not have any problems in the central site, I
moved manually to the remote subnet and it had the same problem with the GPO.

So it could not be a client problem.
There must be a DNS misconfiguration. But where and how could I test further?

The problem has existed since the following scenario:

We uninstalled some DCs (DCPROMO) in our remote subnets and reassigned the
remote subnet to our main site in Munich and cleaned our AD and DNS settings
of the old DCs and sites. We installed DHCP relay agents at our Vigor 2900
VPN routers in the remote subnet. The clients are connected directly over VPN
to our central site in Munich, log on over the DSL connection and use the
DNS and WINS from the central site.

After that we had to set the following registry key at the clients in the
remote subnet because they couldn't log in because of the problem below:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxPacketSize = 0

*******************************************************
How to force Kerberos to use TCP instead of UDP in Windows Server 2003, in
Windows XP, and in Windows 2000

Event Log Error 5719
Source NETLOGON

No Windows NT or Windows 2000 Domain Controller is available for domain
Domain. The following error occurred:

There are currently no logon servers available to service the logon request.
********************************************************

After this configuration all seemed well until I saw the GPO problem and
the login script did not start correctly.

Any Ideas??

Thank you

Herbert

Meinolf Weber

Mar 3, 2008, 4:38:36 PM

Hello Herbert,

Start with dcdiag /v and netdiag /v and replmon to check all DCs for
errors and, if you have some, solve them. Then check that Active Directory
Sites and Services is configured and the DCs for the sites are placed correctly.
If this is fine and working, go on with the clients.


Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Herbert Peißl

Mar 6, 2008, 4:12:00 PM
Hello Meinolf,

Here is the solution:
"The Windows method for locating a domain controller is that the workstation
checks connectivity with the DC; it first uses a normal ICMP ping. If the
normal ping succeeds, it then tests the connection speed with an oversized
ping. Specifically the size is 2048k*, which puts the total packet size over
2k due to headers. This isn't a problem when you are on a local network with
nothing between you and the DC but a switch. Our VPN is operated by a Vigor
2930 router. The router denies oversized ICMP traffic (Ping of Death) by
default. Because of this behavior, workstations at remote sites succeed with
the first normal ping but fail on the oversized one. That causes the
following error to show up in the workstation's event log.

Windows cannot obtain the domain controller name for your computer
network. Return value (59).


We have deactivated this feature on our routers. And all is fine! :-))


Another solution I found on the web would be: (at your own risk!!)
It's really easy to find solutions if you know the whole problem! :-))
********************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"GroupPolicyMinTransferRate"=dword:00000000

Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"GroupPolicyMinTransferRate"=dword:00000000

These keys tell the workstation to not test the speed of the connection
with the DC. This setting is also available in group-policy; however,
the computers must first have the setting to download the group-policy!

********************************************************
Bye and thank you

--
W2K Sm2003 Sp2
1100 Clients Windows XP Sp2
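
Added example, not part of the original posts: a small triage script for userenv.log that flags the signature discussed in this thread, a PingComputer probe timing out with 11010 (IP_REQ_TIMED_OUT) followed on the same thread by ProcessGPOs failing with 59 (ERROR_UNEXP_NET_ERR). The function names are hypothetical; the sample reuses the log lines quoted in the first post plus one constructed line from a healthy thread.

```python
import re

IP_REQ_TIMED_OUT = 11010     # ICMP echo request received no reply
ERROR_UNEXP_NET_ERR = 59     # Win32 error handed back to ProcessGPOs

# Log lines quoted in the thread (one of them wrapped, as posted);
# the last line is constructed to represent an unaffected thread.
SAMPLE = """\
USERENV(1b8.4d0) 09:31:20:269 PingComputer: Second send failed with 11010
USERENV(1b8.4d0) 09:31:20:269 PingComputer: No data available
USERENV(1b8.4d0) 09:31:20:269 ProcessGPOs: DSGetDCName failed with 59.
USERENV(1b8.4d0) 09:31:20:280 ProcessGPOs: No WMI logging done in this
policy cycle.
USERENV(1b8.4d0) 09:31:20:280 ProcessGPOs: Processing failed with error 59.
USERENV(1b8.5a4) 09:40:02:100 PingComputer: Fast link.  Exiting.
"""

LINE = re.compile(
    r"^USERENV\((?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+)\)\s+"
    r"(?P<ts>\d{2}:\d{2}:\d{2}:\d{3})\s+(?P<func>\w+):\s+(?P<msg>.*)$",
    re.IGNORECASE)
CODE = re.compile(r"failed with (?:error )?(\d+)")

def parse(text):
    """Yield one dict per log entry, re-joining wrapped continuation lines."""
    entry = None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            if entry:
                yield entry
            entry = m.groupdict()
        elif entry and raw.strip():
            entry["msg"] += " " + raw.strip()
    if entry:
        yield entry

def find_slow_link_probe_failures(text):
    """Return (thread, ping_ts, gpo_ts) for each timed-out PingComputer probe
    followed on the same thread by ProcessGPOs failing with error 59."""
    pending, hits = {}, []
    for e in parse(text):
        thread = f'{e["pid"]}.{e["tid"]}'
        m = CODE.search(e["msg"])
        code = int(m.group(1)) if m else None
        if e["func"] == "PingComputer" and code == IP_REQ_TIMED_OUT:
            pending[thread] = e["ts"]
        elif (e["func"] == "ProcessGPOs" and code == ERROR_UNEXP_NET_ERR
              and thread in pending):
            hits.append((thread, pending.pop(thread), e["ts"]))
    return hits
```

A hit on clients at one site but not another points at the network path between that site and the DC (ICMP filtering or fragmentation) rather than at DNS or the client itself.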
