
DNS & Group Policy


Kevin Gallo

Nov 28, 2003, 8:53:00 PM
I have a small domain set up with AD and use GP to do software installation
(using Windows Server 2003).

I had to recreate my DNS structures after I did a domain rename. I used
netdiag /fix to do this which resolved all but one problem.

Most of the machines work fine but some of the machines will not install
assigned software using GP due to the following error on the windows XP
machine.
---------------
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1054
Date: 11/27/2003
Time: 11:22:32 AM
User: NT AUTHORITY\SYSTEM
Computer: COMPUTER1
Description:
Windows cannot obtain the domain controller name for your computer network.
(The specified domain either does not exist or could not be contacted. ).
Group Policy processing aborted.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
-----------

Most other processes can find the domain but I cannot figure out what GP is
querying DNS for and what entries are missing. After logon the machine can
find the domain fine and I can logon using domain credentials.

I also have an intermittent problem using netdiag where it reports the
following error. It happens almost every other time I run netdiag. I am
not sure if it is related.
--
LDAP test. . . . . . . . . . . . . : Failed
[FATAL] Cannot do NTLM authenticated ldap_bind to 'foo.domain.com': Timeout.
[FATAL] No LDAP servers work in the domain 'FOO'.
--
Can someone shed some light on what may be causing this to fail?

Thanks,

Kevin


Ace Fekay [MVP]

Nov 28, 2003, 10:54:53 PM
In news:OvPAOuht...@TK2MSFTNGP12.phx.gbl,
Kevin Gallo <kevin...@hotmail.com> posted their thoughts, then I offered
mine

99% of the time, these errors are due to you using your ISP's DNS addresses
or your router as a DNS address in your machines' IP properties (on your DCs
and clients). If this is your case, you should remove them immediately and
only use your own. If your clients are set to DHCP and getting those
addresses that way, remove them out of the options too.

The idea is to use ONLY your internal DNS server for your clients and DCs.
Configure a forwarder for efficient Internet resolution as per
http://support.microsoft.com/?id=300202.

The problem is, if this is your case, it's asking your ISP's DNS "Where is
my domain" or :"Where is my domain controller?" and it does not have that
answer.

If this is your case, and once you've removed them, test it again. If the
problem continues, we'll need to see any Event log errors that occur, mainly
the Userenv errors, netlogon and NTDS errors.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
--
=================================
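The check Ace describes above, as an added example that is not code from the thread or from anyone posting in it: a Python script that parses the output of `ipconfig /all` (the same output Ace asks Kevin to post later in the thread) and flags every DNS server on an adapter that is not one of the domain's own internal DNS servers, calling out the router-as-DNS case and the DHCP-assigned case separately. The ipconfig text, the host name, the adapter and all addresses below are constructed samples, and the internal DNS server 192.168.1.10 is an assumption.

```python
"""Audit DNS client settings from `ipconfig /all` output.

Added example, not from the thread. Flags every DNS server on an adapter
that is not one of the domain's own DNS servers, which is the
misconfiguration described in the reply above: ISP or router addresses in
IP properties (or handed out by DHCP) mean the client asks a server that
has never heard of the AD domain where its domain controller is.
All sample output, names and addresses below are constructed.
"""
import re

# Key/value line: indented key, dotted leader, colon, optional value.
_KV = re.compile(r"^\s+([A-Za-z][^.:]*?)[ .]*: ?(.*)$")
# Adapter header: unindented line ending with a colon.
_ADAPTER = re.compile(r"^(\S.*):\s*$")


def parse_ipconfig(text):
    """Return {adapter: {key: [values]}}; the header block is under "global".

    Indented lines without a key continue the previous key, which is how
    ipconfig lists a second DNS server or an extra search suffix.
    """
    adapters = {"global": {}}
    current, last_key = adapters["global"], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        header = _ADAPTER.match(raw)
        if header:
            current = adapters.setdefault(header.group(1).strip(), {})
            last_key = None
            continue
        kv = _KV.match(raw)
        if kv:
            last_key, value = kv.group(1).strip(), kv.group(2).strip()
            current[last_key] = [value] if value else []
        elif raw[0].isspace() and last_key is not None:
            current[last_key].append(raw.strip())
    return adapters


def audit_dns_clients(adapters, internal_dns):
    """Return (adapter, server, reason) findings for non-internal DNS servers.

    internal_dns holds the addresses of the DNS servers that host the AD
    zone; those are the only ones a client or DC should be using.
    """
    internal = set(internal_dns)
    findings = []
    for name, keys in adapters.items():
        servers = keys.get("DNS Servers", [])
        gateways = set(keys.get("Default Gateway", []))
        bad = [s for s in servers if s not in internal]
        for server in bad:
            reason = ("router used as DNS server" if server in gateways
                      else "not an internal DNS server (ISP or other)")
            findings.append((name, server, reason))
        if bad and keys.get("Dhcp Enabled") == ["Yes"]:
            # The addresses came from DHCP, so the scope's DNS option needs fixing too.
            findings.append((name, "DHCP", "DHCP scope hands out non-internal DNS servers"))
    return findings


# Constructed sample of `ipconfig /all` from an XP client; 192.168.1.10 is
# the (assumed) internal DNS server, 192.168.1.1 the router, 198.51.100.53
# a made-up ISP resolver.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : computer1
        Primary Dns Suffix  . . . . . . . : foo.bar.org
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : foo.bar.org
                                            bar.org

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Constructed Sample NIC
        Physical Address. . . . . . . . . : 00-00-5E-00-53-01
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.50
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.10
                                            192.168.1.1
                                            198.51.100.53
"""

if __name__ == "__main__":
    for adapter, server, reason in audit_dns_clients(parse_ipconfig(SAMPLE_IPCONFIG), {"192.168.1.10"}):
        print(f"{adapter}: {server}: {reason}")
```

Run it against the saved output of `ipconfig /all` from each DC and client in turn; a clean result is an empty findings list, and anything else is an address to remove from IP properties or from the DHCP scope before looking for other causes.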


Kevin Gallo

Nov 29, 2003, 2:38:39 AM
I tried this and it still has the same errors. Here are the only other
system log errors from computer1 (the XP machine). The DC has no errors for
NTDS.
-----
Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5719
Date: 11/28/2003
Time: 11:28:34 PM
User: N/A
Computer: COMPUTER1
Description:
No Domain Controller is available for domain FOO due to the following:
There are currently no logon servers available to service the logon request.
.
Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Data:
0000: 5e 00 00 c0 ^..À
---
Thanks for the help.
--

"Ace Fekay [MVP]"
<PleaseSubstituteMyActualFirstName&LastNa...@hotmail.com> wrote in
message news:OXgvhyit...@tk2msftngp13.phx.gbl...

WJ

Nov 29, 2003, 8:42:03 AM

"Kevin Gallo" <kevin...@hotmail.com> wrote in message news:elH1Wvkt...@TK2MSFTNGP10.phx.gbl...

> I tried this and it still has the same errors. Here are the only other
> system log errors from computer1 (the XP machine). The DC has no errors for
> NTDS.
> -----
> Event Type: Error
> Event Source: NETLOGON
> Event Category: None
> Event ID: 5719
> Date: 11/28/2003
> Time: 11:28:34 PM
> User: N/A
> Computer: COMPUTER1
> Description:
> No Domain Controller is available for domain FOO due to the following:
> There are currently no logon servers available to service the logon request.
> .
> Make sure that the computer is connected to the network and try again. If
> the problem persists, please contact your domain administrator.
>
> Most of the machines work fine but some of the machines will not install
> assigned software using GP due to the following error on the windows XP
> machine.

You may try to delete these troubled "computer accounts" in the domain.computer container. Reboot the DC. And have the troubled pc
re-join the domain. Make sure the local DNS registers these computers properly.

> I had to recreate my DNS structures after I did a domain rename. I used
> netdiag /fix to do this which resolved all but one problem.

I had to rebuild the entire DC. The renaming of a domain after it was setup apparently has some problems but I could not figure out
what.... But in my case, no XP could join the domain.

John


Ace Fekay [MVP]

Nov 29, 2003, 12:54:40 PM
In news:uX7iT6nt...@TK2MSFTNGP10.phx.gbl,
WJ <John...@Hothing.Com> posted their thoughts, then I offered mine

Domain "FOO"? Is your domain a single label name, such as "FOO" and not
"foo.com" or "foo.net"? That would explain a lot, especially if XP's can't
join. Do the SRVs exist under the zone?

Kevin Gallo

Nov 29, 2003, 1:44:01 PM
No - but the error just reports the child domain. It actually is
foo.bar.org.

All the SRVs exist that are in netlogon.dns. I am beginning to think that
there is an authentication problem with the machines. If I look at the logs
from some of the other machines they indicate that they have either invalid
credentials (an error reported from netlogon). This is also consistent with
the netdiag indication that it cannot do NTLM or negotiated protocol when
doing the ldap test.

I am going to try to delete the computer accounts and recreate them (as
someone else suggested). I did this for one machine and it did not work but
I will give it a try on the others.

message news:ubUCzHqt...@TK2MSFTNGP10.phx.gbl...

Ace Fekay [MVP]

Nov 30, 2003, 12:49:08 AM
In news:ecVBJjq...@tk2msftngp13.phx.gbl,
Kevin Gallo <kevin...@hotmail.com> posted their thoughts, then I offered
mine

> No - but the error just reports the child domain. It actually is
> foo.bar.org.
>
> All the SRVs exist that are in netlogon.dns. I am beginning to think
> that there is an authentication problem with the machines. If I look
> at the logs from some of the other machines they indicate that they
> have either invalid credentials (an error reported from netlogon).
> This is also consistent with the netdiag indication that it cannot do
> NTLM or negotiated protocol when doing the ldap test.
>
> I am going to try to delete the computer accounts and recreate them
> (as someone else suggested). I did this for one machine and it did
> not work but I will give it a try on the others.
>

Reset the computer accounts, don't delete them.

My question was do the SRVs exist in DNS, not in the netlogon.dns file. They
will exist in that file whether or not they exist under your foo.bar.org
zone.

Are all machines only using the DNS server in IP properties that host this
zone?

Can you post an UNEDITED ipconfig /all from the Forest root DC (bar.org) and
one of the child DC (foo.bar.org) please?

Thanks
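The distinction Ace draws here and in his earlier question about the SRVs, as an added example that is not part of the thread: netlogon.dns lists what the DC tries to register, and only the zone shows what clients actually get back. The Python script below parses the SRV records out of netlogon.dns, looks each name up, and reports names the zone does not have at all and names that exist but point somewhere other than the DC (for instance records left from before a domain rename). The netlogon.dns content, the zone dump and the hostnames dc1/olddc are constructed; the zone lookup is a stand-in for `nslookup -type=SRV <name> <dns server>` so the script runs offline.

```python
"""Check that the SRV records a DC writes to netlogon.dns exist in the zone.

Added example, not from the thread. netlogon.dns (under
%SystemRoot%\\System32\\config on the DC) lists what the Netlogon service
tries to register; only the zone shows what clients actually get. The
file content, the zone dump and the hostnames dc1/olddc are constructed.
"""
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "name priority weight port target")


def _norm(name):
    """Lower-case and drop the trailing dot so names compare consistently."""
    return name.lower().rstrip(".")


def parse_srv_records(text):
    """Return the SRV records from zone-file style text (owner TTL IN SRV prio weight port target)."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith(";"):
            continue  # blank line or comment
        if len(parts) != 8 or parts[2].upper() != "IN" or parts[3].upper() != "SRV":
            continue  # A, CNAME and other records are not what we are checking
        owner, _ttl, _cls, _type, prio, weight, port, target = parts
        records.append(SrvRecord(_norm(owner), int(prio), int(weight), int(port), _norm(target)))
    return records


def make_zone_lookup(zone_text):
    """Build lookup(name) -> [SrvRecord] from a zone dump.

    Stand-in for a real query (nslookup -type=SRV <name> <dns server>)
    so the example runs offline.
    """
    by_name = {}
    for rec in parse_srv_records(zone_text):
        by_name.setdefault(rec.name, []).append(rec)
    return lambda name: by_name.get(_norm(name), [])


def check_zone(expected, lookup_srv):
    """Compare expected SRV records with DNS answers.

    Returns (missing, stale): names the zone does not have at all, and
    names that exist but none of whose answers point at the DC's port and
    target (for example records left from before a domain rename).
    """
    missing, stale = [], []
    for rec in expected:
        answers = lookup_srv(rec.name)
        if not answers:
            missing.append(rec.name)
        elif not any(a.port == rec.port and a.target == rec.target for a in answers):
            stale.append((rec.name, sorted(a.target for a in answers)))
    return missing, stale


# Constructed: what a DC named dc1 in child domain foo.bar.org would write.
NETLOGON_DNS = """\
; netlogon.dns (constructed sample)
foo.bar.org. 600 IN A 192.168.1.10
_ldap._tcp.foo.bar.org. 600 IN SRV 0 100 389 dc1.foo.bar.org.
_ldap._tcp.dc._msdcs.foo.bar.org. 600 IN SRV 0 100 389 dc1.foo.bar.org.
_kerberos._tcp.foo.bar.org. 600 IN SRV 0 100 88 dc1.foo.bar.org.
_kerberos._tcp.dc._msdcs.foo.bar.org. 600 IN SRV 0 100 88 dc1.foo.bar.org.
_kpasswd._tcp.foo.bar.org. 600 IN SRV 0 100 464 dc1.foo.bar.org.
_ldap._tcp.Default-First-Site-Name._sites.foo.bar.org. 600 IN SRV 0 100 389 dc1.foo.bar.org.
_gc._tcp.bar.org. 600 IN SRV 0 100 3268 dc1.foo.bar.org.
"""

# Constructed: what the DNS server actually answers. The _msdcs records
# never got registered and _kpasswd still points at a pre-rename host.
ZONE_DUMP = """\
_ldap._tcp.foo.bar.org. 600 IN SRV 0 100 389 dc1.foo.bar.org.
_kerberos._tcp.foo.bar.org. 600 IN SRV 0 100 88 dc1.foo.bar.org.
_kpasswd._tcp.foo.bar.org. 600 IN SRV 0 100 464 olddc.foo.bar.org.
_ldap._tcp.Default-First-Site-Name._sites.foo.bar.org. 600 IN SRV 0 100 389 dc1.foo.bar.org.
_gc._tcp.bar.org. 600 IN SRV 0 100 3268 dc1.foo.bar.org.
"""


def run_check():
    """Run the comparison on the constructed data and return (missing, stale)."""
    return check_zone(parse_srv_records(NETLOGON_DNS), make_zone_lookup(ZONE_DUMP))


if __name__ == "__main__":
    missing, stale = run_check()
    for name in missing:
        print("MISSING:", name)
    for name, targets in stale:
        print("STALE:  ", name, "->", ", ".join(targets))
```

Against a live environment, replace `make_zone_lookup` with a function that queries the DNS server the clients actually use; a name that comes back missing is one the DC never registered (or that clients never reach because they ask the wrong server), and a stale one is a record to clean out before re-registering with `netdiag /fix`.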

Kevin Gallo

Dec 13, 2003, 4:02:34 PM
I finally did get this to work. After making some of the suggested fixes
all but 1 machine worked fine. I decided to reinstall Windows XP SP1 on
that machine to see if something was wrong with that machine and that seemed
to fix the problem.

Thanks for all the help and things are working fine now.

message news:ehFzCXwt...@TK2MSFTNGP11.phx.gbl...

Ace Fekay [MVP]

Dec 13, 2003, 5:56:57 PM
In news:%234N2yzb...@tk2msftngp13.phx.gbl,
Kevin Gallo <kevin...@hotmail.com> posted their thoughts, then I offered
mine
> I finally did get this to work. After making some of the suggested
> fixes all but 1 machine worked fine. I decided to reinstall Windows
> XP SP1 on that machine to see if something was wrong with that machine
> and that seemed to fix the problem.
>
> Thanks for all the help and things are working fine now.
>


Good. No prob for the help.
