Re: Cannot Apply GPO
From: John Losey (loseyjf_at_NOSPAM-comcast.net)
Date: 01/14/04
- Previous message: John Losey: "Re: Looking for a Windows 2003 Terminal Server Security Checklist"
- In reply to: Sage Morales: "Cannot Apply GPO"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 13 Jan 2004 22:11:58 -0800
What specifically are you thinking is wrong?
Looking at the post, I see a few big things jumping out.
* This server is VERY far behind in security updates, did you never hear of
Blaster? Install SP3 or SP4 and MS03-039 right away...
* It is pointing towards itself for WINS, yet the WINS test failed. Check
to see if the server is up.
* It is pointing towards itself for DNS, maybe you've got an Island DNS
situation? Point all the Win2K DCs towards the same DC for Primary DNS.
See KB 275278.
* You're also having a problem with the DC List test.
* The odds are that you're also having replication issues, run "repadmin
/showreps" to see this.
* A "netdiag /v" is also more helpful for describing what is erroring for
the tests that are failing.
THE ABSOLUTE FIRST THING TO DO IS TO INSTALL A CURRENT SERVICE PACK, AND
THEN THE CRITICAL UPDATES FROM http://windowsupdate.microsoft.com
After that, I'd probably start with pointing ALL the DCs towards the same DC
for Primary DNS, setting the zone to "Automatic Updates - Yes" (at least
temporarily), deleting the 4 "_" subdomains ("_msdcs", "_sites", "_tcp",
"_udp") in DNS, then running the following on each DC: "ipconfig /flushdns"
"ipconfig /registerdns" "net stop netlogon" "net start netlogon". This will
clear up the DNS Islands and should help your replication & name resolution
issues.
Also, if it is the clients who cannot apply a GPO, make sure that ICMP isn't
being blocked between them and the DC. The Netdiag from the DC shows some
things, but the application log on the machines not getting GPOs will tell
more. Are you seeing SceCli 1202's and UserENV 1000's? If so, what are the
errors listed in the text of those errors? If you run "gpotool /verbose" on
one of the DCs, do you see version mismatch errors between the DC's SYSVOL
versions?
The file MPSRPT_DIRSVC.exe from
http://www.microsoft.com/downloads/details.aspx?FamilyID=cebf3c7c-7ca5-408f-88b7-f9c79b7306c0&DisplayLang=en
will run many of the tools (gpotool, netdiag, dcdiag, repadmin, etc.) that
are often helpful for finding the cause of GPOs not applying. This is what
the folks from PSS would use to collect a snapshot of the system to help
identify the problem. The results of the tests will be written to
%systemroot%\mpsreports\dirsvc\logs (usually C:\winnt\mpsreports\dirsvc\logs
on a Win2K system).
John
275278 - DNS Server Becomes an Island When a Domain Controller Points to
Itself for the _Msdcs.ForestDnsName Domain
http://support.microsoft.com/?id=275278
"Sage Morales" <sage_morales@hotmail.com> wrote in message
news:eXMS6Xt1DHA.1336@TK2MSFTNGP12.phx.gbl...
> I ran the netdiag command and got the following; can anybody tell me if
> they see something wrong with this?:
>
>
>
>
> Computer Name: REALTY
> DNS Host Name: realty.realtyventures.biz
> System info : Windows 2000 Server (Build 3718)
> Processor : x86 Family 15 Model 2 Stepping 4, GenuineIntel
> List of installed hotfixes :
> Q147222
>
>
> Netcard queries test . . . . . . . : Passed
> [WARNING] The net card 'RAS Async Adapter' may not be working because it
> has not received any packets.
>
>
>
> Per interface results:
>
> Adapter : Local Area Connection
>
> Netcard queries test . . . : Passed
>
> Host Name. . . . . . . . . : realty
> IP Address . . . . . . . . : 192.168.1.148
> Subnet Mask. . . . . . . . : 255.255.255.0
> Default Gateway. . . . . . : 192.168.1.1
> Primary WINS Server. . . . : 192.168.1.148
> Dns Servers. . . . . . . . : 192.168.1.148
>
>
> AutoConfiguration results. . . . . . : Passed
>
> Default gateway test . . . : Passed
>
> NetBT name test. . . . . . : Passed
> No remote names have been found.
>
> WINS service test. . . . . : Failed
> The test failed. We were unable to query the WINS servers.
>
>
> Global results:
>
>
> Domain membership test . . . . . . : Passed
>
>
> NetBT transports test. . . . . . . : Passed
> List of NetBt transports currently configured:
> NetBT_Tcpip_{BAC8F160-80D0-4984-ADB4-13AB392008FB}
> 1 NetBt transport currently configured.
>
>
> Autonet address test . . . . . . . : Passed
>
>
> IP loopback ping test. . . . . . . : Passed
>
>
> Default gateway test . . . . . . . : Passed
>
>
> NetBT name test. . . . . . . . . . : Passed
>
>
> Winsock test . . . . . . . . . . . : Passed
>
>
> DNS test . . . . . . . . . . . . . : Passed
> PASS - All the DNS entries for DC are registered on DNS server
> '192.168.1.148' and other DCs also have some of the names registered.
>
>
> Redir and Browser test . . . . . . : Passed
> List of NetBt transports currently bound to the Redir
> NetBT_Tcpip_{BAC8F160-80D0-4984-ADB4-13AB392008FB}
> The redir is bound to 1 NetBt transport.
>
> List of NetBt transports currently bound to the browser
> NetBT_Tcpip_{BAC8F160-80D0-4984-ADB4-13AB392008FB}
> The browser is bound to 1 NetBt transport.
>
>
> DC discovery test. . . . . . . . . : Passed
>
>
> DC list test . . . . . . . . . . . : Failed
> Failed to enumerate DCs by using the browser.
> [ERROR_NETNAME_DELETED]
>
>
> Trust relationship test. . . . . . : Skipped
>
>
> Kerberos test. . . . . . . . . . . : Passed
>
>
> LDAP test. . . . . . . . . . . . . : Passed
>
>
> Bindings test. . . . . . . . . . . : Passed
>
>
> WAN configuration test . . . . . . : Skipped
> No active remote access connections.
>
>
> Modem diagnostics test . . . . . . : Passed
>
> IP Security test . . . . . . . . . : Skipped
>
> Note: run "netsh ipsec dynamic show /?" for more detailed information
>
>
> The command completed successfully
>
>
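The reply above reads the quoted netdiag output by eye: it picks out the tests marked Failed, notices that the DC lists its own address for both DNS and WINS, and sees that the hotfix list is effectively empty. The script below is an added example (not from either poster, and not a Microsoft tool) that does the same triage over a saved netdiag report. The sample input is constructed, abbreviated from the output quoted in the post; the parser assumes netdiag's "Key . . . : value" column layout, and the findings it raises are the ones the reply names (failed tests with their detail lines, island DNS per KB 275278, a self-pointed WINS server whose query failed, and a hotfix list holding nothing but the placeholder entry).

```python
"""Triage a saved ``netdiag`` report (added example, not from the thread).

Parses the test results and per-interface settings that netdiag prints and
raises the findings the reply reaches by hand.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample, abbreviated from the netdiag output quoted in the post.
SAMPLE_NETDIAG = """\
Computer Name: REALTY
DNS Host Name: realty.realtyventures.biz
System info : Windows 2000 Server (Build 3718)
List of installed hotfixes :
Q147222

Per interface results:

Adapter : Local Area Connection

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : realty
IP Address . . . . . . . . : 192.168.1.148
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 192.168.1.1
Primary WINS Server. . . . : 192.168.1.148
Dns Servers. . . . . . . . : 192.168.1.148

WINS service test. . . . . : Failed
The test failed. We were unable to query the WINS servers.

Global results:

DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server
'192.168.1.148' and other DCs also have some of the names registered.

DC list test . . . . . . . . . . . : Failed
Failed to enumerate DCs by using the browser.
[ERROR_NETNAME_DELETED]

Kerberos test. . . . . . . . . . . : Passed
"""

# "Key. . . . : value" lines; the dots are netdiag's column padding.
LINE_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*?)[ .]*:\s*(?P<value>.*?)\s*$")
RESULTS = ("Passed", "Failed", "Skipped")


def parse_netdiag(text: str) -> Tuple[Dict[str, str], Dict[str, str], Dict[str, List[str]], List[str]]:
    """Return (settings, test results, detail lines of failed tests, hotfix list)."""
    settings: Dict[str, str] = {}
    results: Dict[str, str] = {}
    details: Dict[str, List[str]] = {}
    hotfixes: List[str] = []
    current_failed = None   # test whose explanatory lines we are collecting
    in_hotfixes = False     # inside the "List of installed hotfixes" block
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:                    # a blank line ends any block
            current_failed = None
            in_hotfixes = False
            continue
        m = LINE_RE.match(line)
        if m:
            key, value = m.group("key"), m.group("value")
            in_hotfixes = key == "List of installed hotfixes"
            if value in RESULTS:            # a test verdict line
                results[key] = value
                current_failed = key if value == "Failed" else None
                if current_failed:
                    details[key] = []
            else:                           # a configuration setting
                settings[key] = value
                current_failed = None
        elif in_hotfixes:
            hotfixes.append(stripped)
        elif current_failed:                # free text under a failed test
            details[current_failed].append(stripped)
    return settings, results, details, hotfixes


def triage(text: str) -> List[str]:
    """Apply the checks from the reply and return human-readable findings."""
    settings, results, details, hotfixes = parse_netdiag(text)
    findings: List[str] = []
    for test, result in results.items():
        if result == "Failed":
            detail = "; ".join(details.get(test, [])) or "no detail printed"
            findings.append(f"{test} failed: {detail}")
    own_ip = settings.get("IP Address")
    dns_servers = settings.get("Dns Servers", "").split()
    if own_ip and dns_servers == [own_ip]:
        findings.append(f"DC lists only itself ({own_ip}) for DNS: island DNS risk "
                        "(KB 275278); point every DC at the same primary DNS server")
    if (own_ip and settings.get("Primary WINS Server") == own_ip
            and results.get("WINS service test") == "Failed"):
        findings.append(f"DC points to itself ({own_ip}) for WINS but the WINS query "
                        "failed: verify the WINS service is running")
    # Q147222 is the placeholder entry netdiag shows even with no hotfixes applied.
    if set(hotfixes) <= {"Q147222"}:
        findings.append("no real hotfixes listed: install the current service pack "
                        "and critical updates before anything else")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_NETDIAG):
        print("-", finding)
```

Run it against a real report with `netdiag /v > netdiag.txt` on the DC and feed the file's contents to `triage`; the verbose output adds explanatory lines under each failed test, which the parser keeps as that test's detail.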