Re: Cannot Apply GPO

From: John Losey (loseyjf_at_NOSPAM-comcast.net)
Date: 01/14/04

  • Next message: John Losey: "Re: Event Log monitoring"
    Date: Tue, 13 Jan 2004 22:11:58 -0800
    
    

    What specifically are you thinking is wrong?

    Looking at the post, I see a few big things jumping out.
    * This server is VERY far behind in security updates, did you never hear of
    Blaster? Install SP3 or SP4 and MS03-039 right away...
    * It is pointing towards itself for WINS, yet the WINS test failed. Check
    to see if the server is up.
    * It is pointing towards itself for DNS, maybe you've got an Island DNS
    situation? Point all the Win2K DCs towards the same DC for Primary DNS.
    See KB 275278.
    * You're also having a problem with the DC List test.

    * The odds are that you're also having replication issues, run "repadmin
    /showreps" to see this.
    * A "netdiag /v" is also more helpful for describing what is erroring for
    the tests that are failing.

    THE ABSOLUTE FIRST THING TO DO IS TO INSTALL A CURRENT SERVICE PACK, AND
    THEN THE CRITICAL UPDATES FROM http://windowsupdate.microsoft.com

    After that, I'd probably start with pointing ALL the DCs towards the same DC
    for Primary DNS, setting the zone to "Automatic Updates - Yes" (at least
    temporarily), deleting the 4 "_" subdomains ("_msdcs", "_sites", "_tcp",
    "_udp") in DNS, then running the following on each DC: "ipconfig /flushdns"
    "ipconfig /registerdns" "net stop netlogon" "net start netlogon". This will
    clear up the DNS Islands and should help your replication & name resolution
    issues.

    Also, if it is the clients who cannot apply a GPO, make sure that ICMP isn't
    being blocked between them and the DC. The Netdiag from the DC shows some
    things, but the application log on the machines not getting GPOs will tell
    more. Are you seeing SceCli 1202's and UserENV 1000's? If so, what are the
    errors listed in the text of those errors? If you run "gpotool /verbose" on
    one of the DCs, do you see version mismatch errors between the DC's SYSVOL
    versions?

    The file MPSRPT_DIRSVC.exe from
    http://www.microsoft.com/downloads/details.aspx?FamilyID=cebf3c7c-7ca5-408f-88b7-f9c79b7306c0&DisplayLang=en
    will run many of the tools (gpotool, netdiag, dcdiag, repadmin, etc.) that
    are often helpful for finding the cause of GPOs not applying. This is what
    the folks from PSS would use to collect a snapshot of the system to help
    identify the problem. The results of the tests will be written to
    %systemroot%\mpsreports\dirsvc\logs (usually C:\winnt\mpsreports\dirsvc\logs
    on a Win2K system).

    John

    275278 - DNS Server Becomes an Island When a Domain Controller Points to
    Itself for the _Msdcs.ForestDnsName Domain
    http://support.microsoft.com/?id=275278

    "Sage Morales" <sage_morales@hotmail.com> wrote in message
    news:eXMS6Xt1DHA.1336@TK2MSFTNGP12.phx.gbl...
    > I ran the netdiag command and got the following; can anybody tell me if
    > they see something wrong with this?:
    >
    >
    >
    >
    > Computer Name: REALTY
    > DNS Host Name: realty.realtyventures.biz
    > System info : Windows 2000 Server (Build 3718)
    > Processor : x86 Family 15 Model 2 Stepping 4, GenuineIntel
    > List of installed hotfixes :
    > Q147222
    >
    >
    > Netcard queries test . . . . . . . : Passed
    > [WARNING] The net card 'RAS Async Adapter' may not be working because it
    > has not received any packets.
    >
    >
    >
    > Per interface results:
    >
    > Adapter : Local Area Connection
    >
    > Netcard queries test . . . : Passed
    >
    > Host Name. . . . . . . . . : realty
    > IP Address . . . . . . . . : 192.168.1.148
    > Subnet Mask. . . . . . . . : 255.255.255.0
    > Default Gateway. . . . . . : 192.168.1.1
    > Primary WINS Server. . . . : 192.168.1.148
    > Dns Servers. . . . . . . . : 192.168.1.148
    >
    >
    > AutoConfiguration results. . . . . . : Passed
    >
    > Default gateway test . . . : Passed
    >
    > NetBT name test. . . . . . : Passed
    > No remote names have been found.
    >
    > WINS service test. . . . . : Failed
    > The test failed. We were unable to query the WINS servers.
    >
    >
    > Global results:
    >
    >
    > Domain membership test . . . . . . : Passed
    >
    >
    > NetBT transports test. . . . . . . : Passed
    > List of NetBt transports currently configured:
    > NetBT_Tcpip_{BAC8F160-80D0-4984-ADB4-13AB392008FB}
    > 1 NetBt transport currently configured.
    >
    >
    > Autonet address test . . . . . . . : Passed
    >
    >
    > IP loopback ping test. . . . . . . : Passed
    >
    >
    > Default gateway test . . . . . . . : Passed
    >
    >
    > NetBT name test. . . . . . . . . . : Passed
    >
    >
    > Winsock test . . . . . . . . . . . : Passed
    >
    >
    > DNS test . . . . . . . . . . . . . : Passed
    > PASS - All the DNS entries for DC are registered on DNS server
    > '192.168.1.148' and other DCs also have some of the names registered.
    >
    >
    > Redir and Browser test . . . . . . : Passed
    > List of NetBt transports currently bound to the Redir
    > NetBT_Tcpip_{BAC8F160-80D0-4984-ADB4-13AB392008FB}
    > The redir is bound to 1 NetBt transport.
    >
    > List of NetBt transports currently bound to the browser
    > NetBT_Tcpip_{BAC8F160-80D0-4984-ADB4-13AB392008FB}
    > The browser is bound to 1 NetBt transport.
    >
    >
    > DC discovery test. . . . . . . . . : Passed
    >
    >
    > DC list test . . . . . . . . . . . : Failed
    > Failed to enumerate DCs by using the browser.
    > [ERROR_NETNAME_DELETED]
    >
    >
    > Trust relationship test. . . . . . : Skipped
    >
    >
    > Kerberos test. . . . . . . . . . . : Passed
    >
    >
    > LDAP test. . . . . . . . . . . . . : Passed
    >
    >
    > Bindings test. . . . . . . . . . . : Passed
    >
    >
    > WAN configuration test . . . . . . : Skipped
    > No active remote access connections.
    >
    >
    > Modem diagnostics test . . . . . . : Passed
    >
    > IP Security test . . . . . . . . . : Skipped
    >
    > Note: run "netsh ipsec dynamic show /?" for more detailed information
    >
    >
    > The command completed successfully
    >
    >
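
Added example (not part of the original post, and not code from any Microsoft tool): a Python parser that pulls out of netdiag output the points the reply reads off by eye, namely the failed tests and a host that uses its own address for DNS and WINS. The function names are hypothetical, and it assumes a single adapter with one DNS server listed.

```python
# Excerpt of the netdiag output quoted in the post (quote markers removed).
SAMPLE = """\
Host Name. . . . . . . . . : realty
IP Address . . . . . . . . : 192.168.1.148
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 192.168.1.1
Primary WINS Server. . . . : 192.168.1.148
Dns Servers. . . . . . . . : 192.168.1.148
WINS service test. . . . . : Failed
The test failed. We were unable to query the WINS servers.
DNS test . . . . . . . . . . . . . : Passed
DC discovery test. . . . . . . . . : Passed
DC list test . . . . . . . . . . . : Failed
Failed to enumerate DCs by using the browser.
Trust relationship test. . . . . . : Skipped
"""


def parse_netdiag(text):
    """Split 'Label . . . : value' lines into adapter fields and test results."""
    fields, results = {}, {}
    for line in text.splitlines():
        label, sep, value = line.partition(" : ")
        if not sep:
            continue  # explanatory text under a test, not a result line
        label = label.lstrip("> ").rstrip(" .")  # drop quote marker and dot leader
        value = value.strip()
        if label.lower().endswith(" test"):
            # A test can appear per interface and globally; keep any failure.
            if results.get(label) != "Failed":
                results[label] = value
        else:
            fields[label] = value
    return fields, results


def findings(text):
    """List failed tests, then name services the host resolves through itself."""
    fields, results = parse_netdiag(text)
    out = [f"{name}: {status}" for name, status in results.items() if status == "Failed"]
    own_ip = fields.get("IP Address")
    # Self-referencing DNS/WINS is what the reply flags; it is a lead to check
    # against the other DCs (KB 275278), not proof of a DNS island on its own.
    for key in ("Dns Servers", "Primary WINS Server"):
        if own_ip and fields.get(key) == own_ip:
            out.append(f"{key} points at this host ({own_ip})")
    return out
```

Running `findings()` over the "netdiag /v" output saved from each DC gives a quick side-by-side of which tests fail where before moving on to "repadmin /showreps" and "gpotool /verbose".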

