GPupdate fails on new PC's

[TonyMiles]

Hi
I'm trying to install 16 Lenovo PC's on my existing Server 2008 r2 network with Win7 Pro x64 Image.

Everything builds ok but when I go to perform a GPUpdate I get the following message in dos:-

C:\>gpupdate
Updating Policy...

User Policy update has completed successfully.
Computer policy could not be updated successfully. The following errors were enc
ountered:

The processing of Group Policy failed. Windows could not resolve the computer na
me. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain co
ntroller has not replicated to the current domain controller).

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html f
rom the command line to access information about Group Policy results.

The GPReport generated reports the following in the Component Status section:-

Group Policy Infrastructure failed due to the error listed below.

Access is denied.

Note: Due to the GP Core failure, none of the other Group Policy components processed their policy. Consequently, status information for the other components is not available.

Additional information may have been logged. Review the Policy Events tab in the console or the application event log for events between 21/08/2012 10:13:57 and 21/08/2012 10:14:01.

The computers appears ok in AD. I have tried re-imaging using different computer name and I get the same problem

Any ideas from a desperate techie

[cpjitservices]

is DNS working properly ?

[localzuk]

Do the computers appear ok on the DNS server?

[TonyMiles]

Yes everything appears ok.

I can logon access shared rescource connect to the Internet.

[localzuk]

Yes everything appears ok.

I can logon access shared rescource connect to the Internet.

That doesn't confirm the DNS has records for those machines though.

In the DNS server console, do the computers have A records in place, with the correct IP addresses?

[gshaw]

Are they Thinkcentre Edge machines with Realtek NICs by any chance? Drivers for that card are awful, try enabling the GPO "always wait for network" and Google for the DHCP Media sense reg key that you might also need to disable.

[TonyMiles]

Sorry i'm being a bit thick here if i go into the DNS console and look up the forward lookup zone and click on the domain, I can see the coomputer entries are all there. The nics are Intel 82579LM and I can't see any reference to GPO in their settings

[gshaw]

Good news that they're not Realtek cards so that rules one thing out the equation

[TonyMiles]

I suppose so, althoug i'm still no nearer solving the problem

[localzuk]

Have you tried running dcdiag on one of the machines?

[TonyMiles]

I have just tried it and it failed what does it do? Nslookup reolves ok. I have tried logging onto a shared resource on the effected pc and it wont recognise the name but will connect if I enter the ip address, so it must be DNS not resolving the name.

[cpjitservices]

Yep, definitely looks like a DNS issue.

[TonyMiles]

Ok just ran dcdiag on server and it gave the following results:-
irectory Server Diagnosis

Performing initial setup:
Trying to find home server...
Home Server = GLENSVR01
* Identified AD Forest.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\GLENSVR01
Starting test: Connectivity
Message 0x621 not found.
Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
......................... GLENSVR01 failed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\GLENSVR01
Skipping all tests, because server GLENSVR01 is not responding to directory service requests.


Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation

Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation

Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation

Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation

Running partition tests on : Glenfield
Starting test: CheckSDRefDom
......................... Glenfield passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Glenfield passed test CrossRefValidation

Running enterprise tests on : Glenfield.Local
Starting test: LocatorCheck
......................... Glenfield.Local passed test LocatorCheck
Starting test: Intersite
......................... Glenfield.Local passed test Intersite

[TonyMiles]

I've found the fix for the above problem via Microsoft. After appling the fix I re-ran dcdiag again and got the following error message:-

rting test: SystemLog
An error event occurred. EventID: 0x40000004
Time Generated: 08/21/2012 14:08:49
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server ks2s-10$. The target name used was cifs/KS2S-10. T
his indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server princip
al name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is regi
stered on, and only registered on, the account used by the server. This error can also happen when the target service is using a differ
ent password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Pl
ease ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qu
alified, and the target domain (GLENFIELD.LOCAL) is different from the client domain (GLENFIELD.LOCAL), check if there are identically
named server accounts in these two domains, or use the fully-qualified name to identify the server.
......................... GLENSVR01 failed test SystemLog
Starting test: VerifyReferences
......................... GLENSVR01 passed test VerifyReferences

ks2s-10 is 1 of the computers giving me problems. Any suggestions as this is getting abit out of my league?

[Duke5A]

I ran into this just the other day with a student machine. Trying to ping anything by host name was failing, but when I pinged the local machine by its host name it resolved as an IPV6 address. Going into the adapter properties and unchecking IPV6 support resolved the issue.