Windows Server 2008 R2 Thread, Group Policies not applying in Technical
  1. #1
    Zenden
    Join Date: Mar 2009 | Location: Manchester | Posts: 153 | Thank Post: 69 | Thanked 32 Times in 25 Posts | Rep Power: 16

    Group Policies not applying

    Good Afternoon All,

    I am troubleshooting (and raging at) an issue with group policies not being applied intermittently in our ICT Suites.

    Symptoms:

    PC boots up and fails to perform an LDAP bind
    Then applies no group policies to the PC
    Then applies no group policies to any user who logs in!

    Error Log:
    System - Event ID 1006 - "The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description."
    ErrorCode - 85
    ErrorDescription - Timeout


    Notes:

    Restarting the PC completely resolves the issue as the bind then works at the next bootup and group policies are applied
    The issue happens to one computer in 30ish so is proving very difficult to chase!
    The issue does not happen to the same PC each time

    Things I have already done:
    Checked, double checked and treble checked our DNS infrastructure, all is perfect.
    Disabled Large Send Offload on the Virtual NIC for our virtual Domain controller (one virtual and one physical)

    I am completely baffled, can anyone shed any light on this? Any help hugely appreciated.

  2. #2

    Michael
    Join Date: Dec 2005 | Location: Birmingham | Posts: 8,941 | Thank Post: 232 | Thanked 1,510 Times in 1,206 Posts | Rep Power: 328

    I'm guessing you have more than one DC set up with DNS? If yes, it could be workstations talking to different DCs. I suspect at least one of your DCs is causing the problem.

  3. Thanks to Michael from:

    Zenden (26th February 2013)

  4. #3
    Zenden

    Originally posted by Michael:
        I'm guessing you have more than one DC set up with DNS? If yes, it could be workstations talking to different DCs. I suspect at least one of your DCs is causing the problem.

    Yes, I have one physical DC and one virtual DC on a Hyper-V cluster. Annoyingly enough, the error log does not flag up which DC it tried to bind with (this would have helped a lot!). They both have DNS running. At a guess I would say the virtual DC is the problem due to it sharing the physical NIC on the Hyper-V host (hence I disabled Large Send Offload, which is described in a similar problem at "Intermittent failures apparently related to DNS").

    Can anyone recommend a good troubleshooting method to narrow this down?

  5. #4
    chazzy2501
    Join Date: Jan 2008 | Location: South West | Posts: 1,723 | Thank Post: 206 | Thanked 254 Times in 206 Posts | Rep Power: 65

    If you run a GPresult it'll show you which DC it was using.

    You may also look at your switches and see if you have RSTP enabled for your edge devices as this may delay them getting a proper IP address before they boot and login.

  6. Thanks to chazzy2501 from:

    Zenden (28th February 2013)
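
One way to sweep the suite for the event 1006 failures from the first post and see which DC each client locates, as an added example that is not part of the thread. The machine names, domain and 14-day window are constructed placeholders; the ErrorCode and ErrorDescription field names are taken from the event details quoted in the first post.

```powershell
# Added example (not from the thread). Machine names and domain are constructed placeholders.
$Computers = 'ICT1-PC01', 'ICT1-PC02', 'ICT1-PC03'
$Domain    = 'school.example'
$Since     = (Get-Date).AddDays(-14)

# Pull one named field out of an event record's <EventData> block.
function Get-EventField($Record, [string]$Name) {
    $xml = [xml]$Record.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$report = foreach ($pc in $Computers) {
    # DC this client locates right now; the 1006 event itself does not record one.
    $dcLine = & nltest.exe "/server:$pc" "/dsgetdc:$Domain" 2>$null |
        Select-String -Pattern '^\s*DC:\s*(\S+)' | Select-Object -First 1
    $dc = if ($dcLine) { $dcLine.Matches[0].Groups[1].Value } else { 'unknown' }

    try {
        $events = @(Get-WinEvent -ComputerName $pc -ErrorAction Stop -FilterHashtable @{
            LogName = 'System'; ProviderName = 'Microsoft-Windows-GroupPolicy'
            Id = 1006; StartTime = $Since
        })
    } catch {
        # "No matching events" is a healthy result; anything else means the query failed.
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            Write-Warning "$pc : $($_.Exception.Message)"
        }
        continue
    }

    foreach ($e in $events) {
        New-Object PSObject -Property @{
            Computer    = $pc
            Time        = $e.TimeCreated
            ErrorCode   = Get-EventField $e 'ErrorCode'
            Description = Get-EventField $e 'ErrorDescription'
            CurrentDC   = $dc
        }
    }
}

# Failures clustered in time across several PCs point at a DC or the network, not one client.
$report | Sort-Object Time |
    Format-Table Time, Computer, ErrorCode, Description, CurrentDC -AutoSize
```

Run it from an account with administrative rights on the clients; remote event log access has to be allowed through each client's firewall.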

  7. #5

    Michael

    I'd agree that the virtual DC is most likely the culprit. Remove its DNS IP from DHCP Server. After a number of days you should be able to tell if it's worked, allowing you to concentrate on fixing the problem.

  8. Thanks to Michael from:

    Zenden (28th February 2013)

  9. #6
    ricki
    Join Date: Jul 2005 | Location: uk | Posts: 1,466 | Thank Post: 20 | Thanked 164 Times in 157 Posts | Rep Power: 51

    Hi

    Is the time on the client and the server being synced and the same? If they are more than 5 mins out Kerberos will fail.

    Have you tried a netdiag and a dcdiag on your servers to see if there are errors?

    Are your domain controllers replicating? Try repadmin /showrepl on the servers.

    Have you checked the servers for errors in the event log?

    If you do a rsop.msc on the client does it show any errors?

    Try bginfo to set the wallpaper with the logon server on the screen. It might help you tie down which server it is.

    Richard

  10. Thanks to ricki from:

    Zenden (28th February 2013)

  11. #7
    Zenden

    Originally posted by chazzy2501:
        If you run a GPresult it'll show you which DC it was using.

        You may also look at your switches and see if you have RSTP enabled for your edge devices as this may delay them getting a proper IP address before they boot and login.

    I did run a gpresult when I was troubleshooting this last week and I believe it came back with no RSOP data. But I will double check as it's been a hectic week and my head is a bit all over the place.

    Originally posted by Michael:
        I'd agree that the virtual DC is most likely the culprit. Remove its DNS IP from DHCP Server. After a number of days you should be able to tell if it's worked, allowing you to concentrate on fixing the problem.

    I will keep this till last in my troubleshooting as a final "trial and error" step if I can't narrow it down any further, good idea.

    Originally posted by ricki:
        Hi

        Is the time on the client and the server being synced and the same? If they are more than 5 mins out Kerberos will fail.

        Have you tried a netdiag and a dcdiag on your servers to see if there are errors?

        Are your domain controllers replicating? Try repadmin /showrepl on the servers.

        Have you checked the servers for errors in the event log?

        If you do a rsop.msc on the client does it show any errors?

        Try bginfo to set the wallpaper with the logon server on the screen. It might help you tie down which server it is.

        Richard

    I've done the diag tests although I haven't run a replication test so I will get doing that. Time on the client seems fine but they are quite outdated machines, perhaps the time in the CMOS could be related?

    Unfortunately BGinfo fails (I actually use it anyway) as the script runs through group policy! Perhaps running it through the AD profile tab will force the issue though!

    Much appreciated advice all :-)

  12. #8
    ricki

    Hi

    Have you tried knocking them off the domain and putting them back on? Also don't forget to check they are in the correct OU.

    Richard

  13. Thanks to ricki from:

    Zenden (28th February 2013)

  14. #9
    ricki

    Hi

    Is the nic card in this machine a gig card?

    Also is the machine picking up a DHCP IP address or an APIPA address?

    Richard

  15. Thanks to ricki from:

    Zenden (28th February 2013)

  16. #10
    Zenden

    Originally posted by ricki:
        Hi

        Have you tried knocking them off the domain and putting them back on? Also don't forget to check they are in the correct OU.

        Richard

    Hi Richard,

    The same PC actually works fine after a reboot so it is not an issue with domain membership or with the group policy setup or OU location as these all work correctly after a reboot (and then fine for a couple of weeks). It is an issue with the PC (which is never the same PC each time) binding to the domain during bootup in order to then apply the policies. It is a very strange issue indeed.

  17. #11
    Zenden

    Originally posted by ricki:
        Hi

        Is the nic card in this machine a gig card?

        Also is the machine picking up a DHCP IP address or an APIPA address?

        Richard

    Gigabit card and picking up an address. It can ping the server, nslookup is fine etc. It is the initial bind of the PC via LDAP which is failing.
    Last edited by Zenden; 28th February 2013 at 11:04 AM.

  18. #12
    Zenden

    Good Morning All,

    Sorry for the lack of an update, I had a week's holiday from work (moving house so not really a holiday but hey!). It seems (hopefully) that this issue is now resolved and that it was in fact the "large send offload" setting on the VM's network card which caused the issue. After returning on Friday I haven't seen the issue once and my technicians are reporting that it hadn't happened while I was away either!

    So for anyone on Hyper-V with a virtual DC: disable Large Send Offload for IPv4 and IPv6 on your VM's network card or you will end up chasing your tail like I did!

    Thanks for the help everyone

  19. #13
    ricki

    Hi

    Have a look at this: "Windows 7 Clients intermittently fail to apply group policy at startup". We had this problem on some computers, till applying this, when the network was running slow.

    We traced our network running slow to a couple of bad NIC cards and some machines broadcasting, but we had to sniff the network to find them.

    Richard

  20. #14
    Zenden

    Originally posted by ricki:
        Hi

        Have a look at this: "Windows 7 Clients intermittently fail to apply group policy at startup". We had this problem on some computers, till applying this, when the network was running slow.

        We traced our network running slow to a couple of bad NIC cards and some machines broadcasting, but we had to sniff the network to find them.

        Richard

    Hi Richard,

    My apologies for the delay in getting back to you, I did not notice your response!

    Did you have the event logs listed on that Microsoft KB when you had the problem? My event logs were only showing event 1006 (which is LDAP bind failed).

  21. #15
    Zenden

    Originally posted by ricki:
        Hi

        Have a look at this: "Windows 7 Clients intermittently fail to apply group policy at startup". We had this problem on some computers, till applying this, when the network was running slow.

        We traced our network running slow to a couple of bad NIC cards and some machines broadcasting, but we had to sniff the network to find them.

        Richard

    This issue did return intermittently but has lessened a fair bit (now once every week if that). I have enabled the setting as linked Richard to 90 seconds and will review it over the next half term, hopefully this will be the end of it.

    Thanks very much.
