
Group Policy Not Applying Correctly 1

Status
Not open for further replies.
Oct 21, 2004
183
US
The problem I'm running into involves WSUS. I had to change servers and WSUS is on a new server now.

Well of course I had all these systems that were going to the old server so I changed the Group Policy to go towards the new WSUS server.

Problem is that some of them aren't detecting. I got all clients to detect by going to each system and manually editing the registry to go to the new WSUS...But the next time the Group Policy applies it sets it back.

This is only on about 7 out of 35 machines that this is happening. The rest are doing fine.

Any suggestions?
 
First, sorry to post so much; I'm finding things as I go.

DCDiag on PDC all checks out.

DCDiag on the other one yet again has some warning stuff.

Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\SERVER
Starting test: Connectivity
......................... SERVER passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\SERVER
Starting test: Replications
......................... SERVER passed test Replications
Starting test: NCSecDesc
......................... SERVER passed test NCSecDesc
Starting test: NetLogons
......................... SERVER passed test NetLogons
Starting test: Advertising
......................... SERVER passed test Advertising
Starting test: KnowsOfRoleHolders
......................... SERVER passed test KnowsOfRoleHolders
Starting test: RidManager
......................... SERVER passed test RidManager
Starting test: MachineAccount
......................... SERVER passed test MachineAccount
Starting test: Services
SMTPSVC Service is stopped on [SERVER]
......................... SERVER failed test Services
Starting test: ObjectsReplicated
......................... SERVER passed test ObjectsReplicated
Starting test: frssysvol
......................... SERVER passed test frssysvol
Starting test: kccevent
An Warning Event occured. EventID: 0x80000679
Time Generated: 01/06/2006 15:40:10
Event String: The Inter-Site Messaging Service requested an
An Error Event occured. EventID: 0xC00005BA
Time Generated: 01/06/2006 15:40:10
Event String: The Inter-Site Messaging Service SMTP Transport
An Warning Event occured. EventID: 0x80000581
Time Generated: 01/06/2006 15:40:10
Event String: The Inter-Site Messaging Service SMTP Transport
An Error Event occured. EventID: 0xC000055D
Time Generated: 01/06/2006 15:40:10
Event String: The query for messages for service
......................... SERVER failed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0x00000457
Time Generated: 01/06/2006 15:39:00
Event String: Driver hp deskjet 960c required for printer
An Error Event occured. EventID: 0x00000452
Time Generated: 01/06/2006 15:39:00
Event String: The printer could not be installed.
An Error Event occured. EventID: 0x0000041B
Time Generated: 01/06/2006 15:39:40
Event String: The DHCP/BINL service has determined that it is
......................... SERVER failed test systemlog

Running enterprise tests on : DOMAIN.Local
Starting test: Intersite
......................... DOMAIN.Local passed test Intersite
Starting test: FsmoCheck
......................... DOMAIN.Local passed test FsmoCheck
 
On each server run the following commands:

IPCONFIG /FLUSHDNS
IPCONFIG /REGISTERDNS

Wait at least 15 minutes then re-run your DCDIAG and NETDIAG tests.

I hope you find this post helpful.

Regards,

Mark
 
Also make absolutely certain that each server only has itself and the other server listed on the NIC for DNS.

ISP DNS servers should only be listed on the DNS Forwarders tab in the DNS Snap-In.

I hope you find this post helpful.

Regards,

Mark
 
Did that on both servers and my "problem server" is still showing the same on both of those.

I noticed this in the event log about 4 1/2 hours ago.

The DNS server encountered a packet addressed to itself -- IP address IP OF THIS MACHINE WAS HERE.

The DNS server should never be sending a packet to itself. This situation usually indicates a configuration error.

Check the following areas for possible self-send configuration errors:
1) Forwarders list. (DNS servers should not forward to themselves).
2) Master lists of secondary zones.
3) Notify lists of primary zones.
4) Delegations of subzones. Must not contain NS record for this DNS server unless subzone is also on this server.

Example of self-delegation:
-> This DNS server dns1.foo.com is the primary for the zone foo.com.
-> The foo.com zone contains a delegation of bar.foo.com to dns1.foo.com,
(bar.foo.com NS dns1.foo.com)
-> BUT the bar.foo.com zone is NOT on this server.

Note, you should make this delegation check (with nslookup or DNS manager) both on this DNS server and on the server(s) you delegated the subzone to. It is possible that the delegation was done correctly, but that the primary DNS for the subzone, has any incorrect NS record pointing back at this server. If this incorrect NS record is cached at this server, then the self-send could result. If found, the subzone DNS server admin should remove the offending NS record.
 
How many zones do you have?


I hope you find this post helpful.

Regards,

Mark
 
To reiterate what Mark said, go to the TCP/IP properties of the NIC on ALL DCs. Each DC should be set up as an internal DNS server for AD.

On each NIC, the primary DNS Server should be itself. The secondary should be the other DC.

On each DNS Server config, you should have a forwarder set up for all unknown requests to go to upstream DNS servers, like your ISP.
 
That could be a problem...I know the primary on the server that's causing issues is the other server with no secondary...I'll change that when I get back Monday and see if it helps.

As far as:
On each DNS Server config, you should have a forwarder set up for all unknown requests to go to upstream DNS servers, like your ISP.

Could you explain or point me to a guide that explains how to do this....I'm new to all this DNS DC stuff.

THX for the help guys...much appreciated!
 
If you open the DNS server manager, you can go into the properties of the DNS server. On the properties menu, you should have a forwarders tab. On that tab, you should already have an entry in the top part of the page that says something like "All other...". When you highlight that entry, you should be able to go into the bottom part and add IPs. So now when you highlight the "All other..." part at the top, you should see the IPs you entered for upstream DNS providers like your ISP.

 
Ok I've now changed the DNS fields and the Nic Settings.

The problem machine had the other server as the primary and itself as the secondary so I switched the two.

The other problem when going into the forwarder area was that it was set to forward to itself. Most likely because it used to be the PDC at our other location and the 3rd party that helped in the move didn't format and clean install it like I wanted.

So I've now removed that so we'll see if it helps at all.

Do you think this will fix the GPO issue? I guess my fix of disjoining and rejoining the machines didn't work because all those machines haven't contacted the WSUS server since, so I'm guessing they were changed back by the OLD GPO.
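
The DNS layout recommended in the replies above (each DC lists itself first and the other DC second on its NIC, and never forwards to itself) can be checked with a script. This is an added example, not part of the original posts; it assumes a server with the DnsServer PowerShell module, and the `$otherDC` address is a placeholder.

```powershell
# Added example: run on each DC in an elevated session (needs the DnsServer module).
Import-Module DnsServer

# Assumption: placeholder address; replace with the other DC's IP.
$otherDC = '192.0.2.11'

# Addresses that count as "this server": loopback plus every bound IPv4 address.
$selfIPs = @('127.0.0.1') +
    @(Get-NetIPAddress -AddressFamily IPv4 | Select-Object -ExpandProperty IPAddress)

$findings = @()

# 1) Forwarders: a DNS server must not forward to itself.
$forwarders = @((Get-DnsServerForwarder).IPAddress | Where-Object { $_ } |
    ForEach-Object { $_.ToString() })
foreach ($f in $forwarders) {
    if ($selfIPs -contains $f) {
        $findings += "Forwarder $f is this server's own address (self-send)."
    }
}

# 2) NIC DNS list: itself first, the other DC second, nothing else (no ISP DNS).
$nics = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses }
foreach ($nic in $nics) {
    $dns  = @($nic.ServerAddresses)
    $name = $nic.InterfaceAlias
    if ($selfIPs -notcontains $dns[0]) {
        $findings += "${name}: primary DNS $($dns[0]) is not this server."
    }
    if ($dns.Count -lt 2 -or $dns[1] -ne $otherDC) {
        $findings += "${name}: secondary DNS is not the other DC ($otherDC)."
    }
    foreach ($d in $dns) {
        if ($selfIPs -notcontains $d -and $d -ne $otherDC) {
            $findings += "${name}: $d is neither DC; only the two DCs belong on the NIC."
        }
    }
}

if ($findings) { $findings }
else { 'NIC DNS order and forwarders match the layout described in the thread.' }
```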
 
Since you made those changes, you may want to flush the DNS server cache, and do these commands from the DNS servers:

ipconfig /flushdns
ipconfig /registerdns


Once you do those steps, go to one of your workstations that should get the policy and run gpupdate /force. If you know some of the settings that should be applied, run rsop.msc and check that setting.
 
Ok I think it's working.....I actually had to restart that server just now for other reasons and when it came back up it started downloading the WSUS updates.

Went to a station that hasn't checked and did a gpupdate /force and it changed!!

Thanks so much for your help guys!

I've learned something new:)
 
Coming back in case anyone else ever had this issue. Turned out that helped somewhat but still didn't fix the issue. I guess the GPO I had for the WSUS service I was using didn't have the read right for Enterprise Domain Controllers and that was causing the issue.
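
The two things this thread ends up pointing at can be inspected directly: whether Enterprise Domain Controllers has Read on the WSUS GPO, and which WSUS server policy actually wrote into a client's registry. This is an added example, not part of the original posts; the GPO name and WSUS URL are placeholders, and the function names are hypothetical.

```powershell
# Added example. Assumptions (placeholders, not from the thread):
$gpoName      = 'WSUS Clients'                         # display name of the WSUS GPO
$expectedWsus = 'http://wsus-new.example.local:8530'   # URL of the new WSUS server

# Run where the GroupPolicy module (GPMC/RSAT) is installed.
function Test-GpoEdcRead {
    param([string]$Name)
    Import-Module GroupPolicy
    $edcSid = 'S-1-5-9'   # well-known SID of Enterprise Domain Controllers
    $entry = Get-GPPermission -Name $Name -All |
        Where-Object { $_.Trustee.Sid.Value -eq $edcSid }
    [pscustomobject]@{
        Gpo        = $Name
        Permission = if ($entry) { $entry.Permission } else { 'None' }
        HasRead    = [bool]$entry
    }
}

# Run on an affected client: shows what Group Policy last wrote, which is
# what overwrites a manual registry edit at the next policy refresh.
function Get-WsusClientPolicy {
    param([string]$Expected)
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $au  = Get-ItemProperty -Path "$key\AU" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        UseWUServer    = $au.UseWUServer
        MatchesNewWsus = ($wu.WUServer -eq $Expected -and
                          $wu.WUStatusServer -eq $Expected -and
                          $au.UseWUServer -eq 1)
    }
}

Test-GpoEdcRead -Name $gpoName
Get-WsusClientPolicy -Expected $expectedWsus

# If HasRead is False, Read can be granted with:
# Set-GPPermission -Name $gpoName -TargetName 'Enterprise Domain Controllers' `
#     -TargetType Group -PermissionLevel GpoRead
```

After changing the permission, run `gpupdate /force` on a client and call `Get-WsusClientPolicy` again to confirm the values now point at the new server.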
 