Group Policy Issues with WAN

[freaknut]

I am administering a WAN where there are two office locations with the domain controller (The domain controller is Server 2003 Standard Edition, Service Pack 2) at a third location. On both networks there are a couple PCs using Cat5, whereas the rest are laptops (about 30 or so) using wireless connections. Until just recently (about 3 months ago), all of the machines were running Windows XP Pro. We have begun to add new laptops and decided to start moving over to Vista Business, so all new laptops have Vista, but the old machines still have XP.

This is the problem I'm having: Some of the machines do not apply group policy from the domain controller, but others will apply it just fine.

• I am only having this issue with XP Pro machines (all of the Vista laptops are working fine so far).
• Not all of the XP machines are having this problem.
• The machines that have this problem can not be browsed over the network using Windows explorer. Machines that do apply group policy CAN be browsed over the network.
• All XP machines, regardless of whether or not they apply group policy, get the following System Event Log:
  • Event Type: Error
    Event Source: NETLOGON
    Event Category: None
    Event ID: 5719
    Date: 3/22/2008
    Time: 3:16:35 AM
    User: N/A
    Computer: TECHSUPPORT
    Description:
    No Domain Controller is available for domain GCBDD due to the following:
    There are currently no logon servers available to service the logon request. .
    Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
    
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 5e 00 00 c0 ^..À
    
• All of the Vista machines, even though they do apply group policy, get the following System Event Log:
  • Log Name: System
    Source: NETLOGON
    Date: 4/2/2008 11:19:21 AM
    Event ID: 5719
    Task Category: None
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: MaryAnn.GCBDD.ORG
    Description:
    This computer was not able to set up a secure session with a domain controller in domain GCBDD due to the following:
    There are currently no logon servers available to service the logon request.
    This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.
    
    ADDITIONAL INFO
    If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
    </Event>
• You can ping all the machines that will apply group policy, but can not ping any machines that do NOT apply group policy
• I have compared network settings between computers that do apply group policy and computers that do not. I have not found any differences in the network settings.
• I have tried removing some of the problem computers from the domain, deleting the computers from active directory, then adding the machines back on. To no avail.
• For laptops on wireless connections...I have tried switching to a Cat5 connection. Again, to no avail.
• I know for a fact that it is not on a user basis: I have used the same user for all testing, and it has worked on some machines and not worked on other machines.

Thanks for you help!

 

[Wanderer2]

Do the machines exist in Active Directory?
Does DNS have these machines listed with host and ptr records?
Does each server run DNS server?
What DNS server is the third site pointed to of the two available?
XP windows firewalls disabled?

Appears to me from the errors, your name resolution is not working properly, which points to DNS

 

[freaknut]

Do the machines exist in Active Directory?

Yes

Does DNS have these machines listed with host and ptr records?

I'm not sure exactly what you mean by this question, but all the computers are listed as host records with IP addresses in the Forward Lookup Zone for this specific domain.

Does each server run DNS server? What DNS server is the third site pointed to of the two available?

I apologize for not neing more clear. There are two office locations that do NOT have servers. The only server on the network is at a third hosting location and is used as the DNS server for the entire WAN.

XP windows firewalls disabled?

Yes

Appears to me from the errors, your name resolution is not working properly, which points to DNS

Those were initially my thoughts, but all computer names, when I ping them, resolve properly. I just don't get any ping responses.

 

[Wanderer2]

"The only server on the network is at a third hosting location and is used as the DNS server for the entire WAN."

This is the same server rolling out the group policies eg. MS server running AD and DNS?

On the machines that can't be browsed is netbios disabled? [tcp/ip/advanced/wins tab]

 

[freaknut]

"The only server on the network is at a third hosting location and is used as the DNS server for the entire WAN."

This is the same server rolling out the group policies eg. MS server running AD and DNS?

Correct.

On the machines that can't be browsed is netbios disabled? [tcp/ip/advanced/wins tab]

netbios is set to default. I tried setting it to Enabled and restarted it a few times, but that didn't make a difference, so I set it back to default.

 

[Wanderer2]

How are the pcs getting their ip addresses?
Are they pointed to the MS server for DNS? First listing in workstation dns list?

This maybe the key: are the two remote sites defined in Active Directory sites and services? They should be in different subnets so you would enter sites and services and define the site by subnet. This way AD knows about them.

 

[freaknut]

How are the pcs getting their ip addresses?
Are they pointed to the MS server for DNS? First listing in workstation dns list?

The internal IP for the DNS server is at the top of the workstation dns list.

This maybe the key: are the two remote sites defined in Active Directory sites and services? They should be in different subnets so you would enter sites and services and define the site by subnet. This way AD knows about them.

The only item defined in AD Sites and Services is under Sites --> Default-First-Site-Name --> Servers --> [SERVER NAME]

I am not a certified network tech, and am merely keeping up the WAN that was set up before I came here, so I'm not completely familiar with everything used in setting up WANs and Domains (AD Sites and Services being one such thing).

 

[Wanderer2]

I would suggest creating two sites, one for each remote location. Under each new site you have subnets. Add those sites subnet to each. See if this solves the GP issue. You can always remove these sites later with no impact.

 

[freaknut]

I'm currently working on adding these sites, but I'm unfamiliar with Active Directory Sites and Services. Do you have any suggestions on how-to reading materials? I'm going through the msdn guide right now.

 

[tipstir]

Active Directory isn't the hard to learn you Server has enough info on how to setup, configure and administration. Setting up user and computer groups is where I would start first. I don't know how you have your users login by name or number which in this case doesn't matter. Each user will have a profile of what software group, internet they can access. The same can be done for the computer name also. Take some work but you can do it. I never read any books on the subject myself, just know what to do by hands on experience.

 

[freaknut]

I'm familiar with Active Directory Users and Computers. I've done plenty of configuration with users, groups, group policy, etc., but I haven't done a whole lot of WAN configuration, which I guess is where the Active Directory Sites and Services comes in.

So I added a new site and added a subnet that points to that site. Do I have to add a server to that new site?

 

[tipstir]

Yes.. and that depends on the type of access you want to give on that server?

 

[Wanderer2]

No you do not have to add a server. All you did was let Active Directory know about that subnet.

Any difference in GPO rollout?

 

[tipstir]

Can be done also but that's optional..

 

[freaknut]

No change yet.