Startup script GPO fails to deploy

    Question

  • Hello everyone,

    I've been bashing my head against an issue I've encountered at my new job as a sysadmin - I need to deploy an inventory software via GPO (OCSInventory). Going through the software's documentation, I prepared everything required (startup/logon script and executable), created the GPO and... nothing. Now, some overview: we have four domain controllers spread out across three sites (a site and a failed DC had to be decommissioned, which I did cleanly with dcpromo /forceremoval and metadata cleanup). AD is a mess inherited from someone else, but I've verified that SYSVOL replication (DFS) is normal, DNS is configured and is working properly, and accounts are set up correctly.

    Workstations are Windows 7 Pro x64 SP1 fully updated. Servers are Windows Server 2008 R2 x64.

    GPO: startup script at %SYSVOL%\-domain-\Policies\-GPO-\Machine\Scripts\Startup invokes a silent installation and connection to webserver of an executable that's located in the same folder as the scripts (per OCSInventory's instructions).

    Synchronous deployment ("Always wait for network...") is Enabled. Gpresult shows that the GPO is applied and not filtered out but script doesn't run.

    When I start a workstation, I get the following errors:

    Log Name:      System
    Source:        NETLOGON
    Date:          1/30/2017 9:06:35 AM
    Event ID:      5719
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      COMPUTER.DOMAIN.com
    Description:
    This computer was not able to set up a secure session with a domain controller in domain DOMAIN due to the following: 
    There are currently no logon servers available to service the logon request. 
    This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.  

    ADDITIONAL INFO 
    If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="NETLOGON" />
        <EventID Qualifiers="0">5719</EventID>
        <Level>2</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2017-01-30T07:06:35.000000000Z" />
        <EventRecordID>9446</EventRecordID>
        <Channel>System</Channel>
        <Computer>COMPUTER.DOMAIN.com</Computer>
        <Security />
      </System>
      <EventData>
        <Data>DOMAIN</Data>
        <Data>%%1311</Data>
        <Binary>5E0000C0</Binary>
      </EventData>
    </Event>

    Log Name:      System
    Source:        Microsoft-Windows-GroupPolicy
    Date:          1/30/2017 9:06:35 AM
    Event ID:      1055
    Task Category: None
    Level:         Error
    Keywords:      
    User:          SYSTEM
    Computer:      COMPUTER.DOMAIN.com
    Description:
    The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following: 
    a) Name Resolution failure on the current domain controller. 
    b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
        <EventID>1055</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>1</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2017-01-30T07:06:35.656019900Z" />
        <EventRecordID>9513</EventRecordID>
        <Correlation ActivityID="{FED3F85B-CD89-45F8-917D-2178EAE88BF9}" />
        <Execution ProcessID="400" ThreadID="1188" />
        <Channel>System</Channel>
        <Computer>COMPUTER.DOMAIN.com</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data Name="SupportInfo1">1</Data>
        <Data Name="SupportInfo2">2052</Data>
        <Data Name="ProcessingMode">1</Data>
        <Data Name="ProcessingTimeInMilliseconds">0</Data>
        <Data Name="ErrorCode">1355</Data>
        <Data Name="ErrorDescription">The specified domain either does not exist or could not be contacted. </Data>
      </EventData>
    </Event>

    Until last week the workstations also generated the following errors:

    Log Name:      System
    Source:        Microsoft-Windows-Time-Service
    Date:          1/27/2017 3:02:26 PM
    Event ID:      129
    Task Category: None
    Level:         Warning
    Keywords:      
    User:          LOCAL SERVICE
    Computer:      COMPUTER.DOMAIN.com
    Description:
    NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Time-Service" Guid="{06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB}" />
        <EventID>129</EventID>
        <Version>0</Version>
        <Level>3</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2017-01-27T13:02:26.589472000Z" />
        <EventRecordID>9375</EventRecordID>
        <Correlation />
        <Execution ProcessID="1008" ThreadID="2068" />
        <Channel>System</Channel>
        <Computer>COMPUTER.DOMAIN.com</Computer>
        <Security UserID="S-1-5-19" />
      </System>
      <EventData Name="TMP_EVENT_DOMAIN_PEER_DISCOVERY_ERROR">
        <Data Name="ErrorMessage">The entry is not found. (0x800706E1)</Data>
        <Data Name="RetryMinutes">3473457</Data>
      </EventData>
    </Event>

    I got this resolved after noticing that the main site DC1 was configured with the loopback address 127.0.0.1 ONLY in the DNS Servers in the IPv4 Network Adapter properties -> I added the other site DCs as DNS servers, although I left the loopback address as primary DNS as this is the only DC in the main site. I also had to reboot it to complete the removal of properties from the removed site/DC, and I haven't seen the Ntp errors recur (note that workstations are getting time properly).

    Now here comes the weird part...

    I booted some VMs on my workstation. One clean Windows 7 x64, one updated to SP1, one fully updated. ALL deployed the GPO. Ran gpresult /R and rsop.msc and the GPO is applied normally, no errors at all. The software is being installed at startup.

    I also noticed that if I tested by disabling and enabling the GPO to a test group of PCs after they have booted up and connected to the network, they're not generating errors in the event logs. New settings from GPO are being applied.

    This leads me to believe that the network adapters aren't starting fully or there are some networking issues that prevent the startup script from executing, as it takes time for the machines to log in and authenticate to the DC, but I am at a loss why.

    Any ideas would be greatly appreciated...

    Monday, January 30, 2017 10:05 AM
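The loopback-only DNS client setting found on DC1 above is easy to miss by eye across several DCs. The following PowerShell audit is an added example, not code from the original thread or from OCSInventory; it assumes you run it from a domain-joined host as a domain admin with WMI (RPC) access to every DC, and it sticks to WMI so that it works on Windows 7 / Server 2008 R2 (PowerShell 2.0), where Get-DnsClientServerAddress does not exist.

```powershell
# Added example, not part of the original thread: audit every DC's DNS client
# configuration for the loopback-only setting the poster found on DC1.
# Assumptions: run from a domain-joined host as a domain admin with WMI (RPC) access
# to each DC; PowerShell 2.0 / Server 2008 R2 compatible, hence WMI rather than
# Get-DnsClientServerAddress.

$domain    = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dcs       = @($domain.FindAllDomainControllers() | ForEach-Object { $_.Name })
$loopbacks = @('127.0.0.1', '::1')

$report = foreach ($dc in $dcs) {
    try {
        $nics = @(Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
                     -Filter 'IPEnabled = TRUE' -ComputerName $dc -ErrorAction Stop)
    } catch {
        New-Object PSObject -Property @{
            DC = $dc; Adapter = 'n/a'; DnsServers = ''
            Finding = "WMI query failed: $($_.Exception.Message)"
        }
        continue
    }
    foreach ($nic in $nics) {
        # DNSServerSearchOrder is $null when no DNS server is configured at all
        $servers = @($nic.DNSServerSearchOrder | Where-Object { $_ })
        $peers   = @($servers | Where-Object { $loopbacks -notcontains $_ })
        $finding = if ($servers.Count -eq 0)   { 'NO DNS SERVERS configured' }
                   elseif ($peers.Count -eq 0) { 'LOOPBACK ONLY: add at least one other DC as DNS server' }
                   elseif ($peers.Count -eq 1 -and $dcs.Count -gt 2) { 'only one peer DC listed; consider a second one for a site outage' }
                   else                        { 'OK' }
        New-Object PSObject -Property @{
            DC = $dc; Adapter = $nic.Description
            DnsServers = ($servers -join ', '); Finding = $finding
        }
    }
}
$report | Sort-Object DC | Format-Table DC, Adapter, DnsServers, Finding -AutoSize

# Client-side view: which DC does the locator actually return for this host's site?
nltest "/dsgetdc:$($domain.Name)" /force
```

A DC that lists only itself for DNS cannot resolve anything while its own DNS service is still starting after a reboot, which is exactly the window in which the locator records, the SRV lookups behind event 5719 and the NTP peer discovery behind event 129 are needed; the nltest call at the end confirms which DC the clients in the current site are being handed.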

All replies

  • Hi,
    If I understand correctly, the GPO with the startup script is successfully applied and the software is installed after rebooting the clients, am I right?
    If that is the case, please check if the following policy is enabled:
    Computer Configuration\Administrative Templates\System\Logon\Always wait for the network at computer startup and logon. If not, please try enabling it to see if it works.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, January 31, 2017 3:16 AM
    Moderator
  • Hello Wendy,

    No, unfortunately the software isn't being installed at startup - I get all of the errors described above when the workstations boot up. I've now tested on nearly a dozen machines and all get Ntp time and authenticate to the DC several seconds after the system boots and attempts to load GPOs. I've tried both "Always wait for network at computer startup" and "Policy processing wait time" set to 90 seconds, both configured via the GPO (tried several hierarchy arrangements) and at the Default Domain Policy GPO... none worked. The workstations simply initiate the network with a delay!

    RSOP.msc shows an Infrastructure error at the computer level. Notice that this does clear after a workstation has connected to a DC over the network and I manually do a gpupdate /force... but then the error reappears after a reboot and no software deployment happens.

    It seems it works on the virtual machines I've set up as they're hosted by my own workstation and they initialize a network connection to the DC prior to starting to process GPOs, likely because they are bridge-networked via the workstation's NIC.

    I've actually managed to find a workaround: I've set up the script at Shutdown and set a 90-second GPO policy processing time. It works, and workstations shut down slower than usual the first time the policy is processed, as the software is being deployed.

    It's not an optimal solution though, and I want to pinpoint what causes the GPO to fail at startup level. It's obviously not authentication and security group filtering, as manually forcing a gpupdate applies the GPO (it's readable) and it can be applied at shutdown; it's not replication or name resolution issues.

    It might be the NIC drivers on the workstations (they're almost all Dell Optiplex 7010 ones using an Intel NIC) but it seems odd; if that's the case, it is essentially preventing us from deploying software via GPOs at computer level during startups, and potentially any startup scripts! This is unacceptable, so I need to pinpoint the root cause ...

    Any further suggestions are appreciated!

    Wednesday, February 01, 2017 2:39 PM
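The post above narrows the problem to timing: the client starts computer policy processing before it has a secure channel to a DC, and the wait-for-network settings do not seem to take effect. The script below is an added example, not from the original thread or from OCSInventory; it assumes you run it elevated on one of the affected Windows 7 clients shortly after a reboot, and it stays PowerShell 2.0 compatible. It rebuilds the boot timeline from the event sources quoted in the thread (NETLOGON 5719, Group Policy 1055, W32Time 129) plus the Group Policy operational log, then reads back the registry values that the two policies tried in the post actually write, so you can see whether they reached the client at all.

```powershell
# Added example, not part of the original thread: on one of the affected Windows 7
# workstations, rebuild the boot timeline from the event logs and read back the
# effective "wait for network" settings that the policy writes to the registry.
# Assumptions: run elevated on the client shortly after a reboot; PowerShell 2.0 compatible.

$os     = Get-WmiObject Win32_OperatingSystem
$boot   = $os.ConvertToDateTime($os.LastBootUpTime)
$window = $boot.AddMinutes(15)

# Sources that appear in the thread (NETLOGON 5719, Group Policy 1055, W32Time 129)
# plus the Group Policy operational log, which records when computer policy
# processing started and which DC it tried to reach.
$filters = @(
    @{ LogName = 'System'; ProviderName = 'NETLOGON';                       StartTime = $boot; EndTime = $window },
    @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-GroupPolicy';  StartTime = $boot; EndTime = $window },
    @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Time-Service'; StartTime = $boot; EndTime = $window },
    @{ LogName = 'Microsoft-Windows-GroupPolicy/Operational';               StartTime = $boot; EndTime = $window }
)
$events = foreach ($f in $filters) {
    # Get-WinEvent reports "no events were found" as an error; treat it as an empty result
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
}

$events | Sort-Object TimeCreated | ForEach-Object {
    New-Object PSObject -Property @{
        SecAfterBoot = [math]::Round(($_.TimeCreated - $boot).TotalSeconds, 1)
        Log          = $_.LogName
        Id           = $_.Id
        Level        = $_.LevelDisplayName
        Message      = ($_.Message -split "`r?`n")[0]   # first line of the message only
    }
} | Format-Table SecAfterBoot, Log, Id, Level, Message -AutoSize

# Effective policy values on this client. SyncForegroundPolicy = 1 is
# "Always wait for the network at computer startup and logon";
# GpNetworkStartTimeoutPolicyValue is "Startup policy processing wait time" in seconds.
$wl   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
$sys  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$sync = (Get-ItemProperty -Path $wl  -Name SyncForegroundPolicy             -ErrorAction SilentlyContinue).SyncForegroundPolicy
$wait = (Get-ItemProperty -Path $sys -Name GpNetworkStartTimeoutPolicyValue -ErrorAction SilentlyContinue).GpNetworkStartTimeoutPolicyValue
"SyncForegroundPolicy             : $(if ($sync -ne $null) { $sync } else { 'not set (asynchronous startup)' })"
"GpNetworkStartTimeoutPolicyValue : $(if ($wait -ne $null) { "$wait seconds" } else { 'not set (default)' })"

# Physical NICs and their driver versions, to compare the Dell/Intel machines with
# the VMs that did run the script.
Get-WmiObject Win32_PnPSignedDriver -Filter "DeviceClass = 'NET'" |
    Where-Object { $_.DeviceName -notmatch 'Miniport|Virtual|Loopback' } |
    Select-Object DeviceName, DriverVersion, DriverDate, DriverProviderName | Format-List
```

Two things to look for in the output: the gap in seconds between boot and the first event that shows a DC was reached, and whether the two registry values are present. If SyncForegroundPolicy is missing on a client that should have it, the setting never applied (for example because the client has not yet had a successful policy refresh since the GPO was linked), and the startup wait cannot work no matter what timeout is configured; if it is present and the 5719/1055 pair still lands within the first few seconds after boot, the NIC or link negotiation is the remaining suspect.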
  • Hi,

    Great share and update. And according to the event 5719 message, I would suggest you take a look at the following articles to see if it helps:

    https://support.microsoft.com/en-sg/help/938449/netlogon-event-id-5719-or-group-policy-event-1129-is-logged-when-you-start-a-domain-member

    https://blogs.technet.microsoft.com/instan/2008/09/18/netlogon-5719-and-the-disappearing-domain-controller/

    Best Regards,

    Wendy



    Monday, February 06, 2017 1:38 AM
    Moderator
  • Hi,

    I am checking how the issue is going; if you still have any questions, please feel free to contact us.

    And if the replies above are helpful, we would appreciate it if you marked them as answers, and if you resolved it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.

    Best regards,

    Wendy



    Friday, February 10, 2017 8:44 AM
    Moderator
  • Not really a resolution - sadly, I haven't been able to get to the bottom of the issue. I deployed a second, more powerful domain controller and offloaded some of the work to it, which has reduced the Ntp errors. The software deploys just fine as Shutdown scripts. Still no clue why it doesn't work at Startup...
    Monday, March 27, 2017 5:47 PM