Windows 10 group policy not updating

    Question

  • Group policy is not updating on some of our Windows 10 workstations.  I know there are a lot of references to this problem on the Net, but I am either not finding the correct answer or I am implementing them incorrectly.

    Disabling Windows Firewall allows the policies to process correctly.

    Domain controllers are:
    2012 Standard (PDC)
    2008 R2 Standard
    2008 Standard

    Symptoms are that GP is not updated when running gpupdate /force from a command prompt and very long delays when logging into the computer.

    Gpupdate failure results:
    "The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.

    User Policy update has completed successfully."

    Things I have tried--
    1)  DCDIAG on all domain controllers pass all tests and SYSVOL and NETLOGON folders are there.  Neither was accessible until I...

    2)  ...added the following registry keys to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths:
    \\*\\NETLOGON with values RequireMutualAuthentication=0, RequireIntegrity=0, RequirePrivacy=0
    \\*\\SYSVOL with values RequireMutualAuthentication=0, RequireIntegrity=0, RequirePrivacy=0

    3)  Disjoined and rejoined the workstation to the domain.

    4)  Added the Group Policy templates by installing on the local machines as well as one of our domain controllers.  Should they be installed on all domain controllers?

    5)  Created a PolicyDefinitions folder here:
    \\DC1\sysvol\DOMAIN\Policies\

    Copied the PolicyDefinitions folder from that DC to this folder.  This folder replicated to the other domain controllers properly.

    Items 4 and 5 are the attempts that I am unsure were correctly implemented.


    System logs:
    Event ID 1054
    The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.

    Group Policy log:
    Event ID 7326
    Group Policy failed to discover the Domain Controller details in 42734 milliseconds.

    Event ID 7017
    The LDAP call to connect and bind to Active Directory completed. 
    (One of our DC's FQDN)
    The call failed after 21000 milliseconds.

    This seems to repeat, attempting contact with two DCs, but never attempting the third DC (2008 R2 Standard) which holds the operation master roles.

    Any help would be greatly appreciated.

    Thanks.

    Monday, March 13, 2017 1:32 PM

All replies

  • Hi,
    Have you checked if there is DNS resolution issue to locate DCs?
    If this is the case, I would recommend the follows:
    1. Make sure that each DC has only one IP address in use and only one NIC card enabled, other NICs should be disabled;
    2. Make sure that public DNS servers are configured as DNS forwarders and not in IP settings of DCs
    3. Choose a healthy DC / DNS server and make each DC point to it as primary DNS server
    4. Make each DC / DNS server point to its private IP address as secondary DNS server
    5. Make sure that needed ports for AD replication are opened: http://technet.microsoft.com/en-us/library/bb727063.aspx
    6. Check your DNS zones and remove manually all obsolete / unused DNS records for DCs;
    7. Once done, run ipconfig /registerdns and restart netlogon on each DC you have;
    8. On the client computer, run ipconfig /flushdns and check again.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, March 14, 2017 5:22 AM
    Moderator
  • Thank you very much for your response.

    1-4 are correct.

    5. I admit that I'm a bit lost reading all of this.  However, AD replication appears to be working fine.

    6. Done.  None were found.

    7-8 Done.  Same result.  Computer policy update fails, user policy update completes successfully.

    Turning off the firewall allows both to complete successfully.



    Tuesday, March 14, 2017 3:06 PM
  • Hi,
    >>Turning off the firewall allows both to complete successfully.
    Thanks for the feedback. Can I take it that the problem is fixed? If yes, we would appreciate it if you marked the replies as answers; it will be greatly helpful to others who have the same question.
    Best regards,
    Wendy


    Friday, March 17, 2017 2:50 AM
    Moderator
  • Unfortunately no answer yet.

    Because of company policy I cannot disable Windows firewall.


    Monday, March 20, 2017 1:52 PM
  • Hi,
    In my experience, if disabling the firewall fixes the issue, it indicates that some needed ports are blocked. In this case you need to open them up, which doesn't require turning off the firewall.
    You could see required ports for group policy from:
    Configure Firewall Port Requirements for Group Policy
    https://technet.microsoft.com/en-us/library/jj572986.aspx
    Best regards,
    Wendy


    Thursday, March 23, 2017 1:33 AM
    Moderator
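Added example (not from the thread): a PowerShell check, run on an affected Windows 10 client, for the two points raised in this thread: whether the client can reach each DC on the ports Group Policy needs (Wendy's reply above) and whether the HardenedPaths values the original post set to 0 have disabled UNC hardening for SYSVOL and NETLOGON. The port list is the standard AD client set and is an assumption of this example, not taken from the linked article; DCs are discovered from the domain's SRV records.

```powershell
# Added example, not from the thread. Run as administrator on an affected client.
# Assumption: DCs come from the _ldap._tcp.dc._msdcs SRV records of the client's domain;
# the port list is the standard AD/Group Policy client set (TCP probes only; UDP 53/88/389
# are not probed by Test-NetConnection).
$domain = $env:USERDNSDOMAIN
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop
$dcs = $srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget -Unique

$ports = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL/NETLOGON)'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
}

foreach ($dc in $dcs) {
    foreach ($p in $ports.Keys) {
        $ok = Test-NetConnection -ComputerName $dc -Port $p -InformationLevel Quiet -WarningAction SilentlyContinue
        $state = if ($ok) { 'open' } else { 'BLOCKED' }
        '{0,-30} {1,5} {2,-25} {3}' -f $dc, $p, $ports[$p], $state
    }
}
# Not probed here: the dynamic RPC range (TCP 49152-65535) that the endpoint mapper hands out;
# a BLOCKED 135 or 445 matches the "could not obtain the name of a domain controller" symptom.

# UNC hardening audit. A 0 in RequireMutualAuthentication or RequireIntegrity disables the
# Kerberos mutual-authentication and SMB-signing requirement for policy files fetched from
# \\*\SYSVOL and \\*\NETLOGON, which is the protection those values exist to provide.
$hp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
if (Test-Path $hp) {
    $key = Get-Item $hp
    foreach ($name in $key.GetValueNames()) {
        $value = $key.GetValue($name)
        $weak  = $value -match 'Require(MutualAuthentication|Integrity)\s*=\s*0'
        $flag  = if ($weak) { 'WEAKENED - set back to =1' } else { 'ok' }
        '{0,-20} {1,-60} {2}' -f $name, $value, $flag
    }
} else {
    "No HardenedPaths key on this client (UNC hardening not configured by policy)."
}
```

The expected fix for the thread's symptom is opening the BLOCKED ports (and the dynamic RPC range) in the client firewall, not lowering the HardenedPaths values; once the ports are reachable the `=1` settings should be restored.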
  • Hi,

    Just checking in to see if the information provided was helpful. If the replies above are helpful, we would appreciate it if you marked them as answers; please let us know if you would like further assistance.

    Best Regards,

    Wendy



    Monday, March 27, 2017 8:34 AM
    Moderator