Forefront UAG 2010 - GP not updating

  • Question

  • I have installed UAG Server 2010 and configured it by referring to this blog.
    When the client PC is connected to the external network, it can ping the DC as well as access the shared folder on the DC. But it cannot update Group Policy.
    Error while updating GP:
     
    The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
    Thanks and Regards,

    Iniyan G

    Friday, July 8, 2011 8:28 AM

Answers

  • You must move your NLS to run on a different DNS name. Because the name of your NLS website is https://uagdc.uag.local, that excludes the name uagdc.uag.local from DirectAccess altogether, so currently you have zero access to uagdc.uag.local because of this. You have to move NLS to another website (make a new DNS host record for nls.uag.local and point it at the same IP as the uagdc server). Then walk back through the DA wizards and define the NLS website as nls.uag.local instead. This will adjust your NRPT so that uagdc.uag.local is now included in the DirectAccess tunnels, and you should be all set.

    • Marked as answer by Erez Benari Friday, August 26, 2011 10:58 PM
    Tuesday, July 19, 2011 1:53 PM

All replies

  • From the client PC, if you run "nltest /dclist:" does it show you any domain controllers?
    MrShannon | Concurrency Blogs | UAG SP1 DirectAccess Configuration Guide
    Sunday, July 10, 2011 4:38 PM
  • Thanks for your reply. I typed the command "nltest /dclist:" while the client was connected to the external network.

    Output:

    "Cannot find DC to get DC list from.Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN"

    Monday, July 11, 2011 4:02 AM
  • Your ability to browse a file share on the DC would typically indicate that at least one of your IPsec tunnels is established, but from the trouble you are experiencing it definitely seems that your DA connection is not getting full access.

    Is there any way you can submit a log from the DirectAccess Connectivity Assistant? That will contain a lot of information that would be useful for troubleshooting this scenario.

    Monday, July 11, 2011 1:30 PM
  • Hello Jordan,

    Find the DcaDefaultLog.txt below,

     

    YELLOW: Corporate connectivity requires user action.
    Internet Connectivity is not available. Please connect your computer to the Internet, or start network diagnostics.
    12/7/2011 12:50:17 (UTC)


    Probes List
    FAIL  PING: uagdc.uag.local
    PASS  HTTP: http://uagdc.uag.local
    FAIL  FILE: \\uagdc.uag.local

    DTE

    C:\Windows\system32\LogSpace\{A0A43B81-9FA6-4B61-B3F2-C6588F065CCA}>ipconfig /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : uagtest
       Primary Dns Suffix  . . . . . . . : uag.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : uag.local

    Ethernet adapter Internal:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter
       Physical Address. . . . . . . . . : 00-15-5D-97-A9-3D
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::4837:d23f:7d30:dcb6%11(Preferred)
       IPv4 Address. . . . . . . . . . . : 10.0.0.7(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.0.0.0
       Default Gateway . . . . . . . . . : fe80::5ed9:98ff:fe59:c756%11
       DNS Servers . . . . . . . . . . . : 10.0.0.5
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter isatap.{C5049DBD-4890-49B9-9C7A-70EE901958A4}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter iphttpsinterface:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : iphttpsinterface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    C:\Windows\system32\LogSpace\{A0A43B81-9FA6-4B61-B3F2-C6588F065CCA}>netsh int teredo show state
    Teredo Parameters
    ---------------------------------------------
    Type                    : client
    Server Name             : 16.15.14.10 (Group Policy)
    Client Refresh Interval : 30 seconds
    Client Port             : unspecified
    State                   : offline
    Error                   : general system failure
    Error Code              : 1231


    C:\Windows\system32\LogSpace\{A0A43B81-9FA6-4B61-B3F2-C6588F065CCA}>netsh int httpstunnel show interfaces

    Interface IPHTTPSInterface (Group Policy)  Parameters
    ------------------------------------------------------------
    Role                       : client
    URL                        :
    https://wmsvc-uagserver:443/IPHTTPS
    Last Error Code            : 0x2afc
    Interface Status           : failed to connect to the IPHTTPS server. Waiting to reconnect


    C:\Windows\system32\LogSpace\{A0A43B81-9FA6-4B61-B3F2-C6588F065CCA}>netsh dns show state

    Name Resolution Policy Table Options
    --------------------------------------------------------------------

    Query Failure Behavior                : Always fall back to LLMNR and NetBIOS
                                            if the name does not exist in DNS or
                                            if the DNS servers are unreachable
                                            when on a private network

    Query Resolution Behavior             : Resolve only IPv6 addresses for names

    Network Location Behavior             : Let Network ID determine when Direct
                                            Access settings are to be used

    Machine Location                      : Outside corporate network

    Direct Access Settings                : Configured and Enabled

    DNSSEC Settings                       : Not Configured


    C:\Windows\system32\LogSpace\{A0A43B81-9FA6-4B61-B3F2-C6588F065CCA}>netsh name show policy

    DNS Name Resolution Policy Table Settings

    Settings for uagdc.uag.local
    ----------------------------------------------------------------------
    Certification authority                 : DC=local, DC=uag, CN=uag-UAGDC-CA
    DNSSEC (Validation)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (DNS Servers)              :
    DirectAccess (IPsec)                    : disabled
    DirectAccess (Proxy Settings)           : Use default browser settings

     

    Settings for .uag.local
    ----------------------------------------------------------------------
    Certification authority                 : DC=local, DC=uag, CN=uag-UAGDC-CA
    DNSSEC (Validation)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (DNS Servers)              : 2002:100f:e0b::100f:e0b
    DirectAccess (IPsec)                    : disabled
    DirectAccess (Proxy Settings)           : Bypass proxy

     


    C:\Windows\system32\LogSpace\{A0A43B81-9FA6-4B61-B3F2-C6588F065CCA}>netsh name show effective

    DNS Effective Name Resolution Policy Table Settings


    Settings for uagdc.uag.local
    ----------------------------------------------------------------------
    Certification authority                 : DC=local, DC=uag, CN=uag-UAGDC-CA
    DNSSEC (Validation)                     : disabled
    IPsec settings                          : disabled
    DirectAccess (DNS Servers)              :
    DirectAccess (Proxy Settings)           : Use default browser settings

     

    Settings for .uag.local
    ----------------------------------------------------------------------
    Certification authority                 : DC=local, DC=uag, CN=uag-UAGDC-CA
    DNSSEC (Validation)                     : disabled
    IPsec settings                          : disabled
    DirectAccess (DNS Servers)              : 2002:100f:e0b::100f:e0b
    DirectAccess (Proxy Settings)           : Bypass proxy

     


    C:\Windows\system32\LogSpace\{A0A43B81-9FA6-4B61-B3F2-C6588F065CCA}>netsh int ipv6 show int level=verbose 

    Interface Loopback Pseudo-Interface 1 Parameters
    ----------------------------------------------
    IfLuid                             : loopback_0
    IfIndex                            : 1
    State                              : connected
    Metric                             : 50
    Link MTU                           : 4294967295 bytes
    Reachable Time                     : 24500 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : disabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled

    Interface isatap.{C5049DBD-4890-49B9-9C7A-70EE901958A4} Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_4
    IfIndex                            : 12
    State                              : disconnected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 43500 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled

    Interface Internal Parameters
    ----------------------------------------------
    IfLuid                             : ethernet_6
    IfIndex                            : 11
    State                              : connected
    Metric                             : 5
    Link MTU                           : 1500 bytes
    Reachable Time                     : 39000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 1
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 64
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled

    Interface iphttpsinterface Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_7
    IfIndex                            : 16
    State                              : disconnected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 35000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 1
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : enabled
    Other Stateful Configuration       : enabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled


    C:\Windows\system32\LogSpace\{A0A43B81-9FA6-4B61-B3F2-C6588F065CCA}>netsh advf show currentprofile

    Private Profile Settings:
    ----------------------------------------------------------------------
    State                                 ON
    Firewall Policy                       BlockInbound,AllowOutbound
    LocalFirewallRules                    N/A (GPO-store only)
    LocalConSecRules                      N/A (GPO-store only)
    InboundUserNotification               Enable
    RemoteManagement                      Disable
    UnicastResponseToMulticast            Enable

    Logging:
    LogAllowedConnections                 Disable
    LogDroppedConnections                 Disable
    FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
    MaxFileSize                           4096

    Ok.


    C:\Windows\system32\LogSpace\{A0A43B81-9FA6-4B61-B3F2-C6588F065CCA}>netsh advfirewall monitor show consec

    Global Settings:
    ----------------------------------------------------------------------
    IPsec:
    StrongCRLCheck                        0:Disabled
    SAIdleTimeMin                         5min
    DefaultExemptions                     ICMP
    IPsecThroughNAT                       Never
    AuthzUserGrp                          None
    AuthzComputerGrp                      None

    StatefulFTP                           Enable
    StatefulPPTP                          Enable

    Main Mode:
    KeyLifetime                           60min,0sess
    SecMethods                            DHGroup2-AES128-SHA256,DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
    ForceDH                               No

    Categories:
    BootTimeRuleCategory                  Windows Firewall
    FirewallRuleCategory                  Windows Firewall
    StealthRuleCategory                   Windows Firewall
    ConSecRuleRuleCategory                Windows Firewall


    Quick Mode:
    QuickModeSecMethods                   ESP:SHA1-None+60min+100000kb,ESP:SHA1-AES128+60min+100000kb,ESP:SHA1-3DES+60min+100000kb,AH:SHA1+60min+100000kb
    QuickModePFS                          None

    Security Associations:

    No SAs match the specified criteria.


    C:\Windows\system32\LogSpace\{A0A43B81-9FA6-4B61-B3F2-C6588F065CCA}>Certutil -store my 
    my
    CertUtil: -store command completed successfully.

    C:\Windows\system32\LogSpace\{A0A43B81-9FA6-4B61-B3F2-C6588F065CCA}>Systeminfo

    Host Name:                 UAGTEST
    OS Name:                   Microsoft Windows 7 Enterprise
    OS Version:                6.1.7600 N/A Build 7600
    OS Manufacturer:           Microsoft Corporation
    OS Configuration:          Member Workstation
    OS Build Type:             Multiprocessor Free
    Registered Owner:          uagclient
    Registered Organization:  
    Product ID:                00392-918-5000002-85230
    Original Install Date:     7/12/2011, 4:27:17 PM
    System Boot Time:          7/12/2011, 6:03:13 PM
    System Manufacturer:       Microsoft Corporation
    System Model:              Virtual Machine
    System Type:               x64-based PC
    Processor(s):              1 Processor(s) Installed.
                               [01]: Intel64 Family 6 Model 30 Stepping 5 GenuineIntel ~2533 Mhz
    BIOS Version:              American Megatrends Inc. 090004 , 3/19/2009
    Windows Directory:         C:\Windows
    System Directory:          C:\Windows\system32
    Boot Device:               \Device\HarddiskVolume1
    System Locale:             en-us;English (United States)
    Input Locale:              en-us;English (United States)
    Time Zone:                 (UTC+05:30) Chennai, Kolkata, Mumbai, New Delhi
    Total Physical Memory:     1,024 MB
    Available Physical Memory: 570 MB
    Virtual Memory: Max Size:  2,048 MB
    Virtual Memory: Available: 1,478 MB
    Virtual Memory: In Use:    570 MB
    Page File Location(s):     C:\pagefile.sys
    Domain:                    uag.local
    Logon Server:              N/A
    Hotfix(s):                 N/A
    Network Card(s):           2 NIC(s) Installed.
                               [01]: Microsoft Virtual Machine Bus Network Adapter
                                     Connection Name: Internal
                                     DHCP Enabled:    No
                                     IP address(es)
                                     [01]: 10.0.0.7
                                     [02]: fe80::4837:d23f:7d30:dcb6
                               [02]: Microsoft Virtual Machine Bus Network Adapter
                                     Connection Name: External
                                     Status:          Hardware not present

    C:\Windows\system32\LogSpace\{A0A43B81-9FA6-4B61-B3F2-C6588F065CCA}>whoami /groups 

    GROUP INFORMATION
    -----------------

    Group Name                             Type             SID          Attributes                                       
    ====================================== ================ ============ ==================================================
    BUILTIN\Administrators                 Alias            S-1-5-32-544 Enabled by default, Enabled group, Group owner   
    Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
    Mandatory Label\System Mandatory Level Label            S-1-16-16384                                                  

    Tuesday, July 12, 2011 12:55 PM
  • Sorry for the delay, the forum has decided to stop sending me email updates when someone replies to my post. Anyway, this log file indicates that you have a problem with the Teredo adapter: it's reporting "general system failure", so that could be a problem, but it could possibly just be a timing thing with when you took this log file. Mainly, I think you have a misconfiguration in your environment. Are you running the NLS (Network Location Server) on this DC that you are trying to contact? I see in your NRPT (naming table) that you are telling *.uag.local to go through the DirectAccess tunnels, yet you are excluding uagdc.uag.local from the tunnels. Usually this means that uagdc.uag.local is the name of your NLS website, because the NLS website by default gets excluded from the DirectAccess tunnel. This is necessary for DA to work properly. So because you have UAGDC excluded, you will not be able to see it over DirectAccess.

    If you want to be able to contact UAGDC.uag.local over DirectAccess, you'll need to move your NLS website to a different DNS name. It can still be hosted on this server, but you need to assign it a name like NLS.uag.local so that DA excludes only that name, not the server itself.

    Thursday, July 14, 2011 3:30 PM
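    The two replies above (and the accepted answer) hinge on how the NRPT picks a rule: the most specific matching entry wins, and an entry with no DirectAccess DNS servers is an exemption that sends the query to the client's normal DNS instead of through the tunnel. The script below is an added example, not code from the thread or from Microsoft. It parses the layout that `netsh name show effective` prints (as pasted in the DCA log above) and models that precedence so you can see which names bypass the tunnel. `NRPT_BEFORE` is a constructed copy of the poster's table; `NRPT_AFTER` is a constructed guess at the same table after re-running the DA wizard with the NLS at nls.uag.local, as the reply recommends.

```python
"""Model of NRPT (Name Resolution Policy Table) matching for DirectAccess.

Added example, not from the original thread. Parses the `netsh name show
effective` layout and applies the precedence the replies describe: the
most specific matching namespace wins, and a namespace with no
DirectAccess DNS servers is an exemption resolved by local DNS.
"""
import re

# Constructed sample mirroring the table in the DCA log: the DC name is the
# NLS name, so the DC itself is exempted from the DirectAccess tunnel.
NRPT_BEFORE = """\
DNS Effective Name Resolution Policy Table Settings

Settings for uagdc.uag.local
----------------------------------------------------------------------
Certification authority                 : DC=local, DC=uag, CN=uag-UAGDC-CA
DNSSEC (Validation)                     : disabled
IPsec settings                          : disabled
DirectAccess (DNS Servers)              :
DirectAccess (Proxy Settings)           : Use default browser settings

Settings for .uag.local
----------------------------------------------------------------------
Certification authority                 : DC=local, DC=uag, CN=uag-UAGDC-CA
DNSSEC (Validation)                     : disabled
IPsec settings                          : disabled
DirectAccess (DNS Servers)              : 2002:100f:e0b::100f:e0b
DirectAccess (Proxy Settings)           : Bypass proxy
"""

# Constructed (assumed) table after the NLS is moved to nls.uag.local and the
# DA wizard is re-run: only the NLS name is exempted, the DC is not.
NRPT_AFTER = NRPT_BEFORE.replace("Settings for uagdc.uag.local",
                                 "Settings for nls.uag.local")


def parse_nrpt(text):
    """Return [(namespace, [dns_servers]), ...] from netsh output."""
    rules = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Settings for (\S+)", line)
        if m:
            current = [m.group(1).lower(), []]
            rules.append(current)
            continue
        m = re.match(r"DirectAccess \(DNS Servers\)\s*:\s*(.*)$", line)
        if m and current is not None:
            # An empty server list means "resolve with the normal interface DNS".
            current[1] = [s for s in m.group(1).replace(",", " ").split() if s]
    return [(ns, servers) for ns, servers in rules]


def match_rule(rules, name):
    """Most specific namespace wins: an exact FQDN beats a suffix rule,
    and a longer suffix beats a shorter one."""
    name = name.lower().rstrip(".")
    best = None
    for ns, servers in rules:
        if ns.startswith("."):
            hit = name.endswith(ns)      # suffix rule, e.g. .uag.local
        else:
            hit = name == ns             # exact-name rule, e.g. uagdc.uag.local
        if hit and (best is None or len(ns) > len(best[0])):
            best = (ns, servers)
    return best


def resolve_path(rules, name):
    """Where does a query for `name` go? ('tunnel', servers) or ('local', why)."""
    rule = match_rule(rules, name)
    if rule is None:
        return ("local", "no rule")
    ns, servers = rule
    if servers:
        return ("tunnel", ",".join(servers))
    return ("local", "exempt by %s" % ns)


def exempt_namespaces(rules):
    """Namespaces that bypass the DA DNS server; the NLS name belongs here,
    a domain controller does not."""
    return [ns for ns, servers in rules if not servers]


if __name__ == "__main__":
    for label, table in (("before", NRPT_BEFORE), ("after", NRPT_AFTER)):
        rules = parse_nrpt(table)
        print(label, "exempt:", exempt_namespaces(rules))
        for host in ("uagdc.uag.local", "nls.uag.local", "fileserver.uag.local"):
            print("  %-22s -> %s" % (host, resolve_path(rules, host)))
```

    Run it against a saved `netsh name show effective` dump from a client and check `exempt_namespaces`: if the only exempt entry is the DC's own FQDN, the DC is unreachable over DirectAccess by design, which is exactly the situation the poster hit.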
  • Hello Jordan,

    Thanks for your reply. And the answer is YES, the NLS is on my DC. So, GP Updating is not possible. But, if I'm right there must be a reply when I ping to uagdc.uag.local from my client machine in DA right?

    Tuesday, July 19, 2011 3:30 AM