Issue with gpupdate /force

    Question

  • Hi There,

    I have a typical requirement. In our environment we have a domain controller which is in a private network and one RODC in a public network.

    I am able to add a system to the domain using the offline domain joining concept successfully.

    But now the problem is that after adding the system to the domain, I am not able to log in to the server using domain credentials. With gpupdate /force, the computer GPO is not getting updated. The error is as below.

    Computer policy could not be updated successfully. The following errors were encountered:

    The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.

    I am able to ping both the servers. Communication looks good. DNS settings also look good in ncpa.cpl.

    Thanks

    krishna



    • Edited by BHVKrishna90 Wednesday, December 7, 2016 4:25 PM typo mistake
    • Moved by nzpcmad1 Wednesday, December 7, 2016 7:43 PM From ADFS
    Wednesday, December 7, 2016 4:25 PM

All replies

  • Is there a firewall between the two domain controllers? You need to verify the appropriate ports are open on the firewall for Group Policy processing to work properly. 

    See this Technet article:

    https://technet.microsoft.com/en-us/library/jj572986(v=ws.11).aspx

    What type of account are you attempting to log in to the RODC with? By default, if the RODC cannot connect to a writable domain controller, authentication attempts for accounts whose credentials are not cached on the RODC will fail. Domain admins are generally not allowed to cache passwords on the RODC. However, this setting can be controlled in the password replication policy.

    Read this as well:

    https://technet.microsoft.com/en-us/library/cc754956(v=ws.10).aspx


    Cheers,

    Ryan

    Microsoft Server Engineer


    Please remember to mark the replies as answers if they help.

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Wednesday, December 7, 2016 4:35 PM
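
An added example, not part of the thread: one way to check whether the accounts involved are allowed by the RODC's password replication policy and whether their credentials are already cached on it. The RODC name and account names are placeholders; it assumes the ActiveDirectory module (RSAT) and a session that can reach a writable domain controller.

```powershell
# Added example (not from the thread). Placeholders: $Rodc and $Accounts.
Import-Module ActiveDirectory

$Rodc     = 'RODC1'                 # placeholder RODC name
$Accounts = 'CLIENT01$', 'jdoe'     # placeholder computer account and user account

# Accounts whose credentials are currently cached ("revealed") on the RODC.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage `
                -Identity $Rodc -RevealedAccounts |
            Select-Object -ExpandProperty SamAccountName

# Accounts the RODC has authenticated, whether or not it may cache them.
$authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage `
                     -Identity $Rodc -AuthenticatedAccounts |
                 Select-Object -ExpandProperty SamAccountName

$report = foreach ($name in $Accounts) {
    # Resultant policy combines the Allowed and Denied lists for this RODC,
    # including membership in groups such as the allowed replication group.
    $policy = Get-ADAccountResultantPasswordReplicationPolicy `
                  -Identity $name -DomainController $Rodc

    [pscustomobject]@{
        Account         = $name
        ResultantPolicy = $policy
        Authenticated   = $authenticated -contains $name
        CachedOnRodc    = $revealed -contains $name
    }
}

$report | Format-Table -AutoSize

# An account that is allowed but not yet cached can only log on through the
# RODC while the RODC can forward the request to a writable domain controller.
$report | Where-Object { -not $_.CachedOnRodc } | ForEach-Object {
    Write-Warning ("{0} is not cached on {1}" -f $_.Account, $Rodc)
}
```

A logon through the RODC alone needs both the computer account and the user account cached, so check both rows of the report.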
  • All required ports are opened to the RODC.

    And I also added the system to the group "Allowed RODC Password Replication Group".


    • Edited by BHVKrishna90 Wednesday, December 7, 2016 5:39 PM precise description
    Wednesday, December 7, 2016 5:34 PM
  • Hi,
    Alternatively, you could try temporarily turning off the firewall on both DCs to see if it helps.
    In addition, please check the DNS address on the system which was added to the domain. Please point the DNS address to the IP address of the DC and see if the error disappears. Please see: https://support.microsoft.com/en-us/kb/324174
    You could also run ipconfig /all on the DC/DNS servers and a problem machine, so we can verify the DNS settings.
    Best regards,
    Wendy

    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, December 8, 2016 7:09 AM
    Moderator
  • I verified all DNS settings and they look similar in all systems.

    In DC Server:

     DNS Servers . . . . . . . . . . . : ::1
                                         10.164.217.31
                                         127.0.0.1
     NetBIOS over Tcpip. . . . . . . . : Enabled

    In RODC Server:

    DNS Servers . . . . . . . . . . . : 10.164.218.29
                                        10.164.217.31

    NetBIOS over Tcpip. . . . . . . . : Enabled


    In Client:

     DNS Servers . . . . . . . . . . . : 10.164.218.29 (RODC1)
                                         10.164.218.46 (RODC2)
                                         10.164.217.31 (DC01)
     NetBIOS over Tcpip. . . . . . . . : Enabled

    Even so, it's not working. There is no direct connection to DC01. Communication should happen through the RODC.


    • Edited by BHVKrishna90 Thursday, December 8, 2016 10:35 AM
    Thursday, December 8, 2016 8:52 AM
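
The error quoted in the question is raised when the client cannot locate a domain controller, which it does through DNS SRV records rather than host lookups. The following is an added diagnostic, not part of the thread, to run on the joined client: it asks each DNS server listed above for the DC locator records and tests the core ports on every controller returned. The domain and site names are placeholders, and RPC dynamic ports are not covered.

```powershell
# Added example (not from the thread). Placeholders: $Domain and $Site.
$Domain     = 'corp.example.com'    # placeholder AD DNS domain name
$Site       = 'Perimeter-Site'      # placeholder AD site that contains the RODC
$DnsServers = '10.164.218.29', '10.164.218.46', '10.164.217.31'  # client list from the thread
$Ports      = 88, 135, 389, 445     # Kerberos, RPC endpoint mapper, LDAP, SMB (SYSVOL)

# An RODC registers site-specific locator records only, so query the site
# record as well as the domain-wide one.
$SrvNames = "_ldap._tcp.${Site}._sites.dc._msdcs.${Domain}",
            "_ldap._tcp.dc._msdcs.${Domain}"

$targets = foreach ($dns in $DnsServers) {
    foreach ($name in $SrvNames) {
        try {
            $answer = Resolve-DnsName -Name $name -Type SRV -Server $dns `
                          -DnsOnly -ErrorAction Stop
        } catch {
            Write-Warning ("{0}: no answer for {1} ({2})" -f $dns, $name, $_.Exception.Message)
            continue
        }
        # Keep SRV records only; additional-section A records have no NameTarget.
        foreach ($r in ($answer | Where-Object { $_.NameTarget })) {
            [pscustomobject]@{ DnsServer = $dns; Record = $name; Target = $r.NameTarget }
        }
    }
}

if (-not $targets) {
    Write-Warning 'No DC locator records returned by any configured DNS server.'
    return
}
$targets | Format-Table -AutoSize

# Every controller DNS hands out must be reachable, or the locator can pick
# one the client has no route to.
$targets | Select-Object -ExpandProperty Target -Unique | ForEach-Object {
    $dc = $_
    foreach ($p in $Ports) {
        $t = Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ DomainController = $dc; Port = $p; Reachable = $t.TcpTestSucceeded }
    }
} | Format-Table -AutoSize

# What the DC locator itself selects, bypassing its cache.
nltest /dsgetdc:$Domain /force
```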
  • Hi

     DNS Servers . . . . . . . . . . . : ::1 >>> DNS resolves from IPv6, but that's not the correct setting, so you should configure the NIC provider order to resolve requests from IPv4.

    https://technet.microsoft.com/en-us/library/cc732472(v=ws.10).aspx

    And if you aren't able to modify the order, you should disable IPv6 (but that's not recommended).

    After the process you should run "ipconfig /flushdns" and "ipconfig /registerdns" on the DC.


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    Thursday, December 8, 2016 9:24 AM
  • In our environment, we don't have a direct connection to DC01. The communication should happen via the RODC.

    All replications happen from the DC to the RODC, and the system is added to the Allowed RODC Password Replication Group.

    NSlookup is also working fine. That's the reason we have used the offline domain join concept.

    The proper ports are opened to the RODC, not to DC01.

    Gpupdate is not happening and I am not able to log in to the system using domain credentials.

    Thanks

    Krishna

    Thursday, December 8, 2016 10:35 AM
  • Hi Krishna,
    I would agree with Burak that we could try disabling IPv6 and registering DNS to see if it helps.
    Best regards,
    Wendy


    Monday, December 12, 2016 1:37 AM
    Moderator
  • Hi,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    And if the replies above are helpful, we would appreciate it if you marked them as answers, and if you resolved it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.

    Best regards,

    Wendy



    Friday, December 16, 2016 8:58 AM
    Moderator