none
Possible DNS Issues?? RRS feed

  • Question

  • Hi,

    I work with a domain where most the PC's have been turned off for around 20 days, problems started when I turned them on and looked in the event logs, most of the windows 7 machines have got 5719 netlogon and 1055 group policy errors in the event logs. Reboot the machines and the errors aren't coming up again??? I assumed it was something to do with the new group policy windows updates that came out recently and have applied the wait for startup policy fix so the 1055 error won't come up.

    I have now looked at our PDC and have found a load of the following errors all at around the same time on one day when we were turning PC's on in mass and forcing group policy update from the group policy management console:

    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server onepc$. The target name used was RPCSS/differentpc.domain.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (DOMAIN.LOCAL) is different from the client domain (DOMAIN.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

    and

    DCOM was unable to communicate with the computer pc.domain.local using any of the configured protocols; requested by PID     1948 (C:\Windows\system32\mmc.exe).

    There seem to be no problems logging on and the only thing I can think of is that DNS scavenging is not turned on on the forward zone in DNS. DC replication tests fine

    Should I assume all is OK now? We have made no other changes to the domain apart from having to reboot the DC's recently.

    Kind Regards,

    John

    Sunday, August 28, 2016 9:00 AM

Answers

  • Hi John,

    >>they just come up with the netlogon 5719 error without the GP 1055 one so I guess this is OK?

    Did you mean that you have fixed 5719 error and then it comes up again?

    If yes, please check the article below to fix it:

    Netlogon 5719 and the Disappearing Domain [Controller]

    https://blogs.technet.microsoft.com/instan/2008/09/18/netlogon-5719-and-the-disappearing-domain-controller/

    >>These errors only appeared when I ran group policy update from the mmc.

    Please try to uninstall the updates and then check if issue still exists?

    Best Regards

    John


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by John Lii Wednesday, September 14, 2016 6:32 AM
    • Marked as answer by Leo HanModerator Friday, September 16, 2016 1:42 AM
    Wednesday, August 31, 2016 5:47 AM

All replies

  • Hi John,

    >>most of the windows 7 machines have got 5719 netlogon and 1055 group policy errors in the event logs

    The behavior is caused by a race condition between network initialization, locating a Domain Controller and processing Group policy.

    You could follow the link below to understand and fix it:

    Windows 7 Clients intermittently fail to apply group policy at startup

    https://support.microsoft.com/en-sg/kb/2421599

    >>The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server onepc$.

    According to your error message, you could reference the article to fix it:

    Fixing the Security-Kerberos / 4 error

    https://blogs.technet.microsoft.com/dcaro/2013/07/04/fixing-the-security-kerberos-4-error/

    >>DCOM was unable to communicate with the computer pc.domain.local using any of the configured protocols; requested by PID     1948

    The remote target server happens to be offline for a short time.

    Please reference article below to understand and fix it:

    How to troubleshoot DCOM 10009 error logged in system event?

    https://blogs.msdn.microsoft.com/asiatech/2010/03/15/how-to-troubleshoot-dcom-10009-error-logged-in-system-event/

    Best Regards

    John


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, August 29, 2016 8:37 AM
  • Ive applied the GpNetworkStartupPolicyValue fix and it seems to work.... I applied it on a couple of PC's in safemode (without networking) and started them up and they just come up with the netlogon 5719 error without the GP 1055 one so I guess this is OK?

    Its a bit weird though that I am suddently getting these errors, they only thing I can see that has changed and could be related and the 2 updates: Kb3159398 kb3161561.

    Re the keberos errors I am pretty sure that these are down to DNS duplications. But if they are not related to the netlogon 5719 and Group Policy 1055 errors then i'm not majorly concerned at the moment. These errors only appeared when I ran group policy update from the mmc.

    Tuesday, August 30, 2016 11:01 AM
  • Hi John,

    >>they just come up with the netlogon 5719 error without the GP 1055 one so I guess this is OK?

    Did you mean that you have fixed 5719 error and then it comes up again?

    If yes, please check the article below to fix it:

    Netlogon 5719 and the Disappearing Domain [Controller]

    https://blogs.technet.microsoft.com/instan/2008/09/18/netlogon-5719-and-the-disappearing-domain-controller/

    >>These errors only appeared when I ran group policy update from the mmc.

    Please try to uninstall the updates and then check if issue still exists?

    Best Regards

    John


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by John Lii Wednesday, September 14, 2016 6:32 AM
    • Marked as answer by Leo HanModerator Friday, September 16, 2016 1:42 AM
    Wednesday, August 31, 2016 5:47 AM
  • Hi,

    I mean that the registry key only fixes the 1055 error.

    It is hard to tell if the updates are definitely the cause as this seems to only happen when a DHCP lease expires so I would have to uninstall the updates and then leave the PC off for over 8 days before testing.

    Wednesday, August 31, 2016 8:24 PM
  • Hi John

    I am waiting for your result of operation.

    Have you tried to reference link above to fix issue?

    Did it solve your problem or has there showed other errors?

    You could catch the network package on DHCP server by using monitor.

    Best Regards

    John


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, September 1, 2016 2:35 AM
  • Hi,

    Just want to confirm the current situations.

    Please feel free to let us know if you need further assistance.

    Best Regards

    John


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, September 14, 2016 6:32 AM