GPUpdate fails: Event ID: 1054 - Windows could not obtain the name of a domain controller

    Question

  • In troubleshooting another issue (Windows updates failing to download with code 8024402c, unsure if related), I noticed that gpupdate fails to execute on my machine. This is a Win7 x86 client on a domain with three 2008/2008R2 DCs.

    GPUpdate /force reports:

    Updating Policy...
    
    User policy could not be updated successfully. The following errors were encountered:
    
    The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by
     a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
    Computer policy could not be updated successfully. The following errors were encountered:
    
    The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by
     a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
    
    To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access informati
    on about Group Policy results.

    Event Logs Show:

    Log Name: System
    Source: GroupPolicy:
    Event ID: 1054
    Level: Error
    User: System
    OpCode: (1)
    
    The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
    
    Details:
    - EventData 
    
      SupportInfo1 1 
      SupportInfo2 1903 
      ProcessingMode 0 
      ProcessingTimeInMilliseconds 1123 
      ErrorCode 58 
      ErrorDescription The specified server cannot perform the requested operation.  

    Client is configured with three DNS servers. Each returns all three DCs, and the correct IP addresses, when queried for _ldap._tcp.dc._msdcs.domainname.

    Checking the event logs, this seems to have been happening consistently for the last month or so. There is an occasional group policy application success in the event logs, but 99% are failures. I don't see any other relevant errors in the event logs.

    DCDiag is fine.

    GPResult shows GPOs being applied.

    How can I figure out why GPUpdate can't find a DC? Does the error detail "The specified server cannot perform the requested operation." suggest that the issue isn't actually finding a DC, but something else failing?


    • Edited by Mark Hasd Friday, October 19, 2012 6:04 PM
    Friday, October 19, 2012 6:03 PM

Answers

  • Hello,

    As I see, you may have DNS issues to locate DCs.

    If this is the case, I would recommend proceeding like that:

    1. Make sure that each DC has only one IP address in use and ONLY one NIC card enabled (Other NICs should be disabled)
    2. Make sure that public DNS servers are configured as DNS forwarders and not in IP settings of DCs
    3. Choose a healthy DC / DNS server and make each DC point to it as primary DNS server
    4. Make each DC / DNS server point to its private IP address as secondary DNS server
    5. Make sure that needed ports for AD replication are opened: http://technet.microsoft.com/en-us/library/bb727063.aspx
    6. Check your DNS zones and remove manually all obsolete / unused DNS records for DCs

    Once done, run ipconfig /registerdns and restart netlogon on each DC you have.

    On the client computer, run ipconfig /flushdns and check again.


    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

    Sunday, October 21, 2012 4:57 PM
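
A client-side check of the DNS points raised in the answer above, as an added example that is not part of any poster's reply: it asks each DNS server for the DC-locator SRV record, resolves every returned DC against that same server, and probes LDAP on each address so that a stale or extra record shows up per resolver. The domain name and DNS server addresses are placeholders, and `Resolve-DnsName` / `Test-NetConnection` assume an admin workstation running Windows 8.1 / Server 2012 R2 or later.

```powershell
# Added example. Assumptions: 'corp.example.com' and the 192.0.2.x resolver
# addresses are placeholders; replace them with the domain and the DNS servers
# configured on the affected client.
$Domain     = 'corp.example.com'
$DnsServers = '192.0.2.10', '192.0.2.11', '192.0.2.12'
$SrvName    = "_ldap._tcp.dc._msdcs.$Domain"

$results = foreach ($dns in $DnsServers) {
    try {
        $srv = Resolve-DnsName -Name $SrvName -Type SRV -Server $dns -DnsOnly -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
    } catch {
        Write-Warning "$dns : SRV lookup failed: $($_.Exception.Message)"
        continue
    }
    foreach ($rec in $srv) {
        # Resolve the SRV target against the same server, so a stale A record
        # held by only one resolver is attributed to that resolver.
        $ips = @(Resolve-DnsName -Name $rec.NameTarget -Type A -Server $dns -DnsOnly -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
        foreach ($ip in $ips) {
            [pscustomobject]@{
                DnsServer = $dns
                DC        = $rec.NameTarget
                Address   = $ip
                Ldap389   = (Test-NetConnection -ComputerName $ip -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded
            }
        }
    }
}
$results | Sort-Object DC, DnsServer | Format-Table -AutoSize

# A DC name that maps to more than one address: a multi-homed DC or a leftover record.
$results | Group-Object DC | Where-Object {
    @($_.Group | Select-Object -ExpandProperty Address -Unique).Count -gt 1
} | ForEach-Object {
    Write-Warning "$($_.Name) resolves to multiple addresses: $(($_.Group.Address | Sort-Object -Unique) -join ', ')"
}

# An address that DNS hands out but that does not answer on LDAP.
$results | Where-Object { -not $_.Ldap389 } |
    ForEach-Object { Write-Warning "$($_.DC) ($($_.Address)) via $($_.DnsServer): TCP 389 unreachable" }

# Ask the DC locator itself for a DC, bypassing its cached result.
nltest "/dsgetdc:$Domain" /force
```
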
  • Hi,

    Regarding the current issue, I suggest we could refer to the following article for troubleshooting.

    Event ID 1054 — Group Policy Preprocessing (Security)

    http://technet.microsoft.com/en-us/library/cc727331(v=ws.10).aspx

    Hope this helps.

    Regards,

    Andy

    Sunday, October 21, 2012 1:18 PM
    Moderator

All replies

  • Mark-

    Just out of curiosity, is the TCPIP/NetBIOS Helper Service stopped on these machines?

    Darren


    Darren Mar-Elia MS-MVP, Group Policy
    www.gpoguy.com
    www.sdmsoftware.com - "The Group Policy Experts"

    Friday, October 19, 2012 10:23 PM
  • I had this very same issue and it turned out to be a DNS resolution issue between the VPN server and the DC. The DC had changed and the DNS server still had a record pointing to the old address. Updated DNS and that resolved this issue for me. In my case it was easy to figure out it was a DNS issue because I couldn't even sign in with the admin account. If you have the same issue as that, look at the eventvwr on the VPN server. I am sure you will see resolution errors.
    Wednesday, March 25, 2015 11:29 PM
  • Absolutely, 100% not the answer, not even an answer. This is a Microsoft bug and has wasted hours of my time this week and last. Get your mess fixed.
    Friday, December 4, 2015 6:55 PM
  • What is the bug?
    Monday, January 9, 2017 12:44 AM
  • How did you update DNS by removing the old address? Can you please tell me... I have the same error.
    Friday, February 10, 2017 2:35 PM
  • I have the same error, anyone figure out what it could be?  I see someone said it was a bug, but nothing more. 
    Friday, March 3, 2017 12:01 AM