none
Event ID: 1054 - Group policy processing aborted.- Windows XP SP3 Clients + Windows 2003 Std Server

    Question

  • Hello,

    I am having trouble with some machines loading the domain group policy. Currently the network is spread out in different locations connected via draytek router VPN IPSec tunnels into our main router. Some of the XP (All have latest updates) machines load the group policy sucessfully, but others do not. The machines which are on the local network subnet 192.168.1.* load the group policy fine as they are in the same building. Every other machine is on its own subnet e.g 192.168.3.*, 192.168.4.* etc etc. Current, only a few of them are actualy loading the group policy from the DC (Windows 2003 std + latest updates)

    This is the error that appears on the XP SP3 Workstations:

    Source: Userenv
    Event ID: 1054

    Description: Windows cannot obtain the domain controller name for you computer network. (the specified domain either does not exist or could not be contacted. ). Group policy processing aborted.

    If anyone could shed some light on some things to try that would be great.

    I have tried the following already;

    1. Removed XP Workstation and rejoined the domain
    2. http://support.microsoft.com/kb/324174

     

    any idea's would be great.

     

    thanks

    Wednesday, October 27, 2010 8:20 PM

Answers

  • Hi,

     

    According to my research, this issue also can be caused by the slow link detection.

     

    To disable slow link detection on the Windows XP client computers, set the following registry values:

     

    Registry subkey: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System

    Value name: GroupPolicyMinTransferRate

    Value type: DWORD

    Value Data: 0

     

    Registry subkey: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System

    Value name: GroupPolicyMinTransferRate

    Value type: DWORD

    Value Data: 0

     

    These registry settings must be configured manually because Group Policy is not applied in this scenario. These registry settings are otherwise set by the following Group Policy settings:

     

    Policy location: Computer Configuration\Administrative Templates\System\Group Policy

    Policy name: Group Policy slow link detection

    Policy setting: Enabled with a value of 0

     

    Policy location: User Configuration\Administrative Templates\System\Group Policy

    Policy name: Group Policy slow link detection

    Policy setting: Enabled with a value of 0

     

    If it does not work, please also check if the following Microsoft KB article applies to your situation:

     

    Cannot connect to domain controller and cannot apply Group Policy with Gigabit Ethernet devices

    http://support.microsoft.com/kb/326152

     

    If the issue persists, please run the commands: dcdiag /v and netdiag /v on the DC, and then post the outputs if any failures are encountered. Please also run the command: ipconfig /all on a problematic and a good Windows XP client, and then post the outputs. We would like to check if there are any network connectivity issue.

     

    Regards,


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    • Marked as answer by Sal-IT Thursday, November 4, 2010 3:51 AM
    Thursday, October 28, 2010 10:16 AM
    Moderator
  • Hello,

     Finnaly i have resolved the issues. Here is what i have done.

    1. One each client machine, changed the following.

    Registry subkey: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
    Value name: GroupPolicyMinTransferRate
    Value type: DWORD
    Value Data: 0
     
    Registry subkey: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
    Value name: GroupPolicyMinTransferRate
    Value type: DWORD
    Value Data: 0

    Policy location: Computer Configuration\Administrative Templates\System\Group Policy

    Policy name: Group Policy slow link detection

    Policy setting: Enabled with a value of 0

     

    Policy location: User Configuration\Administrative Templates\System\Group Policy

    Policy name: Group Policy slow link detection

    Policy setting: Enabled with a value of 0

    2. On each XP client machine, make sure the DNS is set to the DC. I set my machines to Automatic and had the VPN router from the location it was at point its DNS to the DC on the correct subnet. e.g

    1. 192.168.2.*
    2. 192.168.3.*
    3. 192.168.4.*

    All these subnets set by the routers, connect to the router's subnet which is 192.168.1.* where the DC sits.

    3. Some machines may have been cloned in the past (while i was not with the organisation), so i ran newsid and changed the sides on all the client machines. I then took them of the Domain and rejoined them.

    Everything seems to work now.

    Thanks everyone who replied to this post, thanks Arthur & Guy

    • Marked as answer by Sal-IT Thursday, November 4, 2010 3:59 AM
    Thursday, November 4, 2010 3:59 AM

All replies

  • Hi,

    This error indicates that the machine can't talk to a domain controller so the cause is typically related to the network, network settings or AD. 

     

    Some things you can check/try:

    Are there any other errors on the problem machines? specifically looking for events related to AD, DNS and networking.

    Do you get the same error if you run 'gpupdate /force' in a command prompt window?

    Is the behavior consistent? in other words, do the machines that apply GPOs always work and ones that don't always fail?

    Are there any differences between machines that apply GPOs and those that don't? (different sites, segment, configurations, DCs, etc)

    Do you only have DCs in one subnet? how many DCs are there?

     

    Please post the answers to these for further assistance,

     

    Thanks,

    Guy

    Wednesday, October 27, 2010 8:30 PM
  • Hello Guy,

    when i try a 'gpupdate /force' the following error occurs in the Application log of the even viewer.

    Source: Userenv
    Event ID: 1054
    
    Description: Windows cannot obtain the domain controller name for you computer network. (the specified domain either does not exist or could not be contacted. ). Group policy processing aborted.

    There is another DC, both on subnet 192.168.1.*. But it does not hold any responsibility. DC1 has all the AD and policies etc. As far as i can tell the machines that the GP's apply to always work.

    i have also checked this http://support.microsoft.com/kb/938448  and it is ok so i have elminated this option.

     

    thanks

     

    david

     

     

    Wednesday, October 27, 2010 10:13 PM
  • Hi,

     When you run gpresult, which DC is listed at the top? Which DC is running DNS and which one are the client pointing to? The policies should be replicating to both DCs, can you check the directory service and FRS event log on the DCs to see if there are replication related errors? can you log into the clients using an AD account?

     

    Thanks,

    Guy

    Thursday, October 28, 2010 5:08 AM
  • Hey guy,

    i just ran gprsult

    gpresult
    INFO: The policy object does not exist.

    i can log in succesfully under AD accounts on the machines, i can map network drives and also ping both DC's fine. I can also access the sysvol share correctly from the client machine.

    :(

     

    i will keep googling mabe i will come up with some ideas

    Thursday, October 28, 2010 5:18 AM
  • Hi,

     Make sure you have a DNS server with all the AD records (_msdcs records). The client must be pointing at this server. I've seen this behavior when AD DNS is not set up correctly.

     

    Thanks,

    Guy

     

     

    Thursday, October 28, 2010 5:26 AM
  • Guy,

     

    When i log into the client PC as Administrator on the AD, gpresult works. When i log in under the user account im trying, it does not. The use has domain user level and both the PC and user account are in the OU assigned to the GP.

     

    Thursday, October 28, 2010 5:33 AM
  • Hi,

     

    According to my research, this issue also can be caused by the slow link detection.

     

    To disable slow link detection on the Windows XP client computers, set the following registry values:

     

    Registry subkey: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System

    Value name: GroupPolicyMinTransferRate

    Value type: DWORD

    Value Data: 0

     

    Registry subkey: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System

    Value name: GroupPolicyMinTransferRate

    Value type: DWORD

    Value Data: 0

     

    These registry settings must be configured manually because Group Policy is not applied in this scenario. These registry settings are otherwise set by the following Group Policy settings:

     

    Policy location: Computer Configuration\Administrative Templates\System\Group Policy

    Policy name: Group Policy slow link detection

    Policy setting: Enabled with a value of 0

     

    Policy location: User Configuration\Administrative Templates\System\Group Policy

    Policy name: Group Policy slow link detection

    Policy setting: Enabled with a value of 0

     

    If it does not work, please also check if the following Microsoft KB article applies to your situation:

     

    Cannot connect to domain controller and cannot apply Group Policy with Gigabit Ethernet devices

    http://support.microsoft.com/kb/326152

     

    If the issue persists, please run the commands: dcdiag /v and netdiag /v on the DC, and then post the outputs if any failures are encountered. Please also run the command: ipconfig /all on a problematic and a good Windows XP client, and then post the outputs. We would like to check if there are any network connectivity issue.

     

    Regards,


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    • Marked as answer by Sal-IT Thursday, November 4, 2010 3:51 AM
    Thursday, October 28, 2010 10:16 AM
    Moderator
  • Hey Guys,

     

    it seems to be a replication problem with the second DC. Now, the second DC does not do anything, can i simply run dcpromo on the second dc and remove the link and let the DC 1 run on its own?

     

    btw Arthur, thanks for the reply, i tried adding the reg values in on the client, made no difference. :(

    regards,

     

    dave

    Thursday, October 28, 2010 1:19 PM
  • Hi dave,

     Typically, you need replication to be functional before you can use dcpromo to remove a domain controller. I would start by looking into the replication problems and seeing if it is a simple fix. If not, there are processes to manually remove a DC from your domain if replication can't be fixed, but it will require you to rebuild the second DC since you won't be able to dcpromo it.

     

    If you want to post the error events from the directory service log that are related to replication, we can try to help get it fixed. You can also try posting in the directory service forum here: http://social.technet.microsoft.com/Forums/en-US/winserverDS/threads

     

    Thanks,

    Guy

    Thursday, October 28, 2010 3:33 PM
  • Hello,

    Thanks for all the replies and help. I have followed this thread http://www.minasi.com/forum/topic.asp?TOPIC_ID=20825 and tried the following.

    Go to Command Prompt --> Copy Paste the below lines
    
    cd /d %windir%\system32 
    regsvr32 /n /I userenv.dll 
    cd wbem 
    mofcomp scersop.mof 
    gpupdate /force
    gpresult
    

    I did this on the DC.

    The following error i now get when i run gpresult on the client machnes is.

    gpresult
    INFO: The user "Domain\UserName" does not have RSOP data.

    where domain = my domain name and user name is the user im trying.

    i also tried creating a fresh account with domain user level, moved it into the OU, still had the same problem.

    any ideas?

    Friday, October 29, 2010 5:30 AM
  • Hi,

     

    Event ID 1054 indicates a network connectivity or configuration problem exists. Group Policy settings cannot be applied until the problem is fixed.

     

    To troubleshoot the network connectivity or configuration problem, try one or all of the following:

     

    l  In Event Viewer, click System, and check for any networking-related messages, such as Netlogon messages, that indicate a network connectivity issue.

    l  At the command prompt, type netdiag, and note any errors. Those errors usually have to be resolved before Group Policy processing can continue.

    l  At the command prompt, type gpupdate, and then check Event Viewer to see if the Userenv 1054 event is logged again.

    l  To verify that the domain controller can be contacted through Domain Name System (DNS), try to access \\mydomain.com\sysvol\mydomain.com, where mydomain.com is the fully qualified DNS name of your domain.

    l  Verify that you can access the domain controller by using tools such as the Active Directory Users and Computers snap-in.

    l  Check to see whether other computers on your network are having the same problem.

    l  If this computer is a part of a cross-forest domain, verify that the forest for the user account is currently available and can be contacted by the computer on which the Group Policy processing failed.

     

    For more information, please refer to the following link:

    http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.2&EvtID=1054&EvtSrc=Userenv&LCID=1033

     

    If the issue persists, please upload the outputs of the following commands I required in my previous post to workspace for our further research:

     

    Dcdiag /v >C:\dcdiag.txt

    Netdiag /v >C:\netdiag.txt

    Ipconfig /all >C:\ipconfig.txt

     

    For your convenience, I have created a workspace for you. You can upload the information files to the following link. (Please choose "Send Files to Microsoft")

     

    Workspace URL: https://sftasia.one.microsoft.com/choosetransfer.aspx?key=606ae5b0-9113-4afe-b912-061b7efe84c7

    Password: ^^xsmDPDjaQG*6#

     

    Note: Due to differences in text formatting with various email clients, the workspace link above may appear to be broken.  Please be sure to include all text between '(' and ')' when typing or copying the workspace link into your browser. Meanwhile, please note that files uploaded for more than 72 hours will be deleted automatically. Please ensure to notify me timely after you have uploaded the files. Thank you for your understanding.

     

    Regards,


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Monday, November 1, 2010 7:49 AM
    Moderator
  • Hi,

     

    I would like to confirm what is the current situation? If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help.

     

    Regards,

     

    Arthur Li

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Wednesday, November 3, 2010 4:33 AM
    Moderator
  • Hello,

    Currently i am still having issues. I have tried everything in this thread, apart from reporting the issue as you suggested arthur. I plan to do this by the end of the week if i havent solved the problem.

    Current, out of 25 VPN connections via draytek routers to our Head office (Where DC is), only 4 of the xp machines load the group policy, 15 of them report 'Event ID: 1054 - Group policy processing aborted" in the event log, and the remainder

    gpresult
    INFO: The policy object does not exist.

    I plan to do some more work tommorow, i have been tied up with other parts of my work so i have not been able to reply sooner. I will have a full report on friday.

     

    regards

    david

    Wednesday, November 3, 2010 4:41 AM
  • Ok,

    i have nailed it down to the following. It has to do with something on the xp boxes, the DC is fine. If i log in on the local network on a client machine, group policy works.

    if i log it on a client machine which is connected via our draytek routers VPN LAN TO LAN ipsec it is only working on a few machines. e.g subnets 192.168.14.* and subnet 192.168.16.* are working.

    I think its the actual machines. Is thre anything i can check on the XP Pro clients? they have all the latest service packs and windows updates.

     Also,

    when i log into the client xp machine with Administrator on the local machine, gpresult works, if i log in with the user account, gpresult does not.

     

     

    Wednesday, November 3, 2010 6:10 AM
  • Hello,

     Finnaly i have resolved the issues. Here is what i have done.

    1. One each client machine, changed the following.

    Registry subkey: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
    Value name: GroupPolicyMinTransferRate
    Value type: DWORD
    Value Data: 0
     
    Registry subkey: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
    Value name: GroupPolicyMinTransferRate
    Value type: DWORD
    Value Data: 0

    Policy location: Computer Configuration\Administrative Templates\System\Group Policy

    Policy name: Group Policy slow link detection

    Policy setting: Enabled with a value of 0

     

    Policy location: User Configuration\Administrative Templates\System\Group Policy

    Policy name: Group Policy slow link detection

    Policy setting: Enabled with a value of 0

    2. On each XP client machine, make sure the DNS is set to the DC. I set my machines to Automatic and had the VPN router from the location it was at point its DNS to the DC on the correct subnet. e.g

    1. 192.168.2.*
    2. 192.168.3.*
    3. 192.168.4.*

    All these subnets set by the routers, connect to the router's subnet which is 192.168.1.* where the DC sits.

    3. Some machines may have been cloned in the past (while i was not with the organisation), so i ran newsid and changed the sides on all the client machines. I then took them of the Domain and rejoined them.

    Everything seems to work now.

    Thanks everyone who replied to this post, thanks Arthur & Guy

    • Marked as answer by Sal-IT Thursday, November 4, 2010 3:59 AM
    Thursday, November 4, 2010 3:59 AM
  • Hi Arthur and Miscrofort helper!

    Currentlly I am a Administrator for Viettel group's LAN office, and user a domain server with win server 2008 r2 OS.

    I have a the same problem with Sal-IT case, but when I regedit to set regitry value in(winxp) :

    Registry subkey: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System

    Value name: GroupPolicyMinTransferRate

    Value type: DWORD

    Value Data: 0

    --> It don't have the value name: GroupPolicyMinTransferRate, Only have 2 value name are: Allow-LogonScript-NetbiosDisabled  and (default), therefore I can't modify this.

    And in :

    Registry subkey: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System

    Value name: GroupPolicyMinTransferRate

    Value type: DWORD

    Value Data: 0

    --> It don't have the forder value "system" after ...\window --> It only have 3 forder: currentversion, shell and shelnoram
    Which happen with PC using win xp.....PCs using win7 the GPO apply OK
    Can you help me handle this problem.

    thank so much!

    Ngobinh.
    Monday, August 6, 2012 7:12 AM
  • Hi All

    I am also having same issue mentioned by Ngobinh. Can not figure out these registry key.

    Can you pls. help me out.

    Regards

    Siddhpal Patel

    Friday, August 24, 2012 1:19 PM