GPO process aborted and event 1054 complaint about DNS

    Question

  • I recently built 4 virtual machines. They are all Windows 2003 R2 64-bit servers, but I see a problem: domain GPP fails to apply on these 2003 R2 servers.

    I have run GPupdate again, and the event log has error ID 1054 and complains about the DNS server, but I went through all the TCP/IP DNS settings; they are fine and validated. The SRV records are fine too. So what exactly is the problem? I did clone these servers.

    Event Type: Error
    Event Source: Userenv
    Event Category: None
    Event ID: 1054
    Date:  11/17/2010
    Time:  5:13:03 PM
    User:  NT AUTHORITY\SYSTEM
    Computer: xxxxxxxx
    Description:
    Windows cannot obtain the domain controller name for your computer network. (An unexpected network error occurred. ). Group Policy processing aborted.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    Wednesday, November 17, 2010 10:14 PM

Answers

  • Hello Sauga,

    Does this issue occur when windows firewall is turned off?

    Please check the following KB:

    Group Policies may not apply because of network ICMP policies
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;816045

    Brent
    • Marked as answer by Sauga Thursday, November 25, 2010 9:36 PM
    Tuesday, November 23, 2010 7:44 AM
    Moderator

All replies

  • Hello,

    if you talk about clones, are they sysprepped BEFORE using the clone? http://support.microsoft.com/kb/314828


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Wednesday, November 17, 2010 11:16 PM
  • I think it relates to the fact that our domain controller is behind a firewall. When I move one of these 4 servers into the same security zone/subnet as the domain controller, the GPO updates successfully without such an error event. Once I move it out of the DC subnet/security zone, the problem appears again.

    Here is the list of ports open on the Cisco network firewall to this DC. Can anyone verify if this is good for a DC to communicate with a member server?

    tcp eq 135
    tcp eq domain
    udp eq 389
    tcp eq 445
    tcp eq netbios-ssn
    udp eq netbios-ns
    tcp eq kerberos
    tcp eq 137
    tcp eq 138
    tcp eq ldap
    udp eq kerberos
    udp eq netbios-dgm
    udp eq netbios-ssn
    udp eq 445
    udp eq domain
    udp eq 1025
    tcp eq 1026
    udp eq ntp
    tcp eq 3268
    tcp eq 1025
    tcp eq ldaps
    udp eq 636
    tcp gt 1023

    Friday, November 19, 2010 5:46 PM
  • Hello,

    all needed firewall ports are listed here: http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx

    What about the sysprep question?


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Friday, November 19, 2010 8:56 PM
  • I don't think "not using sysprep" will cause such a problem or any other problem in the future. By reading, and by practice, I found that joining the domain and generalizing and specializing a new server clone without the sysprep out-of-box experience works for me.

    Friday, November 19, 2010 10:33 PM
  • Thanks for the link. I think that the firewall is the problem. UDP greater than 1024 is not open, and it has caused the GPO failure. I need to wait until next week to get this fixed by our firewall admin.
    Friday, November 19, 2010 10:35 PM
  • Hello,

    maybe we should have a look at the DNS of the machines; please post an unedited ipconfig /all from the DC/DNS and a problem machine.

    Using non-sysprepped images will result in problems with applying GPOs and some more. That's the reason that sysprep must be used, also to get full support from Microsoft.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Saturday, November 20, 2010 8:55 AM
  • Thanks... it was fixed after the network team opened ICMP to this domain controller.

    Thursday, November 25, 2010 9:45 PM
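
An added example, not part of the thread or of any Microsoft tooling: a small Python audit of the firewall rule list posted above against a baseline of member-server-to-DC traffic. The baseline is an assumption (the commonly documented Active Directory ports plus the ICMP requirement that resolved this thread), and the function names are hypothetical.

```python
# Cisco ACL service keywords used in the thread, mapped to port numbers.
NAMES = {"domain": 53, "kerberos": 88, "ldap": 389, "ldaps": 636,
         "netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139, "ntp": 123}

# The rule list as posted in the thread, joined with ';' to save space.
POSTED = """tcp eq 135; tcp eq domain; udp eq 389; tcp eq 445; tcp eq netbios-ssn;
udp eq netbios-ns; tcp eq kerberos; tcp eq 137; tcp eq 138; tcp eq ldap;
udp eq kerberos; udp eq netbios-dgm; udp eq netbios-ssn; udp eq 445;
udp eq domain; udp eq 1025; tcp eq 1026; udp eq ntp; tcp eq 3268;
tcp eq 1025; tcp eq ldaps; udp eq 636; tcp gt 1023"""

# Assumed baseline (not from the thread): commonly documented AD member-to-DC
# ports, plus ICMP, which Group Policy processing on Windows 2003 relies on.
REQUIRED = [("icmp", None), ("tcp", 53), ("udp", 53), ("tcp", 88), ("udp", 88),
            ("udp", 123), ("tcp", 135), ("tcp", 389), ("udp", 389),
            ("tcp", 445), ("tcp", 464), ("udp", 464), ("tcp", 3268)]

def parse(text):
    """Turn 'proto op port' entries into (proto, op, port) tuples."""
    rules = []
    for entry in text.replace("\n", ";").split(";"):
        parts = entry.split()
        if not parts:
            continue
        if parts[0] == "icmp":            # e.g. 'icmp echo': no port to match
            rules.append(("icmp", "any", None))
        elif len(parts) == 3:
            proto, op, port = parts
            rules.append((proto, op, NAMES[port] if port in NAMES else int(port)))
    return rules

def permitted(rules, proto, port):
    """True if any rule of the same protocol covers the port."""
    for r_proto, op, r_port in rules:
        if r_proto != proto:
            continue
        if proto == "icmp" or (op == "eq" and port == r_port) or (op == "gt" and port > r_port):
            return True
    return False

def missing(rules, required=REQUIRED):
    """List baseline entries that no posted rule permits."""
    return [f"{p}/{n}" if n else p for p, n in required if not permitted(rules, p, n)]

if __name__ == "__main__":
    for gap in missing(parse(POSTED)):
        print("not permitted:", gap)
```

Run against the posted list, the audit reports ICMP as absent, which matches the fix the network team eventually applied.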