GPO's Not Replicating

[tbaze]

I'm having a great deal of trouble getting GPs to pull over the domain. I've beaten my head against the wall and just cannot resolve it.

So, currently -

• dcdiag turns up no errors on the pdc.
  ipv6 is turned off.
  domain authentication works perfectly.
  I cannot telnet to port 389 on the DC but I can telnet to 23 (after enabling telnet server). It shows that it is listening on 389 in netstat.
  SYSVOL properties are as they should be.
  DC2 replicates/pulls the GP fine. It's everything outside of those 2 that does not.
  The PDC/DNS server is using its own IP for DNS.
  GPResult reads:
  Group Policy Infrastructure failed due to the error listed below.
  
  The network is not present or not started.
  
  Note: Due to the GP Core failure, none of the other Group Policy components processed their policy. Consequently, status information for the other components is not available.

I've done a number of other things but cannot remember them all off the top of my head.

[tbaze]

GPResult from GPUpdate and Group Modeling Report found here - http://cid-acd77f58b67d0b4a.skydrive...e.aspx/.Public

[Big Fish]

Have you checked whether Windows Firewall is turned on? Can you post the ipconfig /all results? Also post the "dcdiag.exe /c /v" results from both domain controllers, you can also do dcdiag /c /e /v where the "/e" will do it for all Domain Controllers. Have you checked the Event Logs?

[tbaze]

Windows Firewall Service is disabled.

IPConfig
Windows PowerShell
Copyright (C) 2009 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : M1CMS001
Primary Dns Suffix . . . . . . . : testadservs.net
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : testadservs.net

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82575EB Gigabit Network Connection
Physical Address. . . . . . . . . : 00-30-48-BC-83-5F
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 172.17.250.51(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.17.250.5
DNS Servers . . . . . . . . . . . : 172.17.250.51
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{563CB7A9-906E-4C07-B724-0D66853F044B}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

DCDiag:

I was futzing around with FRS today a bit so is likely the cause of a couple of the event log errors.

Directory Server Diagnosis

Performing initial setup:
Trying to find home server...
* Verifying that the local machine M1CMS001, is a Directory Server.
Home Server = M1CMS001
* Connecting to directory service on server M1CMS001.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=testadservs,DC=net,LDAP_SCOPE_SUBTREE,(object Category=ntDS
SiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=testadservs,CN=Sites,CN=Configuration,DC=testadservs,DC=net
Getting ISTG and options for the site
* Identifying all servers.

[Janos™]

So you blew away the whole AD environment and then made a totally new AD Forest and domain, if that is the case, then have you disjoined and then joined the client to the new domain? Normally, Clients locate DCs by DNS, specifically the SRV records. Incase you see a DC that doesnt exist in the logs, it may be from DNS. Guessing you kept the same DNS name, have you deleted the old zones and allowed DCPROMO to create new ones at the time of promotion?

[tbaze]

Yes, that's precisely what I did. DCPromo'd the secondary, removed - DCPromo'd the primary, removed/deleted domain. I did not perform any manual deletion of DNS zones, etc. I subsequently re-installed Windows Server 2008 (Windows first instance was moved to Windows.old).

I thought maybe there was a caching issue on old servers so I stood up a new VM and tried a GPUpdate there which resulted in a domain name that we've never had, at all. I checked all the SRV records in DNS and saw no mention of either the old domain servers or the new "domain". Going to \\testadservs.net\sysvol works without issue... I'm *this* close to calling Microsoft. :(

On new server:

COMPUTER SETTINGS
------------------
CN=TMPENT2K8,CN=Computers,DC=testadservs,DC=net
Last time Group Policy was applied: 1/3/2010 at 11:16:33 PM
Group Policy was applied from: N/A
Group Policy slow link threshold: 500 kbps
Domain Name: 37L4247D25-07 (no idea where this is from)
Domain Type: WindowsNT 4

[agarwalm11]

So, it seems to have cleaned itself up. For the Event id 1129, its a normal message, possibly appearing before FRS and everything getting straightened out. Check the link here for more information - http://eventid.net/display.asp?event...Policy&phase=1

[tbaze]

So it'd have you believe. :(

Still fails, same Eventlog error.

Modeling from the GPMC succeeds, no errors.

GPResults still results in:

Group Policy Infrastructure failed due to the error listed below.

The network is not present or not started.

Note: Due to the GP Core failure, none of the other Group Policy components processed their policy. Consequently, status information for the other components is not available.

Additional information may have been logged. Review the Policy Events tab in the console or the application event log for events between 1/4/2010 5:51:14 PM and 1/4/2010 5:51:17 PM.

Note, it's had this error the entire time.