Group Policy loading


Brent

Hello everyone,

Here is the problem that I am having. I have a system
that I am working on now that is a Dell OptiPlex SX270
computer running Windows XP Pro. The system has a built
in Intel Gig NIC, I have also connected a Dell TrueMobile
1180 USB Wireless Network Adapter which connects via
USB. The issue that I have is that GPO's assigned to the
computer are not loading if the system is using the
wireless adapter only. If the system is connected via
the Ethernet cable then the computer GPO's process. We
currently install and update our antivirus software using
the Software Installation option on the computer
configuration section to assign the software to the
computers in the domain.

If the computer only has the USB NIC and no wired network
connector the following errors are in the event log.

System
Netlogon Event ID: 5719
No Domain Controller is available for domain due to the
following:
There are currently no logon servers available to service
the logon request...

Application
Userenv Event ID: 1054
Windows cannot obtain the domain controller name for your
computer network. (The specified domain either does not
exist or could not be contacted.) Group Policy
processing aborted.

If the system has the wired Ethernet connection then I do
not get these error messages in the event log during
startup and the GPO's process and the software installs.
I have had no problems with logging into the domain with
a domain user account with the computer on wireless only.

Is there a problem with using USB NIC's and computer
GPO's? Is the USB port and USB network adapter not
getting initialized in time for the GPO's to get loaded?
I don't know what the timeline is for drivers to get
loaded and Active Directory processing.

So far I have checked another system that we have just
like this one and it is having the same problems.
However it appears that we have not had this problem with
desktops using PCI wireless NIC's and laptops that use
mini PCI or PCMCIA wireless NIC's.

Thanks for anyone's help.
Brent
 
Hi Brent,

The 5719 error stating, "No Domain Controller is available for domain due
to..." is probably the best place to start. You need to verify that the
workstations can ping the DCs when they connect using the Wireless
connections.

If they can ping the DCs by shortname and by FQDN then verify they can
connect to \\domain.com\sysvol.

Verify the IP Settings are correct when the wireless is being used and that
they are getting the correct DNS servers and IP Address. If these are not
working then group policy will not process and then you might want to direct
this post to the Networking newsgroup.
 
Hello David,

Thanks for the response.

The system can ping the DC's on wireless only. They can connect and open
the domain sysvol. The system is also getting a valid IP address from the
DHCP server with all valid DNS, WINS, Gateway and subnet mask addresses.

I have also tried a Compex LinkPort/UE202-B Ethernet to USB adapter and get
the same issue.

Brent
 
Hi Brent,

What OS are the workstations using? Are you using ipsec?

Since you are able to connect to \\domain\sysvol, try running the following
command after you login and see if policies apply or not:

secedit /refreshpolicy machine_policy /enforce (Windows 2000)

and/or

gpupdate /force (Windows XP and 2003)

After running the group policy update check the Application event log for a
blue Informational Event ID: 1704. It should state the group policy was
applied successfully.

If these workstations are Windows XP make sure Fast Logon Optimization is
Disabled. As a test on one machine open gpedit.msc and go to "Computer
Configuration\Administrative Templates\System\Logon" and set the "Always wait
for the network at computer startup and logon" to Disabled. Refresh the
policy, reboot and see if the errors no longer occur.

NOTE: Disabling this could cause logon to take longer but it would act
like Windows 2000 and wait for the network stack to fully load before
attempting to apply policies.

--

David Everett
Microsoft Corporation


This posting is provided "AS IS" with no warranties, and confers no rights.
 
Response under questions.

-----Original Message-----
Hi Brent,

What OS are the workstations using? Are you using ipsec?

Windows XP Pro SP1 with all current updates. I believe
we are not using ipsec, I have not enabled it on anything.

Since you are able to connect to \\domain\sysvol, try running the following
command after you login and see if policies apply or not:

gpupdate /force (Windows XP and 2003)

After running gpupdate /force I received the following
text:

User Policy Refresh has completed
Computer Policy Refresh has completed

Certain User policies are enabled that can only run
during logon.
Certain computer policies are enabled that can only run
during startup.

Ok to Reboot

After running the group policy update check the Application event log for a
blue Informational Event ID: 1704. It should state the group policy was
applied successfully.

In the event log the following was logged:
Event ID: 1704
Security policy in the Group Policy objects has been
applied successfully.

If these workstations are Windows XP make sure Fast Logon Optimization is
Disabled. As a test on one machine open gpedit.msc and go to "Computer
Configuration\Administrative Templates\System\Logon" and set the "Always wait
for the network at computer startup and logon" to Disabled. Refresh the
policy, reboot and see if the errors no longer occur.

This has already been in place for a few months on the
domain because of the Antivirus software that we install
via GP software installation.

On the system it lists State 1 for the SyncForegroundPolicy
after running the Resultant Set of Policy MMC snap in.
 
The problem only appears to be during start up. After
the system starts and displays the "Press Ctrl-Alt-Del"
screen the system and network connection acts fine.

Brent
 
It appears there are no issues getting policies to manually apply once you
have logged onto the workstation.

You may want to redirect this post to the
"microsoft.public.windows.networking.wireless" newsgroup and see if there
are any known issues with using USB Wireless NICs.

1. Make sure you have the latest firmware for the wireless adapter and the
latest drivers.

2. Make sure you have the following hotfixes installed on the USB Wireless
systems:

826942 Wireless Update Rollup Package for Windows XP is Available
http://support.microsoft.com/?id=826942

815485 Overview of the WPA Wireless Security Update in Windows XP
http://support.microsoft.com/?id=815485
 
Thanks for the help David. I created a post in the wireless networking
group to see.

Brent
 
I have also posted this problem in the Microsoft wireless networking
newsgroups and have only gotten a response that it is a known problem that
GPO times out after 2-3 seconds.

Has Microsoft tested Windows XP Pro systems using USB network adapters and
domain computer GPO's? If it is a known issue that computer GPO's will not
process with systems using USB network adapters are there any plans on
updating Windows with a fix?

Thank you,
Brent
 
I'm not aware of any known issues using a USB Wireless NIC and getting
computer policy settings applied. You should consider opening a case and if
it is found to be a bug in the OS you will not be charged for the incident
and a hotfix will be created.

Do you have the latest firmware for the wireless adapter and the latest
drivers?

Do you have the following hotfixes installed on the USB Wireless systems?

826942 Wireless Update Rollup Package for Windows XP is Available
http://support.microsoft.com/?id=826942

815485 Overview of the WPA Wireless Security Update in Windows XP
http://support.microsoft.com/?id=815485
 
I have seen the same issue with almost all of our Dell Optiplex pc's
using USB wireless NICs. Have you found a solution to the problem?

Thanks
 
The wireless USB network adapter has the latest firmware
and the system is running the latest drivers. I do have
the 826942 and 815485 hotfixes installed on the system.
Still does not work.

Brent
 
So far I have not found a solution yet.

Brent

-----Original Message-----
I have seen the same issue with almost all of our Dell Optiplex pc's
using USB wireless NICs. Have you found a solution to the problem?

Thanks
 
I have also experienced this problem with almost exactly
the same setup. Here is a copy of a support incident that
I have just set up with Microsoft. There is a fix you can
put in in the mean time. (NB You might find a copy of this
message on an Internet forum saying that I think it's the
Dell drivers. I posted that yesterday but after research
it seems to be a problem with XP, not the Dell drivers):

My support incident to Microsoft starts here:

I am experiencing a problem with a Dell OptiPlex SX270 and
a Dell TrueMobile 1180 USB 802.11b wireless card,
connecting to a Buffalo WLA-G54 Wireless Access Point. I
have installed the latest wireless rollup (826942) and the
latest Dell and Buffalo firmware and drivers but to no
avail. This is a clean RIS install of Windows XP SP1 with
all the latest hotfixes using the Microsoft Wireless Zero
Configuration service, so there's no dodgy software or
settings. I am also using the SyncForegroundPolicy
('Always wait for the network at computer startup and
logon') option to make Windows XP wait for the network to
start up before attempting to apply Group Policy.

I have also tried using another manufacturer's drivers
(SiteCom's WL-012 driver) by editing the PCIID in the .inf
file to match that of the Dell TrueMobile card. These
SiteCom drivers are a lot more up to date and work fine on
the Dell card for normal network operations but still have
the problem described below. This makes me think that the
problem is not with the drivers but with Windows XP itself.

The problem is that Group Policy objects are not applying
to the system when the system is booted with only the
wireless card connected. The Application Event Log
contains the following error:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1054
Date: 17/03/2004
Time: 11:09:17
User: NT AUTHORITY\SYSTEM
Computer: CON01
Description:
Windows cannot obtain the domain controller name for your
computer network. (The specified domain either does not
exist or could not be contacted. ). Group Policy
processing aborted.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

And the System Event Log contains the following error:

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5719
Date: 17/03/2004
Time: 11:09:17
User: N/A
Computer: CON01
Description:
No Domain Controller is available for domain CRGS due to
the following:
There are currently no logon servers available to service
the logon request. .
Make sure that the computer is connected to the network
and try again. If the problem persists, please contact
your domain administrator.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 5e 00 00 c0 ^..À

Once the system has fully booted up, however, any user is
able to log on to the network and use the network
resources without problems.

If I boot up with the wired connection the GPO *does*
apply properly and everything works as it should.

It seems that Windows XP does not wait long enough for the
wireless card to initialize, negotiate a speed and set up
WEP before attempting to apply Group Policy. But the
wireless card setup does finish in time for the Ctrl-Alt-
Del logon screen so users are still able to log on without
problems. The wired connection does not have this problem
because it does not take so long to start up.

There is one 'easy' method of fixing the problem, but it
has a side effect. If I follow the instructions at MSKB
article 239924 to enable the DisableDHCPMediaSense key
it'll fix the problem but the side effect is that the
computer takes a *long* time on the 'Preparing network
connections' section of starting up Windows XP, which is
not acceptable. My theory is that this doesn't fix the
problem but just makes the computer wait so long to
prepare the network connections that the wireless card is
able to fully initialize before Group Policy starts.

I think it is to do with XP itself rather than the Dell
drivers. I had this problem when we first started using
Buffalo WLA-CB-G54 PCMCIA wireless cards in our laptops
here, but the problem seems to have largely cured itself.
I did update the Buffalo drivers, which seems to have
helped, but sometimes the problem still occurs even on the
Buffalo cards. However it is intermittent, whereas the
Dell cards do it 99% of the time. Maybe the newer Buffalo
drivers are faster than the older Buffalo drivers and the
Dell drivers at connecting to the wireless network, so
they do not show this problem?

The problem may also manifest itself when the computer has
bad wireless coverage - as when the coverage is poor XP
doesn't wait long enough for the card to negotiate down to
the lower speed so that packets can get through.

It may also have something to do with the fact that I use
a Buffalo WLA-G54 802.11g wireless access point and the
TrueMobile 1180 USB is an 802.11b card. Maybe it takes
that little bit longer to negotiate the lower speed? In
any case, either the TrueMobile drivers or XP itself
shouldn't be giving the 'all clear' to start the GPO
application until the network negotiation is successful.

It may also be related to how 'loaded up' the computer is
(a race condition). Most of the laptops that have Buffalo
cards also have Visual Studio .NET 2003 installed and a
whole load of other stuff: they never have this problem.
Other laptops with Buffalo cards that don't have so much
software installed sometimes have this problem. The Dell
computers with the TrueMobile 1180 have similar amounts
of 'stuff' as these laptops but always have the problem.
Of course, all of the computers have different processor
speeds. This makes me think it might be a combination of
the USB drivers taking longer to start up properly and an
XP race condition.

One other interesting registry key that I would *expect*
to fix the problem is the one documented in these MSKB
articles:

http://support.microsoft.com/default.aspx?scid=KB;en-us;202840
http://support.microsoft.com/default.aspx?scid=KB;en-us;163204

The ExpectedDialupDelay key is supposed to make Windows
wait longer before trying to contact the domain
controller, which is exactly what we need it to do.
However, this key seems to have no effect on the Group
Policy applicator for Windows XP, and in fact XP isn't
listed under the 'The information in this article applies
to' section of the articles. Has the key been removed or
moved under XP, or does it simply not apply to the Group
Policy applicator at startup time?

The best fix would be to put a wait condition so that the
computer checks that all wireless cards (and indeed other
network cards) and the Wireless Zero Configuration Service
(or other client software) have had a chance to fully
initialize before Group Policy starts. Alternatively, the
Group Policy applicator could be configured to use the
ExpectedDialupDelay registry entry or another, new
registry entry, to wait for a certain number of seconds
before attempting to connect to the network. If a new
registry key is created, it would be extremely helpful if
it was possible to set this key inside Group Policy just
as you can with ExpectedDialupDelay, but I do not see why
ExpectedDialupDelay could not be used for both purposes.

Thank you very much for your attention. Please contact me
if you are unsure about any of the above.
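
The pairing of Userenv 1054 with NETLOGON 5719 described in the support incident above can be checked across exported event logs to find machines that miss startup-only computer policy, such as an assigned antivirus package. This is an added example, not part of the original post; the host names, sample records and the 60-second pairing window are constructed assumptions, and a later Event ID 1704 is treated as the sign that policy applied once the link was up.

```python
import re
from datetime import datetime, timedelta

# Header fields of an Event Viewer text export, in the layout quoted in the thread.
FIELD = re.compile(r"^(Event Source|Event ID|Date|Time|Computer):[ \t]*(\S.*?)[ \t]*$", re.M)

def parse_events(text):
    """Split the export on 'Event Type:' lines and keep the header fields."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        f = dict(FIELD.findall(chunk))
        if len(f) < 5:
            continue  # preamble or truncated record
        events.append({
            "source": f["Event Source"].lower(),
            "id": int(f["Event ID"]),
            # The logs in the thread use dd/mm/yyyy dates.
            "when": datetime.strptime(f"{f['Date']} {f['Time']}", "%d/%m/%Y %H:%M:%S"),
            "host": f["Computer"],
        })
    return events

def startup_gpo_aborts(events, window=timedelta(seconds=60)):
    """Return (host, time, applied_later) for each Userenv 1054 that has a
    NETLOGON 5719 on the same host within `window` (an assumed pairing window)."""
    findings = []
    for e in events:
        if (e["source"], e["id"]) != ("userenv", 1054):
            continue
        same_host = [o for o in events if o["host"] == e["host"]]
        no_dc = any(o["source"] == "netlogon" and o["id"] == 5719
                    and abs(o["when"] - e["when"]) <= window for o in same_host)
        if no_dc:
            # A later 1704 means a refresh succeeded after boot; startup-only
            # settings (software installation) were still skipped at that boot.
            applied_later = any(o["id"] == 1704 and o["when"] > e["when"] for o in same_host)
            findings.append((e["host"], e["when"], applied_later))
    return findings

def _record(kind, source, event_id, time, host):
    # Builds one constructed record in the exported text layout.
    return (f"Event Type: {kind}\nEvent Source: {source}\nEvent Category: None\n"
            f"Event ID: {event_id}\nDate: 21/04/2004\nTime: {time}\nUser: N/A\n"
            f"Computer: {host}\nDescription:\n(constructed sample)\n\n")

# Constructed sample: WKS-A recovers after boot, WKS-B never does,
# WKS-C logs 1054 without the matching 5719 and is not reported.
SAMPLE = "".join([
    _record("Error", "NETLOGON", 5719, "11:09:17", "WKS-A"),
    _record("Error", "Userenv", 1054, "11:09:17", "WKS-A"),
    _record("Information", "SceCli", 1704, "11:14:02", "WKS-A"),
    _record("Error", "NETLOGON", 5719, "08:30:05", "WKS-B"),
    _record("Error", "Userenv", 1054, "08:30:09", "WKS-B"),
    _record("Error", "Userenv", 1054, "09:00:00", "WKS-C"),
])

if __name__ == "__main__":
    for host, when, later in startup_gpo_aborts(parse_events(SAMPLE)):
        print(host, when.isoformat(), "policy applied later" if later else "no later 1704")
```

A host reported with no later 1704 points to a domain controller that stays unreachable rather than the startup timing problem discussed in this thread.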
 
Thank you for this information Christopher. I have been
on the phone with Dell over 5 or 6 hours and talked to
four technicians and none of them knew what the problem
was and how to fix it.

I too have tried adjusting the ExpectedDialupDelay
setting in the local GPO of the system that I have been
experimenting with to find a solution. I have also
changed the "Software Installation policy processing"
(because we are installing our Antivirus software by
assigning the package to the domain computers) and
the "Group Policy slow link detection" GPO's and they
also do not seem to help.

If you get any more information on this or a possible fix
from Microsoft could you please let me know.
 
Glad to help. Did you give the DisableDHCPMediaSense key a
try? I worked out that the reason why this fixes the
problem is that the builtin *wired* NIC takes ages to boot
up when this key is enabled and the wired NIC isn't
connected in to the network. If you disable the wired NIC
the DisableDHCPMediaSense key doesn't help. It's a good
fix for the mean time though.

Which all backs up my hypothesis (and the one from the
wireless newsgroup) that Group Policy is just timing out.

Regarding the support incident, I'm just trying to
persuade them to give me a free support incident. I used
one of my two free XP incidents to raise the issue, but
the guy responded and said that the problem was with
Windows Server 2003 instead of XP. I know that the bug is
in XP, not 2K3, but he is just an XP standalone support
guy. The 2K3 team is probably better placed to fix the
problem. So I'm asking him to provide me with a free
incident for 2K3... I'll let you know how I get on. Don't
really want to splash out £80 on a paid support incident...

Chris
 
I have not had a chance to test the DisableDHCPMediaSense
key. We are down a few technicians so there are just two of us
working right now and my workload has increased. I will
try it out next week to see what results I get. Also as
a note we are still using Windows 2000 server, so if it
is a bug in the server OS then it is older than Win 2K3.

 
Hi,

I've got exactly the same behaviour. When I ping the
machine during the boot process, the first reply I get is
long after the machine tries to apply the GP. When using a
wired connection GP application works fine.

Have you found a solution for the problem?

Alex
 
This is quite an old thread, but I recently experienced the same
behaviour connecting the new Intel D915GUX motherboard based computer
to a domain.
I tested it in several different configurations, starting with a "live"
network and ending with a freshly installed W2003 DC and the XP
workstation connected directly with a crossed cable (forced 100Mbps
full duplex to eliminate speed negotiation) - the result was always the
same. The OS on the workstation was Win XP (tested with SP1 and SP2,
same results).
The motherboard utilizes an on-board Marvell Yukon 1GB network card.
When I disabled this on-board card and installed an additional PCI
network adapter, the error messages disappeared and group policies were
applied correctly. The same (without problem) with a different
motherboard with an on-board Intel chip based network card.
My conclusion is that this behaviour is not (only) caused by Win XP but
has something to do with network drivers.
 