VPN - GPO Problems

Guest

Hello all,

I am having problems with Group Policy being applied over my VPN. Most
policies are failing, including folder redirection and desktop settings. If I
physically connect the user's PC to the LAN and log in as the user, the user
will pick up their settings with cached credentials when I transport the PC
back to the remote site. Of course, if the user logs in to the computer for the
first time on site, or if I make any GPO changes, they will not apply. Clients
on the remote site are also receiving in the Event Viewer: error 1054 -
"Windows cannot obtain the domain controller name for your computer network.
(An unexpected network error occurred.). Group Policy processing aborted."

I do not use roaming profiles and do not experience any GPO problems on my
LAN. The VPN is set up between two 3Com firewalls using cable modems. I have
three DCs on my LAN (one of which is a mail server) and there are about 10
users at the remote site with no servers there. I am also sure the users and
computers are in their correct OU and I am not using any local GPOs at the
site. The only way I could get clients to connect from the remote site through
the VPN was to configure them with static IPs and enter WINS IP addresses in
the "WINS" tab of the clients' IP properties, but the clients' IP addresses are
showing up in DNS, I can ping by name, and connect using UNC path names.

I have performed a lot of research on this and here is a list of things I
have tried thus far:
1. Disabled "Detect slow links for GPO" at the domain level by setting it to
0.
2. When I tried to ping through the VPN using "ping -l 2048 [IP ADDRESS]" I
get no reply. In fact I only get up until about 1450 bytes before it fails. I
cannot find a way on either firewall to up the packet sizes... I may be SOL
here.
3. The DNS servers' network properties are pointing to their own IP addresses
for DNS.
4. There is not a root "." zone in DNS.
5. In all three DCs' Event Viewers I am receiving event warning "409 - The
DNS server list of restricted interfaces contains IP addresses that are not
configured for use at the server computer. Use the DNS manager server
properties, interfaces dialog, to verify and reset the IP addresses the DNS
server should listen on. For more information, see "To restrict a DNS server
to listen only on selected addresses"", but on the interfaces tab I have
selected "Only the following IP addresses" and entered only the IPs of the 3
DCs.
6. I ran "DCdiag /v" on all of the DCs, which passed.
7. I ran Netdiag from the clients on the LAN and remote site and received this
error only: "[WARNING] Failed to query SPN registration on DC
'server1.domain.org'." Not sure if this is a problem.
8. Ran "set" and "NSlookup" commands from a client and picked up a DC.
9. Ran "gpupdate /force" from the client.
10. Used Replmon and did not receive any errors.
11. I added subnets to "Sites and Services" for the LAN subnet and the remote
subnet, but did not do any other configuration here.
12. Ran "RSOP" on the client and had red X's and few GPOs applied.
13. I have not altered any of the security policies on the GPOs' ACLs and I'm
pretty sure I haven't created some sort of GPO conflict.

I'm starting to think there is something I missed in Sites and Services or
DNS, but am not sure. I also noticed that when I run "Gpresult /v" on the
client it tries to pick up the policies from the mail server, and when I click
on the "server" in DNS it says the server needs to be configured, but it was
configured and I can see all of the host files in the forward and reverse
lookup zones.

I know this is a lot of information, but I thought it would help eliminate
some further questions and maybe help someone else reading this post.

Thanks,

Brian
Kevin D. Goodknecht Sr. [MVP]

Brian33 said:
> Hello all,
>
> I am having problems with Group Policy being applied over
> my VPN. Most polices are failing, including folder
> redirection and desktop settings. If I physically connect
> the user's PC to the LAN and login as the user, the user
> will pick up their settings with cached credentials when
> I transport the PC back to the remote site. Of course if
> the user logins in to computer for the first time on
> site, or if I make any GPO changes they will not apply.
> Clients on the remote site are also receiving in the
> Event Viewer: error 1054 - "Windows cannot obtain the
> domain controller name for your computer network. (An
> unexpected network error occurred.). Group Policy
> processing aborted."
>
> I do not use roaming profiles and do not experience any
> GPO problems on my LAN. The VPN is set up between two
> 3Com firewalls using cable modems. I have three DC's on
> my LAN (one of which is a mail server) and there are
> about 10 users at the remote site with no servers there.
> I am also sure the users and computers are in their
> correct OU and I am not using any local GPO's at the
> site. The only way I could get clients to connect from
> the remote site thru the VPN was to configure them with
> static IP's and enter WINS IP addresses in the "WINS" tab
> of the clients IP properties, but the clients IP
> addresses are showing up in DNS, I can ping by name, and
> connect using UNC path names.
>
> I have performed a lot of research on this and here is a
> list of things I have tried thus far:
> 1. Disabled "Detect slow links for GPO" at the domain
> level by setting it to 0.
> 2. When I tried to ping through the VPN using the "Ping
> -l 2048 [IP ADDRESS]" I get no reply. In fact I only get
> up until about 1450 bytes before it fails. I cannot find
> a way on either firewall to up the packet sizes.I may be
> SOL here.

The internet MTU is 1500 bytes - 28 leaves an MTU of 1472 bytes using ping.

> 3. DNS server's network properties are pointing to their
> own IP addresses for DNS

What about the clients? What are they using for DNS?

> 4. There is not a root "." Zone in DNS
> 5. In all three DC's Event viewers I am receiving event
> warning "409- The DNS server list of restricted
> interfaces contains IP addresses that are not configured
> for use at the server computer. Use the DNS manager
> server properties, interfaces dialog, to verify and reset
> the IP addresses the DNS server should listen on. For
> more information, see "To restrict a DNS server to listen
> only on selected addresses" , but on the interfaces tab I
> have selected "Only the following IP addresses" and
> entered only the IP's of the 3 DC's.

Each DNS server, if on the DC, should listen only on the address that File
sharing is enabled on that particular DC/DNS server. This is only for the
"A" record for the FQDN of the DNS server.
Question: Is RAS on a DC with DNS installed?
If it is, follow this KB to fix this.
292822 - Name resolution and connectivity issues on a Routing and Remote
Access Server that also runs DNS or WINS:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q292822

> 6. I ran "DCdiag /v" on all of the DC's which passed.
> 7. I ran Netdiag from the clients on the LAN & remote
> site and received this error only: "[WARNING] Failed to
> query SPN registration on DC 'server1.domain.org'." Not
> sure if this a problem.
> 8. Ran "set" & "NSlookup" commands from client and picked
> up a DC

Does nslookup domain.org return the IP addresses of all domain controllers
that file sharing is enabled on?
Make sure that on all DCs that are multihomed the internal interface
that has file sharing enabled is at the top of the binding order. (Right
click Network Places, choose Properties, Advanced menu, select Advanced
Settings, move the interface that has file sharing enabled to the top of the
connections pane.)

Finally try netdiag /fix & DCdiag /fix on all DCs.
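Kevin's arithmetic (1500 byte MTU minus 20 bytes of IPv4 header and 8 bytes of ICMP header = 1472 byte ping payload) turned into a check you can run from a remote client. This is an added example, not code from the thread; it assumes Windows ping.exe, the function names are chosen here, and 10.1.1.16 (one of Brian's DCs) stands in for whatever host sits on the far side of the tunnel.

```powershell
# Added example: find the largest ICMP payload that crosses the VPN without
# fragmentation and derive the usable path MTU from it. A tunnel that silently
# drops oversized Don't-Fragment packets (the "black hole" Brian saw at ~1450
# bytes) shows up here as a ceiling well below 1472.
function Test-PingPayload {
    param([string]$Target, [int]$Size)
    # -f sets Don't Fragment, -l is the ICMP payload size, -n 1 sends one echo,
    # -w is the reply timeout in milliseconds
    $out = & ping.exe -f -l $Size -n 1 -w 2000 $Target 2>&1 | Out-String
    # A real reply reads "Reply from x.x.x.x: bytes=N ...". Both "Request timed
    # out." and "Packet needs to be fragmented but DF set." fail this test.
    return ($out -match 'Reply from [^:]+: bytes=')
}

function Find-PathMtu {
    param(
        [string]$Target,
        [int]$Low = 0,      # payload size that must work (sanity check)
        [int]$High = 1472   # 1500 - 28, the most a plain Ethernet path carries
    )
    if (-not (Test-PingPayload -Target $Target -Size $Low)) {
        throw "No reply even with a $Low-byte payload; check basic reachability first."
    }
    # Binary search: $Low always passes, anything above $High is assumed to fail
    while ($Low -lt $High) {
        $mid = [int][math]::Ceiling(($Low + $High) / 2)
        if (Test-PingPayload -Target $Target -Size $mid) { $Low = $mid } else { $High = $mid - 1 }
    }
    [pscustomobject]@{
        Target     = $Target
        MaxPayload = $Low
        PathMtu    = $Low + 28   # add the IPv4 + ICMP header overhead back
    }
}

# Usage: run from a client at the remote site against a host behind the tunnel.
# A PathMtu below 1500 is the amount of overhead the VPN encapsulation adds.
Find-PathMtu -Target '10.1.1.16'
```

The result is what to compare against the firewall's tunnel settings; it does not by itself change anything on the client.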
 
Guest

Thanks for the reply Kevin! I put your questions/suggestions below with my
answers. Hopefully it will be easy for you to read.

**Each DNS server if on the DC should listen only on the address that File
sharing is enabled on that particular DC/DNS server. This is only for the "A"
record for the FQDN of the DNS server.
-In DNS I went to the server's properties > Interfaces tab > "Only the
following IP addresses" is checked and lists only the IP address for that
DNS server.

**Question: Is RAS on a DC with DNS installed?
-No RAS on my network.

**Does nslookup domain.org return the IP addresses of All domain controllers
that file sharing is enabled on?
-Yes, but there is also an external subnet address, which is from my ISP. See
below:
C:\Documents and Settings\bpeffer>nslookup Domain.org
Server: file2.Domain.org
Address: 10.1.1.17
Name: Domain.org
Addresses: 10.1.1.18, 10.1.1.17, 10.1.1.16, 24.154.178.0


**Make sure that on all DCs that are multihomed that the internal interface
that has file sharing enabled is at the top of the binding order. (Right
click Network places, choose properties, Advanced menu, select Advanced
settings, move the interface that has file sharing enabled to the top of the
connections pane.
-I checked the IP properties again and made sure the correct IP address was
at the top and the server’s IP was listed as its own for primary DNS server.

**Finally try netdiag /fix & DCdiag /fix on all DCs.
-I ran netdiag /fix and DCdiag /fix and only received this error for Netdiag:
LDAP test. . . . . . . . . . . . . : Passed
[WARNING] Failed to query SPN registration on DC 'file1.domain.org'.
[WARNING] Failed to query SPN registration on DC 'file2.domain.org'.
[WARNING] Failed to query SPN registration on DC 'mail.domain.org'.
I read an article that said this error can occur when using an older version
of netdiag, so I don't think it is a problem.

**What about the clients? What are they using for DNS?
-Like I mentioned earlier, I had to configure the remote clients with static
IPs and WINS for the VPN to work for file sharing/internet etc. Here is what
I get when I run ipconfig /all from the remote site.
Windows IP Configuration

Host Name . . . . . . . . . . . . : computername
Primary Dns Suffix . . . . . . . : domain.org
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.org

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 3Com 3C920 Integrated Fast
Ethernet
Controller (3C905C-TX Compatible)
Physical Address. . . . . . . . . : 00-08-74-03-61-C5
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 20.20.20.240
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 20.20.20.1
DNS Servers . . . . . . . . . . . : 10.1.1.16
10.1.1.17
Primary WINS Server . . . . . . . : 10.1.1.16
Secondary WINS Server . . . . . . : 10.1.1.17

The IP addresses 10.1.1.16 and 10.1.1.17 are two of my DCs that are
running DNS, WINS, and DHCP. Notice that the "Connection-specific DNS Suffix"
is blank; that does not occur on the LAN.

Thanks for your help

Brian

 
Guest

I think I am getting close now, but I am just missing something stupid, so
any help would be greatly appreciated! I changed my remote firewall's DNS to
point to my ISP's DNS server and changed the DNS settings in the clients to
point at my internal DNS.

Now I noticed that the 1054 error is not appearing for the computer
settings when I reboot or run "gpupdate /target:computer", and the GPO
settings are applying even if I make changes to the GPO or move the computer
into a different OU. Also, if there is a current cached profile that has the
"Group Policy slow link threshold 0 kbps", it appears new GPOs will be applied
and no error 1054 will appear when logging in or running gpupdate.

The problem that still exists is that if a user logs in for the first time
remotely, the "User Settings" will not apply, the "Group Policy slow link
threshold" will be 500 kbps, and folder redirection and other settings fail.
If I run gpresult /v I get the error: "Info: The policy object does not
exist" and of course I get the 1054 error in Event Viewer.

Any other ideas? Anyone?

Thanks,

Brian

 
Guest

I thought that I had exhausted all of my resources, but then I found this
article:
http://lists.virus.org/ntbugtraq-0310/msg00049.html

I did re-configure my remote clients' static IP settings not to use WINS but
only my internal DNS servers. But I think the main problem was the ping
packet size (2048) being too high for my firewall. Since neither of my
firewalls will allow you to configure the packet size, this left me with the
method of editing the registry on my 10 remote clients. Once I did this, all
of the policies loaded and the 1054 error went away.

You need to add these keys:
•HKEY_LOCAL_MACHINE\software\Policies\Microsoft\Windows\System
"GroupPolicyMinTransferRate" DWORD set to 0
•HKEY_CURRENT_USER\software\Policies\Microsoft\Windows\System
"GroupPolicyMinTransferRate" DWORD set to 0

Since I had disabled "Group Policy slow link detection" in the Default Domain
Policy for users and computers, these settings already existed on my LAN, so I
just exported the LAN registry keys into a .REG file and double-clicked it at
the remote site. When you change the registry for HKEY_CURRENT_USER you will
either need to be logged in as the user (who may have a policy restricting
editing the registry), or use the Multi-Remote Registry Change v4 tool, which
is what I did. It is free for up to 10 users and seems to have worked really
well. http://www.eytcheson.com/mrrc.htm
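The two values from the post, written to both hives and read back, as an added example that is not Brian's .REG file or the MRRC tool. The function names are chosen here; the HKLM branch needs an elevated session, and the HKCU branch only reaches the hive of the user running the script, which is why other users' profiles needed a remote-registry tool in the post. With the threshold at 0 kbps, Group Policy treats every link as fast, so folder redirection and the other slow-link-gated settings will run over the VPN.

```powershell
# Added example: set GroupPolicyMinTransferRate (the slow-link threshold in
# kbps) under the Policies branch of HKLM and HKCU, then verify the stored value.
$ValueName    = 'GroupPolicyMinTransferRate'
$RelativePath = 'Software\Policies\Microsoft\Windows\System'

function Set-GpoSlowLinkThreshold {
    param(
        [ValidateSet('HKLM', 'HKCU')][string]$Hive,
        [int]$Kbps = 0   # 0 disables slow-link detection, as in the post
    )
    $key = "$($Hive):\$RelativePath"
    # The Policies branch is absent until a policy (or this script) creates it
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $ValueName -PropertyType DWord `
        -Value $Kbps -Force | Out-Null
}

function Get-GpoSlowLinkThreshold {
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive)
    $key  = "$($Hive):\$RelativePath"
    $item = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
    # $null means the value is absent and the 500 kbps default is in force
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

foreach ($hive in 'HKLM', 'HKCU') {
    Set-GpoSlowLinkThreshold -Hive $hive -Kbps 0
    '{0}: {1} = {2}' -f $hive, $ValueName, (Get-GpoSlowLinkThreshold -Hive $hive)
}
```

Run `gpupdate /force` afterwards; the next refresh reads the new threshold and, on the next logon, the user settings that were skipped as slow-link should apply.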

