Hello everyone,
I've been bashing my head against an issue I've encountered at my new job as a sysadmin - I need to deploy an inventory software via GPO (OCSInventory). Going through the software's documentation, I prepared everything required (startup/logon script and executable), created the GPO and... nothing. Now, some overview: we have four domain controllers spread out across three sites (a site and a failed DC had to be decommissioned, which I did cleanly with dcpromo /forceremoval and metadata cleanup). AD is a mess inherited from someone else, but I've verified that SYSVOL replication (DFS) is normal, DNS is configured and is working properly, and accounts are set up correctly.
Workstations are Windows 7 Pro x64 SP1 fully updated. Servers are Windows Server 2008 R2 x64.
GPO: startup script at %SYSVOL%\-domain-\Policies\-GPO-\Machine\Scripts\Startup invokes a silent installation and connection to webserver of an executable that's located in the same folder as the scripts (per OCSInventory's instructions).
Synchronous deployment ("Always wait for network...") is Enabled. Gpresult shows that the GPO is applied and not filtered out but script doesn't run.
When I start a workstation, I get the following errors:
Log Name: System
Source: NETLOGON
Date: 1/30/2017 9:06:35 AM
Event ID: 5719
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: COMPUTER.DOMAIN.com
Description:
This computer was not able to set up a secure session with a domain controller in domain DOMAIN due to the following:
There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.
ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="NETLOGON" />
<EventID Qualifiers="0">5719</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2017-01-30T07:06:35.000000000Z" />
<EventRecordID>9446</EventRecordID>
<Channel>System</Channel>
<Computer>COMPUTER.DOMAIN.com</Computer>
<Security />
</System>
<EventData>
<Data>DOMAIN</Data>
<Data>%%1311</Data>
<Binary>5E0000C0</Binary>
</EventData>
</Event>
Log Name: System
Source: Microsoft-Windows-GroupPolicy
Date: 1/30/2017 9:06:35 AM
Event ID: 1055
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: COMPUTER.DOMAIN.com
Description:
The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
<EventID>1055</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>1</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-01-30T07:06:35.656019900Z" />
<EventRecordID>9513</EventRecordID>
<Correlation ActivityID="{FED3F85B-CD89-45F8-917D-2178EAE88BF9}" />
<Execution ProcessID="400" ThreadID="1188" />
<Channel>System</Channel>
<Computer>COMPUTER.DOMAIN.com</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="SupportInfo1">1</Data>
<Data Name="SupportInfo2">2052</Data>
<Data Name="ProcessingMode">1</Data>
<Data Name="ProcessingTimeInMilliseconds">0</Data>
<Data Name="ErrorCode">1355</Data>
<Data Name="ErrorDescription">The specified domain either does not exist or could not be contacted. </Data>
</EventData>
</Event>
Until last week the workstations also generated the following errors:
Log Name: System
Source: Microsoft-Windows-Time-Service
Date: 1/27/2017 3:02:26 PM
Event ID: 129
Task Category: None
Level: Warning
Keywords:
User: LOCAL SERVICE
Computer: COMPUTER.DOMAIN.com
Description:
NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Time-Service" Guid="{06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB}" />
<EventID>129</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-01-27T13:02:26.589472000Z" />
<EventRecordID>9375</EventRecordID>
<Correlation />
<Execution ProcessID="1008" ThreadID="2068" />
<Channel>System</Channel>
<Computer>COMPUTER.DOMAIN.com</Computer>
<Security UserID="S-1-5-19" />
</System>
<EventData Name="TMP_EVENT_DOMAIN_PEER_DISCOVERY_ERROR">
<Data Name="ErrorMessage">The entry is not found. (0x800706E1)</Data>
<Data Name="RetryMinutes">3473457</Data>
</EventData>
</Event>
I got this resolved after noticing that the main site DC1 was configured with the loopback address 127.0.0.1 ONLY in the DNS Servers in the IPv4 Network Adapter properties -> I added the other site DCs as DNS servers, although I left the loopback address as primary DNS as this is the only DC in the main site. I also had to reboot it to complete the removal of properties from the removed site/DC, and I haven't seen the NTP errors recur (note that workstations are getting time properly).
Now here comes the weird part...
I booted some VMs on my workstation. One clean Windows 7 x64, one updated to SP1, one fully updated. ALL deployed the GPO. Ran gpresult /R and rsop.msc and the GPO is applied normally, no errors at all. The software is being installed at startup.
I also noticed that if I tested by disabling and enabling the GPO to a test group of PCs after they have booted up and connected to the network, they're not generating errors in the event logs. New settings from GPO are being applied.
This leads me to believe that the network adapters aren't starting fully or there are some networking issues that prevent the startup script from executing, as it takes time for the machines to log in and authenticate to the DC, but I am at a loss as to why.
Any ideas would be greatly appreciated...
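The symptoms above (NETLOGON 5719 and Group Policy 1055 logged at the same second during boot, the GPO applying fine once the machine is up) are the pattern you want to confirm with timestamps rather than by eye. The following PowerShell diagnostic is an added example, not code from the original post or from OCSInventory. It assumes PowerShell 2.0 or later (Get-WinEvent) run from an elevated prompt on an affected Windows 7 client, that nltest.exe and nslookup.exe are present (both ship with Windows 7), and it uses its own choice of event IDs and look-back window; the 4018/5018 operational-log IDs for startup-script start/end are an assumption to verify against your own log.

```powershell
# Boot-time Netlogon / Group Policy timeline check for a domain-joined Windows 7 client.
# Added diagnostic example, not from the original post or from OCSInventory.
# Assumes: PowerShell 2.0+, elevated prompt, nltest.exe and nslookup.exe available.
param([int]$Hours = 24)   # look-back window; this example's own default

$since  = (Get-Date).AddHours(-$Hours)
$domain = $env:USERDNSDOMAIN

# 1. Confirm "Always wait for the network at computer startup and logon" is in force on this box.
#    The policy writes SyncForegroundPolicy=1 under the Winlogon key; 0 or absent means async processing.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$sync = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).SyncForegroundPolicy
Write-Output ("SyncForegroundPolicy = {0}  (1 = wait for network before running startup scripts)" -f $sync)

# 2. One timeline per boot from the System log, with seconds since the OS started. IDs used:
#    Kernel-General 12 = OS started; NETLOGON 5719 = no DC reachable; GroupPolicy 1055/1030 = GP failed;
#    GroupPolicy 1500/1502 = computer policy processed; Time-Service 129 = no time peer found.
$ids = 12, 129, 1030, 1055, 1500, 1502, 5719
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; StartTime = $since; Id = $ids } `
          -ErrorAction SilentlyContinue | Sort-Object TimeCreated

$boot = $null
foreach ($e in $events) {
    if ($e.Id -eq 12 -and $e.ProviderName -eq 'Microsoft-Windows-Kernel-General') {
        $boot = $e.TimeCreated
        Write-Output ("`n=== Boot at {0} ===" -f $boot)
        continue
    }
    if ($boot) { $offset = '{0,6:N0}s' -f ($e.TimeCreated - $boot).TotalSeconds }
    else       { $offset = '     ?' }
    # The first line of the message is enough to see what failed and why.
    $first = ($e.Message -split "`r?`n")[0]
    Write-Output ("{0}  {1,-32} {2,5}  {3}" -f $offset, $e.ProviderName, $e.Id, $first)
}

# 3. Did the startup-script phase run at all? In Microsoft-Windows-GroupPolicy/Operational, 4018 is taken
#    here to mark the start of startup-script processing and 5018 its completion (assumed IDs; verify).
$op = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-GroupPolicy/Operational'
                                       StartTime = $since; Id = 4018, 5018 } -ErrorAction SilentlyContinue
if ($op) {
    $op | Sort-Object TimeCreated |
        Format-Table TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } -AutoSize
} else {
    Write-Output "`nNo startup-script start/end events (4018/5018) in the GP operational log since $since."
}

# 4. Live checks now that the network is up: DC locator, SRV records, and the SYSVOL policies share.
Write-Output "`n--- nltest /dsgetdc:$domain ---"
nltest /dsgetdc:$domain 2>&1
Write-Output "`n--- DC SRV records ---"
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain" 2>&1
$sysvol = "\\$domain\SYSVOL\$domain\Policies"
Write-Output ("`nSYSVOL policies folder reachable: {0}  ({1})" -f (Test-Path $sysvol), $sysvol)
```

Run it on a physical workstation that skips the script and on one of the VMs that installs it, and compare the offsets: 5719 and 1055 landing within a second or two of event 12, followed much later by a 1500/1502, is consistent with computer policy running before the NIC had a usable link, which the live checks in step 4 will not reproduce because by then the network is up. If that is what the timeline shows, the setting to look at next is the startup policy processing wait time (the "Specify startup policy processing wait time" policy under Computer Configuration > Administrative Templates > System > Group Policy), and the link-negotiation behaviour of the physical NICs and their switch ports, which the VMs on your workstation do not share.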