GPO's with XP & 2K

[StormRage]

Hi,

We have a PARENT domain with CHILD-* domains at all our branches.

All servers are Windows 2000 and is currently up to date as per Microsoft Update.

Client machines are Windows 2000 and currently we are replacing these with Windows XP.

GPO processing works perfectly with the 2K clients, yet not with XP...

Whenever a user or admin account logs on, EventID 1006 is displayed, followed directly by EventID1030. GPO are not applied.... i.e:-

--------------------------------------------------------------------------------------------

Event Type: Error

Event Source: Userenv

Event Category: None

Event ID: 1006

Date: 10/12/2007

Time: 6:38:18 PM

User: CHILD-1\Administrator

Computer: STORES-1

Description:

Windows cannot bind to PARENT.co.za domain. (Server Down). Group Policy processing aborted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

-----------------------------------------------------------------------------------------------

Event Type: Error

Event Source: Userenv

Event Category: None

Event ID: 1030

Date: 10/12/2007

Time: 6:38:18 PM

User: CHILD-1\Administrator

Computer: STORES-1

Description:

Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

-----------------------------------------------------------------------------------------------

The Sysvol share on the client and parent is accessibly to users and admins...

User Environment Logging has been enabled in the registry.

-----------------------------------------------------------------------------------------------

USERENV(1ec.1f0) 18:38:17:620 LoadUserProfile: LoadUserProfileP succeeded

USERENV(1ec.1f0) 18:38:17:620 LoadUserProfile: Returning success. Final Information follows:

USERENV(1ec.1f0) 18:38:17:620 lpProfileInfo->UserName = <Administrator>

USERENV(1ec.1f0) 18:38:17:620 lpProfileInfo->lpProfilePath = <\\Server.CHILD-1.PARENT.co.za\Profiles$\Administrator>

USERENV(1ec.1f0) 18:38:17:620 lpProfileInfo->dwFlags = 0x0

USERENV(1ec.1f0) 18:38:17:620 LoadUserProfile: Returning TRUE. hProfile = <0x7d8>

USERENV(1ec.1f0) 18:38:17:714 IsSyncForegroundPolicyRefresh: Synchronous, Reason: FirstPolicyRefresh

USERENV(1ec.5b8) 18:38:17:714 IsSyncForegroundPolicyRefresh: Synchronous, Reason: FirstPolicyRefresh

USERENV(1ec.5b8) 18:38:18:214 ApplyGroupPolicy: Entering. Flags = 6

USERENV(1ec.5b8) 18:38:18:214 ProcessGPOs:

USERENV(1ec.5b8) 18:38:18:214 ProcessGPOs:

USERENV(1ec.5b8) 18:38:18:214 ProcessGPOs: Starting user Group Policy (Background) processing...

USERENV(1ec.5b8) 18:38:18:214 ProcessGPOs:

USERENV(1ec.5b8) 18:38:18:214 ProcessGPOs:

USERENV(1ec.5b8) 18:38:18:214 EnterCriticalPolicySectionEx: Entering with timeout 600000 and flags 0x0

USERENV(1ec.5b8) 18:38:18:214 EnterCriticalPolicySectionEx: User critical section has been claimed. Handle = 0x7ec

USERENV(1ec.5b8) 18:38:18:214 EnterCriticalPolicySectionEx: Leaving successfully.

USERENV(1ec.5b8) 18:38:18:307 ProcessGPOs: Machine role is 2.

USERENV(1ec.5b8) 18:38:18:307 PingComputer: Adapter speed 1000000000 bps

USERENV(1ec.5b8) 18:38:18:307 PingComputer: First time: 0

USERENV(1ec.5b8) 18:38:18:307 PingComputer: Fast link. Exiting.

USERENV(1ec.5b8) 18:38:18:307 ProcessGPOs: User name is: CN=Administrator,CN=Users,DC=CHILD-1,DC=PARENT,DC=co,DC=za, Domain name is: CHILD-1

USERENV(1ec.5b8) 18:38:18:307 ProcessGPOs: Domain controller is: \\Server.CHILD-1.PARENT.co.za Domain DN is CHILD-1.PARENT.co.za

USERENV(1ec.5b8) 18:38:18:323 ReadGPExtensions: Rsop entry point not found for gptext.dll.

USERENV(1ec.5b8) 18:38:18:323 ReadGPExtensions: Rsop entry point not found for dskquota.dll.

USERENV(1ec.5b8) 18:38:18:323 ReadGPExtensions: Rsop entry point not found for gptext.dll.

USERENV(1ec.5b8) 18:38:18:323 ReadGPExtensions: Rsop entry point not found for iedkcs32.dll.

USERENV(1ec.5b8) 18:38:18:323 ReadGPExtensions: Rsop entry point not found for scecli.dll.

USERENV(1ec.5b8) 18:38:18:323 ReadGPExtensions: Rsop entry point not found for C:\WINDOWS\System32\cscui.dll.

USERENV(1ec.5b8) 18:38:18:323 ReadGPExtensions: Rsop entry point not found for gptext.dll.

USERENV(1ec.5b8) 18:38:18:323 ReadExtStatus: Reading Previous Status for extension {35378EAC-683F-11D2-A89A-00C04FBBCFA2}

USERENV(1ec.5b8) 18:38:18:323 ReadExtStatus: Reading Previous Status for extension {0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}

USERENV(1ec.5b8) 18:38:18:323 ReadExtStatus: Reading Previous Status for extension {25537BA6-77A8-11D2-9B6C-0000F8080861}

USERENV(1ec.5b8) 18:38:18:323 ReadExtStatus: Reading Previous Status for extension {3610eda5-77ef-11d2-8dc5-00c04fa31a66}

USERENV(1ec.5b8) 18:38:18:323 ReadExtStatus: Reading Previous Status for extension {426031c0-0b47-4852-b0ca-ac3d37bfcb39}

USERENV(1ec.5b8) 18:38:18:323 ReadExtStatus: Reading Previous Status for extension {42B5FAAE-6536-11d2-AE5A-0000F87571E3}

USERENV(1ec.5b8) 18:38:18:323 ReadExtStatus: Reading Previous Status for extension {4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}

USERENV(1ec.5b8) 18:38:18:323 ReadExtStatus: Reading Previous Status for extension {827D319E-6EAC-11D2-A4EA-00C04F79F83A}

USERENV(1ec.5b8) 18:38:18:323 ReadExtStatus: Reading Previous Status for extension {A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}

USERENV(1ec.5b8) 18:38:18:323 ReadExtStatus: Reading Previous Status for extension {B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}

USERENV(1ec.5b8) 18:38:18:323 ReadExtStatus: Reading Previous Status for extension {C631DF4C-088F-4156-B058-4375F0853CD8}

USERENV(1ec.5b8) 18:38:18:323 ReadExtStatus: Reading Previous Status for extension {c6dc5466-785a-11d2-84d0-00c04fb169f7}

USERENV(1ec.5b8) 18:38:18:323 ReadExtStatus: Reading Previous Status for extension {e437bc1c-aa7d-11d2-a382-00c04f991e27}

USERENV(1ec.5b8) 18:38:18:323 ProcessGPOs: Calling GetGPOInfo for normal policy mode

USERENV(1ec.5b8) 18:38:18:323 GetGPOInfo: ********************************

USERENV(1ec.5b8) 18:38:18:323 GetGPOInfo: Entering...

USERENV(1ec.5b8) 18:38:18:323 GetGPOInfo: Server connection established.

USERENV(1ec.5b8) 18:38:18:323 GetGPOInfo: Bound successfully.

USERENV(1ec.5b8) 18:38:18:323 SearchDSObject: Searching <DC=CHILD-1,DC=PARENT,DC=co,DC=za>

USERENV(1ec.5b8) 18:38:18:323 SearchDSObject: Found GPO(s): <[LDAP://CN={580DD35E-3D11-4B11-8BC4-321F7036EFA0},CN=Policies,CN=System,DC=PARENT,DC=co,DC=za;2][LDAP://CN={C27A9EAC-A8FD-4B2D-98F6-56D5017D9E8B},CN=Policies,CN=System,DC=CHILD-1,DC=

PARENT,DC=co,DC=za;2][LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=CHILD-1,DC=PARENT,DC=co,DC=za;0]>

USERENV(1ec.5b8) 18:38:18:323 ProcessGPO: ==============================

USERENV(1ec.5b8) 18:38:18:323 ProcessGPO: Deferring search for <LDAP://CN={580DD35E-3D11-4B11-8BC4-321F7036EFA0},CN=Policies,CN=System,DC=PARENT,DC=co,DC=za>

USERENV(1ec.5b8) 18:38:18:323 ProcessGPO: ==============================

USERENV(1ec.5b8) 18:38:18:323 ProcessGPO: Deferring search for <LDAP://CN={C27A9EAC-A8FD-4B2D-98F6-56D5017D9E8B},CN=Policies,CN=System,DC=CHILD-1,DC=PARENT,DC=co,DC=za>

USERENV(1ec.5b8) 18:38:18:323 ProcessGPO: ==============================

USERENV(1ec.5b8) 18:38:18:323 ProcessGPO: Deferring search for <LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=CHILD-1,DC=PARENT,DC=co,DC=za>

USERENV(1ec.5b8) 18:38:18:339 SearchDSObject: Searching <CN=CHILD-1,CN=Sites,CN=Configuration,DC=PARENT,DC=co,DC=za>

USERENV(1ec.5b8) 18:38:18:339 SearchDSObject: No GPO(s) for this object.

USERENV(1ec.5b8) 18:38:18:339 EvaluateDeferredGPOs: Doing an ldap bind to cross-domain <PARENT.co.za>

USERENV(1ec.5b8) 18:38:18:542 EvaluateDeferredGPOs: ldap_bind_s failed with = <81>

USERENV(1ec.5b8) 18:38:18:542 GetGPOInfo: EvaluateDeferredGPOs failed. Exiting

USERENV(1ec.5b8) 18:38:18:542 GetGPOInfo: Leaving with 0

USERENV(1ec.5b8) 18:38:18:542 GetGPOInfo: ********************************

USERENV(1ec.5b8) 18:38:18:542 ProcessGPOs: GetGPOInfo failed.

USERENV(1ec.5b8) 18:38:18:542 ProcessGPOs: No WMI logging done in this policy cycle.

USERENV(1ec.5b8) 18:38:18:542 ProcessGPOs: Processing failed with error 58.

USERENV(1ec.5b8) 18:38:18:542 LeaveCriticalPolicySection: Critical section 0x7ec has been released.

USERENV(1ec.5b8) 18:38:18:542 ProcessGPOs: User Group Policy has been applied.

USERENV(1ec.5b8) 18:38:18:542 ProcessGPOs: Leaving with 0.

USERENV(1ec.5b8) 18:38:18:542 ApplyGroupPolicy: Leaving successfully.

USERENV(1ec.634) 18:38:18:542 GPOThread: Next refresh will happen in 106 minutes

USERENV(1ec.1f0) 18:38:18:745 IsSyncForegroundPolicyRefresh: Synchronous, Reason: FirstPolicyRefresh

USERENV(558.730) 18:38:19:058 LibMain: Process Name: C:\WINDOWS\system32\userinit.exe

USERENV(224.244) 18:38:19:136 ImpersonateUser: Failed to impersonate user with 5.

USERENV(224.244) 18:38:19:136 GetUserNameAndDomain Failed to impersonate user

USERENV(224.244) 18:38:19:136 ImpersonateUser: Failed to impersonate user with 5.

USERENV(224.244) 18:38:19:136 GetUserDNSDomainName: Failed to impersonate user

USERENV(644.2bc) 18:38:19:870 LibMain: Process Name: C:\WINDOWS\system32\WgaTray.exe

USERENV(7f4.7f8) 18:38:20:527 LibMain: Process Name: C:\WINDOWS\Explorer.EXE

USERENV(d0.cc) 18:38:20:730 LibMain: Process Name: C:\WINDOWS\system32\mobsync.exe

USERENV(7f4.7f8) 18:38:20:964 GetProfileType: Profile already loaded.

USERENV(7f4.7f8) 18:38:20:964 GetProfileType: ProfileFlags is 0

USERENV(16c.170) 18:38:21:417 LibMain: Process Name: C:\WINDOWS\system32\wbem\wmiprvse.exe

USERENV(3ac.3f4) 18:38:26:981 LibMain: Process Name: C:\WINDOWS\system32\ie4uinit.exe

USERENV(3ac.3f4) 18:38:27:184 GetProfileType: Profile already loaded.

USERENV(3ac.3f4) 18:38:27:184 GetProfileType: ProfileFlags is 0

USERENV(3ac.3f4) 18:38:27:450 DeleteLinkFile: Failed to delete <C:\Documents and Settings\Administrator\Start Menu\Programs\Internet Explorer.lnk>. Error = 2

USERENV(3ac.3f4) 18:38:27:450 DeleteLinkFile: Failed to delete <C:\Documents and Settings\Administrator\Start Menu\Programs\Internet Explorer (32-bit).lnk>. Error = 2

USERENV(1d0.1cc) 18:38:28:435 LibMain: Process Name: C:\WINDOWS\system32\regsvr32.exe

USERENV(1d0.1cc) 18:38:28:435 GetProfileType: Profile already loaded.

USERENV(1d0.1cc) 18:38:28:435 GetProfileType: ProfileFlags is 0

USERENV(1d0.1cc) 18:38:28:700 GetProfileType: Profile already loaded.

USERENV(1d0.1cc) 18:38:28:700 GetProfileType: ProfileFlags is 0

-------------------------------------------------------------------------------------------

Trying to run rsop.msc on the XP client states:-

-------------------------------------------------------------------------------------------

RSoP data is invalid. Likely causes are, data is corrupt, data has been deleted or data has never been created

Details: Invalid namespace

-------------------------------------------------------------------------------------------

Tried solutions:-

1.) The domain users have been added to the local Administrators Group. - No Go.

2.) The XP machine has been joined, disjoined and joined again - No Go.

3.) All connections in Active Directory Sites and Services have been deleted and automatically recreated via "Check Replication Topology"

The PARENT domain controller does not reflect any issues.

Any takers on how to possibly fix this?

Thanks in advance

[adamt]

Are all your XP clients running SP2? If not - do you find that it works with XP SP1?

Also - just to eliminate any other errors - have you tried dcdiag and netdiag to see what they show?

Can you do both:

net view \\PARENT

and

net view parent.fqdn.co.za ?

[cluberti]

" ldap_bind_s failed with = <81>"

That's bad

Are the child domains connected to the parent domain via a WAN? If so, make sure the Network Location Awareness service is running on the XP clients, or random problems can happen when binding across a WAN...

[StormRage]

Hi guys.

Yip, all clients are Windows XP SP2 (As per MS installation CD) and were updated via MS Update. (Therefore there is no XP SP1 machines - not even to test with)

cluberti - Yes, all branches is connected to Head Office (PARENT) via VPN over ADSL. (WAN) Every branch's DC is a GC.

We are experiencing very bad ADSL connectivity issues @ present between the CHILD-1 branch and Head Office (PARENT). This unfortunately prevents me from running any tests/checks on machines at the CHILD-1 branch domain(site)...

I could do a DCDIAG test this morning @ the CHILD-1 DC , prior to the "disappearing" bandwidth issue...

The DCDIAG, stated the following:-

[PARENT] DsBind() failed with error 1908,

Could not find the domain controller for this domain..

Warning: PARENT is the Schema Owner, but is not responding to DS RPC Bind.

[PARENT] LDAP bind failed with error 31,

A device attached to the system is not functioning..

Warning: PARENT is the Schema Owner, but is not responding to LDAP Bind.

Warning: PARENT is the Domain Owner, but is not responding to DS RPC Bind.

Warning: PARENT is the Domain Owner, but is not responding to LDAP Bind.

......................... CHILD-1 failed test KnowsOfRoleHolders

All the other branch DC's (CHILD-2 & CHILD-3) seems very "happy" on this matter...

Opening Active Directory Domains and Trusts (on the PARENT DC), shows the PARENT and CHILD domains (CHILD-1, CHILD-2 and CHILD-3)

However, trying to view the PROPERTIES on the CHILD-1 sub-domain, all tabs (windows) states:-

The Active Directory object could not be displayed.

A referral was returned from the server.

I'm a bit lost on this one.

Any "ntdsutils" commands that might save the day?

Thanks in advance

Edited October 16, 2007 by StormRage

[cluberti]

You aren't blocking tcp port 88 anywhere on the network, are you?