Posted

Hello everyone,

I seem to be having group policy issues relating to DNS *possibly*... here's the scenario..

I have multiple locations each with its own GC running Windows Server 2003 Standard, each GC is also a DNS, WINS, DHCP server.

I am trying to set up a group policy for software deployment that uses a DNS alias to point to the local server's IP or FQDN (CNAME and A records produce same result). For example I want //softdist/apps to be the universal distribution point for software since all servers in multiple locations have identical shares. I have run into several errors along the way to get this working.

The first error I came across was "Access denied" when trying to map to the share. I researched this error and found the solution was to add a registry entry on every server to disable strict name checking.. which I have done.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]

"DisableStrictNameChecking"=dword:00000001

The second error was the inability to map to //softdist/* from the server itself, which I found the solution for.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]

"DisableLoopbackCheck"=dword:00000001

OK. So I now have what should be a working universal DNS software distribution point that GPMC will like. But unfortunately that is not the case. On all local machines to which I have the policy assigned, they cannot access the share. The event log fills up as follows..

Event ID 1085

The Group Policy client-side extension Software Installation failed to execute. Please look for any errors reported earlier by that extension.

Event ID 108

Failed to apply changes to software installation settings. Software changes could not be applied. A previous log entry with details should exist. The error was : %1612

Event ID 102

The install of application Chinese Traditional Fonts Support For Adobe Reader 8 from policy CIFC Adobe Reader failed. The error was : %1612

Now.. This could mean that there is a permission issue or the share is unavailable. To rule out permission I changed the software distribution location to \\servername\apps\whatever and the machines no longer error out. And to rule out share being unavailable I tested mapping to \\softdist\* after user login and this works.

Question.. What am I missing?
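
Added example, not part of the original post: a read-only PowerShell audit of the two registry values quoted above. DisableLoopbackCheck=1 turns the loopback check off for every host name, whereas listing only the alias in BackConnectionHostNames (under Lsa\MSV1_0) limits the exemption to that name. The alias `softdist` is taken from the thread; the helper name `Get-RegValue` is hypothetical.

```powershell
# Added example: reads the settings only, changes nothing.
# 'softdist' is the alias used in the thread; change $Alias for another name.
$Alias = 'softdist'

$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'
       Name = 'DisableStrictNameChecking' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'DisableLoopbackCheck' }
)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# One row per setting: current value and whether the check is relaxed (= 1).
$report = foreach ($c in $checks) {
    $v = Get-RegValue -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Setting = $c.Name
        Value   = if ($null -eq $v) { '(not set)' } else { $v }
        Relaxed = ($v -eq 1)
    }
}
$report | Format-Table -AutoSize

# BackConnectionHostNames is a REG_MULTI_SZ list of names exempt from the
# loopback check; it is the narrower alternative to DisableLoopbackCheck.
$bchn = Get-RegValue -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' `
                     -Name 'BackConnectionHostNames'
$aliasListed = @($bchn | Where-Object { $_ -like "$Alias*" }).Count -gt 0

$loopbackOff = ($report | Where-Object { $_.Setting -eq 'DisableLoopbackCheck' }).Relaxed
if ($loopbackOff -and -not $aliasListed) {
    Write-Warning ("DisableLoopbackCheck=1 exempts every host name. Listing " +
                   "'$Alias' in BackConnectionHostNames limits it to the alias.")
} elseif ($aliasListed) {
    Write-Output "'$Alias' is listed in BackConnectionHostNames."
} else {
    Write-Output "Loopback check is enabled and '$Alias' is not exempted."
}
```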


Posted

  ERROR_INSTALL_SOURCE_ABSENT									winerror.h
# The installation source for this product is not available.
# Verify that the source exists and that you can access it.
# as an HRESULT: Severity: SUCCESS (0), FACILITY_NULL (0x0), Code 0x64c

What source are you pointing your clients to? CNAMEs and SD GPOs generally don't like each other, btw. You'd be better off with a domain-based DFS that replicated to all sites to point to a single location rather than using CNAMEs to put a virtual location at each site.

Posted

> ERROR_INSTALL_SOURCE_ABSENT    winerror.h
> # The installation source for this product is not available.
> # Verify that the source exists and that you can access it.
> # as an HRESULT: Severity: SUCCESS (0), FACILITY_NULL (0x0), Code 0x64c
>
> What source are you pointing your clients to? CNAMEs and SD GPOs generally don't like each other, btw. You'd be better off with a domain-based DFS that replicated to all sites to point to a single location rather than using CNAMEs to put a virtual location at each site.

I'm pointing my clients to \\softdist\apps where softdist will be resolved with a different IP for each site. Host records were created in the forward lookup zone on each GC's DNS server as softdist with the GC's IP address.

Problem being each GC's share has slight modifications pertaining to Office 2003 region specific nonsense, along with some proprietary stuff.. Otherwise DFS would be ideal. I've switched from using CNAMEs to a host record and it's the same problem.

If you have any more insight into DFS, maybe to exclude certain directories that would be perfect. I've never actually used DFS myself other than the standard netlogon and sysvol shares.

Posted

> Problem being each GC's share has slight modifications pertaining to Office 2003 region specific nonsense, along with some proprietary stuff.. Otherwise DFS would be ideal. I've switched from using CNAMEs to a host record and it's the same problem.

You get around that by having multiple Office 2003 AIPs (one for each site) and creating a separate Office 2003 GPO for each site (assuming that the computers/users for each site are in their own containers as they should be :)).

Posted

> > Problem being each GC's share has slight modifications pertaining to Office 2003 region specific nonsense, along with some proprietary stuff.. Otherwise DFS would be ideal. I've switched from using CNAMEs to a host record and it's the same problem.
>
> You get around that by having multiple Office 2003 AIPs (one for each site) and creating a separate Office 2003 GPO for each site (assuming that the computers/users for each site are in their own containers as they should be :)).

Unfortunately there are other things holding me back from using DFS such as the proprietary applications which require certain files with identical names having different content. It's a mess I know.. the best solution for my scenario would be a working DNS pointer.

Posted

Get a network trace from a failing client and see where it's actually trying to go, because the error indicates wherever it thinks it's going, that location doesn't exist :).

Posted

> Get a network trace from a failing client and see where it's actually trying to go, because the error indicates wherever it thinks it's going, that location doesn't exist :).

I've done that and 1 hop is its destination.. I'd love to try a trace while GP is trying to install the updates. After any user logs in I can access the share via RPC just fine.
