Help Troubleshoot 2nd Subnet Cannot contact DC
Hello,

I've contacted Cisco for help thinking that packets are being dropped, but they claim this is not the issue and to contact MS. I thought I'd try here first since it's free.

I have a Windows 2003 AD DC hosting DNS, WINS, & DHCP in subnet 10.0.6.0/24. This has worked well for many years. I would like to now expand and add a remote site via site-to-site VPN using two Cisco PIXs. The site-to-site VPN using two Cisco PIXs is functional except for one issue mentioned below. Remote subnet is 192.168.15.x. The VPN seems to be working well: the remote site can log into a domain, transfer files, change passwords, etc., WSUS updates are pushed, and antivirus updates are pushed through.

However, it appears the group policies do not get applied to remote PCs (all are Windows XP Pro SP3 boxes). On the remote PC, when the command GPUPDATE /FORCE is run, two similar events are seen in the app log:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1054
Date: 11/30/2009
Time: 2:28:49 PM
User: NT AUTHORITY\SYSTEM
Computer: PC1234
Description: Windows cannot obtain the domain controller name for your computer network. (An unexpected network error occurred.). Group Policy processing aborted.

When I use the Network Monitor during this transaction on the remote PC, only 47 lines are recorded. One of them being:

"DNS-0x7749:Std Qry Resp. Auth. NS is myDomain.local. of type SOA on class INET addr. : Name does not exist"

The above network capture or event log error message do not appear on LAN PCs. When doing the network capture of a LAN PC during the GPUPDATE /FORCE command there are 636 events recorded.

Clearly there is something wrong, but I don't know where to start. Do you have any suggestions? Obviously I am new to multi-subnet networks and VPNs.

Drew
December 1st, 2009 12:55am

Drew,

When I use the Network Monitor during this transaction on the remote PC, only 47 lines are recorded. One of them being: "DNS-0x7749:Std Qry Resp. Auth. NS is myDomain.local. of type SOA on class INET addr. : Name does not exist"

This packet should tell you everything you need to know. Check the DNS packet for the following.

1) What DNS server is the client using?
2) Does the DNS server host the myDomain.local zone? If so, what is the SOA record pointing to?
3) Can the client resolve the hostname in the SOA record to an IP address?
4) Where does this DNS server forward to? Is the myDomain.local. zone there?

From the packet header it appears the myDomain.local is not the DNS server the client is talking to, and the server does not forward to another DNS server with that zone.
December 1st, 2009 1:42am
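The reply above says the captured "Name does not exist" packet with an SOA in its authority section answers the first questions by itself. As an added example (not part of this thread), the block below constructs such a response from the details Drew posted and parses out the fields the reply tells him to check: the RCODE, the name asked for, which zone the answering server is authoritative for, and the server named in that zone's SOA. Assumptions: 0x7749 from the capture line is reused as the DNS transaction ID; the SOA timers and the hostmaster.myDomain.local contact are made up.

```python
import struct

SRV, SOA = 33, 6
RCODES = {0: "NOERROR", 3: "NXDOMAIN"}

def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def decode_name(msg, off):
    """Decode a name (handles RFC 1035 compression pointers); return (name, next offset)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                       # pointer: 14-bit offset into the message
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            return ".".join(labels), (end if end is not None else off)
        labels.append(msg[off:off + n].decode("ascii"))
        off += n

def build_nxdomain(qname, zone, mname):
    """Constructed authoritative NXDOMAIN response carrying the zone's SOA in the authority section."""
    # flags 0x8583: QR=1 (response), AA=1 (authoritative), RD=1, RA=1, RCODE=3 (name does not exist)
    header = struct.pack("!HHHHHH", 0x7749, 0x8583, 1, 0, 1, 0)
    question = encode_name(qname) + struct.pack("!HH", SRV, 1)
    rdata = encode_name(mname) + encode_name("hostmaster." + zone) + struct.pack("!IIIII", 1, 900, 600, 86400, 3600)
    authority = encode_name(zone) + struct.pack("!HHIH", SOA, 1, 3600, len(rdata)) + rdata
    return header + question + authority

def summarize(msg):
    """Extract RCODE, the queried name, the zone that answered, and the SOA primary server (MNAME)."""
    ident, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    out = {"id": ident, "authoritative": bool(flags & 0x0400), "rcode": RCODES.get(flags & 0xF, str(flags & 0xF))}
    for _ in range(qd):
        out["qname"], off = decode_name(msg, off)
        off += 4                                   # skip QTYPE + QCLASS
    for _ in range(an + ns):                       # answer records (none here), then authority records
        name, off = decode_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SOA:                           # the zone that says the name does not exist
            out["zone"] = name
            out["soa_mname"], _ = decode_name(msg, off)
        off += rdlen
    return out

if __name__ == "__main__":
    pkt = build_nxdomain("_ldap._tcp.dc._msdcs.myDNSServer.myDomain.local", "myDomain.local", "myDNSServer.myDomain.local")
    print(summarize(pkt))
```

The SOA MNAME in the summary is the host from question 3: if the client cannot resolve that name to an address, the DC locator query has nowhere to go.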

Thanks for the quick reply.

1) Remote PC: IP Address = 192.168.15.10, Gateway = 192.168.15.1, DHCP Server = 192.168.15.1, DNS Server = 10.0.6.48 = desired DNS server
2) Yes, the DNS server hosts the zone for myDomain.local. The SOA record on the DNS server points to itself (computerName.myDomain.local).
3) No, the ping -a 10.0.6.48 command does not resolve the name of 10.0.6.48 (can ping the hostname of the DNS server successfully).
4) As I'm not as familiar with this as you are, I'm not sure if I will give the correct information... I believe the system forwards all other domains to root servers. Right-click DNS server in DNS admin tool (Win 2003) > Forwarders tab > "DNS Domain" = "All other domains"; "Selected Domains Forwarded IP address" = None.

What do you recommend to try or look at next?

Drew
December 1st, 2009 2:07am

Sorry, I did not read your comment properly. The packet provides this information (hope I'm providing what you asked):

1) Question Section - Question Name: _ldap._tcp.dc._msdcs.myDNSServer.myDomain.local (expected)
   Authority Section - Resource Name: myDomain.local (expected)
   Authority Section - SOA
2) Yes. SOA points to myDNSServer.myDomain.local
3) No, client cannot resolve myDNSServer to IP
4) Not sure how to find this information

Drew
December 1st, 2009 2:16am

It looks like you have got some ports blocked. Can you use any software like PortQry UI in order to check ports 53, 135-139 etc.?

PortQry UI: http://www.microsoft.com/downloads/details.aspx?FamilyID=8355e537-1ea6-4569-aabb-f248f4bd91d0&displaylang=en
December 1st, 2009 4:31pm

Drew,

We need to do a few more tests to determine the actual cause, but it appears you may have improper DNS configuration (client or server). Item 3 (No, client cannot resolve myDNSServer to IP) appears to be the main issue. However, this contradicts your previous post of "Item 3 - can ping the hostname of the DNS server successfully". We need to get a correct answer to this question.

Client: "client cannot resolve myDNSServer to IP"

Ping all the following: the IP address, the shortname myDNSServer, and the FQDN myDNSServer.myDomain.local.
- Failure to ping by IP address indicates a possible routing issue.
- Failures on shortname indicate an incorrect DNS suffix search order list.
- Failures on the FQDN myDNSServer.myDomain.local could be several different issues. Most likely it is a DNS server issue, spelling issue, incorrect DNS server IP address, etc.

Read the following KB and verify your client is configured correctly:
- The computer should be a member of the domain.
- The primary DNS suffix should be set to the domain.
- The DNS suffix search order should contain the domain myDomain.local.
http://networkadminkb.com/kb/Knowledge%20Base/DNS/How%20the%20Client%20DNS%20Settings%20work%20to%20resolve%20DNS%20names.aspx

DNS Server: Check the following.
- myDNSServer.myDomain.local: Must have a host (A) record in the DNS server.
- _ldap._tcp.dc._msdcs.myDNSServer.myDomain.local should point to one or more valid host (A) records in DNS. Delete any invalid records for DCs that no longer exist.

Note: "ping -a 10.0.6.48" - the -a option requires the reverse lookup zone to be created and a PTR record to exist. You can create that 6.0.10.in-addr.arpa zone if you like. Then run ipconfig /registerdns on all the DCs.
December 1st, 2009 5:58pm

Thanks for the help.

A second call to Cisco has determined that packets were being dropped. Adding lines similar to:

IP AUDIT SIGNATURE 2000

resolves the problem.

Thanks for all the help.

Drew
December 10th, 2009 4:59am
