Logon and GPO issues over WAN
I am having an issue with some remote sites. These sites do not have a domain controller. All users are logging on across VPN connections to the central office. The workstation computers are a mix of Windows XP SP3 and Windows 7. There are 4 remote sites in total. It appears that some machines are logging on successfully, and some are not. Group Policy application is inconsistent as well. I have provided the common error messages documented in the Application Logs at the end of this post.

I have done quite a bit of troubleshooting on this.

1. I looked at DNS. All machines have the primary DNS servers pointed to the Domain Controller. They do have a backup server listed as their ISP's DNS server in case the VPN is down. Taking out the ISP DNS servers makes no difference.
2. I have disabled Slow Link detection for Group Policy application. GroupPolicyMinTransferRate and SlowLinkDetectEnabled have been set to 0 where appropriate (both user and machine profiles). This was done via registry settings on the client machines and not a GPO. In some cases this has worked.
3. Firewalls have been adjusted to allow pings, file and printer sharing, and all necessary Windows services.
4. I have enabled Logon Debugging, but it hasn't led to anything concrete.
5. I have run various diagnostics on the DC and everything checks out.

I would appreciate any advice in troubleshooting these issues. Installing Domain Controllers at each site is not an option.

Event Log Messages:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1097
Date: 5/23/2011
Time: 2:58:31 PM
User: NT AUTHORITY\SYSTEM
Computer: GW_STATION1
Description: Windows cannot find the machine account, No authority could be contacted for authentication.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
Date: 5/23/2011
Time: 2:58:31 PM
User: NT AUTHORITY\SYSTEM
Computer: GW_STATION1
Description: Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.
May 23rd, 2011 5:09pm

Hello, please post an unedited ipconfig /all from the DC/DNS servers of the domain and a remote client with problems. Please keep in mind that ISP DNS servers configured on the domain machines result in problems with applying GPOs and also with logging on to a domain.

Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
May 23rd, 2011 5:23pm

C:\Users\Administrator>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Server2K8
   Primary Dns Suffix  . . . . . . . : somedomain.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : somedomain.local

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : HP NC326i PCIe Dual Port Gigabit Server Adapter #2
   Physical Address. . . . . . . . . : 1C-C1-DE-72-E3-C0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.11(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.11
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{E0486385-E430-409B-8DAC-92A3F7552C98}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 12:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

C:\Users\Administrator>
---------------------------------------------------------------------------------------------
H:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : NF-ADMIN
   Primary Dns Suffix  . . . . . . . : somedomain.local
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : somedomain.local

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . : 00-19-BB-5F-5A-C9
   Dhcp Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.7.34
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.7.1
   DHCP Server . . . . . . . . . . . : 192.168.7.1
   DNS Servers . . . . . . . . . . . : 192.168.1.11
                                       68.87.75.194
                                       68.87.64.146
   Lease Obtained. . . . . . . . . . : Monday, May 23, 2011 5:33:03 PM
   Lease Expires . . . . . . . . . . : Wednesday, June 22, 2011 5:33:03 PM

H:\>
May 23rd, 2011 6:01pm

Here is another common error in the Event Log:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1053
Date: 5/23/2011
Time: 5:17:55 PM
User: NT AUTHORITY\SYSTEM
Computer: NF-ADMIN
Description: Windows cannot determine the user or computer name. (An internal error occurred. ). Group Policy processing aborted. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
May 23rd, 2011 6:05pm

Hello, the problems you have belong to the 68.87.75.194 and 68.87.64.146 on the NIC. Please remove them completely, run ipconfig /flushdns and ipconfig /registerdns, and then reboot the client. Additionally, make sure the subnet 192.168.7.x is added in AD Sites and Services to the site where the DC is located that should authenticate them.

Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
May 23rd, 2011 6:10pm

Hello, I have already tried removing those DNS servers. It makes no difference at all. I need to keep these DNS servers because the company uses hosted Exchange. If the VPN goes down, Exchange must remain available at the ISP. All the subnets including 192.168.7.0/24 have already been added to the DC site. Thanks!
May 23rd, 2011 6:14pm

Hi, I am trying to involve someone to further look at this issue. There might be some time delay. Appreciate your patience. Thank you for your understanding and support.

Brent Hu
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 25th, 2011 2:27am

Hi,

Cause:
==============
The cause of this problem is that there is a different mechanism between connecting to the domain via VPN and locally. If we connect to the domain via VPN, we will log on to the computer with a domain user account and then dial up the VPN connection. When we log on to the computer (cached logon), the computer does not connect to the domain because the VPN connection is not established. Therefore, the user group policy will not be applied, so the logon script does not run. After the VPN connection is established, the computer will apply the group policy. However, the logon script will not be executed since it only runs during the logon.

Suggestion:
====================
To solve the problem, we have the following options:

1. Select the "log on using dial-up connection" check box (if you use Microsoft VPN) in the logon screen after we press ctrl-alt-del. The system will establish the VPN connection before the user logs on. Once the VPN connection is established, the computer will be able to contact the domain controller and apply the group policy. The logon script will run during the logon.
2. If you use any third party VPN client, it may not work if it has no function to establish the VPN connection before the user logs on. Some third party VPN clients also support establishing the connection before logging in. If you use a third party VPN, you may confirm with the vendor to verify if it supports pre-login connection.
May 25th, 2011 6:40am

Jim, It's not that kind of VPN. These are point-to-point IPSec lines between branch offices. The VPN is transparent to the users.
May 25th, 2011 8:40am

Brent, thank you.
May 25th, 2011 8:41am

Hi,

Thanks for your clarification. Suppose you disabled the slow link detection by setting the following registry values.

Registry subkey: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
Value name: GroupPolicyMinTransferRate
Value type: DWORD
Value Data: 0

Registry subkey: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
Value name: GroupPolicyMinTransferRate
Value type: DWORD
Value Data: 0

You can try the following action: adjust PingBufferSize to 512 by following http://support.microsoft.com/kb/816045. To manually change the ICMP ping packet size, create the following registry value:

Registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name: PingBufferSize
Value type: DWORD (decimal)
Value range: 512

We may need to gather the userenv log on Windows XP to check the GP apply process. Please enable Userenv debug logging on one problematic Windows XP machine: under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, create a REG_DWORD value UserEnvDebugLevel and set the value to 10002 (hexadecimal). Reboot this computer, check that Userenv 1054 is logged, and then upload Userenv.log from %Systemroot%\Debug\UserMode\ to the following link:

URL: https://sftus.one.microsoft.com/choosetransfer.aspx?key=5d748287-ec6f-447e-8b05-0ac6f9209a12
Password: CM-a[@vuniabq

Thanks.
May 25th, 2011 10:16am

Thanks, I made the adjustment to the PingBufferSize as you suggested. I also uploaded the userenv.log file.
May 25th, 2011 3:29pm

Thanks. I checked the logs and found that every GP apply process looks the same, like below:
----------------------------------------------
USERENV(3b0.fbc) 10:48:26:361 ProcessGPOs:
USERENV(3b0.fbc) 10:48:26:361 ProcessGPOs:
USERENV(3b0.fbc) 10:48:26:361 ProcessGPOs: Starting computer Group Policy (Background) processing...
USERENV(3b0.fbc) 10:48:26:361 ProcessGPOs:
USERENV(3b0.fbc) 10:48:26:361 ProcessGPOs:
USERENV(3b0.fbc) 10:48:26:376 EnterCriticalPolicySectionEx: Entering with timeout 600000 and flags 0x0
USERENV(3b0.fbc) 10:48:26:376 EnterCriticalPolicySectionEx: Machine critical section has been claimed. Handle = 0x750
USERENV(3b0.fbc) 10:48:26:376 EnterCriticalPolicySectionEx: Leaving successfully.
USERENV(3b0.fbc) 10:48:26:376 ProcessGPOs: Machine role is 2.
USERENV(3b0.fbc) 10:48:26:376 IsSlowLink: Slow link transfer rate is 0. Always download policy.
USERENV(3b0.fbc) 10:48:26:439 ProcessGPOs: network name is 192.168.8.0
USERENV(3b0.fbc) 10:48:26:767 ProcessGPOs: User name is: CN=GWORKSTATION10,CN=Computers,DC=tiltonfitness,DC=local, Domain name is: TILTONFITNESS
USERENV(3b0.fbc) 10:48:26:767 ProcessGPOs: Domain controller is: \\Server2K8.tiltonfitness.local Domain DN is tiltonfitness.local
…
USERENV(3b0.8ec) 12:14:27:873 ProcessGPOs:
USERENV(3b0.8ec) 12:14:27:873 ProcessGPOs:
USERENV(3b0.8ec) 12:14:27:873 ProcessGPOs: Starting user Group Policy (Background) processing...
USERENV(3b0.8ec) 12:14:27:873 ProcessGPOs:
USERENV(3b0.8ec) 12:14:27:873 ProcessGPOs:
USERENV(3b0.8ec) 12:14:27:873 EnterCriticalPolicySectionEx: Entering with timeout 600000 and flags 0x0
USERENV(3b0.8ec) 12:14:27:873 EnterCriticalPolicySectionEx: User critical section has been claimed. Handle = 0xb24
USERENV(3b0.8ec) 12:14:27:873 EnterCriticalPolicySectionEx: Leaving successfully.
USERENV(3b0.8ec) 12:14:27:888 ProcessGPOs: Machine role is 2.
USERENV(3b0.8ec) 12:14:28:013 IsSlowLink: Slow link transfer rate is 0. Always download policy.
USERENV(3b0.8ec) 12:14:28:670 ProcessGPOs: User name is: CN=Mat Suran,OU=Users,OU=Galloway,OU=Tilton Fitness,DC=tiltonfitness,DC=local, Domain name is: TILTONFITNESS
USERENV(3b0.8ec) 12:14:28:670 ProcessGPOs: Domain controller is: \\Server2K8.tiltonfitness.local Domain DN is tiltonfitness.local
------------------------------------------
There is no error shown in userenv; would you mind pasting one or two Userenv 1097 and 1030 events from the log collection time? Thanks.
May 26th, 2011 6:56am

It's strange, the Ping adjustment fixed the issue on one of the machines. Another machine is still having the issues. I am posting the log entries below. This machine was a fresh installation of Windows very recently. I am going to try to upload another userenv.log file.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1097
Date: 5/27/2011
Time: 3:30:03 PM
User: NT AUTHORITY\SYSTEM
Computer: PJS-GALLOWAY
Description: Windows cannot find the machine account, No authority could be contacted for authentication. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
Date: 5/27/2011
Time: 3:30:03 PM
User: NT AUTHORITY\SYSTEM
Computer: PJS-GALLOWAY
Description: Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
May 27th, 2011 3:40pm

Thanks.
-------------------------------------
USERENV(440.8e8) 15:30:03:309 GetMachineToken: InitializeSecurityContext failed with 0x80090311
USERENV(440.8e8) 15:30:03:309 GetGPOInfo: Failed to get the machine token with -2146893039
USERENV(440.8e8) 15:30:03:325 GetGPOInfo: Leaving with 0
USERENV(440.8e8) 15:30:03:325 GetGPOInfo: ********************************
USERENV(440.8e8) 15:30:03:325 ProcessGPOs: GetGPOInfo failed.
USERENV(440.8e8) 15:30:03:325 ProcessGPOs: No WMI logging done in this policy cycle.
USERENV(440.8e8) 15:30:03:325 ProcessGPOs: Processing failed with error -2146893039.
USERENV(440.8e8) 15:30:03:325 LeaveCriticalPolicySection: Critical section 0x94c has been released.
USERENV(440.8e8) 15:30:03:325 ProcessGPOs: Computer Group Policy has been applied.
USERENV(440.8e8) 15:30:03:325 ProcessGPOs: Leaving with 0.
USERENV(440.8e8) 15:30:03:325 EnterCriticalPolicySectionEx: Entering with timeout 600000 and flags 0x0
USERENV(440.8e8) 15:30:03:325 EnterCriticalPolicySectionEx: Machine critical section has been claimed. Handle = 0x94c
USERENV(440.8e8) 15:30:03:325 EnterCriticalPolicySectionEx: Leaving successfully.
USERENV(440.8e8) 15:30:03:434 LeaveCriticalPolicySection: Critical section 0x94c has been released.
USERENV(440.8e8) 15:30:03:450 GPOThread: Next refresh will happen in 94 minutes
---------------------------------------------
Error code 0x80090311 indicates "No authority could be contacted for authentication". The issue is related to a network issue.

Suggestion
-------------------
(1). Please first check if "portfast" for the spanning tree algorithm has been enabled on the switch.
(2). Please check and disable the Spanning Tree Algorithm on the switch to test this issue.
(3). MTU: force Kerberos to use TCP instead of UDP.
Start Registry Editor. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters. Note: if the Parameters key does not exist, create it now.
On the Edit menu, point to New, and then click DWORD Value. Type MaxPacketSize, and then press ENTER. Double-click MaxPacketSize, type 1 in the Value data box, click to select the Decimal option, and then click OK. Quit Registry Editor. Restart your computer PJS-GALLOWAY.

Thanks.
May 28th, 2011 5:19am
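
The registry values Jim lists in his two replies above (GroupPolicyMinTransferRate, PingBufferSize, UserEnvDebugLevel, and the Kerberos MaxPacketSize value), together with Meinolf's point about ISP resolvers on the client NIC, can be audited from the client in one pass. The following is an added PowerShell example, not code from the thread; the DC address and domain name are assumptions taken from the ipconfig output posted earlier, and the script only reads the registry.

```powershell
# Added example (not from the thread): read-only audit of the client-side settings
# discussed in this thread. Run in an elevated PowerShell on a problem client.
# Assumptions: the DC/DNS address and the domain name come from the ipconfig output above.
$DomainDnsServers = @('192.168.1.11')
$DomainName       = 'somedomain.local'

# Registry values the thread asks for, with the expected data (UserEnvDebugLevel 10002 hex).
$Checks = @(
  @{ Path='HKLM:\Software\Policies\Microsoft\Windows\System';               Name='GroupPolicyMinTransferRate'; Expected=0 },
  @{ Path='HKCU:\Software\Policies\Microsoft\Windows\System';               Name='GroupPolicyMinTransferRate'; Expected=0 },
  @{ Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';    Name='PingBufferSize';             Expected=512 },
  @{ Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';    Name='UserEnvDebugLevel';          Expected=0x10002 },
  @{ Path='HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters'; Name='MaxPacketSize';              Expected=1 }
)

function Get-RegistryValueOrNull([string]$Path, [string]$Name) {
  # Returns $null when the key or the value is absent instead of throwing.
  try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
  catch { $null }
}

'== Registry =='
foreach ($c in $Checks) {
  $actual = Get-RegistryValueOrNull $c.Path $c.Name
  $state  = if ($null -eq $actual) { 'MISSING' } elseif ($actual -eq $c.Expected) { 'OK' } else { 'DIFFERS' }
  '{0,-8} {1}\{2} = {3} (expected {4})' -f $state, $c.Path, $c.Name, $actual, $c.Expected
}

'== DNS resolvers =='
# Win32_NetworkAdapterConfiguration exists on XP and Windows 7 (Get-DnsClientServerAddress does not).
# Every configured resolver is asked for the DC locator SRV record: an ISP resolver answers
# NXDOMAIN for it, and a client that asks that resolver first caches the negative answer.
$srvName = "_ldap._tcp.dc._msdcs.$DomainName"
foreach ($nic in Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
  foreach ($srv in @($nic.DNSServerSearchOrder)) {
    if (-not $srv) { continue }
    $tag = if ($DomainDnsServers -contains $srv) { 'domain' } else { 'NON-DOMAIN' }
    $answer = nslookup -type=SRV $srvName $srv 2>&1 | Select-String 'svr hostname|can.t find|timed out'
    '{0,-10} {1,-15} {2}' -f $tag, $srv, (($answer | ForEach-Object { $_.Line.Trim() }) -join ' | ')
  }
}

'== DC locator =='
# nltest ships with Windows 7; on XP it comes from the Support Tools.
nltest /dsgetdc:$DomainName /force
```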

Jim, Thank you. I made the change to force Kerberos to go over TCP, without any changes. I will upload new debug log files. The switches deployed are not Cisco. They are actually unmanaged. These unmanaged switches always operate in the equivalent of the Cisco "portfast" mode. Spanning Tree is not used on the network. Thanks again!
June 2nd, 2011 4:06pm

Thanks. I checked the userenv log and it shows the same symptom. Please let me know if you rebooted the computer after making the change to force Kerberos to go over TCP.
----------------------------------------
USERENV(454.fec) 16:01:16:223 GetMachineToken: InitializeSecurityContext failed with 0x80090311
USERENV(454.fec) 16:01:16:223 GetGPOInfo: Failed to get the machine token with -2146893039
USERENV(454.fec) 16:01:16:223 GetGPOInfo: Leaving with 0
USERENV(454.fec) 16:01:16:223 GetGPOInfo: ********************************
USERENV(454.fec) 16:01:16:223 ProcessGPOs: GetGPOInfo failed.
USERENV(454.fec) 16:01:16:223 ProcessGPOs: No WMI logging done in this policy cycle.
USERENV(454.fec) 16:01:16:223 ProcessGPOs: Processing failed with error -2146893039.
-----------------------------------------
The issue is mostly related to the computer not being able to get the machine token from the DC; it seems the token is too big and cannot be sent to the DC. In this scenario, we may have to capture a Network Monitor trace and MPS reports for analysis. I am afraid that your issue falls into the paid support category, which requires a more in-depth level of support. Please visit the link below to see the various paid support options that are available to better meet your needs.
http://support.microsoft.com/default.aspx?id=fh;en-us;offerprophone
Thanks again.
June 3rd, 2011 5:13am
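
To read a Userenv.log the way Jim does above (one policy cycle per USERENV(pid.tid) thread, the DC the client picked, and the error code in both the hex and signed-decimal forms the log uses), here is an added PowerShell example; it is not code from the thread, and the sample lines are constructed from the excerpts quoted in it.

```powershell
# Added example (not from the thread): summarise the Group Policy cycles in a Userenv.log
# so that failed cycles, their DC and their error code stand out. Line shapes are those
# quoted in this thread; the sample lines below are constructed from the thread's excerpts.
$Sample = @'
USERENV(3b0.fbc) 10:48:26:361 ProcessGPOs: Starting computer Group Policy (Background) processing...
USERENV(3b0.fbc) 10:48:26:439 ProcessGPOs: network name is 192.168.8.0
USERENV(3b0.fbc) 10:48:26:767 ProcessGPOs: Domain controller is: \\Server2K8.tiltonfitness.local Domain DN is tiltonfitness.local
USERENV(440.8e8) 15:30:03:309 GetMachineToken: InitializeSecurityContext failed with 0x80090311
USERENV(440.8e8) 15:30:03:309 GetGPOInfo: Failed to get the machine token with -2146893039
USERENV(440.8e8) 15:30:03:325 ProcessGPOs: Processing failed with error -2146893039.
'@ -split "`r?`n"

function ConvertTo-Hresult([string]$Code) {
  # Userenv writes the same HRESULT as signed decimal (-2146893039) and as hex (0x80090311).
  if ($Code -match '^0x') { return '0x' + $Code.Substring(2).ToUpper() }
  return '0x{0:X8}' -f [int32]$Code
}

function Get-UserenvCycles([string[]]$Lines) {
  # One summary per USERENV(pid.tid) thread; a policy cycle runs on a single thread.
  $cycles = @{}
  foreach ($line in $Lines) {
    if ($line -notmatch '^USERENV\((?<tid>[0-9a-f.]+)\)\s+(?<ts>[\d:]+)\s+(?<fn>\w+):\s*(?<msg>.*)$') { continue }
    $id = $Matches.tid; $fn = $Matches.fn; $msg = $Matches.msg; $ts = $Matches.ts
    if (-not $cycles.ContainsKey($id)) {
      $cycles[$id] = New-Object PSObject -Property @{ Thread=$id; Kind=''; Start=$ts; Network=''; DC=''; Errors=@() }
    }
    $c = $cycles[$id]
    switch -regex ($msg) {
      '^Starting (computer|user) Group Policy'     { $c.Kind = $Matches[1] }
      '^network name is (\S+)'                     { $c.Network = $Matches[1] }
      '^Domain controller is: (\S+)'               { $c.DC = $Matches[1] }
      'fail.*with (?:error )?(0x[0-9a-f]+|-?\d+)'  { $c.Errors += ('{0} {1}' -f $fn, (ConvertTo-Hresult $Matches[1])) }
    }
  }
  $cycles.Values | Sort-Object Start
}

Get-UserenvCycles $Sample | ForEach-Object {
  $state = if ($_.Errors.Count) { 'FAILED' } else { 'ok' }
  '{0,-6} {1,-9} {2,-8} net={3,-12} dc={4} {5}' -f $state, $_.Thread, $_.Kind, $_.Network, $_.DC, ($_.Errors -join '; ')
}
# 0x80090311 is SEC_E_NO_AUTHENTICATING_AUTHORITY, "No authority could be contacted for
# authentication", the same text Event ID 1097 carries in the posts above.
# Real file: Get-UserenvCycles (Get-Content "$env:SystemRoot\Debug\UserMode\Userenv.log")
```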


Jim, Thanks for all your help! I definitely rebooted that computer after making the change. I think that paid support is a good option at this point. I am going to use this thread as a starting point with them. Thanks again!
June 3rd, 2011 8:49am

Hi, Once you get the answer for this issue, we hope you can share your solutions here; it will be very beneficial for other community members who have similar questions.

Brent
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
June 7th, 2011 1:00am

