Strange DNS, Group Policy & Active Directory Issues - Can't track down root issue!

For the last few weeks, we've been getting complaints, from our developers, about not being able to authenticate on various systems.  The issues were hit & miss but still problematic enough to warrant our looking into it.  It seems to be getting worse...  I now have new servers that aren't getting group policy updates.  They may get some, like the list of local admins, but won't pick up NTFS permissions for folder access.  Those that pick up the AD group full of local admins have trouble authenticating members of the group.  Some were showing event log entries regarding authentication issues due to being unable to contact an AD DC.  We reloaded that DC but many of the issues still persist.  At this point, I'm running out of places to look for ideas.  I've spent the last week looking up Event Log IDs and looking through their meanings and possible remedies but, again, the issues persist.  It doesn't seem to matter what the OS is.  We've been seeing this on 2008, 2008-R2 & 2012-R2.

Here are some examples of events I'm seeing.  I can't figure out the root cause(s).

Log Name:      Application
Source:        Group Policy Files
Date:          2/19/2015 2:35:12 PM
Event ID:      4098
Task Category: (2)
Level:         Warning
Keywords:      Classic
User:          SYSTEM
Computer:      H2T8-IOLDP1.HOMENET.local
Description:
The computer 'uptime.exe' preference item in the 'APPS (UpTime) {3BF05605-27C0-43AD-AC0F-873B678EB217}' Group Policy Object did not apply because it failed with error code '0x80090006 Invalid Signature.' This error was suppressed.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Group Policy Files" />
    <EventID Qualifiers="34305">4098</EventID>
    <Level>3</Level>
    <Task>2</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-02-19T19:35:12.000000000Z" />
    <EventRecordID>1871</EventRecordID>
    <Channel>Application</Channel>
    <Computer>H2T8-IOLDP1.HOMENET.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data>computer</Data>
    <Data>uptime.exe</Data>
    <Data>APPS (UpTime) {3BF05605-27C0-43AD-AC0F-873B678EB217}</Data>
    <Data>0x80090006 Invalid Signature.</Data>
  </EventData>
</Event>

Log Name:      Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin
Source:        Microsoft-Windows-TerminalServices-RemoteConnectionManager
Date:          2/19/2015 9:38:13 AM
Event ID:      20499
Task Category: None
Level:         Warning
Keywords:      
User:          NETWORK SERVICE
Computer:      H2T8-IOLDP1.HOMENET.local
Description:
Remote Desktop Services has taken too long to load the user configuration from server \\h2s3-addc1.HOMENET.local for user RSickler
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-TerminalServices-RemoteConnectionManager" Guid="{C76BAA63-AE81-421C-B425-340B4B24157F}" />
    <EventID>20499</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2015-02-19T14:38:13.182363700Z" />
    <EventRecordID>4</EventRecordID>
    <Correlation />
    <Execution ProcessID="1932" ThreadID="2156" />
    <Channel>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin</Channel>
    <Computer>H2T8-IOLDP1.HOMENET.local</Computer>
    <Security UserID="S-1-5-20" />
  </System>
  <UserData>
    <EventXML xmlns="Event_NS">
      <ServerName>\\h2s3-addc1.HOMENET.local</ServerName>
      <UserName>RSickler</UserName>
    </EventXML>
  </UserData>
</Event>

Note that these servers are sitting in OUs that are full of other servers that don't have these issues.  These GPOs have been in place for years.  I suspect there's a deeper issue with AD, GP or a combination thereof.  The group policy issues seem to only affect freshly loaded servers...
February 20th, 2015 3:37pm

Hi Rob,

First thing, please run "dcdiag /e" on a domain controller and post the result here. Run the commands below from your client machine.

nltest /sc_query:<domain name>

nltest /dclist:<domain name>

Thanks,

Umesh.S.K

February 20th, 2015 3:42pm

Didn't know which DC you wanted me to run the DIAG on but I grabbed a random one and did it.  This forum nags about the size of the post so I had to place it into PasteBin: H2S3-ADDC2_dcdiag.txt

H2T8-IOLRPC1_dclist.txt:

Get list of DCs in domain 'homenet.local' from '\\H2S2-ADDC2.HOMENET.local'.
           DC2.HOMENET.local        [DS] Site: WestChester
    H2S2-ADDC2.HOMENET.local        [DS] Site: AtlantaStaging
           dc1.HOMENET.local [PDC]  [DS] Site: WestChester
     H2P-ADDC1.HOMENET.local        [DS] Site: AtlantaH2P
     H2P-ADDC2.HOMENET.local        [DS] Site: AtlantaH2P
     H3R-ADDC1.HOMENET.local        [DS] Site: AtlantaH3R
     H3R-ADDC2.HOMENET.local        [DS] Site: AtlantaH3R
    H2S3-ADDC1.HOMENET.local        [DS] Site: AtlantaStaging
    H2S3-ADDC2.HOMENET.local        [DS] Site: AtlantaStaging
    H2S2-ADDC1.HOMENET.local        [DS] Site: AtlantaStaging
The command completed successfully

H2T8-IOLRPC1_sc_query.txt:

Flags: 30 HAS_IP  HAS_TIMESERV 
Trusted DC Name \\h2s3-addc1.HOMENET.local 
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

February 20th, 2015 4:07pm
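As an added example (not from the thread, and not Microsoft's tooling), here is a small Python parser for the two nltest outputs Rob posted: it maps each DC to its site, pulls the secure-channel DC and its status out of the sc_query output, and cross-checks that the DC the client is bound to is listed and, optionally, sits in the site the client is expected to use. The sample text is copied from the thread; the line-shape assumptions, the `expected_site` argument and the `check_secure_channel` helper are this example's own.

```python
"""Parse `nltest /dclist:<domain>` and `nltest /sc_query:<domain>` output.

Added example, not from the thread.  Assumes the line shapes shown in the
posted output: "<dc fqdn> [PDC]? [DS] Site: <site>" for the DC list, and
"Trusted DC Name \\<fqdn>" / "... Status = <code> ..." for the secure channel.
"""
import re
from collections import defaultdict

# Copied from the thread (H2T8-IOLRPC1_dclist.txt).
DCLIST_SAMPLE = r"""
Get list of DCs in domain 'homenet.local' from '\\H2S2-ADDC2.HOMENET.local'.
           DC2.HOMENET.local        [DS] Site: WestChester
    H2S2-ADDC2.HOMENET.local        [DS] Site: AtlantaStaging
           dc1.HOMENET.local [PDC]  [DS] Site: WestChester
     H2P-ADDC1.HOMENET.local        [DS] Site: AtlantaH2P
     H2P-ADDC2.HOMENET.local        [DS] Site: AtlantaH2P
     H3R-ADDC1.HOMENET.local        [DS] Site: AtlantaH3R
     H3R-ADDC2.HOMENET.local        [DS] Site: AtlantaH3R
    H2S3-ADDC1.HOMENET.local        [DS] Site: AtlantaStaging
    H2S3-ADDC2.HOMENET.local        [DS] Site: AtlantaStaging
    H2S2-ADDC1.HOMENET.local        [DS] Site: AtlantaStaging
The command completed successfully
"""

# Copied from the thread (H2T8-IOLRPC1_sc_query.txt).
SC_QUERY_SAMPLE = r"""
Flags: 30 HAS_IP  HAS_TIMESERV
Trusted DC Name \\h2s3-addc1.HOMENET.local
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
"""

DCLIST_RE = re.compile(
    r"^\s*(?P<dc>\S+)\s+(?:\[(?P<pdc>PDC)\]\s+)?\[DS\]\s+Site:\s*(?P<site>\S+)\s*$"
)
SC_DC_RE = re.compile(r"^Trusted DC Name\s+\\\\(?P<dc>\S+)", re.IGNORECASE)
SC_STATUS_RE = re.compile(r"^Trusted DC Connection Status Status = (?P<code>\d+)")


def parse_dclist(text):
    """Return {dc_fqdn_lower: (site, is_pdc)} from nltest /dclist output."""
    dcs = {}
    for line in text.splitlines():
        m = DCLIST_RE.match(line)
        if m:
            dcs[m.group("dc").lower()] = (m.group("site"), m.group("pdc") is not None)
    return dcs


def parse_sc_query(text):
    """Return (trusted_dc_lower, status_code) from nltest /sc_query output.

    Either element is None when the corresponding line is absent."""
    dc, code = None, None
    for line in text.splitlines():
        m = SC_DC_RE.match(line)
        if m:
            dc = m.group("dc").lower()
        m = SC_STATUS_RE.match(line)
        if m:
            code = int(m.group("code"))
    return dc, code


def dcs_by_site(dcs):
    """Group DC names by site so thin or over-loaded sites stand out."""
    by_site = defaultdict(list)
    for dc, (site, _) in dcs.items():
        by_site[site].append(dc)
    return dict(by_site)


def check_secure_channel(dclist_text, sc_query_text, expected_site=None):
    """Cross-check a client's secure channel against the domain's DC list.

    Returns a list of finding strings; an empty list means nothing odd:
    the bound DC is a known DC, the status is NERR_Success (0) and, when
    expected_site is given, the DC belongs to that site.
    """
    dcs = parse_dclist(dclist_text)
    dc, code = parse_sc_query(sc_query_text)
    findings = []
    if dc not in dcs:
        findings.append(f"secure channel DC {dc!r} is not in the domain's DC list")
        return findings
    site, _is_pdc = dcs[dc]
    if code != 0:
        findings.append(f"secure channel to {dc} is not healthy (status {code})")
    if expected_site and site != expected_site:
        findings.append(f"client is bound to {dc} in site {site}, expected site {expected_site}")
    return findings


if __name__ == "__main__":
    for site, names in sorted(dcs_by_site(parse_dclist(DCLIST_SAMPLE)).items()):
        print(f"{site}: {', '.join(sorted(names))}")
    print(check_secure_channel(DCLIST_SAMPLE, SC_QUERY_SAMPLE, expected_site="AtlantaStaging"))
```

Run against the posted output, the client H2T8-IOLRPC1 is bound to h2s3-addc1 in AtlantaStaging with a healthy channel, so the cross-check reports nothing; passing a different `expected_site` shows how a client that has landed on a far-away DC would be flagged.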

Hello,

Ensure that no firewall is blocking connections on the ports AD requires, as listed in https://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx

----------------------------

You have an error about subnets not being set up in AD Sites and Services: the subnets used in your network need to be created there and linked to the correct site. Please check this in AD Sites and Services, and also make sure the DCs are placed in the site they belong to.

"During the past 4.20 hours there have been 83 connections to this Domain Controller from client machines whose IP addresses don't map to any of the existing sites in the enterprise. Those clients, therefore, have undefined sites and may connect to any Domain Controller including those that are in far distant locations from the clients. A client's site is determined by the mapping of its subnet to one of the existing sites. To move the above clients to one of the sites, please consider creating subnet object(s) covering the above IP addresses with mapping to one of the existing sites.  The names and IP addresses of the clients in question have been logged on this computer in the following log file '%SystemRoot%\debug\netlogon.log' and, potentially, in the log file '%SystemRoot%\debug\netlogon.bak' created if the former log becomes full. The log(s) may contain additional unrelated debugging information. To filter out the needed information, please search for lines which contain text 'NO_CLIENT_SITE:'. The first word after this string is the client name and the second word is the client IP address. The maximum size of the log(s) is controlled by the following registry DWORD value 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LogFileMaxSize'; the default is 20000000 bytes.  The current maximum size is 20000000 bytes.  To set a different maximum size, create the above registry value and set the desired maximum size in bytes."

----------------------------

This error is about adprep /rodcprep not having been run:

Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=HOMENET,DC=local
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:

----------------------------

So either run the command on a DC or ignore this error.

Please provide also the following data as files:

ipconfig /all >c:\ipconfig.log [all DCs]
dcdiag /v /c /d /e /s:dcname >c:\dcdiag.log
repadmin /showrepl dc* /verbose /all /intersite >c:\repl.log  ["dc*" is a placeholder for the starting name of the DCs if they all begin the same (if more than one DC exists)]
dnslint /ad /s "DCipaddress" (http://support.microsoft.com/kb/321045)
ADREPLSTATUS: http://www.microsoft.com/en-us/download/details.aspx?id=30005 can also be exported to file.

As the output will become large, DON'T post it into the thread; please use Windows SkyDrive (with open access!) https://skydrive.live.com and add the link from it here. Also, the /e in dcdiag scans the complete forest, so better run it on COB.

February 23rd, 2015 3:25am
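As an added example (not from the thread), here is a Python parser that applies the NO_CLIENT_SITE instructions from the quoted DC message: it reads netlogon.log lines, takes the first word after 'NO_CLIENT_SITE:' as the client name and the second as its IP address, drops malformed lines, separates clients that a defined subnet already covers from those that none does, and groups the uncovered addresses into candidate /24 networks so subnet objects can be created in AD Sites and Services. The log lines (including the prefix fields on them) and the DEFINED_SUBNETS mapping are constructed for illustration, not taken from the poster's environment.

```python
"""Find clients with no AD site from NO_CLIENT_SITE lines in netlogon.log.

Added example, not from the thread.  The only format assumption is the one
the DC message documents: after 'NO_CLIENT_SITE:' the first word is the
client name and the second is its IP address.  Everything else on a line
is ignored, so extra prefix fields do not matter.
"""
import ipaddress
from collections import Counter, defaultdict

MARKER = "NO_CLIENT_SITE:"

# Constructed sample of netlogon.log content; the prefix fields are made up.
SAMPLE_LOG = """\
02/19 14:35:10 [MISC] [1232] HOMENET: NO_CLIENT_SITE: H2T8-IOLDP1 10.28.4.15
02/19 14:35:12 [MISC] [1232] HOMENET: DsGetDcName function called: client PID=1932, Dom:HOMENET
02/19 14:36:01 [MISC] [1232] HOMENET: NO_CLIENT_SITE: H2T8-IOLRPC1 10.28.4.22
02/19 14:40:44 [MISC] [1232] HOMENET: NO_CLIENT_SITE: H2T8-IOLDP1 10.28.4.15
02/19 14:41:03 [MISC] [1232] HOMENET: NO_CLIENT_SITE: BUILD07 192.168.77.9
02/19 14:41:05 [MISC] [1232] HOMENET: NO_CLIENT_SITE: BADLINE not-an-ip
"""

# Constructed: subnet objects assumed to already exist in AD Sites and Services.
DEFINED_SUBNETS = {
    ipaddress.ip_network("10.28.4.0/24"): "AtlantaStaging",
}


def parse_no_client_site(text):
    """Yield (client_name, ip_address) for each NO_CLIENT_SITE line.

    Lines without the marker, with fewer than two words after it, or with a
    second word that is not a valid IP address are skipped."""
    for line in text.splitlines():
        idx = line.find(MARKER)
        if idx < 0:
            continue
        words = line[idx + len(MARKER):].split()
        if len(words) < 2:
            continue
        try:
            ip = ipaddress.ip_address(words[1])
        except ValueError:
            continue
        yield words[0], ip


def summarize(text, defined=DEFINED_SUBNETS, prefixlen=24):
    """Return (covered, proposals).

    covered:   {client: site} for clients whose IP already falls inside a
               defined subnet (e.g. logged before the subnet object existed).
    proposals: {"<network>/<prefixlen>": Counter(client -> hits)} for IPs that
               no defined subnet covers; each key is a candidate subnet object.
    """
    covered = {}
    proposals = defaultdict(Counter)
    for client, ip in parse_no_client_site(text):
        site = next((s for net, s in defined.items() if ip in net), None)
        if site is not None:
            covered[client] = site
        else:
            net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
            proposals[str(net)][client] += 1
    return covered, dict(proposals)


def proposal_lines(text, **kwargs):
    """Render the proposals as one line per candidate subnet, busiest first."""
    _covered, proposals = summarize(text, **kwargs)
    ordered = sorted(proposals.items(), key=lambda kv: -sum(kv[1].values()))
    return [f"{net}: {sum(c.values())} hit(s) from {', '.join(sorted(c))}" for net, c in ordered]


if __name__ == "__main__":
    covered, _ = summarize(SAMPLE_LOG)
    print("already covered:", covered)
    for line in proposal_lines(SAMPLE_LOG):
        print("candidate subnet", line)
```

On the constructed sample, the two H2T8 hosts fall inside the defined 10.28.4.0/24 and are reported as covered, while BUILD07 at 192.168.77.9 yields a single candidate subnet, 192.168.77.0/24; the malformed last line is dropped. The /24 grouping is only a starting point: the prefix length should match the real network layout before a subnet object is created.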
