Bug with Win 2000 group policy and Win XP SP1 client? (Group Policy not applied)

BaDaBooM

Golden Member
May 3, 2000
1,077
1
0
This is really strange. I have a Windows 2000 SP3 native domain and Windows XP SP1 clients. I have RIS set up to install the XP clients. After a completely clean install (using RIS or doing it manually) it boots up normally. Then after about 3 reboots it starts giving me these errors:

Type: Error
Source: Userenv
Category: None
Event ID: 1054
User: NT AUTHORITY\SYSTEM

Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Everything else works great; logging into the domain, getting to the domain controller, getting to shares, etc. It just stops applying the group policy.

I can't find anything that works on TechNet. I got this from Google. However, I tried it with no hotfixes and also with all critical hotfixes available (including Q329170), but it still happens either way. I only have one test machine, so it is always on the same hardware, but I don't think something like this would be hardware related. Anyone got an idea?
 

Green Man

Golden Member
Jan 21, 2001
1,110
1
0
Are you sure it's getting DNS info from DHCP? Or, if it's static addressing, that the XP machine has the correct DNS info configured? You're not blocking port 53, are you? Can you nslookup the server from the XP machine? Did the server log any DNS errors?
 

BaDaBooM

Originally posted by: SpookyFish
Are you sure it's getting DNS info from DHCP? Or, if it's static addressing, that the XP machine has the correct DNS info configured? You're not blocking port 53, are you? Can you nslookup the server from the XP machine? Did the server log any DNS errors?

Yes, DNS is correct from DHCP, there is no firewall software or hardware blocking port 53, and I can do an nslookup of the domain, DC, and any other computer on the domain and it works fine. I can log into the domain and get to shares on the DC. It's just group policy.

Edit: FYI, I have also tried this patch - Q810907.
 

Saltin

Platinum Member
Jul 21, 2001
2,175
0
0
When you open up your DNS snap in and expand the forward lookup zone for your domain, do you see four folders, _msdcs, _tcp, _udp, _sites?

 

BaDaBooM

Originally posted by: Saltin
When you open up your DNS snap in and expand the forward lookup zone for your domain, do you see four folders, _msdcs, _tcp, _udp, _sites?

Yep, that's all there. Domain replication is working fine.
 

Saltin

So the issue is most likely on the client side.
Everything I have read about this points to the NIC, not that it is necessarily bad, but that the problem could be related to the initialization rate on the NIC vs. the fast load of the OS.

The problem occurs because link status fluctuates as the NIC driver initializes and as the network adapter hardware negotiates a link with the network infrastructure. The Group Policy application stack executes before the negotiation process is completed and can fail because of the absence of a valid link.

I'd look into

1) A new driver for the NIC
2) Trying a different brand of NIC

Finally,

After the machine boots and you get your error, go to the command prompt and enter "gpupdate"
Does it succeed? If so, it makes the case I outlined above more likely.
 

BaDaBooM

Originally posted by: Saltin
So the issue is most likely on the client side.
Everything I have read about this points to the NIC, not that it is necessarily bad, but that the problem could be related to the initialization rate on the NIC vs. the fast load of the OS.

The problem occurs because link status fluctuates as the NIC driver initializes and as the network adapter hardware negotiates a link with the network infrastructure. The Group Policy application stack executes before the negotiation process is completed and can fail because of the absence of a valid link.

I'd look into

1) A new driver for the NIC
2) Trying a different brand of NIC

Finally,

After the machine boots and you get your error, go to the command prompt and enter "gpupdate"
Does it succeed? If so, it makes the case I outlined above more likely.

Yes, it does work if I do it manually... Hmm, on my test machine it is an onboard NIC. Could I just set the 10/100 autonegotiation to 100 statically in the driver options instead of replacing it? (I have the latest driver.) There should be no reason that it would be hooked up to a 10 Mb hub/switch.
 

Saltin

Setting the linespeed / duplex manually on the NIC may speed up its initialization, sure. Give it a try.

If the machine is on DHCP, try giving it a static address and see if that helps. The extra second it saves not waiting on DHCP may be enough to rectify the situation.

As a last resort, you could disable it and try a standard NIC.

At any rate, you know what the issue is now.

EDIT:
Also, from what I've read, this issue seems more prevalent on images (Ghost, RIS, etc). You said it's a RIS image. Maybe try a straight install.
 

BaDaBooM

I don't know... I tried just setting the card to 100TX but that didn't work. Also I have already tried a normal install as opposed to a RIS install (either way I'd have to get the RIS install working anyway). I'll try using a different NIC, but I have set group policy to always wait for the network on computer start up and logon, so now I'm wondering if it is something else. Also I forgot to post the other event I am getting on the client:

Type: Error
Source: Netlogon
Category: None
Event ID: 5719

No Domain Controller is available for domain <Domain Name> due to the following:
There are currently no logon servers available to service the logon request. .
Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.

However this happens before I actually log on. Then when I actually log on it works fine and I have cached logon disabled. Is there some sort of timeout I need to increase? I don't know why it would be slow though because the client is on the same switch as the DC.
 

BaDaBooM

Switching out the NICs worked! Well, crap... I got these motherboards specifically because they had the onboard NIC and they could boot to the network. Hopefully it is just this one motherboard. I'll have to see if there are any diagnostic tools for this type of NIC (SiS 900). Thanks Spookyfish and especially Saltin.
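
Added example, not part of the thread or any poster's code: a small triage script that separates the boot-time race described above (Userenv 1054 / Netlogon 5719 logged only in the first seconds after startup) from a persistent domain controller lookup failure, which matters because a client in either state is running without a fresh Group Policy refresh. The CSV layout, the sample rows, the 60-second window and the use of EventLog 6005 (event log service started) as the boot marker are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample export: timestamp,source,event id (not data from the thread).
SAMPLE = """\
2003-02-10 08:00:05,EventLog,6005
2003-02-10 08:00:09,Netlogon,5719
2003-02-10 08:00:12,Userenv,1054
2003-02-11 08:01:00,EventLog,6005
2003-02-11 09:45:30,Userenv,1054
2003-02-12 08:00:00,EventLog,6005
"""

BOOT = ("EventLog", 6005)                         # assumed boot marker
FAILURES = {("Userenv", 1054), ("Netlogon", 5719)}  # the two errors in the thread


def parse(text):
    """Yield (timestamp, source, event_id) for each non-empty CSV row."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, eid = (field.strip() for field in line.split(","))
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), source, int(eid)


def classify_boots(text, window_s=60):
    """Return [(boot_time, verdict)] with verdict in
    'clean', 'startup-race' (failures only inside the window after boot)
    or 'persistent' (failures also logged after the window)."""
    window = timedelta(seconds=window_s)
    boots = []
    for ts, source, eid in sorted(parse(text)):
        if (source, eid) == BOOT:
            boots.append({"boot": ts, "early": 0, "late": 0})
        elif (source, eid) in FAILURES and boots:
            current = boots[-1]
            current["early" if ts - current["boot"] <= window else "late"] += 1
    results = []
    for b in boots:
        if b["late"]:
            verdict = "persistent"
        elif b["early"]:
            verdict = "startup-race"
        else:
            verdict = "clean"
        results.append((b["boot"], verdict))
    return results


if __name__ == "__main__":
    for boot, verdict in classify_boots(SAMPLE):
        print(boot.isoformat(sep=" "), verdict)
```

A "startup-race" verdict on every boot matches the NIC initialization case; "persistent" points back at DNS or DC reachability instead.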