November 10th, 2004, 14:35 PM
Event ID:1030 & 1054 GP not applied
I have a new domain on a Windows 2003 server running as a Domain Controller/DNS server. There are no other DCs on this domain. There are other domains on this network that have their own settings. My clients are Windows XP Pro.
The clients are set to use the DNS server of my new domain.
I am able to join my new domain, search for computers, and Nslookup appears to work. However, domain policies are not applied; I get Event ID 1030 and 1054 in the error logs on the clients. I began trying to debug these problems but can't seem to figure out what is configured wrong on the server.
When I use DCDIAG on the clients or server it reports no problems.
When I use Netdiag I get changing problems.
For this example my domain is called mydomain.local
Netdiag shows host name as computername.different.org
This different.org is the name of the other domain which runs the network, not mydomain.local... ??
DC List Test Failed - Error No Browser Servers Found
When I do a Netdiag /test:dclist it passes the test.
Sometimes when I run Netdiag I also get a DNS test failed: the DNS registration for computername.mydomain.local is incorrect on all DNS servers.
I am not sure what to try next. I am sure it is something I just don't know that I have configured incorrectly.
I'd appreciate your help!
Last edited by wills3; November 10th, 2004 at 14:41 PM.
Reason: format mistakes
November 10th, 2004, 18:53 PM
DHCP comes from the other Domain
Perhaps the problem is that the DHCP service is provided by a server on the other domain (same network), different.org? Could this be why I get those messages?
November 23rd, 2004, 20:51 PM
That is very possible, since that DHCP server on your old domain may be giving your clients the address of the DNS server on the old domain instead of the new one.
Have you tried to scavenge stale resource records? Maybe it replicated data from the DNS servers on the other domain. Also check your forwarders; by default they are set to forward to all other domains, but you might want to turn that off for the new domain. Also, to see a more advanced log of Group Policy apply issues on your client machines, go to windows\debug\usermode\userenv.log. Look in there and see what common errors you're getting. It will tell you if the client machines are even seeing the GP. Hope any of this helps.
November 28th, 2004, 09:40 AM
Triple Platinum Member
Is your DHCP server including the DNS of the other domain in the provided settings?
Is the DHCP server registering the leases in that DNS/DC server?
Is it nearly Christmas already?
November 28th, 2004, 14:47 PM
Succeded in braking Windo
I never really thought about how to run more than one domain in the same network. I had always separated the networks through the physical media. As pointed out, DHCP will register automatically with DNS. I also heard in a webcast 2 weeks ago that on multiple domains (here my memory becomes kind of fuzzy), even though you are registered with one domain, if you are getting settings from another, it will try to talk with the other, bla bla bla. Sorry, I can't remember well, but it should provide some area to think about. I would say: check which GC you are connecting to. Check the DNS settings in the DNS server (from the DNS console and the network properties). Make sure it is pointing to itself, and that it has forwarders set up. Check the replication partners (you don't want it to sync with the other domain's DNS, though then again, in some cases you might want to).
I find it a lot easier to make a list of which server should have which service, and then I check to make sure those settings are true.
November 29th, 2004, 11:22 AM
This problem has been solved. Thank you all, for your help!!
Although the single or dual cause could not be determined, these are the two things that seemed to contribute to the problem.
I had two NICs on the client; one was not connected to the internet, the other was. I disabled one totally.
I had Norton Internet Security, but it was still set to only trust the old domain. I added the IP address of the new DC/DNS/AD server.
The clue here was the error message in GPMC which said there was a core failure - I could edit and see GPs from the machine in question but GP could not be applied.
I did a:
Everything appears to be working now according to GPMC. (It is so much easier to use the new GPMC than the old MMC RSOP add-in.)
Also the KB MS document:
for troubleshooting GP in MS Win Serv 2003 was a big help.
My next task is to determine how to properly harden my DC/AD/DNS server with a firewall.
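The client-side causes raised in this thread (a primary DNS suffix belonging to the other domain, DNS servers handed out by the other domain's DHCP, and two active NICs) can all be read from `ipconfig /all` output. The following is an added example, not part of any post: the sample output and addresses are constructed (abridged), and `parse_ipconfig` and `findings` are hypothetical helper names.

```python
import re

# Constructed, abridged `ipconfig /all` output for an XP client; addresses are made up.
# Assumption: 192.168.1.10 is the new DC/DNS server, 192.168.1.2 the other domain's.
SAMPLE = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : computername
        Primary Dns Suffix  . . . . . . . : different.org

Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 192.168.1.50
        DNS Servers . . . . . . . . . . . : 192.168.1.2
                                            192.168.1.10

Ethernet adapter Local Area Connection 2:
        IP Address. . . . . . . . . . . . : 10.0.0.5
        DNS Servers . . . . . . . . . . . : 192.168.1.10
"""

def parse_ipconfig(text):
    """Return (global settings, {adapter: settings}); each value is a list."""
    glob, adapters = {}, {}
    cur, last = glob, None
    for line in text.splitlines():
        if m := re.match(r"^(\S.* adapter .+):\s*$", line):
            cur, last = adapters.setdefault(m.group(1), {}), None
        elif m := re.match(r"^\s+([A-Za-z][A-Za-z \-]*?)[ .]+:\s*(.*?)\s*$", line):
            last = m.group(1)
            cur[last] = [m.group(2)] if m.group(2) else []
        elif last and (m := re.match(r"^\s+(\S+)\s*$", line)):
            cur[last].append(m.group(1))  # continuation line, e.g. a second DNS server
    return glob, adapters

def findings(text, ad_domain, ad_dns):
    """List settings that conflict with the expected AD domain and its DNS servers."""
    glob, adapters = parse_ipconfig(text)
    out = []
    suffix = (glob.get("Primary Dns Suffix") or [""])[0]
    if suffix.lower() != ad_domain.lower():
        out.append(f"primary DNS suffix is '{suffix}', expected '{ad_domain}'")
    active = [n for n, a in adapters.items() if a.get("IP Address")]
    if len(active) > 1:
        out.append("more than one adapter has an IP address: " + "; ".join(active))
    for name in active:
        foreign = [s for s in adapters[name].get("DNS Servers", []) if s not in ad_dns]
        if foreign:
            out.append(f"{name}: DNS servers outside the new domain: {', '.join(foreign)}")
    return out
```

Calling `findings(SAMPLE, "mydomain.local", {"192.168.1.10"})` returns three items to review; with real output, pass the text captured from the client and the new DC's actual address.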
November 30th, 2004, 00:05 AM
Succeded in braking Windo
If you want to really harden it, then you know you need layer 7, and that the servers have to have a firewall in them too. I haven't played with the firewall in the server because my boss seems to think it is more important to give the users continuous access without interruptions (which will occur during deployment and testing) than security. He thinks a layer 2 and 3 firewall is enough. Should I show him the logs from my web server??