After implementing Windows 2012 R2 domain controllers in the environment, systems started failing to push down the group policies to the client. This has been seen in environments where the domain name and the NetBIOS name are different.
/opt/quest/bin/vgptool rsop shows no policies on the client
/opt/quest/bin/vgptool -d5 apply shows the following:
ERROR: Unable to copy the network GPT.INI
Unable to copy file from CIFS: \\example.com\SysVol\example.com\Policies\{FEC2DC60-04A5-4B9F-BBB6-7BA810679C59}\GPT.INI
Could not connect to any server: NT_STATUS_CONNECTION_REFUSED
Caused By:
Callback Error: Failure to authenticate with security blob.
VAS_ERR_INTERNAL: Internal error
First call to gss_init_sec_context() failed, minor_status = 0, result = 65536, display_status = " An unsupported mechanism was requested", Mechanism-Specific error text: "Server (cifs/ad-dc1.example.com@example.com) unknownA"
Caused By:
Unable to parse tree connect response: NT_STATUS_ACCESS_DENIED
Caused By:
Unable to parse tree connect response: NT_STATUS_DUPLICATE_NAME
Change in Windows 2012 R2 code. In debug we see the wrong UNC is getting returned to our code. Microsoft is logging a defect for this; however, we are changing our code to work around it.
Product Defect: 366460
* vgp: On apply, if vgptool gets NT_STATUS_DUPLICATE_NAME, try again using netbios name instead of fqdn of domain.
WORKAROUND:
Add the DisableStrictNameChecking registry key as per Microsoft article instructions on all domain controllers in the environment:
http://technet.microsoft.com/en-us/library/ff660057(v=ws.10).aspx
Please note: Only making the change on the DC you are joined to won't resolve the issue. VGP connects to the SYSVOL share using a UNC path, which is round robined by DNS.
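Because every domain controller has to carry the value, a per-DC audit is useful before and after the change. The script below is an added example, not One Identity or Microsoft code. It assumes the RSAT ActiveDirectory module, WinRM access to each DC, and the standard LanmanServer parameters registry path, which is not quoted on this page and should be confirmed against the Microsoft article.

```powershell
# Added example: audit (and with -Apply, set) DisableStrictNameChecking on every DC.
# Assumptions: ActiveDirectory module installed, WinRM reachable, admin rights on DCs.
param([switch]$Apply)

Import-Module ActiveDirectory

# Assumed location of the value (standard SMB server parameters key).
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$name    = 'DisableStrictNameChecking'

$results = @(foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $value = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop `
            -ArgumentList $regPath, $name, $Apply.IsPresent -ScriptBlock {
                param($Path, $Name, $DoApply)
                if ($DoApply) {
                    New-ItemProperty -Path $Path -Name $Name `
                        -PropertyType DWord -Value 1 -Force | Out-Null
                }
                # Yields $null when the value is absent on this DC.
                (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
            }
        [pscustomobject]@{ DC = $dc.HostName; Value = $value
                           Compliant = ($value -eq 1); Error = $null }
    } catch {
        # An unreachable DC counts as non-compliant: clients may still be sent to it.
        [pscustomobject]@{ DC = $dc.HostName; Value = $null
                           Compliant = $false; Error = $_.Exception.Message }
    }
})

$results | Sort-Object Compliant, DC | Format-Table -AutoSize

$missing = @($results | Where-Object { -not $_.Compliant })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} of {1} DCs do not have {2}=1; DNS round robin can still " +
                   "direct clients to them." -f $missing.Count, $results.Count, $name)
    exit 1
}
```

Run without -Apply first to see which DCs are missing the value. The setting relaxes SMB server name validation on each DC, so track it for removal once the fixed Authentication Services release is deployed.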
STATUS:
Fixed in Authentication Services 4.0.3 Maintenance Release and 4.1 Maintenance Release.