Branch Office

Discussion in 'DNS Server' started by Robert Craig, Jun 9, 2008.

  1. Robert Craig

    Robert Craig Guest

    I have a branch office that is connected to the main office via VPN routers.
    Everything works fine (able to access network, email, dns, etc.). But for
    some reason my error logs on the branch office computers keep filling up
    error (1054 Windows cannot obtain the domain controller name for your
    computer network. (An unexpected network error occurred. ). Group Policy
    processing aborted.). Yet, when I do a manual gpupdate /force from the
    command prompt, the error log says Successful. I've tried various network
    diagnostics tools and haven't been able to find any problems. Anyone have
    any ideas?
    Server 2003 - DNS - Two subnets
    Using hardware router for entire network (NOT USING RRAS)

    Robert Craig, Jun 9, 2008

  2. Ace Fekay [MVP]
    With the limited configuration information you provided, it's difficult to
    tell. I can say this is usually an indication of a DNS infrastructure
    misconfiguration. It can also be based on blocked ports or other things,
    such as some required services mistakenly disabled, etc.

    Is the VPN wide open (no firewall rules in place)?

    Are AD Sites configured?

    What errors show up on the DCs? Please post the EventID# and Source names

    Please post an unedited ipconfig /all of a sample workstation that is having
    this problem, as well as from a sample DC at the workstation's location, and
    a sample DC from the other location.

    Any default services altered from automatic to manual or disabled on any of
    the DCs or workstations?


    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
    MVP Microsoft MVP - Directory Services
    Microsoft Certified Trainer

    For urgent issues, you may want to contact Microsoft PSS directly. Please
    check for regional support phone numbers.

    Infinite Diversities in Infinite Combinations
    Ace Fekay [MVP], Jun 9, 2008

  3. Robert Craig

    Robert Craig Guest

    There is only one DC and it is at the main office. The VPN tunnel is
    connected via VPN routers. There is no firewall in place that I'm aware of.
    The only AD site that is configured is the default one when the AD was
    setup. I didn't think I needed to setup another site just because I had a
    different subnet. There are no errors on the DC's, just the clients at the
    branch office.

    The following error is generated on all branch office machines, obviously
    with different computer names.

    Event ID 1054
    User: NT Authority/System
    Source: Userenv
    Computer: TSHOP1
    Message: Windows cannot obtain the domain controller name for your computer
    network. (An unexpected network error occurred.) Group Policy processing


    HOST NAME................TSHOP1
    NODE TYPE................HYBRID

    DHCP ENABLED...........NO
    IP ADDRESS.............
    SUBNET MASK............


    HOST NAME................ATWDC1
    NODE TYPE................UNKNOWN

    DHCP ENABLED...........NO
    IP ADDRESS.............
    SUBNET MASK............
    DNS SERVERS............
    Robert Craig, Jun 9, 2008
  4. Danny Sanders

    > I didn't think I needed to setup another site just because I had a
    Setting up another site would allow the computers in that site to use the DC
    in that site to logon instead of going across the WAN.

    I would suggest setting up DNS on the branch server and point the computers
    in that site to that local DNS server.

    Danny Sanders, Jun 9, 2008
  5. Robert Craig

    Robert Craig Guest

    Well, because of budget constraints, setting up another DNS server is out of
    the question. I have to deal with online having one DNS server. So, what
    do I need to do for the time being?

    Robert Craig, Jun 9, 2008
  6. Kevin D. Goodknecht Sr. [MVP]

    Read inline please.

    The problem is not just because you have one DNS server, you could have many
    DNS servers, but if you have only one DC, and it is at the main site, all
    the computers at the remote sites have to authenticate and get the policies
    applied across the VPN. There is no quick fix, setting up sites won't do any
    good because sites are intended for member clients going to the DC at their
    site for GPOs and Authentication.

    Best regards,
    Kevin D. Goodknecht Sr. [MVP]
    Hope This Helps

    When responding to posts, please "Reply to Group"
    via your newsreader so that others may learn and
    benefit from your issue, to respond directly to
    me remove the nospam. from my email address.
    Use Outlook Express?... Get OE_Quotefix:
    It will strip signature out and more
    Keep a back up of your OE settings and folders
    with OEBackup:
    Kevin D. Goodknecht Sr. [MVP], Jun 10, 2008
  7. Robert Craig

    Robert Craig Guest

    So, in other words, the only way to fix this for good would be to setup a
    secondary DC at the branch office. I have my GPO refresh set at 15min. I
    believe that increasing that time would allow for the computers to refresh
    their policies across the VPN and not have any conflicts. I've noticed that
    the error doesn't appear every 15 minutes. It's almost as if every now and
    then the information gets lost going across the VPN. Installing a secondary
    DC with DNS at the remote site would eliminate this problem?

    Robert Craig, Jun 10, 2008
  8. Ace Fekay [MVP]
    Yes, it would. VPNs are dependent on their respective ISP link. The weaker
    one is the weakest link. A GPO's default slow link threshold is 500kb.
    Anything under that speed, other than security and password options,
    many other portions of a GPO will not apply. You can force change it if
    desired, but I recommend not to touch it. And keep in mind Async lines, if
    you have one, are different upload/download speed and the slower speed is
    what will apply. Example is a cable line with 1.5 -6 Mbps (or more) download
    speeds, but with many cable services only offering 384Kbps upload speed.

    What type of lines are in both locations? T1 (sync), SDSL (sync), ADSL
    (async), FIOS (async), cable (async), Frame (sync), or MPLS (sync)?

    How many users are at each location?

    /Begin Rant
    Don't let some ISPs like Comcast fool you with their HUGE download speeds
    they advertise. Their upload speeds are yet to be desired, which is the part
    they don't advertise. Plus they block many things.
    /End rant

    Sorry, had to get that in there.

    An example of a sync line is where the upload and download are identical,
    such as a T1. Keep in mind, with an async line, such as FIOS or even if
    cable were to offer it, would be a 15Mbps down and 2Mbps up. This will work
    fine with GPOs, that is as long as the line is clean and there are no
    hiccups that you may not notice but when the GPO function runs, and the
    hiccup happens to be there, it could cause an issue. Server NIC, switches,
    etc, can also have a bearing.

    Ace Fekay [MVP], Jun 10, 2008
  9. Herb Martin

    Herb Martin Guest

    Administrative Template (Registry) Settings are also included by default.
    I have never checked this but it is the "average of the up/down speeds" in
    the documentation, not the slower (nor download as you might expect if
    Right - it is the actual speed, as measured at the time.
    Herb Martin, Jun 10, 2008
  10. Ace Fekay [MVP]
    If the upload speed at both locations are 384k, then that will be the best
    the two can communicate on. So you are saying if it tests the line with a
    few packets before it attempts to download, then I can see it may get
    fooled, but I believe it tests it from the source DC at the time the GetGPO
    function runs to download the template.
    Ace Fekay [MVP], Jun 11, 2008
  11. Herb Martin

    Herb Martin Guest

    Yes. That is what it does. If you have the same SLOW speed (current,
    not theoretical) then it will likely use that but if you were going to a
    fast network from an ASYNC line, e.g., 384/2MB you would pass the
    512 Kbps default (probably).

    The client does the testing because clients actually (physically) pull
    GPO changes from the DCs. (I don't like to use the word "pull"
    around naive AD admins but you are beyond that. -- conceptually,
    AD feels like a push, but technically it is a pull.)

    I like to say that Group Policy allows us to PROJECT POLICY
    so as to avoid those terms.
    Herb Martin, Jun 11, 2008
  12. Robert Craig

    Robert Craig Guest

    OK, I know exactly what you are talking about and already see my problem.
    It doesn't surprise me one bit. My server side has a wireless 10mb/10mb
    connection (perfect for all the services I host). But, the client side is
    on a junk Cox Business services line (they say up to 5mb down and 512k up).
    I've always hated Cox for the lies they tell you about their service.
    Unfortunately, I am still under a contract at the client side. But, when it
    expires later this year, I will be exploring different options for internet.
    Thanks for your help guys. I really appreciate it.

    Robert Craig, Jun 12, 2008
  13. Ace Fekay [MVP]
    I still think the least common denominator. After all, if both are throttled
    to 384k, then how can the other download any faster?

    I agree.
    Ace Fekay [MVP], Jun 12, 2008
  14. Ace Fekay [MVP]

    No problem. :)

    Keep in mind, even if the advertised up speed is 512, with all the overhead
    and other traffic, the GetGPO function will wind up getting a slower test
    speed therefore falling under the 500k threshold.

    Don't you just love those (especially cable) ISPs and their exaggerated
    truths? You can complain but all you hear from them when you call in is, "We
    see nothing wrong on our end," but I do on my end!!
    Ace Fekay [MVP], Jun 12, 2008
  15. Herb Martin

    Herb Martin Guest

    You are confusing the algorithm with the outcome of the test.

    It is measured FROM THE CLIENT as the average of up and
    down speeds.

    If there is a bottleneck in BOTH directions that make these equal
    then it will be that speed, but no matter which is larger or smaller
    as measured, the outcome will be THE AVERAGE of up and down.

    And I usually include the explanation for 'smart students' (the only type
    I allow in my classes <grin>) they know the effect, the feel, and the
    technical reality.
    Herb Martin, Jun 12, 2008
  16. Herb Martin

    Herb Martin Guest

    You can measure it yourself (e.g., or
    now I believe).

    Then YOU can decide if you REALLY want to change the settings or
    algorithm parameters.

    Let's say you really did have 8kbps DOWN (they claim 5) and only
    128 up -- the average is less than 512.

    You MIGHT decide to alter the threshold or algorithm settings.

    Be careful -- decide by testing.
    Herb Martin, Jun 12, 2008
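    The two checks this thread keeps coming back to, as an added example that is not part of the original posts: pull the Userenv 1054 events from an affected XP/2003 client so the gaps between them can be compared with the 15-minute refresh interval, and read the slow-link threshold the client is actually using (500 kbps unless the "Configure Group Policy slow link detection" policy has written GroupPolicyMinTransferRate). Function names are my own; the log name, source and registry value are the ones these Windows versions use.

```powershell
# Added example, not code from the thread. Run on an affected client.

function Get-Userenv1054Gaps {
    param([int]$Newest = 500)
    # Userenv writes Event ID 1054 to the Application log on XP/2003.
    # Filter on EventID rather than InstanceId, which carries qualifier bits.
    $events = Get-EventLog -LogName Application -Source Userenv -Newest $Newest |
        Where-Object { $_.EventID -eq 1054 } |
        Sort-Object TimeGenerated
    if (-not $events -or $events.Count -lt 2) {
        Write-Output "Fewer than two 1054 events found; nothing to compare."
        return
    }
    # Report each event with the minutes since the previous one. A gap that
    # is a multiple of the refresh interval means a refresh ran and failed;
    # an irregular gap points at the link rather than the schedule.
    for ($i = 1; $i -lt $events.Count; $i++) {
        $gap = $events[$i].TimeGenerated - $events[$i - 1].TimeGenerated
        New-Object PSObject -Property @{
            Time       = $events[$i].TimeGenerated
            Computer   = $events[$i].MachineName
            GapMinutes = [math]::Round($gap.TotalMinutes, 1)
        }
    }
}

function Get-GpoSlowLinkThreshold {
    # Written by the computer policy "Configure Group Policy slow link
    # detection"; when the value is absent the built-in 500 kbps applies,
    # and 0 disables slow-link detection (every link is treated as fast).
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $item = Get-ItemProperty -Path $key -Name GroupPolicyMinTransferRate `
        -ErrorAction SilentlyContinue
    if ($item) { [int]$item.GroupPolicyMinTransferRate } else { 500 }
}

Write-Output ("Slow-link threshold in effect: {0} kbps" -f (Get-GpoSlowLinkThreshold))
Get-Userenv1054Gaps | Format-Table Time, Computer, GapMinutes -AutoSize
```

    Running it from the branch office while the same command is run on a main-office machine shows whether the failures follow the refresh schedule or the WAN.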
  17. Ace Fekay [MVP]
    So it's a slow speed, nonetheless.
    Ace Fekay [MVP], Jun 12, 2008
  18. Ace Fekay [MVP]
    Good point, test it first.
    Ace Fekay [MVP], Jun 12, 2008
  19. Ace Fekay [MVP]
    But even the tests don't take into account the inherent delay, hiccups and
    drag in a cable op's line. For instance, if you test a Comcast line in the
    Philly/NJ/DE region, one IP I used to test, I would get 21 hops. I get 12
    to the same place using FIOS. The extra hop count is horrendous. The tests
    don't take this into account.
    Ace Fekay [MVP], Jun 12, 2008
  20. Robert Craig

    Robert Craig Guest

    Yeah, I know. They always say that. Wouldn't it be great if they could
    guarantee your speed? Even asymmetrical? Of course, that would dramatically
    drop the price of a T1.

    Robert Craig, Jun 13, 2008