Network interruption whenever GPO updates (event log SceCli Event ID 1704)

Discussion in 'Windows Server' started by Erik Wogstad, Jun 18, 2009.

  1. Erik Wogstad

    Erik Wogstad Guest

    I have a single Windows 2000 Advanced server, fully patched, that's
    been working flawlessly for years. Primarily used as a file server.
    But now get LAN traffic interruptions whenever group policy objects
    are updated (event log SceCli 1704), which seems to fire once or twice
    per day. Any workstations with files in use on the server temporarily
    lose track of these files.

    Problem clears up in a minute or two, but some programs lock up and
    files can get corrupted. Very predictable failure, but annoying.

    Don't see any other log messages on server. Any suggestions?
     
    Erik Wogstad, Jun 18, 2009
    #1

  2. Hello Erik,

    The GPO update runs by default every 90-120 minutes. Are there errors or
    warnings in the event viewer?

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Jun 18, 2009
    #2

  3. Erik Wogstad

    Erik Wogstad Guest

    Thanks!

    No errors or warnings in the event viewer. I do realize Event ID 1704
    is an informational message, not a warning, so all the more curious.
    I've been searching thru MS KB and see that GPO and security policies
    seem tightly integrated (are GPO and security policies the same?).
    Couple of mentions of 17 hour intervals for security policy refresh if
    a stand-alone server, which sounds about right for my experience.

    What I do know is that whenever interruptions occur, they coincide with
    SceCli Event ID 1704 in the event log and that these interruptions and
    event logs are about that far apart.

    I found KB Article ID: 277543 ("How to delay security policies from
    being applied") that explains how to delay security policy updates,
    but I'd like to fix the underlying issue.
     
    Erik Wogstad, Jun 18, 2009
    #3
  4. Hello Erik,

    You are correct, security settings are applied every 16 hours. But this shouldn't
    have the effect you see. Is the server on the same subnet as the DC or on
    a different one?

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Jun 20, 2009
    #4
  5. Erik Wogstad

    Erik Wogstad Guest

    I have only this server and it is the domain controller, so the subnet
    must be one and the same, right? When I run ipconfig on the server
    and the workstations, the same subnet mask is identified.

    Don't know if this is relevant, but the server has a dual NIC, each of
    which has a unique address, but have the same subnet mask.

    Thoughts?

    Regards,
    Erik
     
    Erik Wogstad, Jun 21, 2009
    #5
  6. Hello Erik,

    Ok, good that you mention that. It is relevant. A server, especially a domain
    controller, should never be multihomed. What is the reason that you did this?
    Please post the unedited ipconfig /all from the server and the client. GPOs
    will not be applied correctly, slow logons and many more things will happen
    that you don't want to have.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Jun 21, 2009
    #6
  7. Erik Wogstad

    Erik Wogstad Guest

    When we started having the network interruptions, I suspected hardware
    failure somewhere, so replaced network switches and server's NIC
    (disabled built-in dual-NIC and added hp replacement dual-NIC card).
    I thought I was replicating the prior settings, but perhaps got
    something wrong. Per your suggestion, I ran ipconfig /all on the
    Win2K server and my workstation. See results below (The only editing
    I did was to substitute generic "myserver" and "mycompanyname.local"
    and "mywrkstn")

    Thanks for checking this out.

    Regards,
    Erik


    FROM SERVER:

    Windows 2000 IP Configuration
    Host name....................... myserver
    Primary DNS Suffix.............. mycompanyname.local
    Node Type....................... Broadcast
    IP Routing Enabled.............. No
    WINS Proxy Enabled.............. No
    DNS Suffix Search List.......... mycompanyname.local

    Ethernet adapter Local Area Connection 3:
    Connection-specific DNS Suffix.. mycompanyname.local
    Description..................... HP NC7170 Dual Gigabit Server
    Adapter #2
    Physical Address................ 00-02-A5-4D-91-CB
    DHCP Enabled.................... Yes
    Autoconfiguration Enabled....... Yes
    IP Address...................... 10.0.0.158
    Subnet Mask..................... 255.255.255.0
    Default Gateway................. 10.0.0.1
    DHCP Server..................... 10.0.0.100
    DNS Servers..................... 10.0.0.100
    208.67.222.222
    208.67.220.220
    Lease Obtained.................. Sunday, ...
    Leas Expires.................... Thursday, ...

    Ethernet adapter Local Area Connection 2:
    Connection-specific DNS Suffix.. mycompanyname.local
    Description..................... HP NC7170 Dual Gigabit Server
    Adapter #2
    Physical Address................ 00-02-A5-4D-91-CA
    DHCP Enabled.................... No
    IP Address...................... 10.0.0.100
    Subnet Mask..................... 255.255.255.0
    Default Gateway................. 10.0.0.1
    DNS Servers..................... 10.0.0.100



    FROM CLIENT WORKSTATION:

    Windows IP Configuration
    Host name....................... mywrkstn
    Primary DNS Suffix.............. mycompanyname.local
    Node Type....................... Hybrid
    IP Routing Enabled.............. No
    WINS Proxy Enabled.............. No
    DNS Suffix Search List.......... mycompanyname.local
    mycompanyname.local

    Ethernet adapter Local Area Connection 3:
    Connection-specific DNS Suffix.. mycompanyname.local
    Description..................... Broadcom NetXtreme Gigabit
    Ethernet for hp
    Physical Address................ 00-30-6E-B6-F5-8C
    DHCP Enabled.................... Yes
    Autoconfiguration Enabled....... Yes
    IP Address...................... 10.0.0.153
    Subnet Mask..................... 255.255.255.0
    Default Gateway................. 10.0.0.1
    DHCP Server..................... 10.0.0.100
    DNS Servers..................... 10.0.0.100
    208.67.222.222
    208.67.220.220
    Lease Obtained.................. Sunday, ...
    Leas Expires.................... Thursday, ...
     
    Erik Wogstad, Jun 21, 2009
    #7
  8. Hello Erik,

    Your server should look like this, only one NIC in use, disable the other
    one, that's your conflict:

    DHCP Enabled.................... NO
    Autoconfiguration Enabled....... Yes
    IP Address...................... 10.0.0.100
    Subnet Mask..................... 255.255.255.0
    Default Gateway................. 10.0.0.1
    DNS Servers..................... 10.0.0.100

    The 208.67.222.222 and 208.67.220.220 addresses do not have to be used on the
    NIC; I assume these are the ISP's DNS servers. Those you have to configure as
    FORWARDERS under the DNS server properties, in the DNS management console.

    If reconfigured, remove the not needed ip addresses from the DNS zones and
    DNS server/zones properties, check all tabs. After that run ipconfig /flushdns
    and ipconfig /registerdns and restart the netlogon service on the DC.

    A server, especially Domain controller should never use DHCP, always give
    it a fixed ip address, that's the reason for the x.x.x.100 in my example
    above. Do NOT stop the DHCP client service, this is needed for DNS registration,
    even if fixed ips are used. You can use of course ip addresses for your needs.

    Disable the second NIC, you don't need it. What you can do is to use both
    NICs with the HP teaming software; this creates a virtual NIC with a virtual
    MAC address and you can configure it for load balancing or failover. Again, the
    teamed NIC needs ONE IP address.

    For the client it is the same, remove the ISP's DNS servers and use the domain
    internal DNS server. The DNS server will use the forwarders if it can not
    resolve a name, so internet will still work.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Jun 21, 2009
    #8
  9. Erik Wogstad

    Erik Wogstad Guest

    Thank you so much! I will implement your suggestions and report back
    on the results.

    Regards,
    Erik
     
    Erik Wogstad, Jun 22, 2009
    #9
  10. Erik,

    Why not just team the NICs so they act together as one NIC? They are the
    same exact model numbers, so with the HP software, you can team them. This
    will offer load balancing and fault tolerance, and it will only use one IP
    on the network. The following is HP's White Paper on Teaming:

    HP ProLiant Network Adapter Teaming White Paper (File Format: PDF)
    This white paper specifically discusses HP ProLiant Network Adapter Teaming
    for Microsoft Windows ...
    http://h20000.www2.hp.com/bc/docs/support/.../c01415139.pdf

    As for the 208.x.x.x ISP's DNS addresses, definitely follow Meinolf's
    suggestions.

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Please reply back to the newsgroup/forum to benefit from collaboration among
    responding engineers, as well as to help others benefit from your
    resolution.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
    Microsoft Certified Trainer

    http://twitter.com/acefekay

    For urgent issues, you may want to contact Microsoft PSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.
     
    Ace Fekay [Microsoft Certified Trainer], Jun 22, 2009
    #10
  11. Erik Wogstad

    Erik Wogstad Guest

    Hi Meinolf,

    I've tried to implement your instructions. I disabled all but one
    server NIC, and made sure DHCP was not enabled on it, so there is only
    one static IP address for the server, 10.0.0.100.

    I'm not sure what to change on the workstation, however. I have
    copied latest ipconfig /all results for both the server and my own
    workstation (see below). I don't know how important this is, but
    you'll see that the 208.67... IP addresses (for my ISP?) still show
    up on ipconfig info for the workstation, DNS Servers list. These
    addresses do not correspond to the addresses listed on the server's
    DNS Forwarders list. Rather, I found these addresses listed in the
    DHCP console, Scope options > DNS Servers list. I think all of this
    dates back to when server was first set up.

    In any case, my initial problem still remains: I encountered a network
    interruption this am, coinciding with SceCli event log ID 1704. What
    am I missing?

    Thanks again.

    Regards,
    Erik


    FROM SERVER:

    Windows 2000 IP Configuration
    Host name....................... myserver
    Primary DNS Suffix.............. mycompanyname.local
    Node Type....................... Broadcast
    IP Routing Enabled.............. No
    WINS Proxy Enabled.............. No
    DNS Suffix Search List.......... mycompanyname.local

    Ethernet adapter Local Area Connection 2:
    Connection-specific DNS Suffix.. mycompanyname.local
    Description..................... HP NC7170 Dual Gigabit Server
    Adapter
    Physical Address................ 00-02-A5-4D-91-CA
    DHCP Enabled.................... No
    IP Address...................... 10.0.0.100
    Subnet Mask..................... 255.255.255.0
    Default Gateway................. 10.0.0.1
    DNS Servers..................... 10.0.0.100


    FROM CLIENT WORKSTATION:

    Windows IP Configuration
    Host name....................... mywrkstn
    Primary DNS Suffix.............. mycompanyname.local
    Node Type....................... Hybrid
    IP Routing Enabled.............. No
    WINS Proxy Enabled.............. No
    DNS Suffix Search List.......... mycompanyname.local
    mycompanyname.local

    Ethernet adapter Local Area Connection:
    Connection-specific DNS Suffix.. mycompanyname.local
    Description..................... Broadcom NetXtreme Gigabit
    Ethernet for hp
    Physical Address................ 00-30-6E-B6-F5-8C
    Dhcp Enabled.................... Yes
    Autoconfiguration Enabled....... Yes
    IP Address...................... 10.0.0.153
    Subnet Mask..................... 255.255.255.0
    Default Gateway................. 10.0.0.1
    DHCP Server..................... 10.0.0.100
    DNS Servers..................... 10.0.0.100
    208.67.222.222
    208.67.220.220
    Lease Obtained.................. Sunday, ...
    Leas Expires.................... Thursday, ...
     
    Erik Wogstad, Jun 22, 2009
    #11
  12. Hi Erik,

    The 208.x.x.x addresses need to be removed from your client machines, too.
    In DHCP Option 006, simply remove them. Once that is done, and the clients
    restarted, the errors should disappear.

    Don't forget to create a forwarder to those two 208.x.x.x addresses in DNS
    properties.

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Jun 22, 2009
    #12
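
An added example, not part of any post in this thread: a small Python audit of pasted `ipconfig /all` text for the three conditions the replies in #8 and #12 call out (a DC NIC on DHCP, two NICs on the same subnet, and non-internal DNS servers listed on a NIC). The sample input is constructed from the values posted above; the function names, the `role` argument and the dotted `Key..... value` layout are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample modelled on the server output posted earlier in the thread.
SERVER_SAMPLE = """\
Ethernet adapter Local Area Connection 3:
    DHCP Enabled.................... Yes
    IP Address...................... 10.0.0.158
    Subnet Mask..................... 255.255.255.0
    DNS Servers..................... 10.0.0.100
    208.67.222.222
    208.67.220.220

Ethernet adapter Local Area Connection 2:
    DHCP Enabled.................... No
    IP Address...................... 10.0.0.100
    Subnet Mask..................... 255.255.255.0
    DNS Servers..................... 10.0.0.100
"""
FIELD = re.compile(r"^\s*([A-Za-z][^.]*?)\.{2,}\s*(.*)$")  # "Key....... value"

def parse_adapters(text):
    """Return one dict per 'Ethernet adapter' section of ipconfig /all output."""
    adapters, last = [], None
    for line in text.splitlines():
        s = line.strip()
        if s.lower().startswith("ethernet adapter"):
            adapters.append({"name": s.rstrip(":"), "dns servers": []})
            last = None
        elif adapters and (m := FIELD.match(line)):
            last = m.group(1).strip().lower()
            if last == "dns servers":
                adapters[-1][last].append(m.group(2).strip())
            else:
                adapters[-1][last] = m.group(2).strip()
        elif adapters and last == "dns servers" and s:
            adapters[-1][last].append(s)  # wrapped line: one more resolver
    return adapters

def audit(text, role, internal_dns=("10.0.0.100",)):
    """List findings for the problems named in the thread; role is 'dc' or 'client'."""
    findings, nets = [], {}
    for a in parse_adapters(text):
        if "ip address" in a and "subnet mask" in a:
            net = ipaddress.ip_network(f"{a['ip address']}/{a['subnet mask']}", strict=False)
            nets.setdefault(net, []).append(a["name"])
        if role == "dc" and a.get("dhcp enabled", "").lower() == "yes":
            findings.append(f"{a['name']}: DHCP-assigned address on a DC")
        findings += [f"{a['name']}: non-internal DNS server {d}"
                     for d in a["dns servers"] if d not in internal_dns]
    if role == "dc":
        findings += [f"multihomed on {net}: {', '.join(names)}"
                     for net, names in nets.items() if len(names) > 1]
    return findings
```

Calling `audit(SERVER_SAMPLE, "dc")` returns four findings for the original two-NIC layout and an empty list once only the static 10.0.0.100 adapter remains.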
  13. Erik Wogstad

    Erik Wogstad Guest

    Ace,

    Thanks. I removed both 208.67... references from DHCP Option 006 and
    added same to DNS forwarder entries. I can confirm that ipconfig
    /all no longer shows these entries on the DNS servers list.

    I'll let you know if interruption errors stop over next 24 hrs. (BTW,
    for testing purposes, is there a way to force the SceCli event 1704
    Group Policy Update to fire?)

    Thanks much,
    Erik
     
    Erik Wogstad, Jun 23, 2009
    #13

  14. Hi Erik,

    That fires up at the GPO refresh interval. So simply wait for the refresh
    (± 90 min) or simply restart the machine. You can force GPOs to refresh
    using gpupdate or "gpupdate /force". Using the /force will probably
    require a restart, depending on what's in the GPO.

    Curious, were these machines imaged with sysprep?

    For more info, check this link:
    http://eventid.net/display.asp?eventid=1704&eventno=134&source=SceCli&phase=1

    Give it some time and just monitor your machines to make sure they are all
    working.

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Jun 23, 2009
    #14
  15. Hello Erik,

    Ace already gave you the latest infos. Nice to hear that it goes forward.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Jun 23, 2009
    #15
  16. Erik Wogstad

    Erik Wogstad Guest

    Ace,

    The Win2K server did not recognize the command "gpupdate /force", but
    the link you gave me suggested "secedit /refreshpolicy machine_policy"
    which did fire (with the message that the GPO update may take several
    minutes to complete). After a few minutes my system experienced
    another interruption. I checked the log and found a new error:

    Source: Userenv
    Event ID 1000
    User: NT AUTHORITY\SYSTEM
    "Windows cannot access the file gpt.ini for GPO. The file must be
    present at the location <>. (). Group Policy processing aborted."

    This was followed up by another Event ID 1000 entry with further text:
    "Windows cannot query for the list of Group Policy Objects. A message
    that describes the reason for this was previously logged by this
    policy engine."

    I found a couple of warning entries from earlier in the day, but these
    could have taken place when I was re-setting NICs and DNS server
    settings:
    Source: WinMgmt
    Event ID: 35
    WMI ADAP was unable to load the ASP.NET performance library because it
    returned invalid data: 0x0
    And a follow-on Event ID 35:
    WMI ADAP was unable to load the ASP.NET_2.0.50727 performance library
    because it returned invalid data: 0x0

    What does all this mean?

    Thanks,
    Erik
     
    Erik Wogstad, Jun 23, 2009
    #16
  17. Erik Wogstad

    Erik Wogstad Guest

    Oops. Forgot to answer your Q: No, sysprep not used.

    Regards,
    Erik
     
    Erik Wogstad, Jun 23, 2009
    #17
  18. Hello Erik,

    Machines created from images MUST be sysprepped to remove the SID and some
    other MS settings. If those are the same, as when you just clone a computer,
    this will result in errors in the domain.

    So run sysprep on all workstations to change the needed settings. Unfortunately
    this requires changing the computer name etc. See here about sysprep:
    http://support.microsoft.com/kb/298491

    http://www.microsoft.com/DownLoads/...06-2824-4D2B-ABC1-0E2223133AFB&displaylang=en

    I assume also the event id 1000 will belong to that.

    The other one is just a warning, if I am correct, which has no functional influence,
    so keep that until the end or use this tool to disable the performance counters
    for them.
    http://www.microsoft.com/downloads/...83-b7ec-4da6-92ab-793193604ba4&displaylang=en

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Jun 23, 2009
    #18
  19. I wouldn't worry too much about the EventID 35 error, but rather find out
    what's going on with the GPOs. And I agree with Meinolf, if these machines
    were imaged, but without using sysprep, it can introduce numerous 'ghost'
    issues. Matter of fact, I had a friend of mine call me yesterday with a
    problem with one of his clients. He just imaged down a new workstation for a
    user and his home folder and other mapped drives wound up not staying
    connected with access-denied errors. I asked him if he used sysprep, and he
    said no. I suggested to disjoin the machine, run NewSID, and rejoin it. The
    errors went away after he did so.

    And sorry, I thought you were talking about 2003, hence the gpupdate
    suggestions. Glad you figured that one out.

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Jun 23, 2009
    #19
  20. Hello Ace Fekay [Microsoft Certified Trainer],

    I suggest not using NewSID, because this will only change the SID and will
    not also remove some other MS settings, which happens during sysprep. Unfortunately
    I can't find the article where the other MS settings are described at the
    moment.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Jun 23, 2009
    #20
