Random trouble enforcing group policy over a NAT

Discussion in 'Active Directory' started by williaa, Feb 28, 2006.

  1. williaa

    williaa Guest

    I have 15 computers behind a NAT. Each computer is virtually identical (the
    same image) except for different SIDs, IPs, etc. Each computer is running a
    fully patched copy of Windows XP. Each computer is a member of a domain. The
    Domain controller, DNS, etc. are all outside of the NAT, so all
    communication from the 15 machines to the DC goes through the NAT.

    I need to be able to restart all of these computers at about the same time
    and have them start back up correctly. However, almost every time I restart
    more than 5 (sometimes even with 5), several fail to apply all of the group
    policies I have in place. Running gpupdate /force always resolves the
    problem. Each computer has experienced this issue, and each has restarted
    successfully without experiencing it.

    The eventlogs show errors accessing the registry.pol file in the domain's
    sysvol share for my policy.

    I get one or more of the following:

    Event ID 1043
    Windows cannot access the registry information at
    <removed>\Machine\registry.pol. (Access is denied. ).

    Event ID 1096
    Windows cannot access the registry policy file,
    <removed>\Machine\registry.pol. (Access is denied. ).

    Event ID 1096
    Windows cannot access the registry policy file,
    <removed>\Machine\registry.pol. (The data is invalid. ).


    I have checked the file on all of our domain controllers. None are corrupt,
    all have the default security policies, and all DCs have a copy of the
    file. I even manually recreated the policy and still received the same
    error. When I log into a failed machine and check the file, it has access
    to the file.

    I've tried using different NATs and network hardware. I've updated network
    drivers and tweaked settings. I do not believe it is a problem with the
    NAT.

    The policy is fine, the NAT is fine, DNS is fine, and the machines are
    capable of applying the policy correctly.

    I'm not really sure where to go from here and would appreciate any advice on
    how to fix this problem.
     
    williaa, Feb 28, 2006
    #1

  2. I can't remember if this is a supported configuration, nor can I recall
    looking at such a setup, so I can't be 100% sure if this all works as
    planned or not. Let's test a few things...

    Pick a PC and enable verbose userenv logging (Google for KB)
    Reboot and then logon.
    Check %systemroot%\debug\usermode\userenv.log


    Post about twenty lines from the bottom of the file. Feel free to edit the
    domain name.

    Also, please install the support tools and run the following command:

    nltest /dsgetdc:domain-name.com
    nltest /dsgetsite


    Note. The support tools are on the media CD or available for download:
    -- http://www.msresource.net/content/view/53/46/
     
    Paul Williams [MVP], Mar 1, 2006
    #2

  3. williaa

    williaa Guest

    I'm not sure how useful the last 20 lines will be.

    USERENV(260.284) 09:18:44:025 ImpersonateUser: Failed to impersonate user with 5.
    USERENV(260.284) 09:18:44:025 GetUserNameAndDomain Failed to impersonate user
    USERENV(260.284) 09:18:44:035 ImpersonateUser: Failed to impersonate user with 5.
    USERENV(260.284) 09:18:44:035 GetUserDNSDomainName: Failed to impersonate user
    USERENV(260.284) 09:18:44:035 ProcessAutoexec: Cannot process autoexec.bat.
    USERENV(698.32c) 09:18:44:486 LibMain: Process Name: C:\WINDOWS\Explorer.EXE
    USERENV(698.810) 09:18:45:668 GetProfileType: Profile already loaded.
    USERENV(698.810) 09:18:45:668 GetProfileType: ProfileFlags is 0
    USERENV(698.32c) 09:18:57:755 ImpersonateUser: Failed to impersonate user with 5.
    USERENV(698.32c) 09:18:57:765 GetUserNameAndDomain Failed to impersonate user
    USERENV(698.32c) 09:18:57:765 ImpersonateUser: Failed to impersonate user with 5.
    USERENV(698.32c) 09:18:57:765 GetUserDNSDomainName: Failed to impersonate user
    USERENV(698.32c) 09:18:57:775 ProcessAutoexec: Cannot process autoexec.bat.
    USERENV(698.32c) 09:18:57:785 ImpersonateUser: Failed to impersonate user with 5.
    USERENV(698.32c) 09:18:57:785 GetUserNameAndDomain Failed to impersonate user
    USERENV(698.32c) 09:18:57:795 ImpersonateUser: Failed to impersonate user with 5.
    USERENV(698.32c) 09:18:57:795 GetUserDNSDomainName: Failed to impersonate user
    USERENV(698.32c) 09:18:57:795 ProcessAutoexec: Cannot process autoexec.bat.
    USERENV(594.794) 09:18:59:878 LibMain: Process Name: C:\WINDOWS\system32\RUNDLL32.EXE
    USERENV(8ac.8a8) 09:19:02:051 LibMain: Process Name: C:\WINDOWS\system32\ctfmon.exe
    USERENV(c10.c04) 09:19:06:958 LibMain: Process Name: C:\WINDOWS\System32\wbem\wmiprvse.exe
    USERENV(384.7c4) 09:19:09:602 ProcessAutoexec: Cannot process autoexec.bat.
    USERENV(384.474) 09:19:09:812 ProcessAutoexec: Cannot process autoexec.bat.
    USERENV(214.cd8) 09:19:14:649 ProcessAutoexec: Cannot process autoexec.bat.
    USERENV(c94.ca4) 09:19:15:701 LibMain: Process Name: C:\WINDOWS\system32\userinit.exe
    USERENV(6f4.b9c) 09:23:12:752 LibMain: Process Name: C:\WINDOWS\system32\notepad.exe


    Also, both of the support tool commands were successful.
     
    williaa, Mar 1, 2006
    #3
  4. williaa

    williaa Guest

    This seems to be the part of the userenv log where the problem occurs.

    USERENV(20c.3b4) 09:51:20:157 ParseRegistryFile: Entering with <\\<removed>\SysVol\<removed>\Policies\{8F1518CF-9AFD-4F2C-BDDF-B24AA324E978}\Machine\registry.pol>.
    USERENV(474.478) 09:51:20:397 LibMain: Process Name: C:\WINDOWS\System32\alg.exe
    USERENV(20c.3b4) 09:51:21:278 ParseRegistryFile: CreateFile failed with 5
    USERENV(20c.3b4) 09:51:21:328 ParseRegistryFile: Leaving.
    USERENV(20c.3b4) 09:51:21:328 ProcessGPORegistryPolicy: ParseRegistryFile failed.
    USERENV(20c.3b4) 09:51:21:338 LeaveCriticalPolicySection: Critical section 0x7d4 has been released.
    USERENV(20c.3b4) 09:51:21:338 ProcessGPOList: ProcessGPORegistryPolicy failed.
    USERENV(20c.3b4) 09:51:21:338 ProcessGPOList: Extension Registry was able to log data. RsopStatus = 0x0, dwRet = -2147467259, Clearing the dirty bit
    USERENV(20c.3b4) 09:51:21:358 ProcessGPOs: Extension Registry ProcessGroupPolicy failed, status 0x80004005.
     
    williaa, Mar 1, 2006
    #4
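An added example, not code from the thread: a small Python parser for the userenv.log lines quoted in the two posts above. Lines from several processes interleave (alg.exe starts in the middle of the registry.pol failure), so it keeps state per pid.tid: the path from "ParseRegistryFile: Entering with <...>" is held until the same thread reports "CreateFile failed with N", the Win32 code is mapped to its name (5 is ERROR_ACCESS_DENIED, the "Access is denied" of events 1043 and 1096; 13 is ERROR_INVALID_DATA, "The data is invalid"), and the HRESULT from "ProcessGPOs: ... failed, status 0x..." is attached to that record. Failed impersonations from the first log are picked up as well. The sample lines, server name, domain and GPO GUID are constructed placeholders, not the poster's.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample modelled on the thread's excerpts; dc1.example.test,
# example.test and the GUID are placeholders (the poster's were removed).
SAMPLE_LOG = r"""
USERENV(20c.3b4) 09:51:20:157 ParseRegistryFile: Entering with <\\dc1.example.test\SysVol\example.test\Policies\{00000000-0000-0000-0000-000000000001}\Machine\registry.pol>.
USERENV(474.478) 09:51:20:397 LibMain: Process Name: C:\WINDOWS\System32\alg.exe
USERENV(20c.3b4) 09:51:21:278 ParseRegistryFile: CreateFile failed with 5
USERENV(20c.3b4) 09:51:21:328 ParseRegistryFile: Leaving.
USERENV(20c.3b4) 09:51:21:328 ProcessGPORegistryPolicy: ParseRegistryFile failed.
USERENV(20c.3b4) 09:51:21:338 ProcessGPOList: ProcessGPORegistryPolicy failed.
USERENV(20c.3b4) 09:51:21:358 ProcessGPOs: Extension Registry ProcessGroupPolicy failed, status 0x80004005.
USERENV(698.32c) 09:18:57:755 ImpersonateUser: Failed to impersonate user with 5.
USERENV(698.32c) 09:18:57:765 GetUserNameAndDomain Failed to impersonate user
"""

# USERENV(pid.tid) hh:mm:ss:ms Function: message  -- pid/tid are hex, and a few
# functions (GetUserNameAndDomain) log without the colon, hence ":?".
LINE_RE = re.compile(
    r"^USERENV\((?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+)\) "
    r"(?P<ts>\d{2}:\d{2}:\d{2}:\d{3}) (?P<func>\w+):? (?P<msg>.*)$"
)
ENTERING_RE = re.compile(r"Entering with <(?P<path>.+)>\.?$")
CREATEFILE_RE = re.compile(r"CreateFile failed with (?P<code>\d+)")
IMPERSONATE_RE = re.compile(r"Failed to impersonate user with (?P<code>\d+)")
STATUS_RE = re.compile(r"failed, status (?P<hr>0x[0-9A-Fa-f]+)")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Win32 codes seen in CreateFile / ImpersonateUser failures against SYSVOL.
WIN32_ERRORS: Dict[int, str] = {
    2: "ERROR_FILE_NOT_FOUND",
    5: "ERROR_ACCESS_DENIED",       # "Access is denied."    (events 1043/1096)
    13: "ERROR_INVALID_DATA",       # "The data is invalid." (event 1096)
    53: "ERROR_BAD_NETPATH",
    64: "ERROR_NETNAME_DELETED",    # SMB session dropped under the client
    1203: "ERROR_NO_NET_OR_BAD_PATH",
    1326: "ERROR_LOGON_FAILURE",
}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one userenv.log line into pid, tid, timestamp, function, message."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["thread"] = f"{rec['pid']}.{rec['tid']}"
    return rec


def _failure(rec: dict, kind: str, code: int, path: Optional[str]) -> dict:
    guid = GUID_RE.search(path or "")
    return {"thread": rec["thread"], "time": rec["ts"], "kind": kind, "path": path,
            "gpo": guid.group(0) if guid else None, "win32": code,
            "error": WIN32_ERRORS.get(code, f"WIN32_{code}"), "hresult": None}


def find_failures(text: str) -> List[dict]:
    """One record per failed registry.pol open or failed impersonation."""
    failures: List[dict] = []
    last_path: Dict[str, str] = {}      # per pid.tid: registry.pol being opened
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        thread, func, msg = rec["thread"], rec["func"], rec["msg"]
        if func == "ParseRegistryFile":
            m = ENTERING_RE.search(msg)
            if m:
                last_path[thread] = m.group("path")
                continue
            m = CREATEFILE_RE.search(msg)
            if m:
                failures.append(_failure(rec, "registry.pol", int(m.group("code")),
                                         last_path.get(thread)))
        elif func == "ImpersonateUser":
            m = IMPERSONATE_RE.search(msg)
            if m:
                failures.append(_failure(rec, "impersonation", int(m.group("code")), None))
        elif func == "ProcessGPOs":
            m = STATUS_RE.search(msg)
            if m:
                # Attach the HRESULT to this thread's most recent open failure.
                for f in reversed(failures):
                    if f["thread"] == thread and f["kind"] == "registry.pol" and f["hresult"] is None:
                        f["hresult"] = m.group("hr").lower()
                        break
    return failures


def summarize(failures: List[dict]) -> Dict[str, int]:
    """Count failures by error name, e.g. over logs collected from all clients."""
    return dict(Counter(f["error"] for f in failures))


if __name__ == "__main__":
    found = find_failures(SAMPLE_LOG)
    for f in found:
        print(f["time"], f["thread"], f["kind"], f["error"], f["gpo"], f["hresult"])
    print(summarize(found))
```

Feeding the concatenated userenv.log files from all 15 machines through summarize() gives the split between ERROR_ACCESS_DENIED and ERROR_INVALID_DATA directly, and the timestamps on the records show whether the failures cluster in the seconds after a mass reboot.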
  5. Al Mulnick

    Al Mulnick Guest

    I'm trying to understand how you can be so sure this is not a problem with
    the NAT device?
    Can you expand on that?

    The failed to impersonate user and logon errors makes me think that during
    heavy loads, your NAT device is not keeping up with the traffic. Could be
    elsewhere, but that's the first suspect I'd want to look at in this case.


    Al
     
    Al Mulnick, Mar 2, 2006
    #5
  6. williaa

    williaa Guest

    I did look at the situation some more today and it does seem to be some sort
    of connectivity issue. That would explain all the variety of error messages
    I get (access denied when it browses the directory, but loses the connection
    before touching the file, invalid file when it loses connection while reading
    the file, etc.) but I have yet to prove the NAT is responsible.

    I'm going to follow up on this some more and hopefully find a good clue as
    to what is going on. Thanks for the help so far, looking at that log file
    really helped me get a better understanding of how things were playing out.
     
    williaa, Mar 2, 2006
    #6