Domain group policy not updating over site-to-site VPN

0

I have 2 sites:

192.168.10.0/24 - main site, this is where the DC is.

192.168.20.0/24 - remote site, connected via site-to-site VPN.

On the main site everything works fine; GPOs are being updated to members.

On the remote site, I can log in with a domain user, I can ping the DC server via IP address and hostname, I can access the DC via %logonserver%, and I can open the SYSVOL and NETLOGON folders.

The problem is that I can't update GPO. If I try to run gpupdate /force, I get this:

Updating policy...

Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
User Policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows could not resolve the user name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

Running GPRESULT /H GPReport.html I get this:

INFO: The user "DOMAIN\user" does not have RSoP data.

In Event Viewer I have Error codes 7017 and 7320.

GpLogView returns this:

GPLogView.exe -a 965ecff1-4502-4f7a-9d82-1c0fb1d92734
Processing events...
2020-04-28 12:27:10.440 4005 Starting manual processing of policy for user DOMAIN\user.
                             Activity id: {965ecff1-4502-4f7a-9d82-1c0fb1d92734}
2020-04-28 12:27:10.443 5340 The Group Policy processing mode is Background.
2020-04-28 12:27:10.444 5320 Attempting to retrieve the account information.
2020-04-28 12:27:10.444 4017 Making system call to get account information.

2020-04-28 12:27:11.070 7017 The system call to get account information completed.

                             The call failed after 641 milliseconds.
2020-04-28 12:27:11.070 5320 Retrying to retrieve account information.
2020-04-28 12:27:11.570 4017 Making system call to get account information.

2020-04-28 12:27:12.210 7017 The system call to get account information completed.

                             The call failed after 625 milliseconds.
2020-04-28 12:27:12.210 5320 Retrying to retrieve account information.
2020-04-28 12:27:12.711 4017 Making system call to get account information.

2020-04-28 12:27:13.420 7017 The system call to get account information completed.

                             The call failed after 704 milliseconds.
2020-04-28 12:27:13.420 5320 Retrying to retrieve account information.
2020-04-28 12:27:13.921 4017 Making system call to get account information.

2020-04-28 12:27:14.468 7017 The system call to get account information completed.

                             The call failed after 546 milliseconds.
2020-04-28 12:27:14.468 7320 Error: Retrieved account information. Error code 0x80090322.
2020-04-28 12:27:14.470 1053 The processing of Group Policy failed. Windows could not resolve the user name. This could be caused by one of more of the following:
                             a) Name Resolution failure on the current domain controller.
                             b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
2020-04-28 12:27:14.473 8005 Completed manual processing of policy for user DOMAIN\user in 4 seconds.
Processed 17 records.

As far as I can see, all required ports are open.

Any advice on what I should troubleshoot next?

group-policy
domain
site-to-site-vpn
asked on Server Fault Apr 28, 2020 by markec134

1 Answer

0

We were getting a similar error: "The processing of Group Policy failed. Windows could not resolve the computer name." The issue for us was that the clocks were out of sync. And they wouldn't sync with AD because they were out of sync (security issue?). Anyway, it was a chicken-and-egg situation.

I forced a clock sync with:

w32tm /config /manualpeerlist:"time.google.com" /syncfromflags:manual /reliable:yes /update

And gpupdate ran successfully. This may help you.

answered on Server Fault Mar 17, 2021 by Carter
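A triage helper for the GPLogView output in the question, added here as an example and not part of either post: it folds the indented continuation lines into their events, counts the failed account lookups (event 7017), and decodes the HRESULT from event 7320, showing that 0x80090322 belongs to the SSPI (authentication) facility. `SAMPLE` is a constructed, shortened copy of the question's log, the function names are hypothetical, and the status names are the ones defined in the Windows SDK header winerror.h.

```python
import re

# Constructed sample: a shortened copy of the GPLogView output in the question.
SAMPLE = """\
2020-04-28 12:27:10.440 4005 Starting manual processing of policy for user DOMAIN\\user.
                             Activity id: {965ecff1-4502-4f7a-9d82-1c0fb1d92734}
2020-04-28 12:27:10.444 4017 Making system call to get account information.
2020-04-28 12:27:11.070 7017 The system call to get account information completed.

                             The call failed after 641 milliseconds.
2020-04-28 12:27:14.468 7017 The system call to get account information completed.

                             The call failed after 546 milliseconds.
2020-04-28 12:27:14.468 7320 Error: Retrieved account information. Error code 0x80090322.
"""

# A few SSPI status codes and names as defined in the Windows SDK (winerror.h).
SSPI_NAMES = {
    0x8009030C: "SEC_E_LOGON_DENIED",
    0x80090311: "SEC_E_NO_AUTHENTICATING_AUTHORITY",
    0x80090322: "SEC_E_WRONG_PRINCIPAL",
    0x80090324: "SEC_E_TIME_SKEW",
}
FACILITY_SSPI = 9  # HRESULT facility used by the security support providers

EVENT = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) (\d+) (.*)$")

def parse_events(text):
    """Return (timestamp, event_id, message) tuples, folding continuation lines."""
    events = []
    for line in text.splitlines():
        m = EVENT.match(line)
        if m:
            events.append([m.group(1), int(m.group(2)), m.group(3)])
        elif line.strip() and events:
            events[-1][2] += " " + line.strip()
    return [tuple(e) for e in events]

def summarize(text):
    """Count failed account lookups (7017) and decode the HRESULT in event 7320."""
    events = parse_events(text)
    failed = [m for _, eid, m in events if eid == 7017 and "call failed" in m]
    errors = []
    for _, eid, msg in events:
        if eid == 7320:
            for h in re.findall(r"0x[0-9A-Fa-f]{8}", msg):
                code = int(h, 16)
                errors.append({"code": h, "name": SSPI_NAMES.get(code, "unknown"),
                               "sspi": ((code >> 16) & 0x1FFF) == FACILITY_SSPI})
    return {"failed_lookups": len(failed), "errors": errors}
```

Calling `summarize()` on the full GPLogView text from the question works the same way, since the parser only relies on the timestamp, event id and message layout shown there.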

User contributions licensed under CC BY-SA 3.0