Group Policy Computer Failure

active-directory group-policy

Hoping somebody can help with this, as I'm banging my head against a brick wall with it.

Problem

Group Policy Computer Configurations are not applying on any machine apart from the DC, User policies are applying.

History

Somebody else set up this domain and it's probably been like this for a while, but given they don't use many GPOs and user rights etc. seem unaffected, they don't seem to have noticed.
Earlier in the week I had to manually recreate the _msdcs domain, which had been deleted (or potentially never existed), to get domain joins working properly. It's very possible that this issue is a hangover from that or that other serious flaws exist in this domain; I'm just having trouble figuring out what they might be or how to fix them.

Initial Error Details

gpupdate processes fine when targeted at users (/TARGET:User) but not when targeted at computers; it generates a generic error and points to the details section for more info:

Generic Error

The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.

Detailed Error

ErrorCode 8341

ErrorDescription A directory service error has occurred.

DCName \SERVER01.domain.local

What I've Tried

I have been working on the understanding that this error is caused by the computer not authenticating with the DC for access to the GPO as a computer account.
Thus I've tried:

  • Drop off domain and add back on
  • Set up entirely new server and connect to the domain

I have also looked at the domain health, given it was a previous issue (see history), but I'm not getting very far on repairing the issues. The AD Best Practice Analyzer notes some errors in the domain and I'm planning a server reboot overnight, hoping it will resolve these. There are too many to easily post here, but they are all related to DNS records not being properly registered to identify the DC as a primary catalogue, Kerberos server and other domain functions.

Potential Thoughts

My current thinking is that repairing the domain in some way (bearing in mind it's a live domain and we can't go around doing too many drastic things, especially during working hours) will resolve this, but I'm out of my depth on what needs repairing or how to do it.

Any suggestions would be greatly appreciated, and sorry it's such a long post!

Best Answer

This issue was (as the commenters suggested) tied to the errors in the Best Practices Analyzer.

The domain.local zone was not AD integrated, and thus the DC wasn't managing to make the records it needed to allow domain computers to find the relevant services.

I changed the zone to Active Directory Integrated, then ran "ipconfig /flushdns" and "ipconfig /registerdns" and restarted the Netlogon service on the DC.

This resolved the GPO issue and the Active Directory Best Practices errors.
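As an added example (not the poster's own script), here is a PowerShell check for the condition the accepted answer found, followed by the same remediation steps it describes. It assumes it is run elevated on the DC with the DnsServer module available, and uses the zone and DC names from the post (`domain.local`, `SERVER01.domain.local`) as placeholders.

```powershell
# Diagnostic for the symptom in this thread: computer GPO processing failing with
# error 8341 because the DC's DNS zone was a standard primary (not AD-integrated),
# so the SRV records clients use to locate DC/KDC/GC services were never registered.
# Assumes: run elevated on the DC with the DnsServer module (DNS role / RSAT).
# Zone and DC names are taken from the post; adjust for your environment.
param(
    [string]$Zone = 'domain.local',
    [string]$Dc   = 'SERVER01.domain.local',
    [switch]$Fix   # only apply the remediation when explicitly asked
)

# 1. Zone type: an AD-integrated zone reports IsDsIntegrated = True.
$z = Get-DnsServerZone -Name $Zone -ErrorAction Stop
Write-Host ("Zone {0}: type={1} IsDsIntegrated={2}" -f $z.ZoneName, $z.ZoneType, $z.IsDsIntegrated)

# 2. SRV records a domain member needs to find a DC, a Kerberos KDC and a Global Catalog.
$srv = @(
    "_ldap._tcp.dc._msdcs.$Zone",   # DC locator
    "_kerberos._tcp.$Zone",         # KDC
    "_gc._tcp.$Zone"                # Global Catalog
)
$missing = @()
foreach ($name in $srv) {
    $r = Resolve-DnsName -Name $name -Type SRV -Server $Dc -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'SRV' }
    if ($r) {
        Write-Host "OK      $name -> $($r.NameTarget -join ', ')"
    } else {
        Write-Warning "MISSING $name"
        $missing += $name
    }
}
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) locator record(s) missing; computer policy will fail to bind."
}

# 3. Remediation (-Fix): the steps from the accepted answer.
if ($Fix) {
    if (-not $z.IsDsIntegrated) {
        # Convert to AD-integrated, replicated to all DCs in the domain.
        ConvertTo-DnsServerPrimaryZone -Name $Zone -ReplicationScope Domain -Force
    }
    ipconfig /flushdns    | Out-Null
    ipconfig /registerdns | Out-Null
    # Netlogon re-registers the DC's SRV records when it restarts.
    Restart-Service Netlogon
    gpupdate /target:computer /force
}
```

Run it without `-Fix` first to confirm the zone type and missing records match this thread's symptom before converting anything on a live domain.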