Windows domain software deployment not applying at startup – NETLOGON error 5719

group-policy netlogon

I've recently tried to push out software (and updates) through Windows Server 2008 GPO. It did not work for quite some time and I wasn't getting any indication in the logs that it was even trying to install the software. It turns out that it had to do with our switch having the spanning tree portfast setting disabled. Once I turned this on for the port our test computer was using, it worked fine.

The problem is I don't fully understand this setting, and most of our computers are hooked up to VoIP phones with their own switch built in. Basically, I don't understand what it's doing and therefore the potential consequences of enabling it.

I've found a couple of GPO solutions that other people have had success with, but I am not having any. One setting, "Startup policy processing wait time", doesn't appear to be working and I'm not quite sure how to check that it is. I've tried running gpresult /r but it shows the GPO is empty. I turned the delay up to 240 seconds and I didn't notice startup taking any longer than normal.

The other solution I tried was "Always wait for the network at computer startup and logon." Again, this does nothing. I've turned on Netlogon debug logging and looked at the logs, and it seems like the main error is:

    05/30 12:47:34 [CRITICAL] MYDOMAIN: NlDiscoverDc: Cannot find DC.

So, am I on the right track? Is there a way to verify that these GPOs are actually being applied at startup? Any help would be appreciated.

Best Answer

Windows is failing to apply Group Policy because it's not locating and communicating with a Domain Controller (DC) early enough in the boot process. That's the cause of your errors. The Spanning Tree Protocol (STP) requires that the switch port go through a progression of states (listening and learning) during which the newly-connected host is not allowed to transmit. Windows "sees" the network as "connected" but, being unaware that STP is in play, goes ahead and attempts DC location anyway.

"Always wait for the network at computer startup and logon" isn't what you're looking for -- that just controls synchronous application of Group Policy (i.e. the entire computer policy applies before a logon and the entire user policy applies before the Desktop is shown). You're not getting policy application to begin with, so this setting isn't helpful.

The "Startup policy processing wait time" setting sounds like a much better bet for your needs, albeit I've never actually used it in production (because I always just enable spanning tree portfast). There is a Microsoft Knowledge Base article that describes this setting in detail, so I won't re-hash it here. It sounds like you've tried to apply the setting via Group Policy. I think I'd go ahead and create the GpNetworkStartTimeoutPolicyValue REG_DWORD value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, at least initially, and see what it does for you. It's unclear to me why your gpresult is showing the GPO containing this setting as empty, but, at least initially, I'd "hard set" the value in the registry while you experiment.
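The hard-set registry approach from the answer above, followed by the checks the question asks for (is the computer side of policy actually being applied, and did the machine find a DC at boot), as an added PowerShell example; this is not code from the question or the answer. It assumes an elevated prompt on the test client, reuses the 240-second wait the question tried via GPO, and assumes the default location of the Netlogon debug log (%SystemRoot%\debug\netlogon.log) and the "Cannot find DC" wording shown in the question.

```powershell
# Added example: hard-set GpNetworkStartTimeoutPolicyValue and verify the result.
# Run elevated on the test client. Value is in seconds; 240 is an assumption
# taken from the question, not a recommended figure.

$winlogon    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$waitSeconds = 240

# 1. Create (or overwrite) the REG_DWORD the answer refers to.
New-ItemProperty -Path $winlogon -Name 'GpNetworkStartTimeoutPolicyValue' `
    -PropertyType DWord -Value $waitSeconds -Force | Out-Null

# 2. Read it back so the change is confirmed before rebooting.
Get-ItemProperty -Path $winlogon -Name 'GpNetworkStartTimeoutPolicyValue' |
    Select-Object GpNetworkStartTimeoutPolicyValue

# 3. Enable verbose Netlogon logging (the flag value is the documented
#    "all" mask) so DC discovery at the next boot is written to netlogon.log.
nltest /dbflag:0x2080ffff | Out-Null

# --- reboot the test client here, then run the remainder ---

# 4. Can the machine locate a DC right now? A failure here after boot points
#    at DNS/site configuration rather than STP timing.
nltest /dsgetdc:MYDOMAIN

# 5. Which computer-scope GPOs actually applied at this boot?
gpresult /r /scope:computer

# 6. Group Policy operational log: 4004 marks the start of computer boot
#    policy processing; Level 2/3 are errors/warnings (a "lack of network
#    connectivity to a domain controller" error is the signature of the
#    STP race described in the answer).
Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational' -MaxEvents 100 |
    Where-Object { $_.Id -eq 4004 -or $_.Level -le 3 } |
    Select-Object TimeCreated, Id, Level, Message |
    Format-List

# 7. Pull the NlDiscoverDc failures out of the Netlogon debug log, matching
#    the line format quoted in the question.
$netlogonLog = Join-Path $env:SystemRoot 'debug\netlogon.log'
if (Test-Path $netlogonLog) {
    Select-String -Path $netlogonLog -Pattern 'NlDiscoverDc: Cannot find DC' |
        Select-Object -Last 10 |
        ForEach-Object { $_.Line }
} else {
    Write-Warning "No Netlogon debug log at $netlogonLog (was nltest /dbflag set before the reboot?)"
}
```

If step 6 shows a 4004 event followed by a network-connectivity error within the first seconds after boot, and step 7 shows "Cannot find DC" lines with the same timestamps, the wait value is not being honoured (or is too short); if the errors disappear after the registry change, that confirms the STP timing diagnosis from the answer. To return to the GPO-managed setting later, remove the value with Remove-ItemProperty on the same key and turn debug logging off with nltest /dbflag:0x0.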