Background:

Windows Active Directory Domain
Windows Server 2003R2 and Server 2008R2 Domain Controllers
Windows XP SP3 and Windows 7 SP1 workstations


Problem:

Windows 7 workstations don’t process group policy software installation at all, or process intermittently. This doesn’t affect Windows XP machines.

Following Events are recorded Windows System Logs:

Event ID: 5719
Level: Error
Source: NetLogon
Description:
This computer was not able to set up a secure session with a domain controller in domain [domain-name] due to the following:
There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.  

Event ID: 1129
Level: Error
Source: GroupPolicy
Description:
The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

Event ID: 101
Level: Warning
Source: Application Management Group Policy
Description:
The assignment of application [application name] from policy [policy name] failed.  The error was : %%1274

Event ID: 103
Level: Error
Source: Application Management Group Policy
Description:
The removal of the assignment of application [application name] from policy [policy name] failed.  The error was : %%2


Solution:

The problem seems to be caused by a delay in initializing network and locating domain controllers. To resolve the issue we need to give system more time to initiate network before proceeding with the logon process.

First of all try to enable "Always wait for the network at computer startup and logon" via group policy. This option is located in:
Computer Configuration > Administrative Templates > System > Logon
In our situation this option was already turned on.

Issue was fixed by enabling "Startup Policy Processing Wait Time" and setting wait time value to 10 seconds.
You may need to experiment with time-out values. Although in our situation 10 second was enough fix the problem, you may need to specify higher value.
Enabling this option will increase client’s login time by specified number of seconds only if computer is genuinely disconnected from the network. In normal circumstances Windows will constantly check the connection status and as soon as it detects that link is up will immediately proceed with the logon process.

There are two ways to enable this option:
  • Group Policy
    Computer Configuration > [Policies] > Administrative Templates > System >Group Policy > Startup Policy Processing Wait Time – Enable the option and set wait time to 10 - 60 seconds
    Note 1: This option is only supported by Windows Vista and later clients and may be not present on Server 2003 domain controllers
    Note 2: Group policy description tells that the default wait time is 30 seconds, which obviously raises the question how setting time-out to less than 30 seconds can fix the problem. It seems that default 30 seconds interval is not always used and Windows often employs its own algorithms to calculate the time-out (if it's not enforced by Group Policy or Registry)

  • Registry
    On Client Computer:
    1. Start > Regedit.exe
    2. Navigate to  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    3. Create New DWORD value with name GpNetworkStartTimeoutPolicyValue and set Value data (decimal) to the required timeout interval in seconds
    4. Restart the computer


No comments

Leave your comment

In reply to Some User
Captcha Image