VMware Horizon Community
epa80
Hot Shot

UEM GPO Randomly not Applying

I know this is more of an Active Directory/GPO question, but, going to post it here and see if anyone has come across a similar experience.

We were troubleshooting a pool earlier, where, at a very high rate, our VMs were not applying the UEM GPO. For whatever reason, it was only this one pool of 500 (we have 3000 VMs total), and even in this pool, it wasn't every time. Very hit or miss.

When digging through the event viewer, we came across this error exactly on the problem desktops:

http://itcalls.blogspot.com/2014/09/event-1096-processing-of-group-policy.html

These VMs were created on August 11th. We have a locally set limit of 90 days before the computer account password can expire, so that wasn't it. We tried linking it to refreshes, but again, hit or miss. Meaning I could refresh a desktop, sometimes it would be ok, sometimes not. Frustrating that we can't spot anything consistently linked, other than the pool itself. Which means perhaps the parent? But we don't know what to really look for. Our parent is built off the domain, and joining the domain is handled via QuickPrep.

We did delete the pool outright, and all computer accounts, and thus far our testing has gone well, 19 out of 20 logins show UEM properly working. Of course, there's ONE to keep us annoyed. Has anyone seen issues similar to this? I'll be happy to talk to my Domain guy about it, but, I just need a bit more ammo.

Thanks in advance.

DEMdev
VMware Employee

Hi epa80,

You might need a GPODev, ADDev, or HorizonDev instead of me :-), but here are a few thoughts:

  • Is there any relevant info in the details of the event log messages?
  • Are other GPOs coming through correctly to the VMs in this pool?
  • Could there be an (intermittent) issue with connectivity to the DC(s)?
epa80
Hot Shot

Thanks for the reply. And yeah, I don't think this has anything to do with UEM, I posted it here though just because I thought with UEM so reliant on GPO running properly, maybe some other UEM customer has come across this type of issue. In truth though, any VDI environment reliant on GPOs would see it.

Just this morning I logged into our pool we believe is having the issue, and again saw the issue. Some further testing showed another pool having the issue. The commonality of these 2 pools is they exist in the same VDI cluster of hosts. So now we're at that level, cluster. Another pool we tested in a separate cluster, we couldn't get the issue to happen.

So, on the VM it happened on today, this is the screenshot of the error in event viewer, and the text from the details tab is below that. You'll see that the error happened at 8:28AM. I didn't log in through View onto the VM until about 8:55AM. Our working theory right now goes something like this:

  • VMs in this cluster get refreshed.
  • Some of the VMs for some reason are not binding to the network fast enough, and thus their GPOs do not run initially.
  • If a user logs in before the GPO update interval occurs, the user will have the GPO not running issue. Noticed mostly by UEM because we deliver a ton of icons with them.

So we're at a bit of a loss. Any input is appreciated.

snip_20170913090015_edited.png

+ System
  - Provider
   [ Name]  Microsoft-Windows-GroupPolicy
   [ Guid]  {AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}
   EventID 1096
   Version 0
   Level 2
   Task 0
   Opcode 1
   Keywords 0x8000000000000000
  - TimeCreated
   [ SystemTime]  2017-09-13T12:28:34.256250000Z
   EventRecordID 45808
  - Correlation
   [ ActivityID]  {8ECF79A7-CAD3-4787-BF63-A1AFA9B125C4}
  - Execution
   [ ProcessID]  112
   [ ThreadID]  1320
   Channel System
   Computer REDACTED
  - Security
   [ UserID]  S-1-5-18
- EventData
  SupportInfo1 2
  SupportInfo2 1254
  ProcessingMode 1
  ProcessingTimeInMilliseconds 3188
  ErrorCode 64
  ErrorDescription The specified network name is no longer available.
  DCName \\domain.controller.fqdn
  GPOCNName LDAP://CN=Machine,cn={DE16CA21-9FDB-4B20-8FED-DC8297247855},cn=policies,cn=system,DC=rdacted,DC=redacted,DC=redacted
  FilePath \\domain\sysvol\domain\Policies\{DE16CA21-9FDB-4B20-8FED-DC8297247855}\Machine\registry.pol

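One way to check the working theory in the post above on an affected desktop, as an added example that is not part of the thread: for each event 1096 since boot, it reports whether a user logged on before computer policy next processed successfully. The helper name Get-SystemEvent is hypothetical, and using GroupPolicy events 1500/1502 as the "computer policy succeeded" marker and Winlogon event 7001 as the "user logged on" marker is an assumption of this example.

```powershell
# Added example, not from the thread. Run in PowerShell on the affected desktop.
# Event 1096 and its EventData field names come from the post above.
# Assumptions: GroupPolicy 1500/1502 = computer policy processed successfully,
# Winlogon 7001 = user logon notification (both in the System log).
$boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime

function Get-SystemEvent([string]$Provider, [int[]]$Id) {
    # -ErrorAction SilentlyContinue: Get-WinEvent errors when nothing matches.
    Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = $Provider; Id = $Id; StartTime = $boot
    } -ErrorAction SilentlyContinue | Sort-Object TimeCreated
}

$failures  = @(Get-SystemEvent 'Microsoft-Windows-GroupPolicy' 1096)
$successes = @(Get-SystemEvent 'Microsoft-Windows-GroupPolicy' 1500, 1502)
$logons    = @(Get-SystemEvent 'Microsoft-Windows-Winlogon' 7001)

foreach ($f in $failures) {
    # Pull the named EventData fields shown on the event's Details tab.
    $data = @{}
    ([xml]$f.ToXml()).Event.EventData.Data |
        ForEach-Object { $data[$_.Name] = $_.'#text' }

    $nextOk = $successes | Where-Object { $_.TimeCreated -gt $f.TimeCreated } |
        Select-Object -First 1
    $logon  = $logons | Where-Object { $_.TimeCreated -gt $f.TimeCreated } |
        Select-Object -First 1

    # Gap = a logon happened after the failure and before any successful pass.
    $gap = $logon -and (-not $nextOk -or $nextOk.TimeCreated -gt $logon.TimeCreated)

    [pscustomobject]@{
        Failed1096        = $f.TimeCreated
        SecondsAfterBoot  = [int]($f.TimeCreated - $boot).TotalSeconds
        ErrorCode         = $data['ErrorCode']
        DCName            = $data['DCName']
        FilePath          = $data['FilePath']
        NextSuccess       = $nextOk.TimeCreated
        FirstLogonAfter   = $logon.TimeCreated
        LogonBeforePolicy = [bool]$gap
    }
}
```

A row with LogonBeforePolicy set to True and a small SecondsAfterBoot value matches the pattern described: the computer policy pass failed at startup and the session began before the next successful pass.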
DEMdev
VMware Employee

"ErrorDescription The specified network name is no longer available" also seems to point to some networking issue, but I'm afraid I have no ideas for further troubleshooting.

You could of course configure UEM in NoAD mode so you're not dependent on GPO, but it's probably better to get your infrastructure issues sorted first 🙂
