I ran into a problem today while trying to get a remotely managed server to receive new Group Policy Objects (GPOs). In the Group Policy Management Console (GPMC), the GPO was linked at the domain level, the Authenticated Users group was removed from the security filtering section of the policy, and the computer’s machine account was explicitly added along with the machine accounts of other servers. From a command prompt on the destination server, I ran gpupdate /force to force the server to update its group policy settings. The event logs indicated that the server had successfully updated its policies; however, I could immediately tell that the server did not receive the new GPOs by checking a couple of registry keys.
I ran the Resultant Set of Policy (RSOP) wizard in the GPMC and it indicated that the server was being denied the GPOs due to security filtering. This did not make sense as I had explicitly added the server to the GPO’s security filtering. I checked the advanced permissions to ensure that the server did not have a Deny permission buried somewhere. Everything was configured just as it should be! I then checked the DNS Event Log and noticed the 4515 events shown below (the computer name and domain name have been blurred to protect the guilty).
I checked the %systemroot%\dns directory on the server and discovered a static DNS zone file, which also happened to include an incorrect IP address for the server. DNS in the domain is Active Directory-Integrated so I knew the zone file was not needed but was unsure whether it could be the cause of the GPO problem. I deleted the zone file and forced another group policy update from the command prompt. The server successfully received the new GPOs. The moral of the story is, if all else fails when troubleshooting group policy issues, check the DNS event log!
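The troubleshooting sequence above (security filtering, forced policy refresh, DNS Server event log, stray zone file) as an added PowerShell check, not code from the original post. It assumes an elevated session on a domain controller that holds the DNS Server role with the GroupPolicy and DnsServer RSAT modules installed; the GPO name, server name and zone name are hypothetical placeholders, and the default DNS directory is the role's %SystemRoot%\System32\dns (the post refers to it as %systemroot%\dns). The script reports and warns; it does not delete anything.

```powershell
# Added example, not from the original post. Run elevated on a DC with the DNS
# Server role. All three parameters are hypothetical placeholders.
param(
    [string]$GpoName        = 'Server Baseline',   # hypothetical GPO name
    [string]$TargetComputer = 'SERVER01',          # hypothetical member server
    [string]$ZoneName       = 'corp.example.com'   # hypothetical AD-integrated zone
)

Import-Module GroupPolicy
Import-Module DnsServer

# --- 1. Security filtering: the machine account must hold both GpoRead and
#        GpoApply, and nothing may carry a Deny on it.
Write-Host "== Security filtering on '$GpoName' =="
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Trustee.Name -like "$TargetComputer*" -or $_.Trustee.Name -eq 'Authenticated Users' } |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission, Denied |
    Format-Table -AutoSize

# --- 2. What the server actually received after a forced refresh.
Write-Host "== gpupdate + gpresult on $TargetComputer =="
Invoke-Command -ComputerName $TargetComputer -ScriptBlock {
    gpupdate /force /target:computer | Out-Null
    gpresult /r /scope:computer
}

# --- 3. DNS Server event log: the post found event ID 4515 here.
Write-Host "== DNS Server events with ID 4515 (last 30 days) =="
Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Id = 4515; StartTime = (Get-Date).AddDays(-30) } `
             -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List

# --- 4. Zone storage: an AD-integrated zone has no backing .dns file, so any
#        .dns file in the DNS directory that matches an AD-integrated zone is stale.
Write-Host "== Zones and their storage =="
$zones = Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated }
$zones | Select-Object ZoneName, ZoneType, IsDsIntegrated, ZoneFile | Format-Table -AutoSize

$dnsDir = Join-Path $env:SystemRoot 'System32\dns'
Get-ChildItem -Path $dnsDir -Filter '*.dns' -ErrorAction SilentlyContinue | ForEach-Object {
    $zoneFromFile = $_.BaseName
    $match = $zones | Where-Object { $_.ZoneName -eq $zoneFromFile }
    if ($match -and $match.IsDsIntegrated) {
        Write-Warning "Stale zone file for AD-integrated zone '$zoneFromFile': $($_.FullName)"

        # Simplified zone-file parse: "<name> [ttl] [IN] A <address>" for the target host.
        $fileA = Select-String -Path $_.FullName -Pattern "^\s*$TargetComputer\s+(\d+\s+)?(IN\s+)?A\s+(\S+)" |
                 ForEach-Object { $_.Matches[0].Groups[3].Value }

        # The address AD actually holds for the same host.
        $adRec = Get-DnsServerResourceRecord -ZoneName $zoneFromFile -Name $TargetComputer -RRType A `
                                             -ErrorAction SilentlyContinue
        $adA   = $adRec.RecordData.IPv4Address.IPAddressToString

        Write-Host "   file says $TargetComputer = $fileA ; AD says $adA"
        if ($fileA -and $adA -and ($fileA -ne $adA)) {
            Write-Warning "   Address mismatch between stale file and AD for $TargetComputer"
        }
    }
}

# --- 5. What this DC resolves the target to right now.
Write-Host "== Name resolution from this DC =="
Resolve-DnsName -Name "$TargetComputer.$ZoneName" -Type A -ErrorAction SilentlyContinue |
    Select-Object Name, IPAddress
```

Step 4 is the check that would have surfaced the post's root cause directly: a .dns file sitting beside an AD-integrated zone of the same name, carrying a different A record for the server than AD does. One caveat for anyone repeating the security-filtering setup on current domains: since MS16-072, Group Policy is retrieved in the computer's security context, so a GPO that also carries user settings needs Authenticated Users (or Domain Computers) to retain at least Read after it is removed from filtering; for a computer-only GPO with the machine accounts added, as in the post, this does not arise.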
