I recently went to deploy a new PowerShell-based Startup script in my test environment, and while the majority of my Windows machines happily complied, 2 of my test servers that were running Remote Desktop Services did not like the new Startup policy. The script itself was pretty straightforward – it pulled some files down from an IIS server, ran a script locally on the remote server to install some software and scheduled a task to automatically update that software.
The script was deployed through the Default Domain Policy, using the following policy:
Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown) > Startup
Since this is a Startup script, it should be the machine account accessing the script, so I also made sure to give Domain Computers read access to the script.
Out of 10 or so Windows 2012 R2 Servers only the 2 servers running Remote Desktop Services gave me issues. One server was running a full Remote Desktop deployment with RemoteApp and the other was acting as the Remote Desktop Gateway Server. I honestly do not know if this was an issue caused by RDS or maybe some of the random patches I installed in hopes of fixing RDS bugs or maybe even that one time I had 2 separate AD Forests set up to auth through these servers (talk about a good time). This may not even have had anything to do with RDS; what I can say is that all of the machines in the environment were at least at the same patch level as far as I could tell.
The errors in the event logs were as follows:
The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
Log Name: System
Source: GroupPolicy
Event ID: 1055
Level: Error
User: System
And that Event would immediately be followed by the following event:
Startup script failed.
GPO Name : Default Domain Policy
GPO File System Path : \\domain.net\sysvol\domain.net\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine
Script Name: Domain-Machine-Policy-Script-Installer-Updater.ps1
Log Name: System
Source: GroupPolicy
Event ID: 1130
Level: Error
User: System
Initially, these errors made me think that DNS was not resolving and/or maybe there were some issues with the host records. First I tried creating some local hosts file entries to ensure DNS was resolved accurately, but this made absolutely no difference. At this point I was not sure what direction to go in as everything looked to be configured correctly, so to Google I went.
Unfortunately, since Group Policy has been around for a while, there is quite a bit of dated information and random fixes for these generic errors. In my case, nothing I found was able to resolve my issue. However, I was pointed in the direction of the following Group Policy Templates:
Computer Configuration > Policies > Administrative Templates > System > Group Policy
And after reviewing that directory, I noticed a policy named “Specify startup policy processing wait time”, and then it hit me – what if the issue is that DNS is not able to resolve because the network is not up at the time the GPO is running? So I enabled this policy and set the time to wait to 60 seconds, ran GPUpdate /force and rebooted the host.
Finally, after much trial and error I received an Event ID 1502 – “The Group Policy settings for the computer were processed successfully. New settings from 4 Group Policy objects were detected and applied.”
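To confirm the fix on an affected server, the following added example (not part of the original post) reads the value that "Specify startup policy processing wait time" writes and lists the Group Policy events 1055, 1130 and 1502 logged since the last boot. The registry value name GpNetworkStartTimeoutPolicyValue and the provider name Microsoft-Windows-GroupPolicy are assumptions based on the standard Windows policy template and event provider; they do not appear in the post.

```powershell
# Added example: run in an elevated PowerShell session on the affected server.

# Registry value written by "Specify startup policy processing wait time"
# (assumption: standard ADMX mapping; absent when the policy is Not Configured).
$key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$name = 'GpNetworkStartTimeoutPolicyValue'
$wait = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $wait) {
    Write-Output 'Startup policy processing wait time: not configured'
} else {
    Write-Output "Startup policy processing wait time: $wait seconds"
}

# Event IDs discussed in the post
$meaning = @{
    1055 = 'Could not resolve the computer name'
    1130 = 'Startup script failed'
    1502 = 'Computer policy processed successfully'
}

# Only look at events logged since the most recent boot
$boot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-GroupPolicy'   # assumption: shown as "GroupPolicy" in Event Viewer
    Id           = 1055, 1130, 1502
    StartTime    = $boot
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

$events | Sort-Object TimeCreated | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        Meaning = $meaning[[int]$_.Id]
    }
} | Format-Table -AutoSize

# Summarize: any 1055/1130 since boot means startup processing still failed
$failed = @($events | Where-Object { $_.Id -in 1055, 1130 })
if ($failed.Count -gt 0) {
    Write-Output "$($failed.Count) Group Policy failure event(s) since boot at $boot"
} elseif ($events.Count -gt 0) {
    Write-Output 'Group Policy processed without 1055/1130 errors since last boot'
} else {
    Write-Output 'No matching Group Policy events since last boot'
}
```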