Windows clients don't pull group policies correctly

Hi folks,
since I’ve managed to take over my Windows domain to UCS5 I’m still having some issues.

I’ve operating a Primary- and a Backup node on a Proxmox hypervisor, the IP addresses of both nodes are distributes via DHCP to the clients, mostly fix leases.
First issue: The Windows Clients only show the first DNS server (primary node) in the ip credentials, not the second DNS Server (backup node).

First tests with a virtual Win11 client looks good regarding the GPO’s taken over from the Windows DC, at least most of the GPO’s seem to work. Pulling the GPO’s with “gpupdate /force” on the command line is also working.

Another physical Win11 client doesn’t want to pull the GPO’s at all. Even after removing the physical W11 client from the UCS domain and a re-join the device, the GPO’s aren’t working at all. Also pulling the GPO’s with “gpupdate /force” on the commandline does not work. Even more: The DNS resolution of the UCS primary node failed.

A nslookup to my domain works perfectly on both machines, both DNS server can be resolved.

I’ve also checked the settings of the virtual and the physical W11 clients in UCS and both are identical - apart from the MAC- and IP-Address.

Suppose there is something wrong with the DNS settings, but I can’t get any further. When I’m starting the Server Manager (RSAT) on the physical W11 client I can manage the GPO’s, but NOT the DNS settings (yes! the RSAT module for DNS has been installed).

Any idea what’s wrong here?


did you also test with powerd down backup node ?
check samba drs replication status on both nodes.
windows takes the faster responding dc for gpo pull - so check if the gpo’s are in sync and the acl are right there

you may check on any w11 client by '\\dc-server\sysvol\' and look if you can list all gpo’s there


Hi Christian,

thanks for the hint, seem to be down to the sync of the primary- and backup node. Investigations are ongoing …

The sysvol-share is available on either clients.


1 Like