GROUP POLICY HELL, NEED HELP!


If anybody could offer any help, I would greatly appreciate it.

Here's a quick breakdown:

1. We have a new domain that we are starting to migrate to from an old one, since we had to conform to some change that will be happening within the next year. Let's call the new domain newdomain.xyz and refer to the old domain as olddomain.xyz.

2. There is a two-way forest trust between the domains that is validated and confirmed working, since people in the old domain can get to resources we have already pulled over to the new domain.

3. We currently use certificate-based authentication tied to Microsoft Network Policy Server, looking at our on-premises CAs that we manage, and can confirm the RADIUS authentication works with zero issues when a machine gets Group Policy and is then told to get a certificate based on our certificate auto-enrollment policy.

4. (This is where the major problem is.) With most machines, whether we pull them from the old domain into the new one or image a test machine (we have imaged a machine 13 different times in our testing), when any user, admin or not, logs in, it just sits and spins.

5. We have narrowed it down to Group Policy not applying correctly and GPSVC having a timeout of 600000, which is insane. When the machine is attempting to log in, I can open Event Viewer on a machine I'm logged into and remotely pull the event logs for the testing machine we are messing with, and I can guarantee the top-level event in the System log is saying something to the effect of "winlogon notification subscriber (gpclient) is taking a long time".

6. We have enabled the GPSVC debug logs, and I will figure out some way to include the logs in any posts I make so people can go through and look at them whenever they want. While testing, we have installed Wireshark on both of our domain controllers, DC01 and DC02, along with installing it on the testing machine.

a. When we initiate a GPUPDATE /FORCE on the testing machine, we don't see the normal SMB2 traffic pulling the policies from SYSVOL, but when we initiate a gpupdate from the Group Policy Management window by right-clicking the OU and clicking Group Policy Update, it seems to work.

b. This issue is not consistent, as we have some machines that have almost no issue with Group Policy and are able to do a Group Policy update without any problem, and I can see their network traffic hitting our domain controllers, so I know Group Policy is working, and in turn that tells me the SYSVOL share is replicating between our domain controllers and is accessible from the machines we have.

7. All our domain controllers and servers are sitting in VLAN 200 (x.22.x.x IP space) and our testing machine is sitting in VLAN 400 (x.24.x.x IP space), which has access to essentially everything. When we run gpupdate on our servers, which are sitting in the same IP space as the domain controllers, we have no issue, but as soon as we try to run gpupdate with specific machines in the .24 IP space, or any other IP space we have, it doesn't work. My coworker's machine, which is in the new domain, works with zero issues, but the test machines we are freshly imaging and testing with, along with multiple others, just refuse to update their Group Policy.

I've been fighting with this for almost a week and a half now and can't make heads or tails of it.

The first comment below this is going to contain an excerpt of the GPSVC log.

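The post above compares clients in VLAN 400 against servers in VLAN 200 by packet capture; the script below is an added example (not the poster's code, and not an official Microsoft tool) that collects the same evidence from the client side so the two kinds of machines can be compared line by line. It assumes the domain name newdomain.xyz and the domain controller names DC01 and DC02 from the post, and it checks the standard TCP ports Group Policy processing depends on (Kerberos 88, RPC endpoint mapper 135, LDAP 389, SMB 445); the dynamic RPC port range is not tested individually. The Winlogon events are matched on the text "GPClient" in the message rather than on a specific event ID.

```powershell
# Added example, not from the original post.
# Run elevated on the test machine in VLAN 400, then on a machine that works
# (the coworker's machine, or a server in VLAN 200) and diff the output.
# Assumptions: domain newdomain.xyz and DCs DC01/DC02 as named in the post;
# the ports are the standard ones for Group Policy processing (dynamic RPC
# ports 49152-65535 are not checked one by one).
[CmdletBinding()]
param(
    [string]$Domain = 'newdomain.xyz',
    [string[]]$DomainControllers = @('DC01', 'DC02')
)

$ports = @{ 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP'; 445 = 'SMB (SYSVOL)' }

# 1. Which DC the client locates for this domain, and whether the machine
#    account's secure channel to it is healthy.
Write-Host "== DC locator and secure channel =="
nltest /dsgetdc:$Domain /force
nltest /sc_verify:$Domain

# 2. TCP reachability from this VLAN to each DC on the ports GP needs.
Write-Host "== Port reachability =="
foreach ($dc in $DomainControllers) {
    $fqdn = "$dc.$Domain"
    foreach ($p in ($ports.Keys | Sort-Object)) {
        $ok = (Test-NetConnection -ComputerName $fqdn -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
        '{0,-24} {1,5} {2,-22} {3}' -f $fqdn, $p, $ports[$p], $(if ($ok) { 'open' } else { 'BLOCKED' })
    }
}

# 3. Whether the Policies folder on SYSVOL is readable, via the domain DFS
#    path and directly on each DC (a DC-specific failure points at replication
#    or at a path the client cannot reach from its VLAN).
Write-Host "== SYSVOL access =="
$targets = @("\\$Domain\SYSVOL\$Domain\Policies")
$targets += $DomainControllers | ForEach-Object { "\\$($_).$Domain\SYSVOL\$Domain\Policies" }
foreach ($target in $targets) {
    $readable = Test-Path -LiteralPath $target
    '{0,-60} {1}' -f $target, $(if ($readable) { 'readable' } else { 'NOT readable' })
}

# 4. The Winlogon "GPClient ... taking a long time" events from the System log,
#    plus warnings/errors from the Group Policy operational log (last 24 hours).
$since = (Get-Date).AddDays(-1)
$firstLine = @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }

Write-Host "== Winlogon/GPClient events (System log) =="
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Winlogon'; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'GPClient' } |
    Select-Object TimeCreated, Id, $firstLine |
    Format-Table -AutoSize

Write-Host "== Group Policy operational warnings/errors =="
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-GroupPolicy/Operational'; Level = 2, 3; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, $firstLine |
    Format-Table -AutoSize

# 5. Which DC and which GPOs the last computer-side processing actually used.
Write-Host "== gpresult (computer scope) =="
gpresult /r /scope:computer
```

If the port table shows 445 or 135 as BLOCKED from VLAN 400 but open from VLAN 200, or the direct DC paths under SYSVOL are readable on one DC but not the other, that narrows the problem to the network path or to replication rather than to the policy objects themselves; if everything is open and readable yet the Winlogon events still show GPClient taking a long time, the GPSVC debug log the post mentions is the next place to look.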