Group Policy Management Console Connectivity Issues Between NSX Segments
Article ID: 398293

Products

VMware NSX

Issue/Introduction

Group Policy Management Console (GPMC) fails to connect from a virtual machine on one NSX segment to a domain controller located on a different NSX segment within the same virtual datacenter (vDC). The error suggests potential connectivity issues between the segments, though other network traffic may be functioning properly.

Specific symptoms include:

  • Group Policy Management Console cannot connect to the domain controller
  • The issue occurs specifically between VMs on different NSX segments
  • Basic connectivity tests may succeed while GPMC connectivity still fails

Steps to validate:

  • Verify that the VM can ping the domain controller
  • Test basic network connectivity using Test-NetConnection to port 389 (LDAP)
  • Check if other Active Directory services function correctly
  • Review Event Viewer logs for specific Group Policy errors with details on the failure

Environment

  • VMware NSX-T Datacenter
  • VMware NSX
  • Windows Server with Group Policy Management Console
  • Active Directory Domain Controller
  • Multiple NSX segments within the same vDC

Cause

The most common causes for this issue include:

  • Windows Group Policy services not functioning as expected despite basic network connectivity
  • Firewall rules or distributed firewall settings in NSX blocking specific types of authentication traffic
  • Authentication issues between the client and domain controller that appear as connectivity problems
  • Security policies or group membership issues affecting domain authentication
  • Windows service-level problems on either the client or domain controller

When basic network connectivity tests pass but Group Policy Management Console still fails, the issue is typically related to service configuration or authentication rather than basic network connectivity.

Resolution

Follow these steps to isolate and resolve the issue:

  1. First, confirm basic network connectivity between the VMs:
    • Use Test-NetConnection with appropriate ports to verify network connectivity:
      Test-NetConnection -ComputerName [DC-IP-ADDRESS] -Port 389
    • Test additional ports required for Active Directory services:
      Test-NetConnection -ComputerName [DC-IP-ADDRESS] -Port 445
      Test-NetConnection -ComputerName [DC-IP-ADDRESS] -Port 88
  2. If network connectivity tests succeed, enable Group Policy debug logging on the Windows client:
    • Create the debug directory:
      md %windir%\debug\usermode
    • Set the registry value for verbose logging:
      reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics" /v GPSvcDebugLevel /t REG_DWORD /d "0x00030002"
    • Run Group Policy update:
      gpupdate /force
    • Examine the log file at %windir%\debug\usermode\gpsvc.log
  3. Check Event Viewer for Group Policy errors:
    • Open Event Viewer
    • Navigate to Windows Logs > System
    • Filter for Group Policy events
    • Check the Group Policy operational logs at Applications and Services Logs > Microsoft > Windows > GroupPolicy > Operational
  4. Consider temporarily bypassing NSX to confirm if it's the source of the issue:
    • Connect the VM directly to a standard port group
    • Test Group Policy functionality
    • If successful, review NSX distributed firewall rules
  5. If NSX-T is confirmed as the source of the issue:
    • Create or modify NSX firewall rules to explicitly allow all required Active Directory traffic
    • Ensure the rules have proper priority in the rule processing order
    • Verify segment connectivity policies are properly configured
  6. For persistent Group Policy issues:
    • Restart the Group Policy service on the client
    • Restart the domain controller
    • Reset Group Policy with the following commands:
      gpupdate /force /target:computer
      gpupdate /force /target:user
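The validation checks from the Issue section and resolution steps 1 and 2 combined into one PowerShell script. This is an added example, not the KB's own code: $DcAddress is a placeholder, and the ports beyond 88, 389 and 445 are this example's assumption about what GPMC and Active Directory need.

```powershell
# Added example (not part of the KB). Run in an elevated PowerShell session on
# the affected client VM. $DcAddress is a placeholder for the domain controller.
param([Parameter(Mandatory)][string]$DcAddress)

# Ports the article lists (88, 389, 445) plus the usual GPMC/AD set
# (53, 135, 636, 3268); the extras are this example's assumption.
$AdPorts = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper (GPMC console-to-DC calls)'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL policy files)'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
}

function Test-AdPorts {
    param([string]$Computer, [hashtable]$Ports)
    foreach ($port in ($Ports.Keys | Sort-Object)) {
        $r = Test-NetConnection -ComputerName $Computer -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $port; Service = $Ports[$port]; Open = $r.TcpTestSucceeded }
    }
}

function Enable-GpsvcDebugLogging {
    # Same directory and registry value the article gives in step 2
    $dir = Join-Path $env:windir 'debug\usermode'
    New-Item -Path $dir -ItemType Directory -Force | Out-Null
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics'
    if (-not (Test-Path $key)) { New-Item -Path $key | Out-Null }
    Set-ItemProperty -Path $key -Name GPSvcDebugLevel -Type DWord -Value 0x00030002
    gpupdate /force | Out-Null
    return (Join-Path $dir 'gpsvc.log')
}

$results = Test-AdPorts -Computer $DcAddress -Ports $AdPorts
$results | Format-Table -AutoSize

$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) {
    # A closed port between segments points at the NSX distributed firewall (steps 4 and 5)
    Write-Host "Blocked: $($blocked.Port -join ', '). Review NSX DFW rules for these ports."
} else {
    # Transport is fine, so look at the Group Policy service itself (step 2)
    $log = Enable-GpsvcDebugLogging
    Write-Host "All ports open. Debug log: $log. Recent failures:"
    Select-String -Path $log -Pattern 'failed|error' | Select-Object -Last 20
}
```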

If the error persists after following these steps, contact Broadcom Support for further assistance.

Additional Information

When opening a support case with Broadcom related to this issue, please provide:

  • NSX Manager logs
  • NSX Edge logs
  • NSX Host logs
  • Group Policy debug logs from the affected Windows machine
  • Event Viewer logs (System and GroupPolicy Operational logs)

Resources for working with Broadcom Support: