Event ID 1058

Hi

Environment: Windows 2003 DC. This server has two NICs and uses Routing
and Remote Access. This server has not been in service long. I am in the process
of setting up Exchange on another Windows 2003 DC. When I try to open
Domain Controller Security Policy, I receive the following error:

Failed to open group policy object. You may not have appropriate rights.

Located at the event viewer "Application Log" on both the server and the
clients, the following message is displayed:

Windows cannot access the file gpt.ini for GPO
CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=bytron,DC=local.
The file must be present at the location
<\\bytron.local\sysvol\bytron.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
(Configuration information could not be read from the domain controller,
either because the machine is unavailable, or access has been denied. ).
Group Policy processing aborted.




On the server inside event viewer "DNS", the following message:

The DNS server was unable to open zone _msdcs.bytron-hq.matthew.bytron.local
in the Active Directory from the application directory partition
ForestDnsZones.bytron-hq.matthew.bytron.local. This DNS server is configured
to obtain and use information from the directory for this zone and is unable
to load the zone without it. Check that the Active Directory is functioning
properly and reload the zone. The event data is the error code.

I have tried to find an answer to this problem but cannot find the
solution. Can anyone please help.
 
This is always a permissions problem - either somewhere in sysvol or AD. Unfortunately that covers a lot of territory, and you may
end up seeing more of it than you want before you find the cause.

But you might get lucky - as a first attack, I'd recommend a dcdiag /fix and netdiag /fix (I sound like a broken record today), make
sure that sysvol is being shared out at all, and check the domain admins permissions as described here:
http://support.microsoft.com/?id=294257

Steve Duff, MCSE, MVP
Ergodic Systems, Inc.
 
Hi Steve

I have run the dcdiag command. Initial errors show that replication is
trying to take place to another DC which no longer exists. This was just an
additional DC on the domain for test purposes. I believe I should have demoted
the server so that the rest of the network knows the DC no longer exists. Is
there an alternative method to stop replication attempts to a DC which does
not exist on the network.

bytron.local
is not registered on one or more DNS servers.
[Replications Check,MATTHEW] A recent replication attempt failed:
From PAT to MATTHEW
Naming Context: DC=bytron,DC=local
The replication generated an error (8524):
Win32 Error 8524
The failure occurred at 2005-07-01 08:47:04.
The last success occurred at 2005-05-04 14:29:57.
1360 failures have occurred since the last success.
The guid-based DNS name
a4161860-3f0c-4385-905f-dbecc51061cc._msdcs.
bytron.local

Starting test: frsevent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... MATTHEW failed test frsevent



As above shows, this can cause Group Policy probs. Do you have any ideas to
fix this replication problem?

Regards

Matthew
 
If it doesn't simply show in AD Sites snap-in where you can remove it, then there is a process for manually removing a DC from AD.
This is spelled out in a KB article. I don't have the number handy as I'm out of the office. If you can't locate it at
support.microsoft.com, then post back and I'll find it for you.

You want especially to be sure that there are no FSMO roles still believed to be held by the phantom DC. This can cause important
things to break badly and inexplicably after days, weeks or months. Check the RID, PDC and Infrastructure roles by right-clicking
the domain in AD Users and Computers and selecting "Operations Masters". The Naming role is in the AD Trusts snap-in
(right-click...operations master). The Schema role is in the schema snap-in (you'll have to use add/remove snap-in to get to this
one), right-click schema..."operations master" to check that.

Steve Duff, MCSE, MVP
Ergodic Systems, Inc.

 
see:
http://www.eventid.net/display.asp?eventid=1058&eventno=1752&source=Userenv&phase=1

cheers,
 
If it is trying to replicate with a DC that no longer exists, then I have to
assume you did not dcpromo it out of the domain, meaning it possibly still
holds one or more of five FSMO roles.
You will have to seize the FSMO roles with ntdsutil then use ntdsutil to run
a metadata cleanup to remove the other DC from AD.

255504 - Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain
Controller:
http://support.microsoft.com/default.aspx?scid=kb;en-us;255504

How to remove data in Active Directory after an unsuccessful domain
controller demotion:
http://support.microsoft.com/default.aspx?scid=kb;en-us;216498
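An added worked example, not part of any post in this thread, that carries out Steve's FSMO check and Kevin's seize-and-cleanup advice in PowerShell. The names PAT, MATTHEW, Default-First-Site-Name and bytron.local are taken from the dcdiag output above; the variable names, the RSAT ActiveDirectory module, and the single-line ntdsutil form (accepted on Windows Server 2008 and later; on 2003 the same commands are typed one per line at the ntdsutil prompt) are assumptions.

```powershell
# Added example (not from the thread): find which server AD believes holds
# each of the five FSMO roles, seize any still attributed to a phantom DC,
# remove the phantom's metadata, then verify.  Run elevated on a surviving DC.
Import-Module ActiveDirectory

$phantomDc  = 'PAT'                      # DC that was never demoted (from dcdiag)
$survivorDc = 'MATTHEW'                  # DC that will take over any stale roles
$domainDn   = 'DC=bytron,DC=local'
$site       = 'Default-First-Site-Name'

# 1. Role holders as AD currently records them (what the GUI dialogs show).
$domain = Get-ADDomain
$forest = Get-ADForest
$roles = [ordered]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
$roles.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }

# 2. Roles still pointing at the phantom cannot be transferred (it is gone),
#    so they must be seized.  -Force is what turns a transfer into a seizure;
#    never bring the old DC back online afterwards.
$stale = $roles.GetEnumerator() |
    Where-Object { $_.Value -like "$phantomDc.*" -or $_.Value -eq $phantomDc } |
    ForEach-Object { $_.Key }
if ($stale) {
    "Seizing $($stale -join ', ') onto $survivorDc"
    Move-ADDirectoryServerOperationMasterRole -Identity $survivorDc `
        -OperationMasterRole $stale -Force -Confirm:$false
}

# 3. Metadata cleanup: delete the phantom's server object (and its NTDS
#    Settings) from the Configuration partition so the KCC stops building
#    replication links to it.  Filtering on distinguishedName returns nothing
#    (instead of throwing) when the object is already gone.
$serverDn = "CN=$phantomDc,CN=Servers,CN=$site,CN=Sites,CN=Configuration,$domainDn"
if (Get-ADObject -Filter "distinguishedName -eq '$serverDn'") {
    ntdsutil 'metadata cleanup' "remove selected server $serverDn" quit quit
}

# 4. Verify: only live DCs listed, every role on a live DC, no failed partner.
Get-ADDomainController -Filter * | Select-Object Name, Site, OperationMasterRoles
netdom query fsmo
repadmin /replsummary
```

After the cleanup, also delete the phantom's computer account and its A and SRV records in DNS if they were not removed automatically, otherwise dcdiag's DNS test will keep reporting the dead host.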
 
Hi Steve.

I have removed the DC manually from AD. This is the result from the dcdiag
after removing.

C:\Program Files\Support Tools>dcdiag

Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\MATTHEW
Starting test: Connectivity
......................... MATTHEW passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\MATTHEW
Starting test: Replications
......................... MATTHEW passed test Replications
Starting test: NCSecDesc
......................... MATTHEW passed test NCSecDesc
Starting test: NetLogons
......................... MATTHEW passed test NetLogons
Starting test: Advertising
......................... MATTHEW passed test Advertising
Starting test: KnowsOfRoleHolders
......................... MATTHEW passed test KnowsOfRoleHolders
Starting test: RidManager
......................... MATTHEW passed test RidManager
Starting test: MachineAccount
......................... MATTHEW passed test MachineAccount
Starting test: Services
......................... MATTHEW passed test Services
Starting test: ObjectsReplicated
......................... MATTHEW passed test ObjectsReplicated
Starting test: frssysvol
......................... MATTHEW passed test frssysvol
Starting test: frsevent
......................... MATTHEW passed test frsevent
Starting test: kccevent
......................... MATTHEW passed test kccevent
Starting test: systemlog
......................... MATTHEW passed test systemlog
Starting test: VerifyReferences
......................... MATTHEW passed test VerifyReferences

Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation

Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom

Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation

Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom

Running partition tests on : bytron
Starting test: CrossRefValidation
......................... bytron passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... bytron passed test CheckSDRefDom

Running enterprise tests on : bytron.local
Starting test: Intersite
......................... bytron.local passed test Intersite
Starting test: FsmoCheck
......................... bytron.local passed test FsmoCheck

C:\Program Files\Support Tools>

All seems good.


I have also checked that there are no FSMO on the phantom DC. Appears ok.
The only problem I have is that I cannot locate the schema role in the
add/remove snap-in. I am sure I have looked in the correct location by using
the following command in a run box: "mmc".

Still receiving the original event ID.

Here is the feed back from the netdiag command.


C:\Program Files\Support Tools>netdiag

.......................................

Computer Name: MATTHEW
DNS Host Name: matthew.bytron.local
System info : Microsoft Windows Server 2003 (Build 3790)
Processor : x86 Family 6 Model 8 Stepping 1, AuthenticAMD
List of installed hotfixes :
KB819696
KB823182
KB823353
KB823559
KB824105
KB824141
KB825119
KB828035
KB828741
KB833987
KB834707
KB835732
KB837001
KB839643
KB839645
KB840315
KB840374
KB840987
KB841356
KB841533
KB842773
KB842933
KB867282
KB867460
KB871250
KB873333
KB873376
KB885250
KB885834
KB885835
KB885836
KB886903
KB888113
KB890047
KB890175
KB890859
KB890923
KB891711
KB891781
KB893066
KB893086
KB893803
Q147222
Q828026


Netcard queries test . . . . . . . : Failed
GetStats failed for 'Realtek RTL8139 Family PCI Fast Ethernet NIC #2'. [ERROR_INVALID_FUNCTION]
GetStats failed for 'Realtek RTL8139 Family PCI Fast Ethernet NIC'. [ERROR_INVALID_FUNCTION]
GetStats failed for '1394 Net Adapter'. [ERROR_INVALID_FUNCTION]
[FATAL] - None of the netcard drivers provided satisfactory results.



Per interface results:

Adapter : Orange

Netcard queries test . . . : Failed
NetCard Status: UNKNOWN

Host Name. . . . . . . . . : matthew
IP Address . . . . . . . . : 192.0.1.236
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 192.0.1.172
Dns Servers. . . . . . . . : 192.168.1.3
192.0.1.160


AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Passed

NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
No remote names have been found.

WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.

Adapter : Green

Netcard queries test . . . : Failed
NetCard Status: UNKNOWN

Host Name. . . . . . . . . : matthew
IP Address . . . . . . . . : 192.168.1.3
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . :
Dns Servers. . . . . . . . : 192.168.1.3


AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Skipped
[WARNING] No gateways defined for this adapter.

NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
No remote names have been found.

WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{D3DE0AE1-0748-4D0B-94CA-A113176629CB}
NetBT_Tcpip_{21B4727C-4DCA-4978-8B2C-294F090C269C}
2 NetBt transports currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed
[WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server
'192.168.1.3'
and other DCs also have some of the names registered.
[WARNING] The DNS entries for this DC are not registered correctly on DNS server '192.0.1.160'. Please wait for 30 minutes for DNS server replication.


Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{D3DE0AE1-0748-4D0B-94CA-A113176629CB}
NetBT_Tcpip_{21B4727C-4DCA-4978-8B2C-294F090C269C}
The redir is bound to 2 NetBt transports.

List of NetBt transports currently bound to the browser
NetBT_Tcpip_{D3DE0AE1-0748-4D0B-94CA-A113176629CB}
NetBT_Tcpip_{21B4727C-4DCA-4978-8B2C-294F090C269C}
The browser is bound to 2 NetBt transports.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Skipped


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

Note: run "netsh ipsec dynamic show /?" for more detailed information


The command completed successfully



Any ideas? Oh, from the netdiag results, the 192.0.1.160 DNS server is a
Linux platform on a different network IP range. Not sure why DNS replication
would try and replicate with this DNS server.

Regards

Matthew
 
I checked my path to the gpt.ini file and it does exist. I also tried the
permissions on the file by adding the Everyone container to the object.
Still no joy.
 
Matthew said:
Per interface results:

Adapter : Orange

Netcard queries test . . . : Failed
NetCard Status: UNKNOWN

Host Name. . . . . . . . . : matthew
IP Address . . . . . . . . : 192.0.1.236
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 192.0.1.172
Dns Servers. . . . . . . . : 192.168.1.3
192.0.1.160<-----remove this address
DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server
'192.168.1.3'
and other DCs also have some of the names registered.
[WARNING] The DNS entries for this DC are not registered correctly on DNS server '192.0.1.160'. Please wait for 30 minutes for DNS server replication.
Any ideas? Oh, from the netdiag results, the 192.0.1.160 DNS server
is a linux platform on a different network IP range. Not sure why
DNS replication would try and replicate with this DNS server.

It is not that DNS is trying to replicate to this DNS server, it is that the
DC will attempt registration of its records in all DNS servers listed in
TCP/IP properties, on all interfaces.

If the Linux DNS does not have a copy of the AD domain zone, it cannot be
used in TCP/IP properties, in any position, on any interface.

BTW, 192.0.1.x is a reserved public IP address subnet, owned by Information
Sciences Institute at USC, unless this address was assigned to you, change
the subnet IP range.
 
Multihomed DCs require additional configuration:
1. On the interfaces tab (DNS server properties) make sure only the internal
IP is listed in the listen on addresses.
2. Binding order: Right click on Network Places, choose properties, in the
Advanced menu of the Window that opens choose Advanced settings. In Advanced
settings, Connections pane, the internal interface should be at the top of
the list. In the Bindings pane, Client for MS networks and file sharing
should only be bound to the internal interface.
 
Hi Kevin

I have carried out the advanced settings in network properties and checked
the DNS server properties. I have also removed the Linux DNS servers. I have
checked the DNS event log and there appear to be no more errors.

However, I am still receiving Event ID 1058.

Regards

Matthew
 
Can you access \\bytron.local\sysvol?

Does bytron.local resolve ONLY to the IP address on the DC that has File
sharing enabled?
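An added worked example, not part of any post in this thread, that applies Kevin's multihomed-DC configuration (DNS listen addresses, bindings on the external NIC, DNS servers per interface) and then runs the two checks he asks for here, plus the TCP/IP NetBIOS Helper check from his later reply. The interface names Orange (external, 192.0.1.236) and Green (internal, 192.168.1.3), the domain bytron.local and the Default Domain Policy GUID are taken from Matthew's netdiag and event output; the cmdlets are the modern equivalents of the 2003-era dialogs, and it is assumed that the DNS client on every NIC already lists only the internal DNS server and that MATTHEW is by now the only DC (so trimming the zone's apex A records is safe).

```powershell
# Added example (not from the thread).  Run elevated on the multihomed DC.
# 'lmhosts' is the service name of the TCP/IP NetBIOS Helper service.
$internalNic = 'Green'
$externalNic = 'Orange'
$internalIp  = '192.168.1.3'
$domain      = 'bytron.local'
$gpoGuid     = '{31B2F340-016D-11D2-945F-00C04FB984F9}'   # Default Domain Policy

# 1. DNS server "Interfaces" tab: listen only on the internal address, so the
#    DC stops publishing its external IP in the AD zone.
dnscmd /ResetListenAddresses $internalIp

# 2. Bindings: no SMB server or client on the external NIC, and the internal
#    NIC preferred (the interface metric replaces the old binding-order dialog).
foreach ($component in 'ms_server', 'ms_msclient') {
    Disable-NetAdapterBinding -Name $externalNic -ComponentID $component
}
Set-NetIPInterface -InterfaceAlias $internalNic -AddressFamily IPv4 -InterfaceMetric 10
Set-NetIPInterface -InterfaceAlias $externalNic -AddressFamily IPv4 -InterfaceMetric 20

# 3. Why this matters for event 1058: \\bytron.local\sysvol is reached via the
#    zone's apex A records.  If one of them is the external IP, where SMB is
#    no longer bound, any client that picks it cannot open SYSVOL at all.
#    Drop stale apex records, re-register, and confirm only the internal IP.
Get-DnsServerResourceRecord -ZoneName $domain -RRType A |
    Where-Object { $_.HostName -eq '@' -and
                   $_.RecordData.IPv4Address.IPAddressToString -ne $internalIp } |
    Remove-DnsServerResourceRecord -ZoneName $domain -Force
ipconfig /registerdns | Out-Null
$answers = (Resolve-DnsName -Name $domain -Type A -Server $internalIp).IPAddress
"$domain resolves to: $($answers -join ', ')"

# 4. Kevin's checks: DFS client service running, SYSVOL reachable through the
#    domain name, and the GPO's gpt.ini readable from that path.
(Get-Service -Name lmhosts).Status
$gptIni = "\\$domain\SYSVOL\$domain\Policies\$gpoGuid\gpt.ini"
Test-Path -Path $gptIni
Get-Content -Path $gptIni
```

If step 3 still shows the external address after re-registration, Netlogon is registering it from the RRAS interface; the fix is the listen-address restriction in step 1 together with the RegisterDnsARecords / DNS registration settings on the external interface, not loosening the gpt.ini ACL.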
 
Steve,
I am having a similar problem as Matthew. I however have only one DC. My
error message from the dcdiag is the same
Starting test: frsevent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
"
I followed the instructions in the article you pointed to up through step 3.
My adsiedit doesn't show the "problem" policy listed as a "notepad" icon. I
know which policy is the problem. I've checked the permissions on it through
adsiedit and Explorer and on the "sysvol" share itself. I also get "domain
controller not found for mydomain.com" when trying to access group policies
through "AD users and groups" when run from the PDC. If I access GP through a
client machine's "AD users and groups", group policy comes up and I am able to
modify it. Many of the policies within the group policy "Computer" section
are empty however.

I've seen posts about directly modifying gpt.ini within the problem policy,
but I don't trust that, especially after seeing what that file contains.

More relevant info: every 5 minutes userenv logs 1030 and 1058. The
errors started while I was making changes to GP policies for the IE browser
interface, GP refresh interval, and screen saver times to require the user to
re-enter their password to use the client.

I think if I can create a new, clean default group policy, it will fix the
problem, but I'm not sure how to do it, or even if it will work.
David

 
Matthew said:
I checked my path to the GPI file and it does exist. I also tried the
permissions on the file by adding the everyone container to the
object.

Is the TCP/IP NetBIOS helper service enabled and running?
This service is required for DFS Shares.
 
David,


GPOs rely on AD fully functioning. AD relies on DNS fully functioning and
configured properly. Therefore, I usually look at the basics to make sure
they are operational and configured properly before I ever attempt to alter
any sort of permissions and/or registry entries.

That said, here's some more info from a previous post I made for someone else
that had GPO and other AD related issues:
----------------------------------
AD & DNS basic rules of engagement:
If you have your ISP's DNS addresses in your IP configuration (DCs and
clients), they need to be REMOVED. This is what is
causing the whole problem.

Just a little background: AD uses DNS. DNS stores AD's resource and service
locations in the form of SRV records, hence how everything that is part of
the domain will find resources in the domain. If the ISP's DNS is configured
in any of the internal AD member machines' IP properties (including all
client machines and DCs), the machines will be asking the ISP's DNS "where
is the domain controller for my domain?" whenever they need to perform a
function (such as a logon request, replication request, querying and
applying GPOs, etc). Unfortunately, the ISP's DNS does not have that info
and replies with an "I dunno", and things just fail.

So you cannot use your ISP's DNS addresses anymore in your client or any
other machines. You cannot use your router as a DNS or DHCP server either.
If you are using your NT4 as a DNS server, that all needs to be changed over
to Win2003 DNS. Same with DHCP. NT4 DNS cannot support AD's SRV requirements
and dynamic updates.

If your current scenario is using your NT4 DNS, your ISP's DNS or your
router's DNS, it is strongly suggested and recommended to only use the
internal DNS servers on the network that is hosting the AD zone name. This
applies to all machines, (DCs and clients). Believe me, Internet resolution
will still work with the use of the Root hints (as long as the root zone
doesn't exist).

However, for more efficient Internet resolution, it's HIGHLY recommended to
configure a forwarder. If the forwarding option is grayed out, delete the
Root zone (looks like a period). If not sure how to perform these two tasks,
please follow one of the two articles listed below, depending on your
operating system. They show a step by step on how to perform these tasks:

323380 - HOW TO Configure DNS for Internet Access in Windows Server 2003 :
http://support.microsoft.com/?id=323380

300202 - HOW TO Configure DNS for Internet Access in Windows Server 2000 :
http://support.microsoft.com/?id=300202

291382 - Frequently asked questions about Windows 2000 DNS and Windows
Server 2003 DNS
http://support.microsoft.com/default.aspx?scid=kb;en-us;291382

---------------------------------


If you feel this wasn't helpful, I think it's time to ask for more specific
configuration information, such as:

1. ipconfig /all from a client and from your DC(s)
2. The DNS domain name of AD (found in ADUC)
3. The zonename in your Forward Lookup Zones in DNS
4. If updates are set to allow under zone properties
5. If this machine has more than one NIC (multihomed)
6. Do you have a firewall? If so, what brand?
7. Is/are forwarder(s) configured?
8. Do the SRV records exist under your zone name?
9. Event ID errors?

Thanks

Ace
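An added worked example, not part of any post in this thread, that gathers the answers to Ace's checklist for one DC and applies the two rules his post insists on: no external (ISP, router or Linux) resolver on any NIC, and a forwarder instead of a root zone. The domain bytron.local and the internal DNS server 192.168.1.3 are taken from the thread; the forwarder address 203.0.113.53 is a documentation-range placeholder to replace with your own upstream, and the DnsServer and DnsClient modules (Windows Server 2012 and later) are assumed.

```powershell
# Added example (not from the thread).  Run elevated on the DC.
$domain      = 'bytron.local'
$internalDns = '192.168.1.3'
$forwarder   = '203.0.113.53'   # placeholder upstream resolver (assumption)

# 1. Checklist item 1: which resolvers does each NIC use?  Anything that does
#    not host the AD zone makes the DC ask "where is my domain controller?" of
#    a server that cannot answer, so it is replaced with the internal server.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object {
        $bad = $_.ServerAddresses | Where-Object { $_ -ne $internalDns }
        if ($bad) {
            "Fixing $($_.InterfaceAlias): removing $($bad -join ', ')"
            Set-DnsClientServerAddress -InterfaceAlias $_.InterfaceAlias `
                -ServerAddresses $internalDns
        }
    }

# 2. Checklist items 3 and 4: the zone exists, is AD-integrated, and allows
#    (secure) dynamic updates so DCs can register their records.
$zone = Get-DnsServerZone -Name $domain
$zone | Select-Object ZoneName, IsDsIntegrated, DynamicUpdate, ReplicationScope
if ($zone.DynamicUpdate -ne 'Secure') {
    Set-DnsServerPrimaryZone -Name $domain -DynamicUpdate Secure
}

# 3. Checklist item 7: a root zone "." makes the server think it IS the root
#    and greys out forwarding.  Remove it, then point at the upstream resolver
#    (root hints remain as a fallback).
if (Get-DnsServerZone | Where-Object { $_.ZoneName -eq '.' }) {
    Remove-DnsServerZone -Name '.' -Force
}
Set-DnsServerForwarder -IPAddress $forwarder -UseRootHint $true

# 4. Checklist item 8: the SRV records every domain member needs to locate a
#    DC, the KDC and a global catalog.  A missing record means the DC never
#    registered (usually because of item 1); restarting Netlogon re-registers.
$required = @(
    "_ldap._tcp.dc._msdcs.$domain",
    "_kerberos._tcp.dc._msdcs.$domain",
    "_ldap._tcp.$domain",
    "_kerberos._tcp.$domain",
    "_gc._tcp.$domain"
)
$missing = foreach ($name in $required) {
    $r = Resolve-DnsName -Name $name -Type SRV -Server $internalDns -ErrorAction SilentlyContinue
    if (-not $r) { $name }
}
if ($missing) {
    "Missing SRV records: $($missing -join ', ') - re-registering"
    Restart-Service -Name Netlogon
    Start-Sleep -Seconds 10
    dcdiag /test:DNS /DnsRecordRegistration
}
else {
    'All required SRV records present.'
}
```

Items 5 and 6 of the checklist (multihomed, firewall) are answered by Matthew's netdiag output above rather than by this script; on a multihomed DC the resolver fix in step 1 has to be applied to every interface, which is why the loop does not stop at the first one.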
 