CCicchini
Hi,
I'm currently running a Windows 2000 domain on a number of domain
controllers (DCs) across various sites.
Recently, our FSMO server (which is also a PDC Emulator), Server1 went
offline. We restored from backups to get it running again. When it
came back online, it immediately updated any changes that were made to
Active Directory (AD) during its downtime, so it was assumed that
everything was all right.
However, during the time Server1 was offline, changes were made to
Group Policy (GP) (creating, modifying, deleting etc) on Server2,
which is located on the same site.
Two days later after Server1 was brought back online and the changes
were made to GP, we found that the GPs weren't applying to the clients
at our other sites. I used the GPRESULT.EXE tool to verify this.
I used the GPOTOOL on the DCs and found that an error was generated on
Server2, which was:
Error: Cannot access \\Server2\sysvol\mydomain\policies\{CF5495EF-7667-4241-A5FA-8EBCD4658A51}, error 2.
The GP that the error message refers to is one called AutoUpdates,
which I deleted from Server2. I verified that the folder no longer
exists, so it seems that even though all references to AutoUpdates were
deleted, GPO seems to think that AutoUpdates still exists. I ran
GPOTOOL on the other DCs except for Server1 and got the same error
message as described above.
I get no error messages running GPOTOOL on Server1. As far as it's
concerned, AutoUpdates doesn't exist. All the other changes and
additions of GPs seemed to have replicated fine too.
I have tested the replication on both AD and FRS, and they seem to
both be working fine. Seem to in the sense that changes to AD are
getting replicated as are changes to files under the NETLOGON share.
There is one note of interest however in that I am getting an Event ID
1388 error message in the Event Logs, once a day, under Directory
Service which is:
Source: NTDS Replication
Category: Replication
Event ID: 1388
"This destination system received an update for object which should
have been present locally, but was not. The attribute set included in
the packet is not sufficient to create the object. A full copy of the
object will be requested.
Object Name: CN="c30088cd-bd62-4c7b-a411-e9ad579e0e63
DEL:e5b19c5a-eb2d-44bb-9b3c-f322f7a4bd9a",CN=Deleted Objects,CN=Configuration,DC=xxx,DC=xxx,DC=com,DC=au
Object GUID: e5b19c5a-eb2d-44bb-9b3c-f322f7a4bd9a
Partition: CN=Configuration,DC=xxx,DC=xxx,DC=com,DC=au
Transport-specific source address: 6874f717-4088-450d-ac08-6575a1fc7e7a._msdcs.xxx.xxx.com.au
Destination highest property update USN: 828973"
Searches on the net for this event ID haven't exactly yielded a battery
of hits, so I'm completely lost.
My question is: is there a way of resynching the GPs on Server2,
Server3 etc with the information on Server1? Will that even resolve
the problem?
Any input will be greatly appreciated.
Claudio
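
The GPOTOOL error in the post (error 2 is "file not found") means a DC still holds a Group Policy object in its AD replica with no matching folder in its SYSVOL. As an added example that is not part of the original post, the script below makes that comparison per DC; it assumes a management workstation with PowerShell and read access to every DC, and reuses the server names and SYSVOL folder name from the post.

```powershell
# Added example: for each DC, compare GPO objects in that DC's AD replica
# (CN=Policies,CN=System) with the policy folders in that DC's SYSVOL share.
# Assumptions: DC names and the SYSVOL domain folder are taken from the post;
# the account running this can read LDAP and \\<DC>\sysvol on every DC.
$SysvolDomain = 'mydomain'
$DCs          = 'Server1', 'Server2', 'Server3'

function Get-GpoGuidsFromAD([string]$Server) {
    # Bind to the named DC so the result reflects its own replica.
    $root = [ADSI]"LDAP://$Server/RootDSE"
    $base = [ADSI]"LDAP://$Server/CN=Policies,CN=System,$($root.defaultNamingContext)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        $base, '(objectClass=groupPolicyContainer)')
    $searcher.SearchScope = 'OneLevel'
    $searcher.PageSize    = 500
    [void]$searcher.PropertiesToLoad.Add('cn')
    # The cn of a groupPolicyContainer is the GPO GUID in braces.
    $searcher.FindAll() | ForEach-Object { ([string]$_.Properties['cn'][0]).ToUpper() }
}

function Get-GpoGuidsFromSysvol([string]$Server, [string]$Domain) {
    Get-ChildItem -LiteralPath "\\$Server\sysvol\$Domain\policies" |
        Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        ForEach-Object { $_.Name.ToUpper() }
}

foreach ($dc in $DCs) {
    try {
        $inAD     = @(Get-GpoGuidsFromAD $dc)
        $inSysvol = @(Get-GpoGuidsFromSysvol $dc $SysvolDomain)
    } catch {
        Write-Warning "${dc}: could not query ($($_.Exception.Message))"
        continue
    }
    # AD object without a folder: the condition GPOTOOL reports as error 2.
    $adOnly = @($inAD     | Where-Object { $inSysvol -notcontains $_ })
    # Folder without an AD object: leftover files in SYSVOL.
    $fsOnly = @($inSysvol | Where-Object { $inAD -notcontains $_ })

    foreach ($g in $adOnly) { "{0}: {1} is in AD but has no SYSVOL folder" -f $dc, $g }
    foreach ($g in $fsOnly) { "{0}: {1} has a SYSVOL folder but no AD object" -f $dc, $g }
    if (-not $adOnly.Count -and -not $fsOnly.Count) {
        "{0}: AD and SYSVOL agree ({1} GPOs)" -f $dc, $inAD.Count
    }
}
```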