xehomx
asked on
The processing of Group Policy failed
The processing of Group Policy failed. Windows attempted to read the file \\<Domain Name>\sysvol\Domain Name>\Policies\{31B2F340-0 16D-11D2-9 45F-00C04F B984F9}\gp t.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
If the issue is with a specific group policy or preference, which one? All the group Policies
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
If the issue is with a specific group policy or preference, which one? All the group Policies
First thing I would try is
- track down which policy matches with the GUID.
- edit the policy with Group Policy Management Console. Make some minor change, doesn't matter what it is.
- close the policy
- edit the policy again, removing the setting you added before
I have run into this error and gone through the gamut of checking the existence of the gpt.ini file, verifying Sysvol and GPO folder structure permissions, checking replication, etc., and after finding no problem, simply making a revision to the GPO (as noted above) cleared the error.
If that doesn't help, check out Darren Mar-Elia's (the GPO guy) FAQ at
http://www.gpoguy.com/FAQs/tabid/57/agentType/ViewType/PropertyTypeID/1/Default.aspx
Relevant entry is quoted below:
- track down which policy matches with the GUID.
- edit the policy with Group Policy Management Console. Make some minor change, doesn't matter what it is.
- close the policy
- edit the policy again, removing the setting you added before
I have run into this error and gone through the gamut of checking the existence of the gpt.ini file, verifying Sysvol and GPO folder structure permissions, checking replication, etc., and after finding no problem, simply making a revision to the GPO (as noted above) cleared the error.
If that doesn't help, check out Darren Mar-Elia's (the GPO guy) FAQ at
http://www.gpoguy.com/FAQs/tabid/57/agentType/ViewType/PropertyTypeID/1/Default.aspx
Relevant entry is quoted below:
I keep getting error like the following in the event logs of my clients and GP is not being processed. Why? The Error: Windows cannot access the file gpt.ini for GPO cn={6AC1786C-016F-11D2-945F-00C04fB9 84F9},cn=p olicies,cn =system,DC =cpandl,DC =com. The file must be present at the location <\\cpandl.com\sysvol\compa ny.NET\Pol icies\{6AC 1786C-016F -11D2-945F -00C04fB98 4F9}\gpt.i ni>. (Access is denied. ). Group Policy processing aborted.
There are several reasons that I've seen that cause this error. In cases where computer policy processing is failing with this error but user policy processing is occurring just fine, it could be a network stack timing issue. In that case, check out http://support.microsoft.com/default.aspx?scid=kb;en-us;840669
In cases where its just failing outright for all policy there are at least two other possible reasons for this. The first is that one or more SYSVOL replicas on your DCs are not replicating correctly and the gpt.ini file is actually missing from a given DC that the client is hitting. In this case, Windows is not smart enough to failover to another DFS replica (SYSVOL is just a system-maintained DFS replica) and GP processing will simply fail. In that case, the quickest solution is to copy the contents of the failing GPO from a known-good copy of it on another DC. The last reason I've seen for this failing is when you've implemented a restrictive security policy on the client that is processing GPO. For example, if you implement one of the "High Security" templates from the Server 2003 security guide, which may require, for example, SMB signing of all network traffic between server and client. In that case, if the server does not support that requirement, basic file communications between the client processing GP and server will fail. Usually the solution there is to apply a less restrictive security template to the client processing GP (or to the DC serving up GP if the change was made on the DC side)
What you dont say is:-
Was this a one off? Does it happen all the time?
Is it multiple machines you find the error on?
Have you recently Added or Removed or Lost and DC's from the domain?
Is the error on PC's on a specific site?
Was this a one off? Does it happen all the time?
Is it multiple machines you find the error on?
Have you recently Added or Removed or Lost and DC's from the domain?
Is the error on PC's on a specific site?
Check your DNS configuration on your client.
Do you have issues with replication between your DCs? You can verify this using:
repadmin /syncall
Another thing you can try is resetting your TCP stack:
netsh int ip reset resetlog.txt
Do you have issues with replication between your DCs? You can verify this using:
repadmin /syncall
Another thing you can try is resetting your TCP stack:
netsh int ip reset resetlog.txt
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Issue solved
I resolved this issue by making a minor change to the policy reporting the error, closing, editing again then removing the previous setting as footech recommended above.
I would recommend you to check the logs on that DC,.
You can force the Sysvol replication between Domain controllers
http://www.windowstricks.in/2009/11/force-sysvol-replication.html
If this does not help , then you can perfrmo the restore of sysvol by setting Burflag to D2 on problematic DC
http://blogs.dirteam.com/blogs/jorge/archive/2010/08/12/restoring-the-sysvol-non-authoritatively-when-either-using-ntfrs-or-dfs-r-part-1.aspx
Regards,
_Prashant_