
I know we've seen this before!! But I can't make it stop!! ARRGHH!!

Posted on 2003-03-05
Last Modified: 2008-01-09
Problem: (Ok. This is a bit long but Please give it a glance!!)

These (3) errors pop up in App Log on member servers roughly every 2 hours.

#1
Event Type:     Error
Event Source:     Userenv
Event Category:     None
Event ID:     1000
Date:          3/5/2003
Time:          11:17:06 AM
User:          NT AUTHORITY\SYSTEM
Computer:     DOT_SRVR_3
Description:
Windows cannot access the registry information at \\dotnj.org\sysvol\dotnj.org\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\registry.pol with (5).
==========================
#2
Event Type:     Error
Event Source:     SceCli
Event Category:     None
Event ID:     1001
Date:          3/5/2003
Time:          11:17:06 AM
User:          N/A
Computer:     DOT_SRVR_3
Description:
Security policy cannot be propagated. Cannot access the template. Error code = 3.
     \\dotnj.org\sysvol\dotnj.org\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
==============================
#3
Event Type:     Error
Event Source:     Userenv
Event Category:     None
Event ID:     1000
Date:          3/5/2003
Time:          11:17:06 AM
User:          NT AUTHORITY\SYSTEM
Computer:     DOT_SRVR_3
Description:
The Group Policy client-side extension Security was passed flags (17) and returned a failure status code of (3).
========================================
Setup:
dot_proxy - 1st server in. Original PDC. Was upgraded from NT4 (will retire soon)
dot_nt_1 - NT4 Mail Server to be replaced by dotmail1
dot_nt_2 - 2nd server (DC)
dot-sql - 3rd server (DC)
dotfile1 - 4th server (DC) will be new PDC (gets errors)
dotmail1 - member (gets errors)
dot-appeal - member (gets errors)
dot_srvr_3 - member (gets errors)
dotsql2 - member (gets errors)
dotiis1 - member (DOES NOT get errors - STRANGE)
dotvpn1 - member (gets errors)
dot-test1 - member (gets errors)

Recent Changes:
1) Renamed a member server from dotnt4 to dotmail1.
2) In AD/U&C Operations Master I changed the RID/PDC/Infrastructure from the original PDC (dot_proxy) to the new (much more powerful) server (dotfile1).
Note: Changed #2 back to DOT_PROXY - no change.
Note: Put it back to dotfile1 since dot_proxy will be decommissioned at some point (stability would be nice!).

The errors have been coming up daily since 2/14/03.
This is about when I changed the server name in #1 above.  I normally keep a 'change log' but for some reason I didn't on that day (guess I was trying to get home to the Wife on Valentine's Day! 8-( --

I've looked at MANY different 'answers' and can't seem to figure this one out.  I've been from here to Microsoft to eventID.net and a few other places.  Arrghh!

The File & Printer Sharing is enabled and 'top listed' on each of the servers in question as well as the original PDC.

Here's a strange thing: The directory of:
\\dotnj.org\sysvol\dotnj.org\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf

On the PDC has 'system, full access', 'creator owner, no access', 'authenticated users, R?E-L-R' at the root, sysvol and domainname (dotnj.org) but are NOT propagated to policies or any lower. I DID check the box and under advanced try to force.  I can set them manually -

QUESTION: WHAT ARE THE REQUIRED SYSVOL PERMISSIONS, at what level and shouldn't they propagate all the way down?

ANY HELP IS GREATLY APPRECIATED.
I will post what I have done (tech notes, etc) but in the meantime. HELP!!!

Matthew Jones
matthewjones@comcast.net

Question by:matthewjones
7 Comments
 
LVL 1

Author Comment

by:matthewjones
ID: 8073849
Here's another item which may be strange.

If I open Domain Security Policy or DC Sec Policy
the
Restricted Groups
System Services
Registry
Filesystem

all have a 'locked lock' on the file folder.
If I highlight any of them there are no objects visible.
Is this correct?
NOTE: System services does list a number of objects.

Thanks again.
0
 
LVL 1

Expert Comment

by:sjhaveri
ID: 8073885
look at eventid.net and browse through USRENV
FOR event 1000
Source: Userenv
Type: Error
Description: Windows cannot access the registry information at \\mydomain.com\sysvol\mydomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\registry.pol with (<error code>).
Comments: Adrian Grigorof: As a first step, use NET HELPMSG <error code> for a first clue as to what is wrong.

Error code 5 - "Access denied" - See Q290647. Also, from a newsgroup post: "I have been plagued by the same message on my system for months. Most of the postings I saw claimed that this was due to my system being multi-homed and the order of the priority of the NICs being incorrect. In my case, the suggested remedies did not work. Today I checked and found out the node "C:\WINNT\sysvol\sysvol" was not shared. After I shared that node to system and Administrator, the error messages stopped."

Error code 51 - "The remote computer is not available." - "The \\Active Directory Domain Name\Sysvol share is a special share that requires the distributed file system (Dfs) client to make a connection. If the Dfs client is disabled, the error messages are generated. ". See the link to Q259398.

Error code 53 - "The network path was not found." - Caused by File and Printer Sharing service not being enabled on the Domain Controller interface(s). See the link to Q279742.

Jürgen Reithmayr: Error: 1351 - "Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied."

Josh Tanski: Setting the TCP/IP Netbios Helper Service to manual startup caused this and related events for me, as it prevented me from accessing DFS shares. I set the service back to automatic startup to solve the problem.

Bob A. Schelfhout Aubertijn: Q258296 explains in detail how to prevent this error from popping up every 5 minutes in the event log. The trick is to move the NIC that has file and printer sharing bound to it to the top of the binding order in, network connections > advanced > advanced settings.

Thomas Blatti: In my case, the reason for this error was the server, it had the IRPStackSize too low (on 11). Default for Windows 2000 is 15 (range from 11 to 50 referring to Q177078). Registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
A referring document from MS (Q106167) is outdated and should be corrected for Windows 2000.

Kevin Austin: Error 1351 - MS knowledgebase had my solution in article Q258960. It referenced a buffer limitation of 15 ip addresses in Lmhsvc.dll which is resolved in SP2.

Ander Taylor: I had this problem on all my member servers, it turned out to be a permissions problem with SYSVOL.
I fixed it as follows:
Start > Programs > Administrative Tools > Domain Controllers Security Policy > Security Settings > Double click "File System" > Double click "%SYSVOL%\Domain\Policies" > Edit Security> Make sure the appropriate permissions are set and tick the "Allow Inheritable Permissions ........" checkbox. Note that the permissions in "%SYSVOL%" must be set properly too.
 

FOR event 1001
Source: SceCli
Type: Error
Description: Security policy cannot be propagated. Cannot access the template. Error code = 3. \\mydomain.com\sysvol\mydomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
Comments: Adrian Grigorof: This event can occur if the %SystemRoot%\SYSVOL\Domain\Policies Group Policy directory structure is missing or is incorrect. The Replication service is trying to replicate the directory but cannot locate it. We also observed this error message when File and Print Services are not enabled. Error code 3 means "The system cannot find the path specified.". On systems with multiple network cards you may want to check the order of network card bindings.
0
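The SYSVOL permission and inheritance check discussed in the question and in the comment above, as an added PowerShell example that is not part of the original thread. It walks the path from the event level by level and reports where it stops being reachable (the error 3 / error 5 cases), where inheritance is blocked, and whether Authenticated Users has read and execute. The `example.test` path and GUID placeholder are assumptions, and so is treating Authenticated Users read/execute as the access to look for (taken from the permissions the asker lists).

```powershell
# Added example (not from the thread). Replace the placeholder with the path
# quoted in your own Userenv 1000 / SceCli 1001 event.
param(
    [string]$GpoPath = '\\example.test\sysvol\example.test\Policies\{GPO-GUID-PLACEHOLDER}\Machine'
)

$sidType     = [System.Security.Principal.SecurityIdentifier]
$readExec    = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$authUsers   = 'S-1-5-11'   # well-known SID: Authenticated Users

function Get-PathLevels {
    param([string]$Path)
    # \\server\share\a\b -> \\server\share, \\server\share\a, \\server\share\a\b
    $parts   = $Path.Trim('\').Split('\')
    $current = '\\' + $parts[0] + '\' + $parts[1]
    $current
    for ($i = 2; $i -lt $parts.Count; $i++) {
        $current = "$current\$($parts[$i])"
        $current
    }
}

foreach ($level in Get-PathLevels $GpoPath) {
    $row = [ordered]@{ Path = $level; Reachable = $false
                       InheritanceBlocked = $null; AuthUsersReadExec = $null }
    # Test-Path is $false for a missing path and for one we may not read
    if (Test-Path -LiteralPath $level) {
        $row.Reachable = $true
        try {
            $acl = Get-Acl -LiteralPath $level -ErrorAction Stop
            # True means this level does not inherit from its parent
            $row.InheritanceBlocked = $acl.AreAccessRulesProtected
            # Ask for SIDs so the check does not depend on localized names
            $rules = $acl.GetAccessRules($true, $true, $sidType)
            $row.AuthUsersReadExec = [bool]($rules | Where-Object {
                $_.IdentityReference.Value -eq $authUsers -and
                $_.AccessControlType -eq 'Allow' -and
                -not ($_.PropagationFlags -band $inheritOnly) -and
                ($_.FileSystemRights -band $readExec) -eq $readExec
            })
        } catch {
            $row.AuthUsersReadExec = "ACL unreadable: $($_.Exception.Message)"
        }
    }
    [pscustomobject]$row
    if (-not $row.Reachable) { break }   # deeper levels cannot be reached either
}
```

The events in the question are logged as NT AUTHORITY\SYSTEM, so a run under an administrator account can succeed where the machine's own policy refresh fails; compare the output from a failing member server with one that does not log the errors.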
 
LVL 1

Author Comment

by:matthewjones
ID: 8074133
Here's another item which may be strange.

If I open Domain Security Policy or DC Sec Policy
the
Restricted Groups
System Services
Registry
Filesystem

all have a 'locked lock' on the file folder.
If I highlight any of them there are no objects visible.
Is this correct?
NOTE: System services does list a number of objects.

Thanks again.
0
LVL 26

Expert Comment

by:Vahik
ID: 8077157
0
 
LVL 5

Expert Comment

by:cempasha
ID: 8603987
This question is still open and getting old. If any of the comment(s) above helped you, please accept it as an answer or split the points among whoever helped you in this question. Your attention in finalising this question is very much appreciated. Thanks in advance,

****** PLEASE DO NOT ACCEPT THIS AS AN ANSWER ********

- If you would like to close this question and have your points refunded, please post a question in community support area on http://www.experts-exchange.com/Community_Support/ giving the address of this question. Thank you      

Pasha

Cleanup Volunteer


0
 

Accepted Solution

by:
Chmod earned 0 total points
ID: 8703059
PAQ'd, points NOT refunded

Chmod
Community Support Moderator @Experts Exchange
0
