Solved

GPO not applying on Server 2003

Posted on 2003-10-24
Last Modified: 2009-07-29
Firstly my AD GPOs are working on all machines on the
network just fine.  I have Win2k, XP and Server 2003.

On just ONE server that was upgraded from Win2k to
Windows 2003 server GPOs will not apply to it.

When I run GPRESULT I get the error

"INFO: The user does not have RSOP data."

When I run RSOP.MSC I get an error

"The RSoP snap-in was unable to generate the RSoP data due
to the error listed below.
Access denied"

In the windows eventlog

Event Type:      Error
Event Source:      Userenv
Event Category:      None
Event ID:      1030
Date:            10/23/2003
Time:            12:35:09 PM
User:            ABC\USER1
Computer:      ABCWEB1
Description:
Windows cannot query for the list of Group Policy objects.
Check the event log for possible messages previously
logged by the policy engine that describes the reason for
this.

Event Type:      Error
Event Source:      Userenv
Event Category:      None
Event ID:      1058
Date:            10/23/2003
Time:            12:35:09 PM
User:            ABC\User1
Computer:      ABCWEB1
Description:
Windows cannot access the file gpt.ini for GPO CN={278B6C14-E72B-4B94-A246-CEF26D6E7003},CN=Policies,CN=System,DC=abc,DC=com. The file must be present at the location <\\abc.com\SysVol\abc.com\Policies\{278B6C14-E72B-4B94-A246-CEF26D6E7003}\gpt.ini>. (The network path was not found. ). Group Policy processing aborted.

some more information....

from the server I cannot hit the sysvol DFS share if I type

\\abc.com\sysvol

If I do this I get the error

"No network provider accepted the given network path"

Another thing that is wrong is that I cannot connect to
this server via RDP.  When I try remote to it I get the
error

"The system cannot log you on due to the following error:
The RPC server is unavailable"

Anyone any ideas?
Question by:darrenburke
 
LVL 2

Expert Comment

by:vivekpara
ID: 9615785
Is this computer a DC?  If it is, it sounds like you have a JRNLWRP problem.  Is your security policy set to keep event logs on that computer for 7 days?  If it is, it will not allow File Replication to start and will generate ID 1003 errors.  Do you see any of those errors in the File Replication log?
0
 
LVL 8

Expert Comment

by:nader alkahtani
ID: 9615855
Details
Product: Windows Operating System
ID: 1030
Source: Active Directory
Version: 5.0
Symbolic Name: DIRLOG_BAD_ATT_SCHEMA_SYNTAX
Message: Internal error: The syntax %1 defined in the schema for attribute %2 is incorrect. Stop and restart this Windows Domain Controller and try again.  
   
Explanation
Internal error: Active Directory could not add an attribute to an object because either the syntax defined for the attribute is incorrect or the object does not exist.
 
   
User Action
Restart this local domain controller, and then try again.
 
 

--------------------------------------------------------------------------------
 


Details
Product: Windows Operating System
ID: 1030
Source: IAS
Version: 5.0
Symbolic Name: IASP_NO_POLICY_MATCH
Message: The user's information did not match a Remote Access Policy.  
   
Explanation
This event record indicates that the user may not belong to a group. It is possible that the user was intentionally left out of a group.
 

0
 
 
LVL 8

Expert Comment

by:nader alkahtani
ID: 9615947
Although this applies to XP, it may help for 2003:

Group Policies Are Not Applied The Way You Expect; "Event ID 1058" and "Event ID 1030" Errors in the Application Log
   


This article was previously published under Q314494
For a Microsoft Windows 2000 version of this article, see 259398.

IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry

SYMPTOMS

On your Windows XP-based computer, group policies may not be applied as you expect. When you look at the Application Log of the Event Viewer, you see error data similar to the following:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1058
Date: 2/8/2002
Time: 7:25:40 AM
User: NT AUTHORITY\SYSTEM
Computer: MYCOMPUTER
Description: Windows cannot access the file gpt.ini for GPO
CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=lcds,DC=lab
The file must be present at the location \\lcds.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
(Access is denied) Group Policy processing aborted.


Event Type: Error
Event Source: SceCli
Event Category: None
Event ID: 1030
Date: 2/8/2002
Time: 7:30:46 AM
User: N/A
Computer: MYCOMPUTER
Description: Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.

CAUSE

This behavior may occur if both of the following conditions are true:

Your Windows XP-based computer is a member of a domain.

-and-

The Microsoft Distributed File System (DFS) client is turned off (disabled).

NOTE: The \\Active Directory Domain Name\Sysvol share is a special share that requires the DFS client to make a connection.

RESOLUTION

To resolve this issue, turn on (enable) the DFS client. To do this, follow these steps.

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.


1. Click Start, and then click Run.
2. In the Open box, type regedt32, and then click OK.
3. In the Registry Editor window, locate the following registry key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mup
4. In the right details pane, double-click DisableDFS.
   The DFS client is turned off if the value in the Value data box is 1.
   The DFS client is turned on if the value in the Value data box is 0.
5. In the Edit DWORD Value dialog box that appears, type 0 in the Value data box, and then click OK.
6. On the File menu, click Exit to quit Registry Editor.

Additionally, turn on File and Printer Sharing for Microsoft Networks on the interface. To do this, follow these steps:

1. Click Start, point to Connect To, and then click Show all connections.
2. Right-click the appropriate connection, and then click Properties.
3. Click the General tab.
4. Under This connection uses the following items, verify that the check box next to File and Printer Sharing for Microsoft Networks is selected, and then click OK.

MORE INFORMATION

For additional information about problems that may occur when Windows applies group policies, click the following article number to view the article in the Microsoft Knowledge Base:
814112 Files on Network Shares Open Slowly or Read-Only or You Receive an Error

Under this scenario on a Microsoft Windows 2000-based computer, you receive the following event IDs:
UserEnv Event ID 1000
SceCli Event ID 1001
These are different from those received on a Windows XP-based computer.
The information in this article applies to:
Microsoft Windows XP Professional
Microsoft Windows XP Tablet PC Edition


http://support.microsoft.com/default.aspx?scid=kb;en-us;314494#appliesto
0
 
LVL 8

Expert Comment

by:nader alkahtani
ID: 9615971
Update it

Gpupdate
I am so pleased that Windows 2000's Secedit is now obsolete, the syntax was horrendous.  Gpupdate completely replaces Secedit on Server 2003 and XP.  Mostly I just use Gpupdate as a simple command on its own, occasionally I tweak it with the following switches:

/target:computer  or /target:user applies only the user or computer section of your policy.  Normally I would use plain Gpupdate without the optional target switch.

/logoff   Useful for settings that do not apply until the user logs on again.

/boot   Handy for configuration which need the computer to restart.

/force reapplies all settings



http://www.computerperformance.co.uk/w2k3/W2K3_group_policy.htm
0
 
LVL 4

Author Comment

by:darrenburke
ID: 9615988
This machine is not a DC.  It is a Web server running 2003 (Enterprise Edition).

It really looks like a local DNS problem.   (and yes my DNS servers are setup right).  I even tried to put static entries for DNS names in the local HOSTS file!!!

I am going to update the NIC drivers today at 3pm to see if this helps.
0
 
LVL 4

Author Comment

by:darrenburke
ID: 9616018
NADIT - I saw that Q article and I did try setting "DisableDFS" to 0.
It did not work.


0
 
LVL 4

Author Comment

by:darrenburke
ID: 9617278
more info.....

when I type "IPCONFIG /REGISTERDNS" I get the following error.

Windows IP Configuration
Registration of DNS records failed: The system cannot find the file specified.

This is definitely DNS!!!

on ALL other machines the same command works just fine.

What can cause local DNS to stop working?


0

 
LVL 2

Expert Comment

by:vivekpara
ID: 9617543
I think you might need to reinstall the TCP/IP protocol stack.  Sometimes, if you do a repair on Internet Explorer, it can fix this problem as IE needs to fix the protocol stack.  Otherwise, remove TCP/IP and then reinstall it from the Network and Dial-Up connections panel on that LAN adapter.

0
 
 
LVL 8

Expert Comment

by:nader alkahtani
ID: 9618920
"Registration of DNS records failed: The system cannot find the file specified."

This may mean that HOSTS file is corrupted,  try to restore it

Did you try ipconfig /flushdns  ??

http://is-it-true.org/nt/nt2000/atips/atips142.shtml
0
 
LVL 4

Author Comment

by:darrenburke
ID: 9619940
I copied a new HOSTS file to the server
Rebooted
Reinstalled the NIC driver and the teaming/failover software suite

...still the same problem.

How do I uninstall the TCPIP protocol from 2003?  The uninstall option is greyed out when I click on it?
0
 
LVL 4

Author Comment

by:darrenburke
ID: 9621052
some more info....

I did get the dynamic DNS registrations working by setting the DNS and DHCP clients to use "local system" rather than NT Authority accounts.

So at this stage ipconfig /registerdns works however I still cannot open shares via DNS names.  NetBios or IP work fine.

The server works fine otherwise - it just will not apply GPOs and this is definitely because it cannot open \\abc.com\sysvol.  I am absolutely positive that if I can browse to DNS names share that the problem will get fixed.
0
 
LVL 4

Author Comment

by:darrenburke
ID: 9623057
....and some more info!

When I disable "NetBIOS over TCPIP" on the IP settings of the NIC then I cannot access any remote computers.  Any connections that it could make are obviously via NetBIOS.

so local DNS is broken!
0
 
LVL 4

Author Comment

by:darrenburke
ID: 9623139
ahhhhhh - I found the problem.  Someone had disabled the "TCP/IP NetBIOS Helper" service in the box (or it was disabled as part of the upgrade).

The server is now working fine.

Thank you all for your help

0
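
An added example (not part of any post in this thread): a read-only PowerShell check of the client-side conditions the thread ties to Userenv events 1058 and 1030, namely the DisableDFS value from the quoted KB article and the TCP/IP NetBIOS Helper service found disabled in the comment above. It assumes Windows PowerShell 3.0 or later and takes the domain name from Win32_ComputerSystem; the variable names are illustrative.

```powershell
# Added example: read-only check of what a member server needs in order to
# open \\<domain>\SYSVOL. It changes nothing on the machine.
param(
    # Assumption: default to the domain this computer is joined to.
    [string]$Domain = (Get-CimInstance Win32_ComputerSystem).Domain
)

$findings = @()

# 1. DFS client switch from the quoted KB article: DisableDFS = 1 means off.
$mup = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Mup' `
                        -ErrorAction SilentlyContinue
if ($mup -and $mup.DisableDFS -eq 1) {
    $findings += 'DisableDFS is 1: the DFS client is turned off.'
}

# 2. TCP/IP NetBIOS Helper (short name lmhosts): the cause found in this thread.
$svc = Get-CimInstance Win32_Service -Filter "Name='lmhosts'"
if (-not $svc) {
    $findings += 'TCP/IP NetBIOS Helper service is not installed.'
} elseif ($svc.StartMode -eq 'Disabled') {
    $findings += 'TCP/IP NetBIOS Helper is disabled.'
} elseif ($svc.State -ne 'Running') {
    $findings += "TCP/IP NetBIOS Helper is $($svc.State) (start mode $($svc.StartMode))."
}

# 3. The domain-based path that Userenv event 1058 reports as unreachable.
$policies = "\\$Domain\SYSVOL\$Domain\Policies"
if (-not (Test-Path -LiteralPath $policies)) {
    $findings += "Cannot open $policies."
} else {
    # 4. Every GPO folder must expose a readable gpt.ini.
    Get-ChildItem -LiteralPath $policies -Directory |
        Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        ForEach-Object {
            $ini = Join-Path $_.FullName 'gpt.ini'
            if (-not (Test-Path -LiteralPath $ini)) {
                $findings += "gpt.ini missing or unreadable: $ini"
            }
        }
}

if ($findings.Count -eq 0) {
    'No client-side SYSVOL blockers found.'
} else {
    $findings
}
```

Run it on the affected member server under an account that can normally read SYSVOL; an empty findings list alongside a still-failing policy refresh points away from these client settings.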
 

Accepted Solution

by:
modulo earned 0 total points
ID: 12492185
PAQed, with points refunded (300)

modulo
Community Support Moderator
0
