pgp4privacy

Windows 2000 Advanced Server DC - Event 1202 - SceCli

Rebooted the DC last night and this morning I get this error in the Application Log:

Source:  SceCli
Security policies are propagated with warning. 0xd : The data is invalid.

For best results in resolving this event, log on with a non-administrative account and search http://support.microsoft.com for "Troubleshooting Event 1202s".

I googled around and found a couple of articles, all of which I tried, but to no end.

I have the hisecdc.inf imported into the "Domain Security Policy" and the "Domain Controller Security Policy".  In the Domain Group Policy, I have the "Default Domain Policy".

It is causing sporadic network connection problems for some of my users, but not all.  In my winlogon.log I get:

Error 13: The data is invalid. Error convert %SYSVOL%\DOMAIN\POLICIES

and in my userenv.log I get:

Process GPOs: Extension Security ProcessGroupPolicy failed, status 0xd

I have consulted MS KB 256000, but it did not work.

Any help is greatly!!!!!!!! appreciated.

Thanks,
Rob
ASKER CERTIFIED SOLUTION
sunray_2003
pgp4privacy

ASKER

I am trying your jsiinc fix now.

I had the hisec imported a while back, then I imported basicdc to troubleshoot, I think that is where the problem started.  I have recently imported hisec again as I stated above.

Is there a direct issue with re-importing the hisec that you know of?

Thanks,
Rob

No such luck my friend.

Still made another 1202 entry in the application log 5 minutes later.

Should I revert back to the basicdc.inf on the "Domain Security Policy" and the "Domain Controller Security Policy"?

Thanks,
Rob
Rob,

Not sure why it gave you another entry

Try reverting back.

Sunray
I tried a reboot before I reverted back to the basicdc.inf, and now, weird behaviour.

I terminal'd in and noticed the machine to be really lagging, like it was chomping on something.

I go to the event viewer, and notice no new SceCli warning messages (1202) like before, but instead a new SceCli information entry (1704).  I tried to open it, and it bombed on me.  I noticed right before it bombed some other Database and Logging Error entries above that information entry.

Now the machine seems too busy to answer my Terminal Service Connect attempt.

Any suggestions?

Thanks,
Rob
Rob,

check this

http://www.monitorware.com/en/events/details.asp?details_id=1917&PrinterVersion=1

It says policy applied successfully. Should be the same for Windows 2003.

Sunray
Rob,

same info
http://support.microsoft.com/?kbid=284461

Scroll down and check 1704

Sunray
Ok, new, worse issue.

Now, from a domain logged in machine, I go to browse the network. And there are zero objects shown... as if nothing is added to the domain :o

Rob
Addendum to above problem.

When trying to connect directly to a networked machine, \\<server name>, I also get:

no logon servers available to service your request.

Rob
Ok, went to the machine and logged in.

When I went up to the machine, it said "Hard Error", and I hit OK and it popped back up about 20 times.  Then it rebooted itself.

When it came back up, all seemed well, I got the following "good" entries:

Logging/Recovery:
ntfrs(1288) The database engine has successfully completed recovery steps.

ntfrs (1288) The database engine is replaying log file c:\winnt\ntfrs\jet\log\edb.log

tcpsvcs(1020) The database engine has successfully completed recovery steps.

wins(1532) The database engine has successfully completed recovery steps.

SVC:
MS DTC has started.

SceCli:
Security policy in the Group policy objects are applied successfully.

But, unfortunately, I still have some clients who cannot browse the network or connect to network servers.

And now, I get the following error for various machines:

SYSTEM LOG
IPSEC:
Received <n> packet(s) in the clear from <client ip> which should have been secured.  This could be a temporary glitch; if it persists please stop and restart the IPSec Policy Agent service on this machine.

I did restart it, but it didn't seem to help.  There are a lot of these error entries.

Thanks,
Rob




Do you have a backup of this server?

I had a ghost image, but tried to load it on another identical machine earlier, and it was corrupted.  I tell you, this is not my lucky week.

You know of any way to build another machine, migrate, and promote?

As of this morning, the errors above have stopped except the IPSEC error, which I think I can track to my gig ethernet adapter.

Also, got transaction log write errors and disk warning in my event viewer, and a "Hard Error" message popup.  Seems as though, I am having hardware issues.  Need to get this DC on another machine.

Rob
When you use DCPROMO on another machine it should synchronise the AD Directory and objects.

I will see if I can fish out a URL for you.
This link has some helpful topics:
http://www.microsoft.com/windows2000/en/server/help/

I would configure another server with AD, backup the data off the current server and restore it onto the 2nd server, and if the place is shut down on Friday afternoon/Saturday go in and test the new one on its own.

Have you an old ERD to try?

I have demoted and promoted a client machine back in to the domain, no luck.

I am having serious connection issues today...hardly anyone can connect to the network shares.  Keep getting:

<servername> network path cannot be found.

or

<drive letter> another name is already in use.

Logins are slow.

But I see no specific errors in the event viewer.

Thanks,
Rob
Even better one for you now, and I assume this complements the IPSEC errors above.  Occasionally when opening files from the file server to a domain authenticated client, and then saving them back, the file gets corrupted.

Any clues?

This is definitely a deteriorating situation, and am not sure what path to take.

Thanks,
Rob
This machine is fried beyond belief.  I am rebuilding the domain on a second machine.

Do I rebuild with same name and information?  If so, how do I migrate domain information?  Or can I?

Thanks,
Rob
I would build the new server with a new name, take over DNS, AD, etc.

If you want to move the DNS database files they are in the WINNT\SYSTEM32\DNS folder (same for WINS).

Set it up as DHCP and set the scope the same, then deactivate the scope on the current server and activate the scope on the new server.

Copy the Files over last, get AD/DNS/DHCP working first.  If you have any policies it may be worth doing them after everything else too to make sure the server is working correctly first.

Once it's been promoted, use the synchronisation of AD to copy the objects across.

Ok, I ended up just building it identical to the first box, and adding in my machines.  It worked just fine.  Just finishing up this morning.

Since the actual question was about the SceCli entry, I am awarding the points to sunray.

Thank you both for your help!

This has been a trying Microsoft moment for me.....Long Live Unix!!!

Thanks,
Rob