Windows 2000 Advanced Server DC - Event 1202 - SceCli

Rebooted the DC last night and this morning I get this error in the Application Log:

Source:  SceCli
Security policies are propagated with warning. 0xd : The data is invalid.

For best results in resolving this event, log on with a non-administrative account and search http://support.microsoft.com for "Troubleshooting Event 1202s".

I googled around and found a couple of articles, all of which I tried, but to no end.

I have the hisecdc.inf imported into the "Domain Security Policy" and the "Domain Controller Security Policy".  In the Domain Group Policy, I have the "Default Domain Policy".

It is causing sporadic network connection problems for some of my users, but not all.  In my winlogon.log I get:

Error 13: The data is invalid. Error convert %SYSVOL%\DOMAIN\POLICIES

and in my userenv.log I get:

Process GPOs: Extension Security ProcessGroupPolicy failed, status 0xd

I have consulted MS KB 256000, but it did not work.

Any help is greatly!!!!!!!! appreciated.

Thanks,
Rob
pgp4privacy Asked:

sunray_2003 Commented:

sunray_2003 Commented:

pgp4privacy (Author) Commented:
I am trying your jsiinc fix now.

I had the hisec imported a while back, then I imported basicdc to troubleshoot, I think that is where the problem started.  I have recently imported hisec again as I stated above.

Is there a direct issue with re-importing the hisec that you know of?

Thanks,
Rob

pgp4privacy (Author) Commented:
No such luck my friend.

Still made another 1202 entry in the application log 5 minutes later.

Should I revert back to the basicdc.inf on the "Domain Security Policy" and the "Domain Controller Security Policy"?

Thanks,
Rob

sunray_2003 Commented:
Rob,

Not sure why it gave you another entry

Try reverting back.

Sunray

pgp4privacy (Author) Commented:
I tried a reboot before I reverted back to the basicdc.inf, and now, weird behaviour.

I terminal'd in and noticed the machine to be really lagging, like it was chomping on something.

I go to the event viewer, and notice no new SceCli warning messages (1202) like before, but instead a new SceCli information entry (1704).  I tried to open it, and it bombed on me.  I noticed right before it bombed some other Database and Logging Error entries above that information entry.

Now the machine seems too busy to answer my Terminal Service Connect attempt.

Any suggestions?

Thanks,
Rob

sunray_2003 Commented:
Rob,

Check this

http://www.monitorware.com/en/events/details.asp?details_id=1917&PrinterVersion=1

It says policy applied successfully. Should be same for Windows 2003

Sunray

sunray_2003 Commented:
Rob,

Same info
http://support.microsoft.com/?kbid=284461

Scroll down and check 1704

Sunray

pgp4privacy (Author) Commented:
Ok, new, worse issue.

Now, from a domain logged in machine, I go to browse the network... and there are zero objects shown... as if nothing is added to the domain :o

Rob

pgp4privacy (Author) Commented:
Addendum to above problem.

When trying to connect directly to a networked machine, \\<server name>, I also get:

No logon servers available to service your request.

Rob

pgp4privacy (Author) Commented:
Ok, went to the machine and logged in.

When I went up to the machine, it said "Hard Error", and I hit OK and it popped back up about 20 times.  Then it rebooted itself.

When it came back up, all seemed well, I got the following "good" entries:

Logging/Recovery:
ntfrs(1288) The database engine has successfully completed recovery steps.

ntfrs (1288) The database engine is replaying log file c:\winnt\ntfrs\jet\log\edb.log

tcpsvcs(1020) The database engine has successfully completed recovery steps.

wins(1532) The database engine has successfully completed recovery steps.

SVC:
MS DTC has started.

SceCli:
Security policy in the Group policy objects are applied successfully.

But, unfortunately, I still have some clients who cannot browse the network or connect to network servers.

And now, I get the following error for various machines:

SYSTEM LOG
IPSEC:
Received <n> packet(s) in the clear from <client ip> which should have been secured.  This could be a temporary glitch; if it persists please stop and restart the IPSec Policy Agent service on this machine.

I did restart it, but it didn't seem to help.  There are a lot of these error entries.

Thanks,
Rob





Rob Stone Commented:
Do you have a backup of this server?  

pgp4privacy (Author) Commented:
I had a ghost image, but tried to load it on another identical machine earlier, and it was corrupted.  I tell you, this is not my lucky week.

You know of any way to build another machine, migrate, and promote?

As of this morning, the errors above have stopped except the IPSEC error, which I think I can track to my gig ethernet adapter.

Also, got transaction log write errors and disk warning in my event viewer, and a "Hard Error" message popup.  Seems as though I am having hardware issues.  Need to get this DC on another machine.

Rob

Rob Stone Commented:
When you use DCPROMO on another machine it should synchronise the AD Directory and objects.

I will see if I can fish out a URL for you.

Rob Stone Commented:
This link has some helpful topics:
http://www.microsoft.com/windows2000/en/server/help/

I would configure another server with AD, backup the data off the current server and restore it onto the 2nd server, and if the place is shut down on friday afternoon/saturday go in and test the new one on its own.

Have you an old ERD to try?

pgp4privacy (Author) Commented:
I have demoted and promoted a client machine back in to the domain, no luck.

I am having serious connection issues today... hardly anyone can connect to the network shares.  Keep getting:

<servername> network path cannot be found.

or

<drive letter> another name is already in use.

Logins are slow.

But I see no specific errors in the event viewer.

Thanks,
Rob

pgp4privacy (Author) Commented:
Even better one for you now, and I assume this complements the IPSEC errors above.  Occasionally when opening files from the file server to a domain authenticated client, and then saving them back, the file gets corrupted.

Any clues?

This is definitely a deteriorating situation, and am not sure what path to take.

Thanks,
Rob

pgp4privacy (Author) Commented:
This machine is fried beyond belief.  I am rebuilding the domain on a second machine.

Do I rebuild with same name and information?  If so, how do I migrate domain information?  Or can I?

Thanks,
Rob

Rob Stone Commented:
I would build the new server with a new name, take over DNS, AD, etc.

If you want to move the DNS database files they are in the WINNT\SYSTEM32\DNS folder (same for WINS).

Set it up as DHCP and set the scope the same, then deactivate the scope on the current server and activate the scope on the new server.

Copy the Files over last, get AD/DNS/DHCP working first.  If you have any policies it may be worth doing them after everything else too to make sure the server is working correctly first.

Once it's been promoted use the synchronisation of AD to copy the objects across.

pgp4privacy (Author) Commented:
Ok, I ended up just building it identical to the first box, and adding in my machines.  It worked just fine.  Just finishing up this morning.

Since the actual question was about the SceCli entry, I am awarding the points to sunray.

Thank you both for your help!

This has been a trying Microsoft moment for me.....Long Live Unix!!!

Thanks,
Rob