Solved

GPO Error Server 2003 DC

Posted on 2004-03-30
4
1,167 Views
Last Modified: 2010-04-19
Hi!

Event log show error 1030 / Userenv, my Server 2003 Domain controller.

When i run rsop.msc, it give User Configuration error:

Group Policy Infrastructure failed due to the error listed below.
Overlapped I/O operation is in progress.
Note:  Due to the GP Core failure, none of the other Group Policy components processed their policy.  Consequently, status information for the other components is not available.
Additional Information:
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

Other server and workstation, rsop, work well !

Thanks in advance!

- Kalle
0
Comment
Question by:Kallef1
4 Comments
 
LVL 44

Accepted Solution

by:
CrazyOne earned 250 total points
ID: 10721525
http://www.eventid.net/display.asp?eventid=1030&source=Userenv

Event ID: 1030
Source Userenv  
Type Error  
Description Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.  
Things to understand What is the Group Policy?  
Comments Adrian Grigorof (Last update 8/28/2003):
As per Q810907 (applicable to Windows XP) this may occur in conjunction with Event id 1058 and it is a confirmed (known) problem with XP. A hotfix is available.

This event is also reported in many instances of upgrades from Windows NT or Windows 2000 to Windows 2003 Server.
Some other recommendations in regards to this (from newsgroup posts) is to verify that:
- DFS service on all DCs is started and set to "Automatic"
- there are no FRS issues - (if there are, toubleshoot those first)
- TCP/IP Netbios Helper service is started and set to "Automatic"
- the "Everyone" has the "bypass traverse checking" user right
on the default domain controller policy
- the antivirus (if installed) is not scanning the sysvol or subfolders, if so, exclude it
- consider that the error description in event id 1058 ("network path not found" or "access denied") is caused by different problems and have different solutions.

Other posts from Microsoft engineer suggest that if a domain controller is multi-homed (more than 1 network card) they may experience this problem (note that "network card" could mean a physical or a virtual one - i.e. VMWare or VPN virtual adapters). The posts also indicate that the Client for Microsoft Networks and the File and Printer Sharing services have to be bound to the network adapter.

See also Q307900 on updating Windows 2000 Group Policy for Windows XP.

In some other conditions (upgrading to Windows 2003 Server), the 1030 event appears together with event id 1097 from Userenv. From a newsgroup post by a Microsoft engineer: "What is happening is that the TCP/IP Netbios Helper Service is trying to start before the KDC starts upon reboot. It corrects itself. You can safely ignore it. I am trying to get these errors suppressed in a later service pack or hotfix. You can track this running subsequent userenv and netlogon logs. See Q221833 and Q109626."

Ionut Marin (Last update 1/21/2004):
From a newsgroup post: "I connected to the Sysvol share as the current user (non- administrator), and noticed that I could get into "mydomain" directory, but when I tried to get into Policies I received "Access Denied". All of the share/file permissions were correct, allowing this user to get to the share and to traverse/read the files within it. I tracked it down to the fact that I was not allowing read access for Authenticated Users, Everyone, Domain Users, and/or the users Group from the root (C:) to the SYSVOL directory. Once I allowed Everyone, or Authenticated Users, or Domain Users read permissions to from C: -> WINNT -> SYSVOL the users were then able to receive the GPO’s".

From a newsgroup post: "Here is what you should do to get rid of this error and of Event ID 1058 on Windows Server 2003. Edit the hosts file on each domain controller. Put in the IP address for your domain controller (the local IP address should be first in the list), and then next to the IP address do not put the host name, but put the name of the domain. Then list the IP address for each domain controller in your domain, on the same hosts file (with the domain name next to it). In other words, your hosts file should look like this (if you have just two domain controllers):
<IP 1>   yourdomainname.com

<IP 2>   yourdomainname.com

Where <IP 1> = the IP address of the local domain controller for this hosts file.
Where <IP 2> = the IP address of your other domain controller.

yourdomainname.com = the name of your domain

The list would be reversed (as far as IP address) on the hosts file on the other domain controller. Yes, you need a hosts file on each domain controller".

Also check Q832215 for more details.

Daniel Conlon (Last update 10/5/2003):
After upgrading from Win2k to Win2k3 I found I was getting this error every 5 minutes in event log along with error 1053. To solve it I had set the following attributes in the Default Domain Controller Policy:
1. Network Access: Let Everyone permissions apply to anonymous users = "Enabled".
2. Network Access: Shares that can be accessed anonymously -> Add SYSVOL to the list. This is because the servers are trying to access the SYSVOL share as LocalSystem which by default does not have access to network resources.

John Poff (Last update 8/28/2003):
On Windows 2003 I received this error when I disabled TCP/IP NetBios help service. Apparently this has changed since Windows 2000. You can no longer disable this service and have access to Group Policy Objects.

Tom Holland
As per Microsoft: "This behavior may occur if both of the following conditions are true:
Your Windows XP-based computer is a member of a domain.
-and-
The Microsoft Distributed File System (DFS) client is turned off (disabled).
NOTE: The \\Active Directory Domain Name\Sysvol share is a special share that requires the DFS client to make a connection." See Q314494.

Sean Wallbridge
In the past, I was configuring Domain Controller's in a Windows 2000 domain to have the Distributed File System Services stopped and set to manual until such time as they were needed. This was a recommendation based on services that could be stopped according to Microsoft from some time ago to bring machines to a "only what is required state". We disabled DFS worldwide with Windows 2000, NT and Win98 clients with no issues incurred by this.

However, after a while I discovered I was having all sorts of Group Policy application errors on my Windows XP workstation in my Windows 2000 domain.

Looks like Windows XP speaks quite a bit differently to AD and wants/needs more information (and expects it from DFS shares - \\<domain>.<name>). In fact, from my XP machine, I tried connecting to my domain share (\\<domain>.<name>) and I was told access was denied yet it was available from Win2k machines (event ids 1030 and 1058). So, if you have Windows XP clients or just plain aren't worried about someone cranking up DFS and screwing something up somewhere, plan on leaving DFS enabled again.

Also, while working through this I discovered that besides the already cool "Resultant Set of Policy" MMC snap-in in Windows XP, there is also a "GPUPDATE" command in Windows XP which, when used with the /force switch, will blast computer policy settings to your Windows XP machine immediately.  
Our Approach This information is only available to subscribers. An example of "approach" is available here.  
Links Q221833 , Q109626 , Q307900 , Q314494 , Q810907 , Q832215 , Event id 1097 from Userenv, Event id 1058 from Userenv  
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 10721788
CrazyOne

well, 10/10 for detail there!
Cheers

JamesDS
0

Featured Post

Complete Microsoft Windows PC® & Mac Backup

Backup and recovery solutions to protect all your PCs & Mac– on-premises or in remote locations. Acronis backs up entire PC or Mac with patented reliable disk imaging technology and you will be able to restore workstations to a new, dissimilar hardware in minutes.

Join & Write a Comment

I've always wanted to allow a user to have a printer no matter where they login. The steps below will show you how to achieve just that. In this Article I'll show how to deploy printers automatically with group policy and then using security fil…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now