Solved

Windows cannot access the file gpt.ini for GPO.

Posted on 2004-08-12
Last Modified: 2008-01-09
I am running a Windows 2003 server as a Domain Controller with Domain functional level: Windows 2000 mixed and Forest functional level: Windows 2000.

Get the following two errors with Source:Userenv in the Event Log every five minutes.
1.
(a)
Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=dsrc1,DC=dsrc1,DC=com. The file must be present at the location <\\domain.com\sysvol\dsrc1.dsrc1.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied. ). Group Policy processing aborted.

(b)
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.


I then performed the following diagnostics, which led me to believe that the problem lies in DNS configuration.

2.
ping domain.com
Pinging domain.com [150.0.7.7] with 32 bytes of data:
Reply from 150.0.7.7: bytes=32 time<1ms TTL=128
Reply from 150.0.7.7: bytes=32 time<1ms TTL=128
Reply from 150.0.7.7: bytes=32 time<1ms TTL=128
Reply from 150.0.7.7: bytes=32 time<1ms TTL=128
Ping statistics for 150.0.7.7:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

3.
ping server.domain.com
Pinging server.domain.com [150.0.7.7] with 32 bytes of data:
Reply from 150.0.7.7: bytes=32 time<1ms TTL=128
Reply from 150.0.7.7: bytes=32 time<1ms TTL=128
Reply from 150.0.7.7: bytes=32 time<1ms TTL=128
Reply from 150.0.7.7: bytes=32 time<1ms TTL=128
Ping statistics for 150.0.7.7:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

4.

\\server.domain.com\SYSVOL\domain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI

The above UNC works and the file opens in Notepad.

5.

\\domain.com\SYSVOL\domain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI

The above UNC does not work and results in the following error message. Error message is part of message in the Error Log.

Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied.

6. DCDiag gives the following errors.
Note: Server2 is no longer in use.
(a)
      Starting test: KnowsOfRoleHolders
         Warning: Server2 is the Schema Owner, but is not responding to DS RPC Bind.
         [DSRC1] LDAP bind failed with error 8341,
         A directory service error has occurred..
         Warning: Server2 is the Schema Owner, but is not responding to LDAP Bind.
         Warning: Server2 is the Domain Owner, but is not responding to DS RPC Bind.
         Warning: Server2 is the Domain Owner, but is not responding to LDAP Bind.
         ......................... Server failed test KnowsOfRoleHolders

(b)
      Starting test: FsmoCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         ......................... domain.com failed test FsmoCheck

7. Running nslookup at the command prompt gives the following message.

*** Can't find server name for address 150.0.7.7: Non-existant domain
Default Server:  UnKnown
Address:  150.0.7.7

Question by:rohan_ryan

Accepted Solution

by:
youre1m earned 250 total points
ID: 11782848
You don't appear to have a Global Catalogue Server running, which is absolutely essential for your domain to function, as are the other FSMO roles. I think you should seize the role of GC on your chosen server and test again; it may not be the end answer, but until you have a GC running there's no point in looking at anything else.

Global Catalogs can be added by going into 'AD Sites and Services', then expanding down to the NTDS Settings, right-clicking and choosing Properties. Check the box for Global Catalog and check the event log to check the status (it takes a few minutes to replicate across).

The FSMO roles need to be transferred. This can be done by going into 'AD Active Directory Users....' on your new box and right-clicking the root, then selecting 'Operations Masters'; clicking Change will then transfer the role to the new DC. Do this for all three roles and that's that!!

If you get problems transferring roles then your DNS probably won't be working properly. If you get any problems you can force a transfer or use NTDSUTIL to move the roles, but this way the other controller must be down.

Also look at http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q255504

and

http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q223787
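
An added example, not part of the original thread or any poster's code: a small Python triage of DCDiag output like the excerpt in the question, pulling out the role owners that do not answer binds and the DC locator calls that failed, which are the two findings the accepted answer acts on. The function names and the wording of the suggested steps are this example's own; the sample text is the excerpt quoted in item 6 of the question.

```python
import re
from collections import defaultdict

# DCDiag excerpt copied from item 6 of the question (Server2 is the retired DC).
SAMPLE = """\
      Starting test: KnowsOfRoleHolders
         Warning: Server2 is the Schema Owner, but is not responding to DS RPC Bind.
         [DSRC1] LDAP bind failed with error 8341,
         A directory service error has occurred..
         Warning: Server2 is the Schema Owner, but is not responding to LDAP Bind.
         Warning: Server2 is the Domain Owner, but is not responding to DS RPC Bind.
         Warning: Server2 is the Domain Owner, but is not responding to LDAP Bind.
         ......................... Server failed test KnowsOfRoleHolders
      Starting test: FsmoCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         ......................... domain.com failed test FsmoCheck
"""

RESULT = re.compile(r"^\.{5,}\s*(\S+) (passed|failed) test (\S+)")
OWNER = re.compile(r"Warning:\s*(\S+) is the (.+?) Owner, but is not responding to (.+?)\.?$")
LOCATE = re.compile(r"DcGetDcName\((\w+)\) call failed, error (\d+)")

def triage(text):
    """Return (test verdicts, unresponsive role owners, failed DC locator calls)."""
    verdicts, owners, locator = {}, defaultdict(lambda: defaultdict(set)), {}
    for line in map(str.strip, text.splitlines()):
        if m := RESULT.match(line):
            verdicts[m.group(3)] = m.group(2)
        elif m := OWNER.search(line):
            server, role, bind = m.groups()
            owners[server][role].add(bind)      # bind types that went unanswered
        elif m := LOCATE.search(line):
            locator[m.group(1)] = int(m.group(2))
    owners = {s: {r: sorted(b) for r, b in roles.items()} for s, roles in owners.items()}
    return verdicts, owners, locator

def next_steps(owners, locator):
    """Map findings to the actions named in the accepted answer (wording is this example's)."""
    steps = []
    for server, roles in owners.items():
        steps.append(f"{server} owns {', '.join(sorted(roles))} but is not responding: "
                     "transfer the roles, or move them with NTDSUTIL if it is down for good")
    if "GC_SERVER_REQUIRED" in locator:
        steps.append("no Global Catalog found: tick Global Catalog under NTDS Settings on a live DC")
    return steps

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```
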

Author Comment

by:rohan_ryan
ID: 11783383
youre1m,

    Thank you for the prompt reply. Based on your answer, I have now been able to partially solve the problem.

Running DCDiag now results in both (a) Starting test: KnowsOfRoleHolders and (b) Starting test: FsmoCheck succeeding.

    The Userenv error continues to log in the database every five minutes and the other symptoms continue to exist. Are there any other checks I can perform in order to help diagnose the problem?

Regards,
Rohan


Expert Comment

by:youre1m
ID: 11785040
Well here's some checks for you to have a look through, I'm afraid I'm off home now and off tomorrow so won't be looking again till next week but a few tips at least.

It looks like the GPT.ini file may be related to replication. Are you running more than 1 DC, or have you been in the past and now it is no longer available? If no longer available you will need to ensure the old server is completely removed from AD and perform a metadata cleanup. If there are more than 1 I think you have a replication problem between the 2; try using replmon from the DC to force replication between all DCs.

Check your DNS: are you running AD integrated, secure updates only, etc.

It could be that promoting a GC has now sorted your problem and you just need the domain to replicate. Otherwise you have a problem with your policy settings; have you created any new ones that may have caused this problem?

Also use the NBTSTAT util from the command line to further investigate your DNS environment. Hope this helps, I gotta beat the traffic home!! Good luck.