Group Policy Problem

All,

I have a group policy that was previously working prior to using the Active Directory Migration Wizard to move a group of computers to a new domain.

Here is the error I receive in the application log:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 4/7/2000
Time: 4:30:46 AM
User: NT AUTHORITY\SYSTEM
Computer: MYCOMPUTER
Description: The Group Policy client-side extension Security was passed flags (17) and returned a failure status code of (3).

Microsoft state the following below as possible resolutions to this, but the question I have is, what system do I need to investigate for these registry entries? I have checked the domain controller where the policy sits, no setting, and checked the local PC for these key entries with no result. Anyone else experienced this?




CAUSE
The \\Active Directory Domain Name\Sysvol share is a special share that requires the distributed file system (DFS) client to make a connection, and a valid Domain name record in DNS. If the DFS client is disabled, the domain records are missing, or the DNS records are not being registered properly, the error messages are generated.
RESOLUTION
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

Check the following registry value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mup
DisableDFS: REG_DWORD: range: 0 or 1
0 = enabled; 1 = disabled
Default: 0
Make sure that the value is set to 0, enabling the Dfs client. Also, File and Printer Sharing for Microsoft Networks must be enabled on the interface.

Verify the DNS Forward Lookup Zone has the correct A records for the domain name and domain controllers. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
258213 Registration of gc._msdcs.DnsForestName Records Is Required
To ensure the DNS Records are being registered, verify the following registry setting:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Value: RegisterDnsARecords
Data type: REG_DWORD
Default value: 1 (1=Enabled, 0=Disabled)
sysbw1 Asked:

Debsyl99 Commented:
Hi
I think it's basically asking you to check that these items aren't disabled in the registry - If there's no item there then they usually aren't. Some registry keys need to be specifically added by someone or some process to disable services etc, after which you need to change the assigned value to enable or disable that particular referenced service.

I'd check DNS - that the zones have the correct host records for the domain controller, are Active Directory integrated and will accept dynamic updates. Then at the client type from a command prompt ipconfig /registerdns - check the event log after 15 minutes for any problems. The client NIC must be pointing at your internal DNS DC server for preferred DNS. Check for any DNS errors on the server, and if that doesn't work try rejoining a machine to the domain,

Deb :))
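
The checks discussed above, as an added example that is not part of the original thread or the Microsoft article: a read-only PowerShell script that reports the effective value of the two registry settings (treating an absent value as its documented default), then tests DNS resolution of the domain name and access to its SYSVOL share. The domain name `corp.example.com` is a placeholder assumption. The DFS client value is read on the machine logging the error; the Netlogon value governs a domain controller's own DNS registration, so run that check on the DCs.

```powershell
# Added example, not from the thread. Read-only: it changes nothing.
# Assumption: 'corp.example.com' is a placeholder for your AD DNS domain name.
param([string]$DomainDnsName = 'corp.example.com')

# Value names and defaults as quoted from the Microsoft article in the question.
$checks = @(
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Mup'
       Name = 'DisableDFS'; Default = 0; Expected = 0 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name = 'RegisterDnsARecords'; Default = 1; Expected = 1 }
)

$results = foreach ($c in $checks) {
    # A missing key or value is not an error: the documented default applies.
    $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    $present = $null -ne $item
    $effective = if ($present) { $item.($c.Name) } else { $c.Default }
    New-Object PSObject -Property @{
        Check  = $c.Name
        OK     = ($effective -eq $c.Expected)
        Detail = if ($present) { "set to $effective" } else { "absent, default $effective applies" }
    }
}

# DNS: the domain name itself must resolve to A records for the share to be found.
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($DomainDnsName)
    $dns = New-Object PSObject -Property @{
        Check = 'DNS A records'; OK = ($addrs.Count -gt 0); Detail = ($addrs -join ', ')
    }
} catch {
    $dns = New-Object PSObject -Property @{
        Check = 'DNS A records'; OK = $false; Detail = $_.Exception.Message
    }
}

# SYSVOL: reached through the domain name, which needs the DFS client and DNS.
$share = "\\$DomainDnsName\SYSVOL"
$sysvol = New-Object PSObject -Property @{
    Check = 'SYSVOL share'; OK = (Test-Path -Path $share); Detail = $share
}

@($results) + $dns + $sysvol | Format-Table Check, OK, Detail -AutoSize
```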
sysbw1 Author Commented:
Hi Deb and thanks for responding.

I attempted ipconfig /registerdns and it did not return any errors. It also unfortunately did not return any results, the problem still remained.

I also verified that the address records in the DNS server, both onsite and remote were correct.

Per your recommendation, I took my computer out of the domain altogether, and deleted my computer from AD. I then replicated with my partners and then joined my computer again. Unfortunately my problem still remains.

Do you have any additional thoughts?
Debsyl99 Commented:
Yep - it's just Friday night here now and it's also bonfire nights for us Brits, so if it's ok I'll come back to you on Monday - Have a good weekend,
Deb :))
sysbw1 Author Commented:
No problem whatsoever. I was sleeping like a baby early this morning! :) Talk to you then.
Debsyl99 Commented:
Event ID: 1000
http://www.eventid.net/display.asp?eventid=1000&eventno=136&source=Userenv&phase=1

Hi
Have a good work through the above article - userenv errors are notorious for having many causes. It sounds like it is most likely related to your migration, so I'd check that the sysvol is shared properly, has correct permissions on it, and that valid accounts are referenced in the affected group policies. I'd also check that the PCs are members of the domain computers group and users are members of the domain users group, as the failure status code of 3 means "the system cannot find the path specified" which is possibly related to the sysvol and the system's inability to find it. This usually means a permissions issue,

Deb :))
sysbw1 Author Commented:
Myself and another co-worker working the problem with me, have (for the most part) reached the same conclusion and looking further we think it all boils down to replication issues.

BTW, I love the web site. I will have to keep that one in my back pocket.

Here is our plan so far, and I am curious on your thoughts.

In total, we have migrated 3 DCs that function as global catalogs at their respective sites. At each site, we created a temp DC to function as a global catalog on the destination domain. We think this may have been our first mistake. We would run the migration on the PCs, once a site was complete, demote from old domain and promote the DC into the new domain, then demote the temp DC.

Since all three sites now are completely migrated over, they no longer have a temp dc acting as the global catalog, rather the primary DC.

The Plan: One site at a time, demote the DC and wait for replication. We figured we would wait one hour after demotion for replication to sort everything out. We will have 4 passes of directory migration in that hour. Once we have 4 passes, promote the DC again into the domain, make it the global catalog and let Active Directory create the replication partners automatically.
Debsyl99 Commented:
Hi
Do you have a firewall between these sites? Are these DCs configured as site servers within AD Sites and Services, with separate subnets/sitelinks? Have you any events logged on the servers? How have you got DNS set up on these servers? It's possible to get DNS islanding which will interfere with replication, although a quick workaround for this would be to point the site server at the main DNS server for the domain as preferred DNS server in TCP/IP and itself as secondary. If it is a replication problem, then these tools should help you determine what, and may enable you to resolve the issue without running dcpromo, as if it is a replication issue, then dcpromo may not be successful. The following links may or may not be of use (I am hoping that they are!)
How To Use DNSLint to Troubleshoot Active Directory Replication Issues
http://support.microsoft.com/kb/321046
Using Repadmin.exe to Troubleshoot Active Directory Replication
http://support.microsoft.com/kb/229896
Active Directory Operations Overview
Troubleshooting Active Directory Replication Problems
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part1/adogd12.mspx
Active Directory Replication over Firewalls
http://www.microsoft.com/serviceproviders/columns/config_ipsec_P63623.asp
DNS Server Becomes an Island When a Domain Controller Points to Itself for the _Msdcs.ForestDnsName Domain
http://support.microsoft.com/default.aspx?scid=kb;en-us;275278&id=kb;en-us;275278

Deb :))
sysbw1 Author Commented:
Hi Deb,

Thank you very much for all that you have provided. I gave all points to the last post. I will be sure to update with a status and what was the most help in directly dealing with the issue. Thanks again, very much, for all the help and guidance! :)
Debsyl99 Commented:
Thanks - let me know how it goes :))
Windows 2000


Question has a verified solution.
