GPO Access Issue.  1058 and 1030 Event ID.  Please help

Posted on 2004-11-12
Last Modified: 2007-12-19
System Details:
(2) Windows 2003 Domain controllers
Both DC are DNS servers.

We are having an issue with GPO.  We are receiving Event ID 1058 and 1030.  I have searched and reviewed all forum documents concerning these errors, but to no avail we are still having these errors.  We cannot modify our GPO and the workstations are receiving the same error.  The following links we have reviewed and tried there are many more but most of these have sublinks.;en-us;Q314494

Some things that we have run into that were not mentioned in the previous links and related links.
1) When you go to "Start/Program Files/ Admin Tools/Domain Control Security Policy or Domain Security Policy" The error received is titled "Group Policy Error" Error message is "Failed to open Group Policy Object.  You may not have appropriate rights."  In the details window reads "Configuration information could not be read from the Domain Controller, either because the machine is unavailable, or access has been denied."

2)  When you go the “\\\sysvol” folder and right click to properties.  Click the DFS tab.  The window titled “Referral list” has our 2 servers in it.  Server 1 shows to be active and Server 2 is not.  When you click the “Check Status” button, when Server 1 is highlighted, it shows an “Unreachable” status, but if you click status on Server 2, its Okay status.  We have tried to make Server 2 active and still receive the same errors.

3)  From the either 2003 servers and any XP workstation, you cannot reach from the “Run”  \\\sysvol\.  You receive an error
“\\\sysvol is not accessible.  You might not have the permission to use this network resource.  Contact the Administrator of this server to find out if you have access permission.

Configuration information could not be read from the Domain Controller, either because the machine is unavailable, or access has been denied”.  

The funny thing is that if you go to the \\server1\sysvol you get full access from each server and any workstations.

Any help would be much appreciated.  Thank you.
Question by:tkawika
    LVL 16

    Expert Comment

    Active directory relies heavily on DNS
    so that should be working perfectly before looking elsewhere.

    Check your TCP/IP settings on the server...
    Your DNS settings there could be misconfigured.
    REmove any references to DNS servers on all the adapters
    this forces the server to look at itself as the DNS server.
    (of course this assumes that the local server has a DNS server installed on it)
    Do the same for other DCs in the domain.
    The DNS servers should be configured to use forwarders for foreign domains.

    Does that sort your problem?

    Author Comment

    Will try these and get back to you.  Thanks
    LVL 4

    Expert Comment

    Have you removed/Edited the Default GPO on the Domain Controllers Organizational Unit?  That could be another cause of the problem.

    Here's a link to the error that you specified:;en-us;828760

    Here's a link concerning GPO Permissions for the Sysadmins:;en-us;294257

    There's also a KB doc that I can't find at the moment that gives information as to what happens when the Default GPO for the Domain Controllers OU is removed/tampered with.  Basically, it explains that you shouldn't modify the policy, but create a new policy to change the settings.  Do a search on for "Removing Default GPO Domain Controller" and you should be able to find it.

    Author Comment

    Its fixed!!!!!!!!!!!!!!!!!This one for the ages.  We had hired four separate contractors to come in none were able to give us much help and now we are calling Microsoft.  We were on the phone with Microsoft for 15 and half hours.  From 9am 11/24 to 1:30am 11/25.  They were great and very knowledgeable.  One of my techs was on the phone for 10 straights hours, I was on the phone for the 5.5 hours.  At one point we had 5 Microsoft technicians/ consultants on a sharing session on our servers.  This kind of gives you a background on what we been through here.

    Its was a very long day, it is about 1:10am on Thanksgiving and we all want to go home.  The tech is now explaining that he would like his networking department look at a network monitoring log and see where the traffic is going or what it is doing when its trying to get to the SYSVOL folder.  Because after many gyrations and fixes  \\\sysvol still doesn't work from any workstation and servers.  So we are about to close the sharing session and in the process of setting up a Monday session, when on the phone background you can hear "that’s it, it has to be it!!!" from one of the other techs working on it at Microsoft.  Both myself and the tech I am speaking too look at the sharing session screen and on the screen on the new pdc we promoted is AD Domains and Trust window and the trust properties on the domain.  In that Trusts area, they were 4 items.  3 Child domains and one realm domain.  The realm domain was with a transitive trust.  This was not supposed to be there and it was removed promptly.  You could hear the air leave the room when servers were rebooted and Event ID's 1030 and 1058 were nowhere to be found in the Applications Event viewer.  Checked a workstation and it was also showing no signs of the previous errors.  This was a bitter sweet moment, we through some many different fixes that my and my tech heads were spinning, and it was just a trust issue.  Simple 5 minute job.  I apologize for anyone looking for the fast answer.  I feel I am just in giving story behind the madness of our issues.  Below, is the short version I hope this helps.

    Check Trusts, if there is a REALM trust with another DC on the same domain.  Remove it.  Reboot servers.  It will work.  If it doesn't and you have tried every other KB or article from above, call Microsoft.



    Accepted Solution

    PAQed with points refunded (500)

    Community Support Moderator

    Featured Post

    IT, Stop Being Called Into Every Meeting

    Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

    Join & Write a Comment

    Sometimes a user will call me frantically, explaining that something has gone wrong and they have tried everything (read - they have messed it up more and now need someone to clean up) and it still does no good, can I help them?!  Usually the standa…
    I. Introduction There's an interesting discussion going on now in an Experts Exchange Group — Attachments with no extension ( This reminded me of questions tha…
    how to add IIS SMTP to handle application/Scanner relays into office 365.
    Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

    733 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    17 Experts available now in Live!

    Get 1:1 Help Now