tkawika

asked on

GPO Access Issue. 1058 and 1030 Event ID. Please help

System Details:
(2) Windows 2003 Domain controllers
Both DC are DNS servers.

We are having an issue with GPO.  We are receiving Event ID 1058 and 1030.  I have searched and reviewed all forum documents concerning these errors, but to no avail; we are still having these errors.  We cannot modify our GPO, and the workstations are receiving the same error.  We have reviewed and tried the following links; there are many more, but most of these have sublinks.

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q314494
https://www.experts-exchange.com/questions/21009677/Group-Policy-problems-Client-PC-can't-receive-GPT-ini-from-the-PDC.html?query=gpt.ini&clearTAFilter=true
https://www.experts-exchange.com/questions/21091244/Windows-cannot-access-the-file-gpt-ini-for-GPO.html?query=gpt.ini&clearTAFilter=true

Some things that we have run into that were not mentioned in the previous links and related links.
1) When you go to "Start/Program Files/ Admin Tools/Domain Control Security Policy or Domain Security Policy", the error received is titled "Group Policy Error". The error message is "Failed to open Group Policy Object.  You may not have appropriate rights."  The details window reads "Configuration information could not be read from the Domain Controller, either because the machine is unavailable, or access has been denied."

2)  When you go to the “\\domain.com\sysvol” folder, right click to properties and click the DFS tab, the window titled “Referral list” has our 2 servers in it.  Server 1 shows to be active and Server 2 is not.  When you click the “Check Status” button with Server 1 highlighted, it shows an “Unreachable” status, but if you click status on Server 2, it shows an Okay status.  We have tried to make Server 2 active and still receive the same errors.

3)  From either of the 2003 servers and any XP workstation, you cannot reach \\domain.com\sysvol\ from “Run”.  You receive an error:
 
“\\domain.com\sysvol is not accessible.  You might not have the permission to use this network resource.  Contact the Administrator of this server to find out if you have access permission.

Configuration information could not be read from the Domain Controller, either because the machine is unavailable, or access has been denied”.  

The funny thing is that if you go to the \\server1\sysvol you get full access from each server and any workstations.

Any help would be much appreciated.  Thank you.
Joseph Nyaema

Active directory relies heavily on DNS
so that should be working perfectly before looking elsewhere.

Check your TCP/IP settings on the server...
Your DNS settings there could be misconfigured.
Remove any references to DNS servers on all the adapters
this forces the server to look at itself as the DNS server.
(of course this assumes that the local server has a DNS server installed on it)
Do the same for other DCs in the domain.
The DNS servers should be configured to use forwarders for foreign domains.

Does that sort your problem?
tkawika

ASKER

Will try these and get back to you.  Thanks
Have you removed/edited the Default GPO on the Domain Controllers Organizational Unit?  That could be another cause of the problem.

Here's a link to the error that you specified:
http://support.microsoft.com/default.aspx?scid=kb;en-us;828760

Here's a link concerning GPO Permissions for the Sysadmins:
http://support.microsoft.com/default.aspx?scid=kb;en-us;294257

There's also a KB doc that I can't find at the moment that gives information as to what happens when the Default GPO for the Domain Controllers OU is removed/tampered with.  Basically, it explains that you shouldn't modify the policy, but create a new policy to change the settings.  Do a search on http://support.microsoft.com for "Removing Default GPO Domain Controller" and you should be able to find it.
tkawika

ASKER

It's fixed!!!!!!!!!!!!!!!!! This one is for the ages.  We had hired four separate contractors to come in; none were able to give us much help, and now we are calling Microsoft.  We were on the phone with Microsoft for 15 and a half hours, from 9am 11/24 to 1:30am 11/25.  They were great and very knowledgeable.  One of my techs was on the phone for 10 straight hours; I was on the phone for the 5.5 hours.  At one point we had 5 Microsoft technicians/consultants on a sharing session on our servers.  This kind of gives you a background on what we have been through here.

It was a very long day; it is about 1:10am on Thanksgiving and we all want to go home.  The tech is now explaining that he would like his networking department to look at a network monitoring log and see where the traffic is going or what it is doing when it's trying to get to the SYSVOL folder, because after many gyrations and fixes \\domain.com\sysvol still doesn't work from any workstation or server.  So we are about to close the sharing session and are in the process of setting up a Monday session, when in the phone background you can hear "that’s it, it has to be it!!!" from one of the other techs working on it at Microsoft.  Both myself and the tech I am speaking to look at the sharing session screen, and on the screen, on the new PDC we promoted, is the AD Domains and Trust window and the trust properties on the domain.  In that Trusts area, there were 4 items: 3 child domains and one realm domain.  The realm domain was Server1.domain.com with a transitive trust.  This was not supposed to be there and it was removed promptly.  You could hear the air leave the room when the servers were rebooted and Event IDs 1030 and 1058 were nowhere to be found in the Applications Event viewer.  We checked a workstation and it was also showing no signs of the previous errors.  This was a bittersweet moment; we threw so many different fixes at it that my and my tech's heads were spinning, and it was just a trust issue.  Simple 5 minute job.  I apologize to anyone looking for the fast answer.  I feel I am just in giving the story behind the madness of our issues.  Below is the short version; I hope this helps.

FIX:
Check Trusts. If there is a REALM trust with another DC on the same domain, remove it.  Reboot servers.  It will work.  If it doesn't and you have tried every other KB or article from above, call Microsoft.

Tkawika
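
The check described in the fix above, as an added example that is not part of the original thread: it lists the domain's trusts through the .NET `System.DirectoryServices.ActiveDirectory` classes, flags any realm (Kerberos-type) trust whose target name is one of the domain's own DCs, and compares access to the domain-based SYSVOL path with each DC's own share. It assumes PowerShell 2.0 or later on a domain-joined machine and an account that can read the directory.

```powershell
# Added example (not from the thread): audit trusts for a realm trust that
# points at a domain controller of the same domain, then compare SYSVOL paths.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# FQDNs of every DC in the current domain, lower-cased for comparison.
$dcNames = @($domain.DomainControllers | ForEach-Object { $_.Name.ToLower() })

# A realm trust is reported by this API as TrustType "Kerberos".
$realmType = [System.DirectoryServices.ActiveDirectory.TrustType]::Kerberos

$trusts = foreach ($trust in $domain.GetAllTrustRelationships()) {
    $isRealm    = $trust.TrustType -eq $realmType
    $targetIsDc = $dcNames -contains $trust.TargetName.ToLower()
    New-Object PSObject -Property @{
        Target    = $trust.TargetName
        TrustType = $trust.TrustType
        Direction = $trust.TrustDirection
        Suspect   = ($isRealm -and $targetIsDc)
    }
}
$trusts | Format-Table Target, TrustType, Direction, Suspect -AutoSize

$suspects = @($trusts | Where-Object { $_.Suspect })
foreach ($s in $suspects) {
    Write-Warning "Realm trust '$($s.Target)' has the same name as a DC in $($domain.Name)."
}

# Symptom from the question: \\<domain>\sysvol fails while \\<server>\sysvol works.
$paths = @("\\$($domain.Name)\SYSVOL") + @($dcNames | ForEach-Object { "\\$_\SYSVOL" })
foreach ($p in $paths) {
    New-Object PSObject -Property @{
        Path      = $p
        Reachable = (Test-Path -Path $p)
    }
} | Format-Table Path, Reachable -AutoSize

if ($suspects.Count -eq 0) {
    Write-Output "No realm trust matches a DC name in $($domain.Name)."
}
```

The script only reports; any trust it flags still has to be reviewed and removed in AD Domains and Trusts, as in the fix above.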
