Failed to open the Group Policy Object. You may not have appropriate rights. The specified domain either does not exist or could not be contacted.

Posted on 2006-05-19
Last Modified: 2008-02-01
Hi Everyone,

I am having an issue with accessing the Domain Controller Security Policy and Domain Security Policy consoles on all of the 3 DCs in our domain. The error is:

Group Policy Error
Failed to open the Group Policy Object. You may not have appropriate rights.
The specified domain either does not exist or could not be contacted.

The shortcut to Domain Controller Security Policy is:
C:\WINDOWS\system32\dcpol.msc /gpobject:"LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=australia,DC=office"

The shortcut to Domain Security Policy is:
C:\WINDOWS\system32\dompol.msc /gpobject:"LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=australia,DC=office"

I have done netdiag, dcdiag, looked at a hundred KB articles and forum posts, but nothing fits/fixes the issue.

A little background. There is one DC in Australia (ERNIE) and there are two DCs in Seattle (DC03 and DATA03). The Seattle DCs used to be on a different domain but were renamed to the Australian domain. I think it is this domain renaming that is the root of the issues. There are still entries in the DNS (all 3 DCs are DNS servers) that point to the old domain. I've paused the zones relating to the old domain in all 3 DNS servers. All of the replication is working well. No Event Log errors to really speak of. The only issue I have other than the error mentioned is that on both of the Seattle DCs (DC03 and DATA03) the netlogon.dns file in C:\WINDOWS\SYSTEM32\CONFIG has double entries for almost everything: one line entry for the new domain and a duplicate line for the old domain. I've gone through and removed the lines referring to the old domain, but when I restart the Netlogon service the entries reappear.

The only issue in the dcdiag and netdiag logs was this:

   Running enterprise tests on :
      Starting test: Intersite
         Doing intersite inbound replication test on site Seattle:
            Locating & Contacting Intersite Topology Generator (ISTG) ...
               *Warning: ISTG time stamp is 26660 minutes old on DC03.  Looking for a new ISTG.
               *Warning: The next ISTG could not be authoratively determined for site Seattle.  A DC should make an ISTG failover attempt in 25 minutes.
               * Warning: Current ISTG failed, ISTG role should be taken by DATA03 in 25 minutes.
            Checking for down bridgeheads ...
               Bridghead Brisbane\ERNIE is up and replicating fine.
               Bridghead Seattle\DC03 is up and replicating fine.
            Doing in depth site analysis ...
               All expected sites and bridgeheads are replicating into site
         Doing intersite inbound replication test on site Brisbane:
            Locating & Contacting Intersite Topology Generator (ISTG) ...
               *Warning: ISTG time stamp is 27878 minutes old on ERNIE.  Looking for a new ISTG.
               ***Error: The current ISTG is down in site Brisbane and further dcdiag could not contact any other servers in the site that could take the ISTG role.  Ensure there is at least one up DC.
               Must abandon inbound intersite replication test for this site.
               *Warning: Could not locate the next ISTG or site Brisbane.  Using the last known ISTG ERNIE as the ISTG.
               The ISTG for site Brisbane is: ERNIE.
            Checking for down bridgeheads ...
               Bridghead Seattle\DC03 is up and replicating fine.
               Bridghead Brisbane\ERNIE is up and replicating fine.
            Doing in depth site analysis ...
               All expected sites and bridgeheads are replicating into site
         ......................... passed test Intersite

One other thing that some KB articles make reference to is the DNS settings on the NICs in the servers. At this stage, ERNIE has itself as the primary DNS and DC03 as the secondary. Vice versa for DC03 (itself as primary, ERNIE as secondary). DATA03 has DC03 as primary and itself as secondary. None of them have any external DNS servers entered in their NIC settings.

The FSMO roles are as follows:

Schema owner
Domain role owner
PDC role
RID pool manager
Infrastructure owner

DC03 and ERNIE are Global Catalog servers.

The replication is set up to happen between DC03 and ERNIE and DC03 and DATA03.

All of the servers are Windows 2003.

I am sure I've forgotten something, but if you need any more info, please let me know. I am hoping someone can point me in the right direction, because I've been fighting with this for a day and a half now.

Question by:btechsyd
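The snap-in error above is produced when dcpol.msc / dompol.msc binds to the LDAP path in its /gpobject argument and then tries to open the GPO's SYSVOL folder and locate a DC for the domain named in those paths. The script below is an added diagnostic example, not part of the original question or any answer: it parses the two shortcut command lines quoted above, performs the same LDAP bind the snap-in does with the current user's credentials, reads gPCFileSysPath (the attribute that gpfixup rewrites after a rendom, and which otherwise still names the pre-rename domain), checks whether that UNC path is reachable, and then walks the _ldap._tcp SRV records for the domain to flag targets that do not resolve or that still carry the old suffix (the netlogon.dns duplicates described in the question). Assumptions, all the example's own: it is run on a DC as a domain admin; Resolve-DnsName from the DnsClient module is available (Windows Server 2012 or later, so the poster's Server 2003 boxes would need nslookup -type=SRV instead); and the old domain name is a placeholder, since the question never states it.

```powershell
# Added diagnostic script (not from the original post). Assumed: run on a DC as
# a domain admin; DnsClient module present (Resolve-DnsName, Server 2012+).
param(
    [string]$NewDomainDns = 'australia.office',   # from the LDAP paths in the question
    [string]$OldDomainDns = 'olddomain.local'     # assumed placeholder; the post never names the old domain
)

# The two shortcut command lines quoted in the question. The LDAP path is
# extracted from /gpobject exactly as dcpol.msc / dompol.msc receive it.
$shortcuts = @(
    'C:\WINDOWS\system32\dcpol.msc /gpobject:"LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=australia,DC=office"',
    'C:\WINDOWS\system32\dompol.msc /gpobject:"LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=australia,DC=office"'
)

function Get-GpoPathFromShortcut {
    param([string]$CommandLine)
    if ($CommandLine -match '/gpobject:"(LDAP://[^"]+)"') { return $Matches[1] }
    throw "No /gpobject argument found in: $CommandLine"
}

function Test-GpoObject {
    param([string]$LdapPath, [string]$ExpectedDomainDns)
    $result = [ordered]@{
        LdapPath = $LdapPath; Bound = $false; DisplayName = $null; SysvolPath = $null
        SysvolDomainMatches = $false; SysvolReachable = $false; Error = $null
    }
    try {
        # Same bind the snap-in performs, using the caller's credentials. A failure
        # here is the "may not have appropriate rights / domain could not be contacted" case.
        $gpo = [ADSI]$LdapPath
        $result.DisplayName = [string]$gpo.displayName
        $result.SysvolPath  = [string]$gpo.gPCFileSysPath
        $result.Bound = $true

        # gPCFileSysPath is \\<domain>\sysvol\<domain>\Policies\{GUID}. After a
        # domain rename it keeps the OLD domain name until gpfixup rewrites it,
        # and the snap-in then tries to open SYSVOL on a domain that no longer exists.
        if ($result.SysvolPath -match '^\\\\([^\\]+)\\') {
            $result.SysvolDomainMatches = ($Matches[1] -ieq $ExpectedDomainDns)
        }
        $result.SysvolReachable = [bool]($result.SysvolPath -and (Test-Path -LiteralPath $result.SysvolPath))
    } catch {
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}

function Test-DomainSrvRecords {
    param([string]$DomainDns, [string]$StaleDomainDns)
    # _ldap._tcp.<domain> is what the DC locator queries. Every SRV target must
    # resolve to an address, and none should still carry the pre-rename suffix.
    $srv = Resolve-DnsName -Name "_ldap._tcp.$DomainDns" -Type SRV -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' }
    foreach ($rec in $srv) {
        $a = Resolve-DnsName -Name $rec.NameTarget -Type A -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Target    = $rec.NameTarget
            Port      = $rec.Port
            Resolves  = [bool]$a
            StaleName = $rec.NameTarget.ToLower().EndsWith($StaleDomainDns.ToLower())
        }
    }
}

foreach ($cmd in $shortcuts) {
    Test-GpoObject -LdapPath (Get-GpoPathFromShortcut $cmd) -ExpectedDomainDns $NewDomainDns | Format-List
}
Test-DomainSrvRecords -DomainDns $NewDomainDns -StaleDomainDns $OldDomainDns | Format-Table -AutoSize
```

Run it once on each DC. Bound=False with an LDAP error points at name resolution or rights for the bind itself; Bound=True with SysvolDomainMatches=False means the GPO still references the old domain in gPCFileSysPath (the gpfixup case kprad asks about below); SysvolReachable=False with a matching name points at SYSVOL/DFS replication or share permissions rather than Group Policy. Any SRV target with StaleName=True is a record that Netlogon is still re-registering for the old domain and will keep reappearing until the DC's own registration (netlogon.dns) stops generating it.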

    Expert Comment

    by:Kini pradeep
    After using the domain rename tool, were these servers DC03 and DATA03 in the same forest, and at what level (another domain in the same forest / a child domain)? And did you run gpfixup after completing the rendom?

    Author Comment

    Hey kprad, the servers were both on the same level before and after the rename. Both of them are at the top level of the domain. Just to give you some more info, the way we did the rename was to rename the domain following the MS document step-by-step. Once the rename was complete, ERNIE (in Australia) was joined to the domain and made a DC. We did run gpfixup and there were no errors. In fact, there were no errors or issues during the whole process. It was almost too easy.

    Accepted Solution

    PAQed with points refunded (500)

    Community Support Moderator
