
Failed to open group policy object

Posted on 2006-06-08
Last Modified: 2009-03-28
I have been given the task of fixing this issue and I don't know the events that led up to this.  The problem is that I am getting the following error when I try to open up the Group Policy Object:

Failed to open the group policy object.  You may not have appropriate rights.
Details: The system cannot find the path specified.

This domain is running two Win2k domain controllers; from what I gather, one was recently added and one was recently removed to replace an older server.  I have checked all the FSMO roles and they are fine.  However, when I browse to WINNT/SYSVOL/SYSVOL/DOMAINNAME, the only folder in there is "DO_NOT_REMOVE_NtFrs_PreInstall_Directory" and nothing else.  So I am pretty sure that this is the problem.  How do I go about rebuilding the default domain controller policy with the minimal amount of impact on the domain?

Thanks
Question by:brennon
Expert Comment

by:Kini pradeep
ID: 16861427
That would depend on how many DCs you have in the domain.
Was the DC removed gracefully?
And had the DC which was added replicated with the other DCs?

1. How many DCs are currently in the domain? If more than one, do any of the others have SYSVOL intact with all the folders?

2. On the DC, under c:\winnt\sysvol, do you see the following:

domain
staging
staging area and sysvol.
Under domain there would be policies and script, and under policies are there the 31b and 6AC?
What do you see under the DO_NOT_REMOVE_NtFrs_PreInstall_Directory?

3. Type net share on cmd; does it show netlogon and sysvol?
Can you also run a Dcdiag /v on that DC and paste the errors?

And if you need to recreate the policies, then do you use certificate services or file encryption in the domain?
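
The folder check in step 2 can be scripted. The following is an added example, not code from the thread: it audits a SYSVOL domain folder for the `Policies` and `scripts` directories and for the two default GPO folders (the "31b" and "6AC" GUIDs). It assumes the path passed in is the domain folder (for example `\\<dc>\SYSVOL\<domain>`); the function names are hypothetical.

```python
import os
import sys

# Well-known GUIDs of the two built-in GPOs (the "31b" and "6AC" folders).
DEFAULT_GPOS = {
    "{31B2F340-016D-11D2-945F-00C04FB984F9}": "Default Domain Policy",
    "{6AC1786C-016F-11D2-945F-00C04FB984F9}": "Default Domain Controllers Policy",
}

def _child(parent, name):
    """Case-insensitive lookup of an entry in parent; full path or None."""
    for entry in os.listdir(parent):
        if entry.lower() == name.lower():
            return os.path.join(parent, entry)
    return None

def audit_sysvol(domain_dir):
    """Return a list of problems found under the SYSVOL domain folder.

    An empty list means both default GPO folders, their GPT.INI files,
    and the scripts folder (the source of the NETLOGON share) are present.
    """
    if not os.path.isdir(domain_dir):
        return [f"{domain_dir}: path not found"]
    problems = []
    if _child(domain_dir, "scripts") is None:
        problems.append("scripts folder missing (NETLOGON has nothing to share)")
    policies = _child(domain_dir, "Policies")
    if policies is None:
        problems.append("Policies folder missing")
    for guid, name in DEFAULT_GPOS.items():
        gpo = _child(policies, guid) if policies else None
        if gpo is None:
            problems.append(f"{name} {guid}: folder missing")
        elif _child(gpo, "GPT.INI") is None:
            problems.append(f"{name} {guid}: GPT.INI missing")
    return problems

if __name__ == "__main__":
    # Usage (path is an assumption): python audit_sysvol.py \\<dc>\SYSVOL\<domain>
    found = audit_sysvol(sys.argv[1])
    for line in found or ["SYSVOL layout looks intact"]:
        print(line)
    sys.exit(1 if found else 0)
```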

Author Comment

by:brennon
ID: 16861616
There are currently 2 DCs in the domain.  Yes, the controller was gracefully removed.  I have checked both controllers and they are both showing the same thing: I do not see any folders/files under the c:\winnt\sysvol\domain and there is nothing under DO_NOT_REMOVE_NtFrs_PreInstall_Directory.

When I run net share I see the sysvol folder being shared but not netlogon.

DC Diagnosis

Performing initial setup:
   * Verifing that the local machine server11, is a DC.
   * Connecting to directory service on server server11.
   * Collecting site info.
   * Identifying all servers.
   * Found 2 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial non skippeable tests

   Testing server: MyDomain\Server11
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... Server 11 passed test Connectivity

Doing primary tests

   Testing server: MyDomain\Server11
      Starting test: Replications
         * Replications Check
         ......................... Server11 passed test Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Starting test: NCSecDesc
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=MyDomain,DC=com
         * Security Permissions Check for
           CN=Configuration,DC=MyDomain,DC=com
         * Security Permissions Check for
           DC=MyDomain,DC=com
         ......................... Server11 passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         ......................... Server11 passed test NetLogons
      Starting test: Advertising
         The DC Server11 is advertising itself as a DC and having a DS.
         The DC Server11 is advertising as an LDAP server
         The DC Server11 is advertising as having a writeable directory
         The DC Server11 is advertising as a Key Distribution Center
         The DC Server11 is advertising as a time server
         The DS Server11 is advertising as a GC.
         ......................... Server11 passed test Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=Server11,CN=Servers,CN=Syne
y,CN=Sites,CN=Configuration,DC=MyDomain,DC=com
         Role Domain Owner = CN=NTDS Settings,CN=Server11,CN=Servers,CN=Syne
y,CN=Sites,CN=Configuration,DC=MyDomain,DC=com
         Role PDC Owner = CN=NTDS Settings,CN=Server11,CN=Servers,CN=Synergy
N=Sites,CN=Configuration,DC=MyDomain,DC=com
         Role Rid Owner = CN=NTDS Settings,CN=Server11,CN=Servers,CN=Synergy
N=Sites,CN=Configuration,DC=MyDomain,DC=com
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=Server33,CN=
rvers,CN=Synergy,CN=Sites,CN=Configuration,DC=MyDomain,DC=com
         ......................... Server11 passed test KnowsOfRoleHolders
      Starting test: RidManager
         * Available RID Pool for the Domain is 10904 to 1073741823
         * Server11.MyDomain.com is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 8392 to 8891
         * rIDNextRID: 8527
         * rIDPreviousAllocationPool is 8392 to 8891
         ......................... Server11 passed test RidManager
      Starting test: MachineAccount
         * SPN found :LDAP/Server11.MyDomain/MyDomain
         * SPN found :LDAP/Server11.MyDomain
         * SPN found :LDAP/Server11
         * SPN found :LDAP/Server11.MyDomain/MyDomain
         * SPN found :LDAP/fa4335b1-89b5-4087-b518-093cb0034635._msdcs.MyDomain
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/fa4335b1-89b5-4087-
18-093cb0034635/MyDomain
         * SPN found :HOST/Server11.MyDomain/MyDomain
         * SPN found :HOST/Server11.MyDomain
         * SPN found :HOST/Server11
         * SPN found :HOST/Server11.MyDomain/MyDomain
         * SPN found :GC/Server11.MyDomain/MyDomain
         ......................... Server11 passed test MachineAccount
      Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: RPCLOCATOR
         * Checking Service: w32time
         * Checking Service: TrkWks
         * Checking Service: TrkSvr
         * Checking Service: NETLOGON
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         ......................... Server11 passed test Services
      Test omitted by user request: OutboundSecureChannels
      Starting test: ObjectsReplicated
         Server11 is in domain DC=MyDomain,DC=com
         Checking for CN=Server11,OU=Domain Controllers,DC=MyDomain,
=com in domain DC=MyDomain,DC=com on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=Server11,CN=Servers,CN=MyDomain,CN=
tes,CN=Configuration,DC=MyDomain,DC=com in domain CN=Configuration,DC=
MyDomain,DC=com on 1 servers
            Object is up-to-date on all servers.
         ......................... Server11 passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service Event log test
         Error: No record of File Replication System, SYSVOL started.
         The Active Directory may be prevented from starting.
         ......................... Server11 passed test frssysvol
      Starting test: kccevent
         * The KCC Event log test
         Found no KCC errors in Directory Service Event log in the last 15 min
es.
         ......................... Server11 passed test kccevent
      Starting test: systemlog
         * The System Event log test
         Found no errors in System Event log in the last 60 minutes.
         ......................... Server11 passed test systemlog

   Running enterprise tests on : MyDomain
      Starting test: Intersite
         Skipping site MyDomain, this site is outside the scope provided by the
         command line arguments provided.
         ......................... MyDomain passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\Server11.MyDomain
         Locator Flags: 0xe00001fd
         PDC Name: \\Server11.MyDomain
         Locator Flags: 0xe00001fd
         Time Server Name: \\Server11.MyDomain
         Locator Flags: 0xe00001fd
         Preferred Time Server Name: \\Server11.MyDomain
         Locator Flags: 0xe00001fd
         KDC Name: \\Server11.MyDomain
         Locator Flags: 0xe00001fd
         ......................... MyDomain passed test FsmoCheck
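
In the output above, the frssysvol test logs "Error: No record of File Replication System, SYSVOL started." and is still reported as passed. The following added example (not part of the original thread) parses `dcdiag /v` text and flags tests whose summary line says "passed" although the body contains an Error or Warning line. The sample text is constructed from the format shown above, and the function names are hypothetical.

```python
import re

START = re.compile(r"^\s*Starting test:\s*(\S+)")
VERDICT = re.compile(r"^\s*\.{5,}\s*(.+?)\s+(passed|failed)\s+test\s+(\S+)")
OMITTED = re.compile(r"^\s*Test omitted by user request:\s*(\S+)")
SUSPECT = re.compile(r"^\s*(Error|Warning)\b", re.IGNORECASE)

# Constructed sample, following the output format shown in the thread.
SAMPLE = """\
      Test omitted by user request: Topology
      Starting test: frssysvol
         * The File Replication Service Event log test
         Error: No record of File Replication System, SYSVOL started.
         The Active Directory may be prevented from starting.
         ......................... Server11 passed test frssysvol
      Starting test: systemlog
         * The System Event log test
         Found no errors in System Event log in the last 60 minutes.
         ......................... Server11 passed test systemlog
"""

def triage(text):
    """Return (results, omitted). results maps test name -> dict with
    'target', 'verdict' and 'findings' (Error/Warning lines in its body)."""
    results, omitted = {}, []
    current, findings = None, []
    for line in text.splitlines():
        if m := OMITTED.match(line):
            omitted.append(m.group(1))
        elif m := START.match(line):
            current, findings = m.group(1), []
        elif m := VERDICT.match(line):
            results[m.group(3)] = {"target": m.group(1),
                                   "verdict": m.group(2), "findings": findings}
            current, findings = None, []
        elif current and SUSPECT.match(line):
            findings.append(line.strip())
    return results, omitted

def passed_with_findings(results):
    """Tests whose summary says 'passed' but whose body logged an error."""
    return [n for n, r in results.items()
            if r["verdict"] == "passed" and r["findings"]]

if __name__ == "__main__":
    res, skipped = triage(SAMPLE)
    for name in passed_with_findings(res):
        print(name, "->", res[name]["findings"])
    print("omitted:", skipped)
```

Omitted tests are listed separately because a test that never ran cannot report a failure.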
 

Author Comment

by:brennon
ID: 16861683
One more thing: when I try to run DCdiag /v on the second DC I get the following error:
C:\>DCdiag /v
'DCdiag' is not recognized as an
operable program or batch file.

Accepted Solution

by:
Kini pradeep earned 1500 total points
ID: 16862309
Probably you do not have the support tools on the second DC.
Do you have a healthy SYSVOL with all the folders and policies on the other DC?
So the policies and script folders are missing under the domain folder.
It's actually the scripts which is shared as netlogon by the system.
Can you stop and start the FRS on this machine and check for errors in the eventvwr?
If the other DC has the folder intact then we can have them replicated from the other; otherwise there is a tool for Windows 2000 called recreatedefpol to create the default domain and domain controllers policy, which can be downloaded from MS. The policies can be recreated to the default, as long as no EFS is used in the domain, because there would be NP with the recovery agent. Also, do you use any certificate services?
 

Author Comment

by:brennon
ID: 16863344
Neither server has the sysvol folder intact.  I started and stopped the FRS service on both machines and came up with no errors.  I have run the recreatedefpol.exe and it has replaced the folders.  Everything seems to be working ok now.  I will give it a couple of days and then close out this question.

Thanks for the help

Expert Comment

by:Kini pradeep
ID: 16863499
Seems like you have got things under control,

cheers,
kini