amnewmancorporation
asked on
Problems with GPO on Terminal server
We are getting the following errors on a newly created Windows 2000 server.
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 1/23/2007
Time: 10:31:45 AM
User: LAFAYETTE\flschmidt
Computer: LCH01
Description:
Windows cannot query for the list of Group Policy objects . A message that describes the reason for this was previously logged by this policy engine.
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 1/23/2007
Time: 10:31:45 AM
User: LAFAYETTE\flschmidt
Computer: LCH01
Description:
Windows cannot access the file gpt.ini for GPO The file must be present at the location <>. (). Group Policy processing aborted.
*********************
I removed the GPO link to this particular user group and I still recieve the error. I ran GPRESULT and recieved the LookupAccountSid failed with 1789.
The new server (Win2000) didn't have a DNS entry (neither an A or a pointer record). I manually created these records but the error still shows up. I checked the security on the SYSVOL folders and made sure to follow MS's recommended security steps.
Some more information....
This server is a terminal server connecting two separate networks; one of which is a closed network.
One NIC is setup on the main domain and has IP, subne, gateway, and DNS. the other NIC only has IP, and subnet. This would normally be a problem but the 'old' terminal server functioned this way.
ALL OTHER SERVERS AND PCs ARE WORKING FINE. I have read that I should recreate the SYSVOL folders and all sorts of crazy stuff. I definitely do not want to do that unless Microsoft themselves tell me to. Any help is greatly appreciated!!!
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 1/23/2007
Time: 10:31:45 AM
User: LAFAYETTE\flschmidt
Computer: LCH01
Description:
Windows cannot query for the list of Group Policy objects . A message that describes the reason for this was previously logged by this policy engine.
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 1/23/2007
Time: 10:31:45 AM
User: LAFAYETTE\flschmidt
Computer: LCH01
Description:
Windows cannot access the file gpt.ini for GPO The file must be present at the location <>. (). Group Policy processing aborted.
*********************
I removed the GPO link to this particular user group and I still recieve the error. I ran GPRESULT and recieved the LookupAccountSid failed with 1789.
The new server (Win2000) didn't have a DNS entry (neither an A or a pointer record). I manually created these records but the error still shows up. I checked the security on the SYSVOL folders and made sure to follow MS's recommended security steps.
Some more information....
This server is a terminal server connecting two separate networks; one of which is a closed network.
One NIC is setup on the main domain and has IP, subne, gateway, and DNS. the other NIC only has IP, and subnet. This would normally be a problem but the 'old' terminal server functioned this way.
ALL OTHER SERVERS AND PCs ARE WORKING FINE. I have read that I should recreate the SYSVOL folders and all sorts of crazy stuff. I definitely do not want to do that unless Microsoft themselves tell me to. Any help is greatly appreciated!!!
One other thing... this server wasn't a DC at any time, was it? Any other recent changes to DCs?
ASKER
The time is correct on my domain (DOMAIN1); I have no way of checking the other domain, as I do not have access to it. Disabled the NICs and re-enabled...still receiving errors in Application log.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks SupportECI
I would prefer not to restore the Sysvol as no other servers or computers are experiencing any problems...I just dis-joined and rejoined but still receiving the errors. When I run GPRESULT, I get lots of LookupAccountSid failed with 1789 error
I would prefer not to restore the Sysvol as no other servers or computers are experiencing any problems...I just dis-joined and rejoined but still receiving the errors. When I run GPRESULT, I get lots of LookupAccountSid failed with 1789 error
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Doron,
he would also need insure that the computer is not going to get the GPO on next boot, correct? otherwise it will just make all the changes again (from default domain, and any others assigned to that OU).
amnewmancorporation,
I know you removed a link to that user, but what about the computer? If possible, put the server in a new OU assign a GPO with nothing set, and block inheritance (hopefully you don't have no override on any higher levels).
he would also need insure that the computer is not going to get the GPO on next boot, correct? otherwise it will just make all the changes again (from default domain, and any others assigned to that OU).
amnewmancorporation,
I know you removed a link to that user, but what about the computer? If possible, put the server in a new OU assign a GPO with nothing set, and block inheritance (hopefully you don't have no override on any higher levels).
ASKER
Thanks...I'll give both a try
If auto register of the server in DNS is not functioning this can cause a lot of different problems.
First troubleshoot you networkconnections and dns-registrations:
- only 1 nic with a default gateway
- only 1 nic with dns servers configured
- persistent routes for other routes
- auto register only 1 nic in dns (tcp/up properties)
- bind the microsoft client only to the internal nic (advanced settings)
- internal nic on top of the list in advanced settings
- delete the manual dns records on the dns server
- try autoregister the connection with ipconfig /registerdns
When this is functioning as it should be, i guess the gpo errors are gone after a reboot.
First troubleshoot you networkconnections and dns-registrations:
- only 1 nic with a default gateway
- only 1 nic with dns servers configured
- persistent routes for other routes
- auto register only 1 nic in dns (tcp/up properties)
- bind the microsoft client only to the internal nic (advanced settings)
- internal nic on top of the list in advanced settings
- delete the manual dns records on the dns server
- try autoregister the connection with ipconfig /registerdns
When this is functioning as it should be, i guess the gpo errors are gone after a reboot.
ASKER
Congrats Dorongol! It worked. Now I need to know what I just changed. I used the security setup.inf recommendation, but what actually happened? Do I need to recreate anything?
ASKER
I also gave ECI 50 points as the Workstation service wasn't running. Thanks a bunch!
When you ran the analysis you had all the changes listed,
setup security.inf template is used to reapply the default security settings of a freshly installed computer
This link will help you to understand the different security templates:
http://www.windowsecurity.com/articles/Understanding-Windows-Security-Templates.html
I am happy it helped.
Doron
setup security.inf template is used to reapply the default security settings of a freshly installed computer
This link will help you to understand the different security templates:
http://www.windowsecurity.com/articles/Understanding-Windows-Security-Templates.html
I am happy it helped.
Doron
2. reconfigure the nics. maybe remove (disable) the second and see if continues. if not, try adding dns and gateway.
let me know if either of these helps.