Solved

GPO Errors

Posted on 2007-04-11
Last Modified: 2008-05-31
Windows 2003 AD - One Windows 2003 DC and one 2000 DC - all located at one site on same segment

I recently promoted a VMWare Windows 2003 server to a DC, demoted the Windows 2000 DC and upgraded the domain functional level to 2003. After doing so, my XP SP2 workstations have been experiencing intermittent connectivity issues. Sometimes it happens as they log in and sometimes it happens after they have logged in. They seem to lose or cannot obtain the GPOs. I have since demoted the VMWare 2003 DC and now have just one 2003 DC. The problems have continued. In order to get the PCs online, we've been installing the MS Hive Cleaner and doing a gpupdate /force. No events are being logged on the DC, only the workstations.

The events on the XP machines:

Event ID 1030
Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.

Event ID 1058
Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=<domain name>,DC=com. The file must be present at the location <\\<domain name>\sysvol\<domain name>\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (<error description>.). Group Policy processing aborted.

Event ID 1073
The attempt to unknown <machine name> failed.

Event ID 5719
No Windows NT Domain Controller is available for domain <domain name>. (This event is expected and can be ignored when booting with the 'No Net' Hardware Profile.) The following error occurred: <error description>

Event ID 7
The kerberos subsystem encountered a PAC verification failure. This indicates that the PAC from the client <client name> in realm <realm name> had a PAC which failed to verify or was modified. Contact your system administrator.
0
Question by:hbsr
5 Comments
 
LVL 13

Expert Comment

by:strongline
ID: 18891477
What is the "error description" in event ID 1058? Access denied? "Network path not found"?
This is most likely related to your network connectivity/DNS. Check your firewall, switches, routers, TCP/IP stacks, etc.

eventid lists a bunch of causes you can check through:
http://www.eventid.net/display.asp?eventid=7&eventno=1870&source=Kerberos&phase=1

Check the following 2 KBs if you have W2K3 SP1 installed recently:

Q899148 Some firewalls may reject network traffic that originates from Windows Server 2003 Service Pack 1-based computers
Q898060 Installing security update MS05-019 or Windows Server 2003 Service Pack 1 may cause network connectivity between clients and servers to fail
0
 

Author Comment

by:hbsr
ID: 18891753
Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=hbsr,DC=internal. The file must be present at the location <\\hbsr.internal\sysvol\hbsr.internal\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (The network path was not found. ). Group Policy processing aborted.
0
 
LVL 1

Expert Comment

by:dredd0606
ID: 18891848
I had the exact same problem.  Check your time synchronization of the workstations with the DC, that is what my problem was.

Once the DC is set and all promotions/demotions are complete, run the following command on your workstations

net time /domain:domainname.com /set

This will set the time on the workstations to the time on whatever DC you have on the domain.  Once that is done, log off/log on, and run gpupdate /force.  This should force a reboot, and your GPO should push (if your issue is indeed a time sync issue).

Hope this helps.

Dredd
0
 

Author Comment

by:hbsr
ID: 18891904
I just tried pinging my_domain_name.my_domain_root and it was resolving to the old "demoted" Windows 2000 DC.  I have removed the (same as parent folder) record of this server in DNS and left just the one DC with this record.  I'm assuming this could cause the issue since the workstations could have been attempting to access the old DC as my_domain_name.my_domain_root?
0
 
LVL 1

Accepted Solution

by:dredd0606
ID: 18891933
It sounds like the demotion of your Win 2000 DC didn't go smoothly.  Check the following KB article.

http://support.microsoft.com/kb/216498/en-us

0
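
An added example, not part of the original thread: a PowerShell check for the condition described above, where the domain name (the "(same as parent folder)" A record) still resolves to a demoted DC and \\<domain>\sysvol fails with "network path not found". It assumes a Windows 8 / Server 2012 or later host with the Resolve-DnsName cmdlet; the default domain name is the one from the thread and the GUID is the one in event 1058.

```powershell
# Added example: flag domain-apex A records that do not belong to a DC
# currently registered in DNS, and test the gpt.ini path through each one.
# Defaults are taken from the thread; override them for another domain.
param(
    [string]$Domain  = 'hbsr.internal',
    [string]$GpoGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
)

# DCs that currently advertise themselves (SRV records written by Netlogon).
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }

# Map each advertised DC host name to its A record(s).
$dcAddresses = foreach ($target in ($srv.NameTarget | Sort-Object -Unique)) {
    Resolve-DnsName -Name $target -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } |
        ForEach-Object { [pscustomobject]@{ DC = $target; IP = $_.IPAddress } }
}

# "(same as parent folder)" A records: the addresses \\<domain>\sysvol can land on.
$apex = Resolve-DnsName -Name $Domain -Type A -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' }

foreach ($rec in $apex) {
    $owner = $dcAddresses | Where-Object { $_.IP -eq $rec.IPAddress }
    $gpt   = "\\$($rec.IPAddress)\sysvol\$Domain\Policies\$GpoGuid\gpt.ini"

    [pscustomobject]@{
        ApexAddress  = $rec.IPAddress
        # No matching SRV target means the record points at a host that is
        # no longer advertising itself as a DC (for example a demoted one).
        RegisteredDC = if ($owner) { $owner.DC -join ',' } else { 'NONE (stale record?)' }
        # False here matches the event 1058 failure for clients that resolve to this address.
        GptIniFound  = Test-Path -LiteralPath $gpt
    }
}
```

Any row with no registered DC or with GptIniFound set to False is a candidate for the DNS and metadata cleanup discussed in the thread.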
