Solved

The GPO of the domain sends me an error

Posted on 2007-07-23
Last Modified: 2010-05-18
Hello


When I want to open the GPO
I have 3 domain controllers (jademxprnt, jademxdom, jademxappl). I can see and make changes in the GPO of jademxdom, but if I want to see or make changes on the other domain controllers, they show me the following messages:

Failed to open the GPO you may have not the appropriate rights

Later another message appears, like this:
The system cannot find the path specified

And finally it opens the GPO, but with an error (red X).
If I make changes in Active Directory, the other equipment can take them immediately, but not with the GPO. I can modify the domain GPO on any DC, but the others show the error.
I do not know why this happened.
Regards
0
Question by:jmsienrique
 
LVL 13

Expert Comment

by:ocon827679
ID: 19549732
Use replmon to determine if you have a replication error with the other DCs.  If you do, you will need to fix the connectivity.  Check the FRS event log on each DC.  Ensure that you are not having a problem with replication from the DC where you can make the changes.  You should see an event 13516 in the FRS log if your file replication system is working correctly.  (If you don't see the 13516 and you don't have any other errors, then restart the FRS service and check the log again.)
0
 

Author Comment

by:jmsienrique
ID: 19550038
Thanks

On jademxdom I can run replmon, but on the other server the file is not there.
I checked the FRS log: on the other two DCs there is event 13562, but on jademxdom there is event 13516. In addition, I erased the FRS log, stopped the service and restarted it on the DC at the same time.

Do you think that the problem could be the DNS service?

Because I found the IP of the DNS server in the secondary instead of the primary. The primary DNS IP I don't know; it probably belongs to the Internet.
What do you think?
0
 
LVL 13

Expert Comment

by:ocon827679
ID: 19550209
It might be but it looks like you have a file system replication problem at this point.  FRS is responsible for keeping Sysvol current amongst domain controllers.  

Ensure that you have good connectivity between the DCs that give you the 13562 and the DC that gives you the 13516.  Then do a non-authoritative restore of Sysvol on the problem servers (13562) by setting the registry key HKLM - System - CurrentControlSet - Services - NtFrs - Parameters - Backup/Restore - Process at Startup - BurFlags  to a DWORD value of D2.  Once you set the key, restart the File Replication Service on the server.  You should see the D2 be replaced by a 0x0.  Then watch the FRS event log.  If connectivity is good then replication should proceed normally and once completed with no errors, you should see the 13516.

If you have connectivity issues you will see a different event stating that there is a problem and the file replication system will continue trying to replicate.  Of course, replmon should show a connectivity issue as should using ping.
0
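
The non-authoritative Sysvol restore described in the answer above, written out as an added example that is not part of the original post. It assumes an elevated Windows PowerShell session on the DC that logs event 13562; the 30-minute timeout and 30-second polling interval are illustrative values.

```powershell
# Added example: BurFlags = D2 (non-authoritative restore), then verify the outcome.
$key   = 'HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
$start = Get-Date

# reg.exe is used because the key name contains "/" (Backup/Restore), which the
# PowerShell registry provider would treat as a path separator.
& reg.exe add $key /v BurFlags /t REG_DWORD /d 0xD2 /f | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not set BurFlags (reg.exe exit code $LASTEXITCODE)" }

# FRS reads BurFlags at service start and then resets it to 0.
Restart-Service -Name NtFrs

$deadline = $start.AddMinutes(30)   # illustrative timeout
$recent   = @()
$done     = $false
while (-not $done -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 30         # illustrative polling interval
    $recent = @(Get-EventLog -LogName 'File Replication Service' -Newest 200 -ErrorAction SilentlyContinue |
                Where-Object { $_.TimeGenerated -ge $start })
    # 13516 is the event the thread uses as the sign that replication completed.
    $done = [bool]($recent | Where-Object { $_.EventID -eq 13516 })
}

# Summarise what FRS logged since the restart, for example 13565 while replication
# is in progress, or 13508/13509, which the thread ties to communication problems.
$recent | Group-Object EventID | Sort-Object Name |
    ForEach-Object { '{0,6}  x{1}' -f $_.Name, $_.Count }

# BurFlags should now read 0x0 again.
& reg.exe query $key /v BurFlags

# Sysvol is shared only after replication has completed.
$shared = [bool]((& net.exe share) -match '^SYSVOL\s')
if ($done -and $shared) {
    'Event 13516 logged and SYSVOL is shared.'
} else {
    Write-Warning "13516 seen: $done; SYSVOL shared: $shared. Check connectivity and DNS between the DCs."
}
```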

Author Comment

by:jmsienrique
ID: 19550434
OK, I did that on the server jademxdom that has the error 13562, and changed it as you told me. When I restarted the service it was still showing the error 1562, and on the other server the errors 13508 and 13509 are now appearing.

What can I do?
0
 
LVL 13

Expert Comment

by:ocon827679
ID: 19550922
13508 and 13509 are telling you that there is a communication problem between the domain controllers.  You have to fix the communications problem.  Can you ping between the servers with no problems?  Are you using "teamed" NICs?  If so, break the team and use only one to see if you can get good connectivity.  
From one of the problem servers try mapping a drive to the server that you know works.  If the mapping fails because the server is unavailable, try mapping by the IP address.  If the IP address works then you might have the DNS issue that you stated above; if it doesn't, then you have a network connectivity issue.  
In your DNS do you have SRV records for all of the domain controllers?  If one is missing, restart the NetLogon service for the missing DC, that should register the SRV records in DNS for that server.  
0
 

Author Comment

by:jmsienrique
ID: 19551381
Yes, I can ping between them, and I can map a drive to the server by both name and IP, but I realized something: the DC jademxdom shares the sysvol folder on this path %systemroot%sysvol%sysvol and the other servers are not sharing this folder. Do you think that this could be the problem?
0
 

Author Comment

by:jmsienrique
ID: 19552133
Or do you think that if I demote the server and run dcpromo again it could work?
0
 
LVL 13

Expert Comment

by:ocon827679
ID: 19555544
When file replication completes successfully you will receive the 13516 event in the FRS log.  This event basically states that the replication is complete and that there is nothing preventing this computer from becoming a domain controller.  At this point Sysvol is shared.  The sharing of Sysvol is the last step in becoming a domain controller.  Sysvol is not shared in your case because file replication of the sysvol data is not complete.

I don't understand why FRS is not working if you are not having problems with ping (ICMP) or setting a share (RPC).  (Your 13508 and 13509 are RPC communication errors)  You could try demoting.  If you decide to do this run dcpromo first.  If dcpromo fails, then you can run dcpromo /forceremoval.  

If you have to use the forceremoval switch, then you will need to do a metadata cleanup of the problem dc on jademxdom to flush out the metadata associated with the problem computer being a domain controller in AD.  After running the metadata cleanup you can dcpromo back in to AD.
0
 

Author Comment

by:jmsienrique
ID: 19558056
Finally I decided to demote the server, rebooted and tried to add it to the domain again, but now I cannot add it. On the screen where it asks for the username, password and domain, I type them and then it gives an error that the domain cannot be reached; probably there is a DNS problem. So I decided to format the server and I am reinstalling the operating system again. Now the question is: is there a way I can force this computer to join the domain, or how could I know where the DNS problem is exactly?

Regards
0
 
LVL 13

Expert Comment

by:ocon827679
ID: 19558180
Run the metadata cleanup to ensure that the domain controller has been properly removed from AD.  Just follow the steps in http://support.microsoft.com/kb/216498/en-us.  If the DC was properly removed you will not see it in the step where you select the number of the computer.

Use ADUC to ensure that there is no server name that corresponds to the server that you are rebuilding.  If it is there, then delete it.

Ensure that the host record for the server that you are rebuilding has been removed from DNS.

Sorry that you had to go this way, but sometimes a rebuild is faster and easier than busting your head against the wall.
0
 

Author Comment

by:jmsienrique
ID: 19558703
You know, you are a nice person, and thanks for your help.

Now I have reinstalled the operating system, Windows 2003 Server R2, and I could add it to the domain without a problem, but I have another doubt: in the FRS log there is a warning event 13565 where it talks about the Sysvol folders being shared once the replication is successful.
Is that OK?

0
 
LVL 13

Accepted Solution

by:
ocon827679 earned 2000 total points
ID: 19558802
13565 states that FRS is replicating with another domain controller. When the replication is complete you should get the 13516 and you should see that Sysvol is now shared.
0
 

Author Comment

by:jmsienrique
ID: 19559674
thanks.
0
