Group Policy / AD Errors

Posted on 2007-08-10
Last Modified: 2008-05-31
Windows Server 2003 AD Controller
XP Clients on Domain

We have started to get the below errors in the application and system log of our clients DC's event Viewer. Are they something to be worried about:

Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=********,DC=local. The file must be present at the location <\\***********.local\sysvol\**********.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Access is denied. ). Group Policy processing aborted.

Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

The kerberos client received a KRB_AP_ERR_MODIFIED error from the server ********$.  The target name used was cifs/*******.*********.local. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (*********.LOCAL), and the client realm.   Please contact your system administrator.



Question by:YellowbusTeam
    LVL 5

    Expert Comment

    check your replication...

    in worst case you will need to do a D2/D4 on the domain.. we had this a while back....

    LVL 32

    Accepted Solution

    LVL 13

    Expert Comment

    Is sysvol shared on the dc in question?  Open Computer Management (right click on My computer and pick Manage) - Look at System Tools - Shared Folders - Shares.  

    If it is not shared look at the File Replication System Event log.  Do you see any errors or warnings?  The easiest thing to do here is to restart the File Replication Service, then watch the events that pop up in the event log.  You are looking for the event 13516 which basically states that the DC has completed file replication, which is the last thing that needs to happen for it to be a true domain controller, and sysvol is now shared.

    If you get an event that states that replication is occurring slowly or could not be completed and will try again later, then look for a connectivity problem between that DC and others.  Specifically look for RPC problems.  Ping might work, but setting a mapped drive might have problems, or might appear to be excrutiatingly slow.  In which case you have to fix the connectivity problem.

    That 3rd error looks like a naming conflict.  Did somone put up a server with the same name, or change the IP address and move the computer?
    LVL 5

    Expert Comment

    why don't you install the resource kit and run replmon. there you can see your replication.

    also run dcdiag to see if there are any errors.
    LVL 32

    Expert Comment

    Hope that you got to the bottom of it.

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    Free Trending Threat Insights Every Day

    Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

    Welcome to my series of short tips on migrations. Whilst based on Microsoft migrations the same principles can be applied to any type of migration. My first tip Migration Tip #1 – Source Server Health can be found here: http://www.experts-exchang…
    A quick step-by-step overview of installing and configuring Carbonite Server Backup.
    This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
    This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

    759 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    14 Experts available now in Live!

    Get 1:1 Help Now