Group Policy / AD Errors

Posted on 2007-08-10
Medium Priority
Last Modified: 2008-05-31
Windows Server 2003 AD Controller
XP Clients on Domain

We have started to get the below errors in the application and system log of our client's DC's Event Viewer. Are they something to be worried about?

Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=********,DC=local. The file must be present at the location <\\***********.local\sysvol\**********.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Access is denied. ). Group Policy processing aborted.

Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

The kerberos client received a KRB_AP_ERR_MODIFIED error from the server ********$.  The target name used was cifs/*******.*********.local. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (*********.LOCAL), and the client realm.   Please contact your system administrator.



Question by:YellowbusTeam

Expert Comment

ID: 19668530
Check your replication...

In the worst case you will need to do a D2/D4 on the domain. We had this a while back...


Accepted Solution

and235100 earned 1500 total points
ID: 19668779

Expert Comment

ID: 19670340
Is sysvol shared on the DC in question? Open Computer Management (right-click on My Computer and pick Manage) - Look at System Tools - Shared Folders - Shares.

If it is not shared look at the File Replication System Event log.  Do you see any errors or warnings?  The easiest thing to do here is to restart the File Replication Service, then watch the events that pop up in the event log.  You are looking for the event 13516 which basically states that the DC has completed file replication, which is the last thing that needs to happen for it to be a true domain controller, and sysvol is now shared.

If you get an event that states that replication is occurring slowly or could not be completed and will try again later, then look for a connectivity problem between that DC and others. Specifically look for RPC problems. Ping might work, but setting a mapped drive might have problems, or might appear to be excruciatingly slow, in which case you have to fix the connectivity problem.

That 3rd error looks like a naming conflict. Did someone put up a server with the same name, or change the IP address and move the computer?
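
The checks described in the comment above (is SYSVOL shared, has event 13516 been logged, are there newer warnings or errors), written out as an added PowerShell example; it is not code from the thread. The function and parameter names are hypothetical, the sample events are constructed, and it assumes Windows PowerShell 2.0 or later with the classic File Replication Service event log reachable on the DC.

```powershell
# Added example (not from the thread). Function and parameter names are hypothetical.
# Assumes Windows PowerShell 2.0+ and the classic 'File Replication Service' event log.

function Test-SysvolReadiness {
    param(
        [bool]$SysvolShared,        # is a share named SYSVOL present on the DC?
        [object[]]$FrsEvents = @()  # entries from the File Replication Service log
    )
    $sorted = @($FrsEvents | Where-Object { $_ } | Sort-Object TimeGenerated)
    # Event 13516 marks the point where FRS has finished and SYSVOL is shared.
    $ready = $sorted | Where-Object { $_.EventID -eq 13516 } | Select-Object -Last 1
    # Warnings/errors newer than the last 13516 (or all of them, if there is none).
    $problems = @($sorted | Where-Object {
        $_.EntryType -match 'Warning|Error' -and
        (-not $ready -or $_.TimeGenerated -gt $ready.TimeGenerated)
    })
    if ($SysvolShared -and $ready -and $problems.Count -eq 0) { $verdict = 'Healthy' }
    elseif (-not $SysvolShared -and -not $ready)              { $verdict = 'NotReady' }
    else                                                      { $verdict = 'Investigate' }
    New-Object PSObject -Property @{
        Verdict      = $verdict
        SysvolShared = $SysvolShared
        Last13516    = if ($ready) { $ready.TimeGenerated } else { $null }
        Problems     = $problems
    }
}

# Live collection: the share list via WMI, recent FRS log entries via Get-EventLog.
function Get-SysvolReadiness {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    $share  = Get-WmiObject Win32_Share -ComputerName $ComputerName -Filter "Name='SYSVOL'"
    $events = Get-EventLog -LogName 'File Replication Service' -ComputerName $ComputerName `
                  -After (Get-Date).AddHours(-$Hours) -ErrorAction SilentlyContinue
    Test-SysvolReadiness -SysvolShared ([bool]$share) -FrsEvents $events
}

# Constructed sample events (not real log data): a 13516, then a later warning.
$sample = @(
    New-Object PSObject -Property @{ EventID = 13516; EntryType = 'Information'
                                     TimeGenerated = [datetime]'2007-08-10T09:00:00' }
    New-Object PSObject -Property @{ EventID = 13508; EntryType = 'Warning'
                                     TimeGenerated = [datetime]'2007-08-10T09:30:00' }
)
(Test-SysvolReadiness -SysvolShared $true -FrsEvents $sample).Verdict
```

Run `Get-SysvolReadiness -ComputerName <dc>` after restarting the File Replication Service to see whether 13516 has been logged since the restart and whether any warnings followed it.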

Expert Comment

ID: 19671131
Why don't you install the resource kit and run replmon? There you can see your replication.

Also run dcdiag to see if there are any errors.

Expert Comment

ID: 20410131
Hope that you got to the bottom of it.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question