jflynt asked:

Access is denied when editing group policy on Windows 2003 Server running Exchange 2003

I am attempting to edit an existing group policy. I have never done this and need to make a few minor changes. I am an administrator of the system with full rights. I am using the Group Policy Object Editor. I attempt to make a change to the policy and I get: Access is denied/failed to save \\domain\***\gpttmpl.inf make sure you have right permissions. I have permissions as best I can tell and I am not sure about shares. Can someone help me out concerning what may be causing this and how to check shares, including what particular file, folder, etc. to check?

Netman66

Find the SYSVOL shared folder (c:\Windows\SYSVOL\sysvol).
Open up the properties of it.
Under Sharing tab, select the Permission button.
Administrators have Full Control
Authenticated Users has Read.

The NTFS permissions on this folder:

All inherited from  the parent (C:\Windows\SYSVOL)

Administrators and SYSTEM (Full Control)
Authenticated Users & Server Operators - Read and Execute, List folder contents, Read.
Creator Owner - Full Control (Subfolders and Files only).

jflynt (ASKER)

I verified this but it still states access is denied/failed to save. Do these shares take place immediately or do I have to reboot or anything, etc.?

It should work immediately (if that was the issue).

Open up DSA.msc.
Change the View to Advanced.
Drill into System\Policies.
Find the GUID that represents the GPO (it should match the folder name in sysvol).
Right click it and check the Properties>Security.

My bet is the Domain Admins and/or Administrators group is not listed.  Add whatever is missing (you can check permissions against another policy).

jflynt (ASKER)

If this should take effect immediately, it is not working. I still get access is denied/failed to save. Make sure you have rights to this object. I am at a total loss on this one. I am logged into the server through Terminal Services; this shouldn't cause any problems, should it? I really appreciate your help.

How did the Security entries appear on the policy in ADUC?

If you can't add the correct entries, then you'll need to take ownership of the folder, rewrite ownership on subfolders and files, then make the necessary adjustments.  Remember to put the Administrators group as owner when you're done.

For a TS connection run (from the Run box): mstsc -console

Log in normally - you'll be on the console session.

jflynt (ASKER)

The security entries were correct as you stated above. The Administrators group is the owner. I am using the console run of TS. I checked shares, security entries and everything you have mentioned twice, but still it will not let me save. I could create a new GP with no problem but cannot apply anything inside that group. I am just bumfuddled.

Do you have Exchange in the domain?

If not, then do this:

1)  Use GPMC and backup this GPO.
2)  If it's the Default Domain policy then run DCGPOFIX.exe /domain - go to step 5.  If not, proceed to step 3 and 4.
3)  Delete the policy and allow time for replication.
4)  Recreate it (with a slightly different name).
5)  Restore the backup (if there's anything in there worth saving rather than resetting manually).

jflynt (ASKER)

Exchange is on this server and this is a domain controller, the PDC. Incidentally, the default policy isn't linked or enforced, if that matters. Should I proceed with what you suggest? How often is replication? It doesn't appear to me that the default is actually doing anything on the server. What would happen if I just start over fresh; is there a procedure for that? I appreciate your help and guidance. This problem has just whipped me.  Also, today on dcdiag I get a failure due to changes made to the sysvol regarding security? I don't see anything wrong.

jflynt (ASKER)

Also, since I changed sysvol last night I am getting errors on dcdiag. Is this a problem?

C:\Documents and Settings\Administrator>dcdiag

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\EXCH2K3
      Starting test: Connectivity
         ......................... EXCH2K3 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\EXCH2K3
      Starting test: Replications
         ......................... EXCH2K3 passed test Replications
      Starting test: NCSecDesc
         ......................... EXCH2K3 passed test NCSecDesc
      Starting test: NetLogons
         ......................... EXCH2K3 passed test NetLogons
      Starting test: Advertising
         ......................... EXCH2K3 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... EXCH2K3 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... EXCH2K3 passed test RidManager
      Starting test: MachineAccount
         ......................... EXCH2K3 passed test MachineAccount
      Starting test: Services
         ......................... EXCH2K3 passed test Services
      Starting test: ObjectsReplicated
         ......................... EXCH2K3 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... EXCH2K3 passed test frssysvol
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... EXCH2K3 failed test frsevent
      Starting test: kccevent
         ......................... EXCH2K3 passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0x40000005
            Time Generated: 10/05/2007   09:38:41
            Event String: The kerberos client received a KRB_AP_ERR_TKT_NYV
         An Error Event occured.  EventID: 0x40000005
            Time Generated: 10/05/2007   09:38:48
            Event String: The kerberos client received a KRB_AP_ERR_TKT_NYV
         An Error Event occured.  EventID: 0x40000005
            Time Generated: 10/05/2007   09:38:52
            Event String: The kerberos client received a KRB_AP_ERR_TKT_NYV
         An Error Event occured.  EventID: 0x40000005
            Time Generated: 10/05/2007   09:38:53
            Event String: The kerberos client received a KRB_AP_ERR_TKT_NYV
         An Error Event occured.  EventID: 0x40000005
            Time Generated: 10/05/2007   09:38:55
            Event String: The kerberos client received a KRB_AP_ERR_TKT_NYV
         An Error Event occured.  EventID: 0x40000005
            Time Generated: 10/05/2007   09:38:58
            Event String: The kerberos client received a KRB_AP_ERR_TKT_NYV
         An Error Event occured.  EventID: 0x40000005
            Time Generated: 10/05/2007   09:39:00
            Event String: The kerberos client received a KRB_AP_ERR_TKT_NYV
         ......................... EXCH2K3 failed test systemlog
      Starting test: VerifyReferences
         ......................... EXCH2K3 passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : tiftcounty
      Starting test: CrossRefValidation
         ......................... tiftcounty passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... tiftcounty passed test CheckSDRefDom

   Running enterprise tests on : tiftcounty.org
      Starting test: Intersite
         ......................... tiftcounty.org passed test Intersite
      Starting test: FsmoCheck
         ......................... tiftcounty.org passed test FsmoCheck

Check the time on the server - it appears it's not correct.

Ensure the time, time zone and daylight savings settings are correct on all your servers and workstations.

Let me know.

jflynt (ASKER)

Checked all servers and time was right except for this server; it showed 1:00AM at the time it was 9:00AM.  It appears to be correct now by checking. Would you suggest proceeding with what you recommended above?

Wait for a while before you change anything now.

Attempt to run DCDIAG again, then try to make your changes to that GPO.

Let me know.

jflynt (ASKER)

I just ran dcdiag and am still getting the same as above with respect to the failed frsevent

jflynt (ASKER)

Also ran the group policy check and got this response. This makes me MORE lost. What is the difference between Default Domain Controllers Policy and Default Domain Policy? Am I mixing something up?

Incorrect permissions on Default Domain Controllers Policy  Domain Controller: Default GPO's Check
Enterprise Domain Controllers does not have Read permission on Default Domain Controllers Policy

Incorrect permissions on Default Domain Controllers Policy  Domain Controller: Default GPO's Check
Enterprise Domain Controllers does not have apply permission on Default Domain Controllers Policy



Incorrect permissions on Default Domain Policy              Domain Controller: Default GPO's Check
EXCH2K3$ does not have Apply Group Policy permission on Default Domain Policy

jflynt (ASKER)

I also evidently, by some means, don't have access. I tried to look over backing up the GPO and I don't have an option for backup?  I have gone over and over everything as best I know how to do. I had another person look and nothing. Everything you suggested was covered. Don't have a clue what is blocking my access. If any more ideas, I will try anything.

Default Domain Controller policy affects the DCs locally.

Default Domain Policy affects all computer accounts in the domain.

Find the Default Domain Controller Policy and add the Enterprise Domain Controllers group with Read permission.

Find the Default Domain Policy and add the EXCH2K3$ account with Apply group policy.

jflynt (ASKER)

I cannot locate an EXCH2K3$ account?

jflynt (ASKER)

I got those corrected and I still cannot save. I ran gpotool and this is what came out. I see the errors on two servers and I am not sure about this being the problem or how to correct it. Thanks for your help. I am giving you the points either way for sticking with me.

EAGLEAD-2.tiftcounty.org
eaglead_1.tiftcounty.org
archive.tiftcounty.org
finance.tiftcounty.org
Searching for policies...
Found 3 policies
============================================================
Policy {31B2F340-016D-11D2-945F-00C04FB984F9}
Friendly name: Default Domain Policy
Error: Version mismatch on EAGLEAD-2.tiftcounty.org, DS=4456483, sysvol=3014691
Details:
------------------------------------------------------------
DC: EXCH2K3.tiftcounty.org
Friendly name: Default Domain Policy
Created: 3/15/2006 1:15:37 PM
Changed: 10/7/2007 2:54:46 AM
DS version:     68(user) 35(machine)
Sysvol version: 68(user) 35(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: [{25537BA6-77A8-11D2-9B6C-0000F8080861}{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}][{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-1
1D2-842D-00C04FA372D4}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}][{A2E30F80-
D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}]
Machine extensions: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EA
C-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: EXCH2K3FO.tiftcounty.org
Friendly name: Default Domain Policy
Created: 3/15/2006 1:15:37 PM
Changed: 10/7/2007 2:55:22 AM
DS version:     68(user) 35(machine)
Sysvol version: 68(user) 35(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: [{25537BA6-77A8-11D2-9B6C-0000F8080861}{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}][{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-1
1D2-842D-00C04FA372D4}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}][{A2E30F80-
D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}]
Machine extensions: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EA
C-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: recreation.tiftcounty.org
Friendly name: Default Domain Policy
Created: 3/15/2006 1:15:37 PM
Changed: 10/7/2007 2:55:06 AM
DS version:     68(user) 35(machine)
Sysvol version: 68(user) 35(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: [{25537BA6-77A8-11D2-9B6C-0000F8080861}{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}][{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-1
1D2-842D-00C04FA372D4}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}][{A2E30F80-
D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}]
Machine extensions: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EA
C-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: EAGLEAD-2.tiftcounty.org
Friendly name: Default Domain Policy
Created: 3/15/2006 1:15:37 PM
Changed: 10/7/2007 2:56:01 AM
DS version:     68(user) 35(machine)
Sysvol version: 46(user) 35(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: [{25537BA6-77A8-11D2-9B6C-0000F8080861}{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}][{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-1
1D2-842D-00C04FA372D4}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}][{A2E30F80-
D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}]
Machine extensions: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EA
C-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: eaglead_1.tiftcounty.org
Friendly name: Default Domain Policy
Created: 3/15/2006 1:15:37 PM
Changed: 10/7/2007 2:54:50 AM
DS version:     68(user) 35(machine)
Sysvol version: 68(user) 35(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: [{25537BA6-77A8-11D2-9B6C-0000F8080861}{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}][{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-1
1D2-842D-00C04FA372D4}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}][{A2E30F80-
D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}]
Machine extensions: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EA
C-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: archive.tiftcounty.org
Friendly name: Default Domain Policy
Created: 3/15/2006 1:15:37 PM
Changed: 10/7/2007 2:55:10 AM
DS version:     68(user) 35(machine)
Sysvol version: 68(user) 35(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: [{25537BA6-77A8-11D2-9B6C-0000F8080861}{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}][{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-1
1D2-842D-00C04FA372D4}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}][{A2E30F80-
D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}]
Machine extensions: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EA
C-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: finance.tiftcounty.org
Friendly name: Default Domain Policy
Created: 3/15/2006 1:15:37 PM
Changed: 10/7/2007 2:55:01 AM
DS version:     68(user) 35(machine)
Sysvol version: 68(user) 35(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: [{25537BA6-77A8-11D2-9B6C-0000F8080861}{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}][{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-1
1D2-842D-00C04FA372D4}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}][{A2E30F80-
D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}]
Machine extensions: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EA
C-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {6AC1786C-016F-11D2-945F-00C04FB984F9}
Friendly name: Default Domain Controllers Policy
Error: Version mismatch on EAGLEAD-2.tiftcounty.org, DS=58, sysvol=44
Details:
------------------------------------------------------------
DC: EXCH2K3.tiftcounty.org
Friendly name: Default Domain Controllers Policy
Created: 3/15/2006 1:15:37 PM
Changed: 10/7/2007 2:52:58 AM
DS version:     0(user) 58(machine)
Sysvol version: 0(user) 58(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: [{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: EXCH2K3FO.tiftcounty.org
Friendly name: Default Domain Controllers Policy
Created: 3/15/2006 1:15:37 PM
Changed: 10/7/2007 2:53:30 AM
DS version:     0(user) 58(machine)
Sysvol version: 0(user) 58(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: [{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: recreation.tiftcounty.org
Friendly name: Default Domain Controllers Policy
Created: 3/15/2006 1:15:37 PM
Changed: 10/7/2007 2:53:19 AM
DS version:     0(user) 58(machine)
Sysvol version: 0(user) 58(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: [{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: EAGLEAD-2.tiftcounty.org
Friendly name: Default Domain Controllers Policy
Created: 3/15/2006 1:15:37 PM
Changed: 10/7/2007 2:53:27 AM
DS version:     0(user) 58(machine)
Sysvol version: 0(user) 44(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: [{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: eaglead_1.tiftcounty.org
Friendly name: Default Domain Controllers Policy
Created: 3/15/2006 1:15:37 PM
Changed: 10/7/2007 2:53:16 AM
DS version:     0(user) 58(machine)
Sysvol version: 0(user) 58(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: [{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: archive.tiftcounty.org
Friendly name: Default Domain Controllers Policy
Created: 3/15/2006 1:15:37 PM
Changed: 10/7/2007 2:53:22 AM
DS version:     0(user) 58(machine)
Sysvol version: 0(user) 58(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: [{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: finance.tiftcounty.org
Friendly name: Default Domain Controllers Policy
Created: 3/15/2006 1:15:37 PM
Changed: 10/7/2007 2:53:13 AM
DS version:     0(user) 58(machine)
Sysvol version: 0(user) 58(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: [{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {720C544F-8836-4DF8-B3C7-B99D533E015E}
Friendly name: New Group Policy Object
Error: EXCH2K3.tiftcounty.org - EAGLEAD-2.tiftcounty.org sysvol mismatch
Error: EXCH2K3.tiftcounty.org - finance.tiftcounty.org sysvol mismatch
Details:
------------------------------------------------------------
DC: EXCH2K3.tiftcounty.org
Friendly name: New Group Policy Object
Created: 4/26/2006 11:14:49 PM
Changed: 10/5/2007 3:35:57 AM
DS version:     0(user) 0(machine)
Sysvol version: 0(user) 0(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: EXCH2K3FO.tiftcounty.org
Friendly name: New Group Policy Object
Created: 4/26/2006 11:14:49 PM
Changed: 10/5/2007 3:33:23 AM
DS version:     0(user) 0(machine)
Sysvol version: 0(user) 0(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: recreation.tiftcounty.org
Friendly name: New Group Policy Object
Created: 4/26/2006 11:14:49 PM
Changed: 10/5/2007 3:36:17 AM
DS version:     0(user) 0(machine)
Sysvol version: 0(user) 0(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: EAGLEAD-2.tiftcounty.org
Friendly name: New Group Policy Object
Created: 4/26/2006 11:14:49 PM
Changed: 10/5/2007 3:33:29 AM
DS version:     0(user) 0(machine)
Sysvol version: 0(user) 0(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: eaglead_1.tiftcounty.org
Friendly name: New Group Policy Object
Created: 4/26/2006 11:14:49 PM
Changed: 10/5/2007 3:36:08 AM
DS version:     0(user) 0(machine)
Sysvol version: 0(user) 0(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: archive.tiftcounty.org
Friendly name: New Group Policy Object
Created: 4/26/2006 11:14:49 PM
Changed: 10/5/2007 3:36:14 AM
DS version:     0(user) 0(machine)
Sysvol version: 0(user) 0(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: finance.tiftcounty.org
Friendly name: New Group Policy Object
Created: 4/26/2006 11:14:49 PM
Changed: 10/5/2007 3:33:08 AM
DS version:     0(user) 0(machine)
Sysvol version: 0(user) 0(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
============================================================

Errors found

C:\Documents and Settings\Administrator>
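
The gpotool report above lists a DS version and a Sysvol version for each policy on each domain controller, and the combined number in its "Version mismatch" lines packs the user revision into the upper 16 bits and the machine revision into the lower 16. The following Python is an added example, not part of the original thread or of any tool's own code: it parses a report in that layout and lists the DCs whose directory and SYSVOL copies of a policy disagree. The sample report, its GUIDs and its host names are constructed for illustration; the function names are hypothetical.

```python
import re

POLICY_RE = re.compile(r"^Policy (\{[0-9A-Fa-f-]+\})$")
NAME_RE = re.compile(r"^Friendly name: (.+)$")
DC_RE = re.compile(r"^DC: (\S+)$")
VER_RE = re.compile(r"^(DS|Sysvol) version:\s+(\d+)\(user\)\s+(\d+)\(machine\)$")
ERR_RE = re.compile(r"^Error: Version mismatch on (\S+), DS=(\d+), sysvol=(\d+)$")


def split_version(combined):
    """Split a combined GPO version number into (user, machine) revisions."""
    return combined >> 16, combined & 0xFFFF


def decode_error_line(line):
    """Decode one 'Version mismatch' summary line, or return None if it is not one."""
    m = ERR_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), split_version(int(m.group(2))), split_version(int(m.group(3)))


def parse_gpotool(text):
    """Return {guid: {"name": str, "dcs": {dc: {"DS": (u, m), "Sysvol": (u, m)}}}}."""
    policies, policy, dc = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            policy = policies.setdefault(m.group(1), {"name": None, "dcs": {}})
            dc = None
            continue
        if policy is None:
            continue  # header lines before the first policy block
        m = NAME_RE.match(line)
        if m:
            if policy["name"] is None:
                policy["name"] = m.group(1)
            continue
        m = DC_RE.match(line)
        if m:
            dc = policy["dcs"].setdefault(m.group(1), {})
            continue
        m = VER_RE.match(line)
        if m and dc is not None:
            dc[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return policies


def find_mismatches(policies):
    """List (policy name, dc, sides) where the DS and Sysvol revisions differ."""
    findings = []
    for pol in policies.values():
        for dc, ver in pol["dcs"].items():
            ds, sysvol = ver.get("DS"), ver.get("Sysvol")
            if ds is None or sysvol is None:
                findings.append((pol["name"], dc, "incomplete"))
            elif ds != sysvol:
                sides = [side for side, a, b in
                         (("user", ds[0], sysvol[0]), ("machine", ds[1], sysvol[1]))
                         if a != b]
                findings.append((pol["name"], dc, ",".join(sides)))
    return findings


# Constructed sample in the same layout as the report above (names are made up).
SAMPLE = """\
Searching for policies...
Found 2 policies
============================================================
Policy {11111111-2222-3333-4444-555555555555}
Friendly name: Example Policy A
Details:
------------------------------------------------------------
DC: dc1.example.test
Friendly name: Example Policy A
DS version:     68(user) 35(machine)
Sysvol version: 68(user) 35(machine)
------------------------------------------------------------
DC: dc2.example.test
Friendly name: Example Policy A
DS version:     68(user) 35(machine)
Sysvol version: 46(user) 35(machine)
============================================================
Policy {66666666-7777-8888-9999-AAAAAAAAAAAA}
Friendly name: Example Policy B
Details:
------------------------------------------------------------
DC: dc1.example.test
Friendly name: Example Policy B
DS version:     0(user) 58(machine)
Sysvol version: 0(user) 58(machine)
------------------------------------------------------------
DC: dc2.example.test
Friendly name: Example Policy B
DS version:     0(user) 58(machine)
Sysvol version: 0(user) 44(machine)
============================================================
"""

if __name__ == "__main__":
    for name, dc, sides in find_mismatches(parse_gpotool(SAMPLE)):
        print(f"{name}: {dc} has DS/Sysvol disagreement on: {sides}")
```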

ASKER CERTIFIED SOLUTION
Netman66

This solution is only available to members.

jflynt (ASKER)

I have gone over everything with a fine-tooth comb and everything is in order as suggested by you and what I have read. I didn't install this system and have not had to alter the policy, so I am not sure if this existed or has cropped up, so to speak. I am not sure what to do at this point, but I cannot back up the Domain Controller Group Policy due to an "invalid pointer", but I have backed up the Domain Group Policy. There is nothing of value in the DGP but a good bit of entry used on the DCGP. Any last thoughts? I wanted to thank you for your time since I have received no other help from any other site. Thanks!

Try running DCDIAG /fix and NETDIAG /fix.

I'd have to see this now to be of further use - we've covered everything I can think of without me trolling around the server myself.

jflynt (ASKER)

Here it is. Seems everything is correct; I just cannot save changes to edits on default policies.


C:\>dcdiag /fix

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\EXCH2K3
      Starting test: Connectivity
         ......................... EXCH2K3 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\EXCH2K3
      Starting test: Replications
         ......................... EXCH2K3 passed test Replications
      Starting test: NCSecDesc
         ......................... EXCH2K3 passed test NCSecDesc
      Starting test: NetLogons
         ......................... EXCH2K3 passed test NetLogons
      Starting test: Advertising
         ......................... EXCH2K3 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... EXCH2K3 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... EXCH2K3 passed test RidManager
      Starting test: MachineAccount
         ......................... EXCH2K3 passed test MachineAccount
      Starting test: Services
         ......................... EXCH2K3 passed test Services
      Starting test: ObjectsReplicated
         ......................... EXCH2K3 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... EXCH2K3 passed test frssysvol
      Starting test: frsevent
         ......................... EXCH2K3 passed test frsevent
      Starting test: kccevent
         ......................... EXCH2K3 passed test kccevent
      Starting test: systemlog
         ......................... EXCH2K3 passed test systemlog
      Starting test: VerifyReferences
         ......................... EXCH2K3 passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : tiftcounty
      Starting test: CrossRefValidation
         ......................... tiftcounty passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... tiftcounty passed test CheckSDRefDom

   Running enterprise tests on : tiftcounty.org
      Starting test: Intersite
         ......................... tiftcounty.org passed test Intersite
      Starting test: FsmoCheck
         ......................... tiftcounty.org passed test FsmoCheck

C:\>netdiag /fix

....................................

    Computer Name: EXCH2K3
    DNS Host Name: EXCH2K3.tiftcounty.org
    System info : Microsoft Windows Server 2003 R2 (Build 3790)
    Processor : x86 Family 15 Model 4 Stepping 3, GenuineIntel
    List of installed hotfixes :
        KB921503
        KB925398_WMP64
        KB925902
        KB926122
        KB927891
        KB928090-IE7
        KB929123
        KB929969
        KB930178
        KB931768-IE7
        KB931784
        KB931836
        KB932168
        KB933360
        KB933566-IE7
        KB933854
        KB935839
        KB935840
        KB935966
        KB936021
        KB936357
        KB936782
        KB937143-IE7
        KB938127-IE7
        KB940122
        Q147222


Netcard queries test . . . . . . . : Passed



Per interface results:

    Adapter : TIFT LAN PRIMARY

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : EXCH2K3.tiftcounty.org
        IP Address . . . . . . . . : 172.16.0.23
        Subnet Mask. . . . . . . . : 255.255.240.0
        Default Gateway. . . . . . : 172.16.0.1
        Dns Servers. . . . . . . . : 172.16.0.23


        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Failed
            No gateway reachable for this adapter.

        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.

        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interface.


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{3498DB73-AB23-4CAB-AAD4-4072BB03AE7B}
    1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Failed

    [FATAL] NO GATEWAYS ARE REACHABLE.
    You have no connectivity to other network segments.
    If you configured the IP protocol manually then
    you need to add at least one valid gateway.


NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server '172.16.0.23' and other DCs also have some of the names registered.


Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{3498DB73-AB23-4CAB-AAD4-4072BB03AE7B}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{3498DB73-AB23-4CAB-AAD4-4072BB03AE7B}
    The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Skipped


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
    No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed information


The command completed successfully

C:\>
[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
[WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.

Those errors tell me that you have 2 NICs in this server and the LAN-facing NIC is not at the top of the binding order.

Place this inside NIC at the top of the binding order and reboot.
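The two warnings quoted in the reply above sit under a test that netdiag reports as Passed, so scanning only for "Failed" would skip them. As an added example (not part of the original thread), this Python sketch triages netdiag-style output and attaches each [WARNING]/[FATAL] line to the test printed before it. The sample is an abridged excerpt of the output posted above, and the function names are assumptions of this example.

```python
import re

# Abridged excerpt of the netdiag output posted above, embedded so this runs offline.
SAMPLE = """\
    Adapter : TIFT LAN PRIMARY

        Netcard queries test . . . : Passed

        Default gateway test . . . : Failed
            No gateway reachable for this adapter.

        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.

Global results:

Default gateway test . . . . . . . : Failed

    [FATAL] NO GATEWAYS ARE REACHABLE.

DNS test . . . . . . . . . . . . . : Passed
"""

ADAPTER = re.compile(r"^\s*Adapter\s*:\s*(.+?)\s*$")
RESULT = re.compile(r"^\s*(?P<test>.+? test)[\s.]*:\s*(?P<status>Passed|Failed|Skipped)\s*$")
FLAG = re.compile(r"^\s*\[(?P<level>WARNING|FATAL)\]\s*(?P<text>.+?)\s*$")

def triage(text):
    """Return (scope, test, status, note) for each failed test and each flagged line."""
    findings, scope, last = [], "global", None
    for line in text.splitlines():
        if (m := ADAPTER.match(line)):
            scope = m.group(1)                      # per-interface section
        elif line.strip() == "Global results:":
            scope = "global"
        elif (m := RESULT.match(line)):
            last = (m["test"], m["status"])
            if m["status"] == "Failed":
                findings.append((scope, m["test"], "Failed", ""))
        elif (m := FLAG.match(line)) and last:
            # A flag belongs to the test printed just before it, whatever its status.
            findings.append((scope, *last, f'{m["level"]}: {m["text"]}'))
    return findings

def passed_but_flagged(findings):
    """Tests that report Passed yet carry a warning; a Failed-only filter misses these."""
    return [f for f in findings if f[2] == "Passed" and f[3]]

if __name__ == "__main__":
    for scope, test, status, note in triage(SAMPLE):
        print(f"[{scope}] {test}: {status} {note}".rstrip())
```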
Avatar of jflynt

ASKER

Binding order looks correct. One off is 1, one on is 0? Does 0 not count?
Avatar of jflynt

ASKER

I have that corrected. I was thinking of something else. It was not in first place, as you indicated. I am to the point that if you want to look, I will let you. I had no errors except for one server on gpotool, and now all of the servers show a mismatch on the domain controller policy and still only the one of domain policy. Both policies are linked, as I assume they should be, and nothing has changed to my knowledge. I can look at GPOs, I can add and delete GPOs, but I cannot save changes to any GPO. Do I need to call Microsoft or just start over?
I can take a look tonight.

If you'd prefer, you can call MS PSS - it's $249 for one incident and they'll work it to completion.

I wouldn't start over - this should be fixable.

Avatar of jflynt

ASKER

I wanted to thank you for your time. I understand how valuable someone's time is and I want you to know I appreciate this. It seems lately the little problems take all the time, but that's the nature of the beast. Thank you.
Avatar of jflynt

ASKER

Just FYI. Microsoft couldn't fix this either. They ended up demoting the machine, transferring the PDC functions to another machine, and only after promoting this machine back were we able to edit GPO. He worked on it for two days and 15 hours before giving up. Thanks!
I'm glad to hear they were as stumped as I was.

Also glad to hear it's fixed.