Solved

1058 & 1030 UserEnv Errors

Posted on 2007-11-27
4
1,558 Views
Last Modified: 2008-05-31
I've been experiencing a lot of 1058 and 1030 errors with USERENV as the source in the event logs of two servers.  They just started to appear at random, about a week apart from each other. There have been no changes that have been made that I am aware of.

Im running a Win2k3 R2 environment with 5 DC.  They are all connected via a MPLS network.  All 3 of the other DCs are not having any issues in the event logs.  The clients appear to be working fine without any issues.

After a fresh restart I am able to access both \\domain\sysvol and \\server\sysvol of both servers without any issues.  After they have been up and running for approximately 15-20 minutes I can no longer access the \\domain\sysvol share.  This is when the errors in the eventlog  show up.

On either server having issues when I ping the domain it resolves the IP address of the local DC. If I ping the server it resolves to the same address.  

If I open Default Domain Controller Security Settings within the first 15-20 minutes it opens properly.  After that it will come up with an error saying, 'Failed to open Group Policy object. You may not have appropriate permissions.'

I have no idea where to go from here; any help would be greatly appreciated.

Thanks,
Joe
0
Comment
Question by:DCTIT
  • 2
  • 2
4 Comments
 
LVL 3

Accepted Solution

by:
l84work earned 500 total points
Comment Utility
These are difficult to troubleshoot because they could be caused by a lot of things.

1.  Are you experiencing any replication problem?  
     a. Run Repadmin /replsum to see if there are any replication issues.
     b. Run FRSDIAG on each DC.  It should tell you if the sysvol is healthy or not.  
     c. Test your NIC card and/or patch cable.  Run netdiag and dcdiag.

2.  You may need to do a D2 SYSVOL restore.  This procedure is very simple to do, and it will replicate everything from the SYSVOL of a known good DC to the problem DC.  You should try this first.  However, it should be done during off peak hours and make sure no one is making changes to the GPOs.

http://technet2.microsoft.com/windowsserver/en/library/58e20fae-0a9a-4563-bed8-5a8e570432d71033.mspx?mfr=true
**  You need to make sure the source DC is one of the DCs that is not experiencing any problem.
**  I would do this anyway, just to make sure SYSVOL is healthy.

3.  Check for Duplicate NTFRS subscriber object under the computer object of the problem domain controller.  This is rare, but it does happen if the DC was demoted and re-promoted again.  To find the subscriber object, open dsa.msc, enable "view objects as folders".  Then browse to the domain controller container, and expanded the problem DC's computer object.  
!!!  If there are duplicates, don't just delete one of them.  Make sure you identify the one that's being used by the DC (object modification date stamp).  

4.  'Failed to open Group Policy object. You may not have appropriate permissions.'  
  Does this happen on all DCs?  are you using GPMC from your workstation?  Point your GPMC to a different DC.  This maybe related to the SYSVOL not available after 15-20 minutes issue.  This message does not indicate you don't have right (almost never does).  It usually means your GPMC can't open the policy.

5.  Did you run disk frag (not AD online/offline defrag) on any DCs?  this is not recommended.  

6.  Lastly, can you demote and promote the problem DCs (make sure to delete the subscriber object after demote).  
0
 

Author Comment

by:DCTIT
Comment Utility
I84,

Thanks for your reply,

I went through and tried the repadmin /replsummary and it showed that there were no fails with any of the servers. I also ran the FRSdiag and it found a few errors. I posted the summary below.

I haven't got a chance to try the D2 SYSVOL restore.  I'm going to wait for after hours for that.

I checked all of the DCs and non of them have duplicate NTFRS Subscriptions. That appears fine and none of them have been demoted and repromoted recently.

When I try to open the Domain Controller Security Policy it is from the DC itself. If I open it within 15-20 minutes of the server being restarted it opens just fine but afterwards it will give me the permissions error.
If I do open Group Policy Management Console form the server it can see all of the policies and I'm able to view the settings on them, it does seem to take quite awhile to open them up though (as if it might be pulling them from another DC).

I have not ran any disk defrag on any of the DCs.

I will be able to do a demote/promote this weekend on the servers.  Do you know of by chance a place for best practices on that, i.e. times to wait before removing the subscriber object after demote, how long to wait before promoting the server again,etc).

Here is the summary from the FRSdiag utility.

Checking for errors/warnings in FRS Event Log .... passed
Checking for errors in Directory Service Event Log .... passed
Checking for minimum FRS version requirement ... passed
Checking for errors/warnings in ntfrsutl ds ... passed
Checking for Replica Set configuration triggers... passed
Checking for suspicious file Backlog size... passed
Checking Overall Disk Space and SYSVOL structure (note: integrity is not checked)... passed
Checking for suspicious inlog entries ... passed
Checking for suspicious outlog entries ...
      ERROR: 98.77% (80 out of 81) of your outlog contains Security ACL events.
      See KB articles below for further information:
            279156 - The Effects of Setting the File System Policy on a Disk Drive or Folder
            284947 - Antivirus Programs May Modify Security Descriptors and Cause Excessive Replication of FRS Data in Sysvol and DFS
 ......... failed
Checking for appropriate staging area size ... passed
Checking for errors in debug logs ...
      ERROR on NtFrs_0002.log : "EPT_S_NOT_REGISTERED(This may indicate that DNS returns the IP address of the wrong computer. Check DNS records being returned, Check if FRS is currently running on the target server. Check if Ntfrs is registered with the End-Point-Mapper on target server!)" : <SndCsMain:                     2120:   883: S0: 05:00:35> ++ ERROR - EXCEPTION (000006d9) :  WStatus: EPT_S_NOT_REGISTERED
      ERROR on NtFrs_0002.log : "EPT_S_NOT_REGISTERED(This may indicate that DNS returns the IP address of the wrong computer. Check DNS records being returned, Check if FRS is currently running on the target server. Check if Ntfrs is registered with the End-Point-Mapper on target server!)" : <SndCsMain:                     2120:   884: S0: 05:00:35> :SR: Cmd 03793fd0, CxtG ab42f06b, WS EPT_S_NOT_REGISTERED, To   server.domain Len:  (690) [SndFail - rpc exception]
      ERROR on NtFrs_0002.log : "EPT_S_NOT_REGISTERED(This may indicate that DNS returns the IP address of the wrong computer. Check DNS records being returned, Check if FRS is currently running on the target server. Check if Ntfrs is registered with the End-Point-Mapper on target server!)" : <SndCsMain:                     2120:   904: S0: 05:00:35> :SR: Cmd 03793fd0, CxtG ab42f06b, WS EPT_S_NOT_REGISTERED, To   server.domain Len:  (690) [SndFail - Send Penalty]

      Found 3 EPT_S_NOT_REGISTERED error(s)! Latest ones (up to 3) listed above

 ......... failed with 3 error entries
Checking NtFrs Service (and dependent services) state...
      ERROR : Required Service not Running : "Distributed File System" is currently "Stopped"
 ......... failed 1
Checking NtFrs related Registry Keys for possible problems...passed
Checking Repadmin Showreps for errors...passed


Final Result = failed with 5 error(s)

I really apprecaite your help with this issue.

Thanks,
Joe
0
 

Author Comment

by:DCTIT
Comment Utility
I went through and took a look at something and I can't believe I missed it but the distributed file system service was disabled.  (I must have mistaken that for the DFS service we have running).

As soon as I started the distributed file system service the errors went away.

Thanks I84 for taking the time for to reply. I'm going to award you the points for helping.

-Joe
0
 
LVL 3

Expert Comment

by:l84work
Comment Utility
What about the message "'Failed to open Group Policy object. You may not have appropriate permissions"?  This is a strange one.  Especially if you are running GPMC on the DC directly.  How many GPOs do you have?  Try to remove unused ADMs.   I am curious if this is causing slowness in your GPMC.  

*  As suggested by FRSDIAG report, make sure your antivirus program does not scan SYSVOL.  This is not something to be taken lightly, it will trigger replication.

*  Use SONAR to monitor your FRS.  It's a pretty good tool to have.  It's part of  the resource kit.
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

My last post dealt with using group policy preferences to set file associations, a very handy usage for a GPP. Today I am going to share another cool GPP trick, this may be a specific scenario but I run into these situations frequently in my activit…
I know all systems administrator at some time or another has had to create a script to copy file from a server share to a desktop. Well now there is an easy way to do this in Group Policy. Using Group policy preferences is not hard. The first thing …
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now