Solved

Server stops responding to GPO/ Active Directory Requests after 1030 1058

Posted on 2007-11-29
Last Modified: 2008-05-31
After logging the errors below I was unable to log onto our server directly. This has happened twice in the last week. Users were not able to authenticate or log on to the domain. We did a force restart each time which corrected the problem.


Event Type:      Error
Event Source:      Userenv
Event Category:      None
Event ID:      1058
Date:            11/28/2007
Time:            11:29:40 AM
User:            NT AUTHORITY\SYSTEM
Computer:      SERVER
Description:
Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=SBV,DC=local. The file must be present at the location <\\SBV.local\sysvol\SBV.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied. ). Group Policy processing aborted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type:      Error
Event Source:      Userenv
Event Category:      None
Event ID:      1030
Date:            11/28/2007
Time:            11:29:40 AM
User:            NT AUTHORITY\SYSTEM
Computer:      SERVER
Description:
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Question by:hw_tech
7 Comments
 
LVL 38

Expert Comment

by:ChiefIT
ID: 20374691
This could be caused by a number of problems:

DFS problem:
http://support.microsoft.com/default.aspx?scid=kb;en-us;314494

DNS problem:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2000_Server/Q_22935596.html

Networking problem:
The DNS settings are not in the router or the TCP/IP stack of the domain controller becomes disabled.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 20374721
With that said:

I think there is more to this issue than this. Since you can't log onto the server remotely, it sounds like your TCP/IP stack is being interfered with or is shutting down. But you should see more problems than just events 1030 and 1058. I would look for more clues in event viewer and DCdiag reports to see if you can further pinpoint the issue.

One of the causes of your problem is when you use dual NICs. Dual NICs can give the appearance of working well for a while and then shut themselves down, if not configured right. Are you using dual NICs?
0
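An added example, not part of the original thread: one way to follow the suggestion above and look for more clues around each Userenv 1058 in a text export of the event log. The function names, the 10-minute look-back window and the `ExampleSvc` 9001 record are assumptions made for this sketch; only the Userenv 1058 text comes from the question.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of the export quoted in the question. The
# Userenv 1058 record is abridged from it; "ExampleSvc" 9001 is a made-up neighbour.
SAMPLE = r"""Event Type:      Warning
Event Source:      ExampleSvc
Event ID:      9001
Date:            11/28/2007
Time:            11:27:02 AM
Description:
Constructed placeholder event logged shortly before the failure.

Event Type:      Error
Event Source:      Userenv
Event ID:      1058
Date:            11/28/2007
Time:            11:29:40 AM
Description:
Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=SBV,DC=local. The file must be present at the location <\\SBV.local\sysvol\SBV.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
"""

def parse_events(text):
    """Split the text export into dicts: source, id, when, desc."""
    events = []
    for rec in re.split(r"\n(?=Event Type:)", text.strip()):
        head, _, desc = rec.partition("Description:")
        f = dict(re.findall(r"^(?:Event )?(\w+):[ \t]+(.+)$", head, re.M))
        when = datetime.strptime(f"{f['Date']} {f['Time']}", "%m/%d/%Y %I:%M:%S %p")
        events.append({"source": f["Source"], "id": int(f["ID"]), "when": when, "desc": desc.strip()})
    return events

def triage(events, window=timedelta(minutes=10)):
    """Per Userenv 1058: GPO GUID, SYSVOL path, and events logged just before it."""
    findings = []
    for ev in events:
        if (ev["source"], ev["id"]) != ("Userenv", 1058):
            continue
        guid = re.search(r"CN=(\{[0-9A-Fa-f-]{36}\})", ev["desc"])
        path = re.search(r"<(\\\\[^>]+)>", ev["desc"])
        near = [(o["source"], o["id"]) for o in events
                if o is not ev and timedelta(0) <= ev["when"] - o["when"] <= window]
        findings.append({"gpo": guid.group(1) if guid else None,
                         "path": path.group(1) if path else None, "preceded_by": near})
    return findings

if __name__ == "__main__":
    for finding in triage(parse_events(SAMPLE)):
        print(finding)
```

The `preceded_by` list is where network, DNS or replication events logged just before the Group Policy failure would show up when the script is fed a full export.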
 

Author Comment

by:hw_tech
ID: 20375115
We do have dual NICs on the server. One NIC is set up as an outgoing WAN NIC and is connected to the firewall/router/internet. The other NIC is set up to face our internal network. DNS requests from client computers are set to route through this server. We were able to access the internet during this time, but several computers appeared hung when using server products like Exchange, logging onto the domain, etc.

The errors above were logged on the server, not on the client computers.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 20375487
I think that's your problem. It sounds like you are trying to use your dual NICs as sort of a router. What happens is the server loses track of who it is. Example: is it 10.11.12.13 or 10.11.12.14?

A server with dual NICs is usually for multi-homed domains, or to act as a router. It is sometimes used for load balancing. But, unless you have 400 or more nodes on the network and use the dual NICs for load balancing or something else, I recommend you disable NIC 2, and work off NIC 1.

Using the router's IP will transfer packets to the router and out to the network. That's the deceiving portion of a dual NIC configuration. You don't need one NIC for the clients and the other for the router.

So, you should assess the need for your second NIC before disabling the second NIC. These are the types of questions you should be asking yourself when assessing the need:

1) Do I have a multi-homed domain?
2) Do I need to balance the load and have too many nodes on the network for a single NIC to work?
3) Do I use the second NIC to make my server act as a router?
0
 

Author Comment

by:hw_tech
ID: 20402697
We are using our dual-NICs as a router. If we assume that we want to keep it that way, how should this be configured? What are the pitfalls with this? This problem just recently started happening even though we haven't changed the configuration, so what could have changed to make us start having this problem?
0
 
LVL 38

Accepted Solution

by:
ChiefIT earned 500 total points
ID: 20404072
As you are running into, dual NICs can tax a server and shut down the TCP/IP stacks on one or both NICs. NIC conflicts can do odd things to a server and its domain function. Even if configured correctly, it can provide a level of security that falls short of a hardware router. Hardware routers have Network Address Translation (NAT) prior to getting to the server. That NAT closes ports that attackers can use to attack your server. Some will argue with me about this, but using two NICs as a router taxes the system and can subject your computer to attacks.

Taxing your server:
Routers are responsible for relaying DHCP from/to client and server.
Routers are responsible for relaying DNS from/to client and server.
Routers are responsible for relaying outside DNS queries to websites.
Servers are responsible for doling out DHCP.
Servers dole out DNS.
Servers are sometimes used for mail and file servers.

All of this uses up system resources. Hopefully this gives you an idea of how much traffic your server is handling while configured as a router.

Security:
If you want to see what is open to the outside world, Google search "Shields Up". The GRC website offers a shields up and will tell you what outside attackers have access to on your server. In a few minutes you can see how many open ports two NICS will provide. A hardware router NAT will have all ports as stealth.

For about 40 dollars you can get a little Linksys router at the local computer store. It will take some pressure off your server and should resolve conflicts. Now, if you go this way, there will be metadata of the NIC card used for the WAN side of the server. I can help guide you through the metadata and removing it if you choose to go to a hardware router.

Bottom Line: I am a firm advocate of a hardware router.
___________________________________________________________________

If you choose to remain with a dual nic card as your router there are websites that tell you how to configure this to work. Now much of this will also depend on your topology. It sounds like you are trying to use dual NICS as a form of Network Address Translation to protect your clients from the Internet. So, a lot of things rely upon your software firewall on that server. Here are a couple links to help with using a 2003 server as a router.

2003 server as a router:
http://support.microsoft.com/kb/837453

2003 VPN server as a router:
http://support.microsoft.com/kb/816573

Other good resources would be found by Google searching: "Configuring RRAS for NAT"
0
 

Author Comment

by:hw_tech
ID: 20405014
I will read and follow up on this. Thanks for your help
0
