Solved

Server stops responding to GPO/ Active Directory Requests after 1030 1058

Posted on 2007-11-29
Last Modified: 2008-05-31
After logging the errors below I was unable to log onto our server directly. This has happened twice in the last week. Users were not able to authenticate or log on to the domain. We did a force restart each time which corrected the problem.


Event Type:      Error
Event Source:      Userenv
Event Category:      None
Event ID:      1058
Date:            11/28/2007
Time:            11:29:40 AM
User:            NT AUTHORITY\SYSTEM
Computer:      SERVER
Description:
Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=SBV,DC=local. The file must be present at the location <\\SBV.local\sysvol\SBV.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied. ). Group Policy processing aborted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type:      Error
Event Source:      Userenv
Event Category:      None
Event ID:      1030
Date:            11/28/2007
Time:            11:29:40 AM
User:            NT AUTHORITY\SYSTEM
Computer:      SERVER
Description:
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Question by:hw_tech
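
Added example, not part of the original thread: the 1030 event says to look for earlier messages from the policy engine, which here is the 1058 logged in the same second. This Python sketch parses event text pasted in the layout shown above, pairs each 1030 with a nearby 1058, and extracts the SYSVOL host and GPO GUID; `parse_events`, `correlate` and the 5-second window are names and values chosen for this example.

```python
import re
from datetime import datetime

# Constructed sample in the question's layout (descriptions shortened).
SAMPLE = r"""Event Type:      Error
Event Source:      Userenv
Event ID:      1058
Date:            11/28/2007
Time:            11:29:40 AM
Description:
Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=SBV,DC=local. The file must be present at the location <\\SBV.local\sysvol\SBV.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.

Event Type:      Error
Event Source:      Userenv
Event ID:      1030
Date:            11/28/2007
Time:            11:29:40 AM
Description:
Windows cannot query for the list of Group Policy objects.
"""

FIELD = re.compile(r"^(Event ID|Event Source|Date|Time):[ \t]+(.*)$", re.M)
UNC = re.compile(r"<\\\\([^\\]+)\\sysvol\\[^>]*\\(\{[0-9A-Fa-f-]{36}\})\\gpt\.ini>")

def parse_events(text):
    """Split pasted Event Viewer text into one dict per record."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        f = {k: v.strip() for k, v in FIELD.findall(chunk)}
        if "Event ID" not in f:
            continue  # leading empty chunk or unrelated text
        ev = {"id": int(f["Event ID"]), "source": f.get("Event Source", "")}
        ev["when"] = datetime.strptime(f'{f["Date"]} {f["Time"]}', "%m/%d/%Y %I:%M:%S %p")
        m = UNC.search(chunk)
        if m:  # only 1058 carries the gpt.ini path
            ev["unc_host"], ev["gpo_guid"] = m.group(1), m.group(2)
        events.append(ev)
    return events

def correlate(events, window_s=5):
    """Pair each Userenv 1030 with a 1058 logged within window_s seconds."""
    userenv = [e for e in events if e["source"] == "Userenv"]
    return [(e["when"], c.get("unc_host"), c.get("gpo_guid"))
            for e in userenv if e["id"] == 1030
            for c in userenv if c["id"] == 1058
            and abs((e["when"] - c["when"]).total_seconds()) <= window_s]
```

For the posted events the extracted host is the domain name `SBV.local` rather than the server name, so reaching gpt.ini depends on that name resolving correctly from the server itself.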
Expert Comment

by:ChiefIT
ID: 20374691
This could be caused by a number of problems:

DFS problem:
http://support.microsoft.com/default.aspx?scid=kb;en-us;314494

DNS problem:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2000_Server/Q_22935596.html

Networking problem:
The DNS settings are not in the router or the TCP/IP stack of the domain controller becomes disabled.

Expert Comment

by:ChiefIT
ID: 20374721
With that said:

I think there is more to this issue than this. Since you can't log onto the server remotely, it sounds like your TCP/IP stack is being interfered with or is shutting down. But you should see more problems than just events 1030 and 1058. I would look for more clues in event viewer and DCdiag reports to see if you can further pinpoint the issue.

One of the causes of your problem is when you use dual NICs. Dual NICs can give the appearance of working well for a while and then shut themselves down, if not configured right. Are you using dual NICs?

Author Comment

by:hw_tech
ID: 20375115
We do have dual NICs on the server. One NIC is set up as an outgoing WAN NIC and is connected to the firewall/router/internet. The other NIC is set up to face our internal network. DNS requests from client computers are set to route through this server. We were able to access the internet during this time, but several computers appeared hung when using server products like Exchange, logging onto the Domain, etc.

The errors above were logged on the server, not on the client computers.

Expert Comment

by:ChiefIT
ID: 20375487
I think that's your problem. It sounds like you are trying to use your dual NICs as a sort of router. What happens is the server loses track of who it is. Example: is it 10.11.12.13 or 10.11.12.14?

A server with dual NICs is usually for multi-homed domains, or to act as a router. It is sometimes used for load balancing. But, unless you have 400 or more nodes on the network and use the dual NICs for load balancing or something else, I recommend you disable NIC 2, and work off NIC 1.

Using the router's IP will transfer packets to the router and out to the network. That's the deceiving portion of a dual NIC configuration. You don't need one NIC for the clients and the other for the router.

So, you should assess the need for your second NIC before disabling the second NIC. These are the types of questions you should be asking yourself when assessing the need:

1) Do I have a multi-homed domain?
2) Do I need to balance the load and have too many nodes on the network for a single NIC to work?
3) Do I use the second NIC to make my server act as a router?

Author Comment

by:hw_tech
ID: 20402697
We are using our dual-NICs as a router. If we assume that we want to keep it that way, how should this be configured? What are the pitfalls with this? This problem just recently started happening even though we haven't changed the configuration, so what could have changed to make us start having this problem?

Accepted Solution

by:
ChiefIT earned 500 total points
ID: 20404072
As you are running into, dual NICs can tax a server and shut down the TCP/IP stacks on one or both NICs. NIC conflicts can do odd things to a server and its domain function. Even if configured correctly, it can provide a level of security that falls short of a hardware router. Hardware routers have Network Address Translation (NAT) prior to getting to the server. That NAT closes ports that attackers can use to attack your server. Some will argue with me about this, but using two NICs as a router taxes the system and can subject your computer to attacks.

Taxing your server:
Routers are responsible for relaying DHCP from/to client and server.
Routers are responsible for relaying DNS from/to client and server.
Routers are responsible for relaying outside DNS queries to websites.
Servers are responsible for doling out DHCP.
Servers dole out DNS.
Servers are sometimes used for mail and file servers.

All of this uses up system resources. Hopefully this gives you an idea of how much traffic your server is handling while configured as a router.

Security:
If you want to see what is open to the outside world, Google search "Shields Up". The GRC website offers a Shields Up and will tell you what outside attackers have access to on your server. In a few minutes you can see how many open ports two NICs will provide. A hardware router NAT will have all ports as stealth.

For about 40 dollars you can get a little Linksys router at the local computer store. It will take some pressure off your server and should resolve conflicts. Now, if you go this way, there will be metadata of the NIC card used for the WAN side of the server. I can help guide you through the metadata and removing it if you choose to go to a hardware router.

Bottom Line: I am a firm advocate of a hardware router.
___________________________________________________________________

If you choose to remain with a dual NIC card as your router there are websites that tell you how to configure this to work. Now much of this will also depend on your topology. It sounds like you are trying to use dual NICs as a form of Network Address Translation to protect your clients from the Internet. So, a lot of things rely upon your software firewall on that server. Here are a couple of links to help with using a 2003 server as a router.

2003 server as a router:
http://support.microsoft.com/kb/837453

2003 VPN server as a router:
http://support.microsoft.com/kb/816573

Other good resources would be found by Google searching: "Configuring RRAS for NAT"

Author Comment

by:hw_tech
ID: 20405014
I will read and follow up on this. Thanks for your help