Solved

How do I fix Event ID 1097 and 1030 on Windows Server 2003 Domain Controllers

Posted on 2007-12-06
23
1,507 Views
Last Modified: 2008-11-01
I have a parent domain with 2 child domains.  I ran Forest Prep and Domain Prep.  Everything was fine.  I promoted a Windows Server 2003 to become the first Windows 2003 Domain Controller in the Parent Domain and installed DNS on it.  I did the same for the 2 child domains.  I noticed that event IDs 1097 and 1030 with Source: Userenv keep popping up in the event log whenever I reboot these 3 Windows 2003 Domain Controllers.
Event id 1097: Windows cannot find the machine account, The Local Security Authority cannot be contacted.
Event id 1030: Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.
There is no error running dcdiag, netdiag, repadmin...
0
Question by:contactmetoo
23 Comments
 

Author Comment

by:contactmetoo
ID: 20421826
I wonder whether this error is due to the difference between the two group policies (Windows 2000 and 2003)???  It might go away after all the Domain Controllers are upgraded to Windows 2003???
0
 

Author Comment

by:contactmetoo
ID: 20421899
Well, I just checked my test environment with similar setup, and the same error shows up even though all the Domain Controllers are running Windows 2003 SP1.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 20425854
Bringing a new server on board requires that you register the DNS Host A record with the local machine and force replicate that to other DCs on the local domain.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 20425858
With that said, a network diag or DCdiag report should show you some errors on that machine. If you see something like DCgetDCname error on the domain controller, then most likely the above fix applies.
0
 

Author Comment

by:contactmetoo
ID: 20449663
It doesn't show any errors in Netdiag and DCDiag.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 20450059
Can you replicate between DCs?
0
 

Author Comment

by:contactmetoo
ID: 20450768
Yes!  No replication error when running repadmin /replsum /bysrc /bydest /sort:delta
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 20454050
After replication, are you still having issues?
0
 

Author Comment

by:contactmetoo
ID: 20454844
Yes!  There is no error in the event log on all the domain controllers except event id 1030 and 1097 (only when they are rebooted).
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 20455422
OK have you viewed this article?

http://support.microsoft.com/?id=832215
0
 

Author Comment

by:contactmetoo
ID: 20471226
I did view this article before putting my question on this site.  It does not apply to us.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 20472149
Have you registered the server's IP in DNS and replicated that data to the other servers? If you have not, your DCdiag reports should look pretty clean with the exception of two errors. One will say something like DCgetDCname failure, the other I think is a replication error.

Try to register your DNS setting with the local server and replicate from that server to the other servers.

Go into the command prompt, type ipconfig /registerdns. That will register it locally. Type net stop netlogon, then type net start netlogon. After resetting netlogon, force replicate from that server to the other one.

Sometimes communications between DC's need a little kick start.
0
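The registration, Netlogon restart and forced replication described above, scripted as an added example with the verification steps a defender would want afterwards. This is not the poster's code: it assumes PowerShell is installed on the Windows Server 2003 DC, that the Support Tools (repadmin, dcdiag, nltest) are present, and that `$Domain` is a placeholder for the DNS name of the domain the DC serves.

```powershell
# Added example (not from the thread): re-register this DC's DNS records,
# restart Netlogon so it re-registers its SRV records, force replication,
# then verify with nltest and dcdiag. Run in an elevated prompt on the DC.
# Assumes the Windows Server 2003 Support Tools (repadmin, dcdiag, nltest)
# are installed and PowerShell is available on the server.

param(
    # Assumption: DNS name of the domain this DC serves (placeholder value)
    [string]$Domain = "child1.example.local"
)

function Assert-Ok([string]$Step) {
    # Native tools report failure through their exit code, not exceptions.
    if ($LASTEXITCODE -ne 0) {
        Write-Warning ("{0} returned exit code {1}" -f $Step, $LASTEXITCODE)
    }
}

# 1. Register the host (A) record for this server with its DNS server.
ipconfig /registerdns | Out-Null
Assert-Ok "ipconfig /registerdns"

# 2. Bounce Netlogon; on start it re-registers the DC's SRV/CNAME records.
Restart-Service -Name Netlogon -Force
# Give Netlogon a moment to write the _ldap/_kerberos records before replicating.
Start-Sleep -Seconds 15

# 3. Push replication from this DC to all partners, all naming contexts,
#    across sites (/A all partitions, /d show DNs, /e enterprise, /P push).
repadmin /syncall /AdeP
Assert-Ok "repadmin /syncall"

# 4. Verify: the locator must be able to find a DC for the domain.
#    A failure here is the DsGetDcName error mentioned in the thread.
nltest "/dsgetdc:$Domain" /force
Assert-Ok "nltest /dsgetdc"

# 5. Verify DNS registration and replication health in one pass.
dcdiag /test:dns /test:replications
Assert-Ok "dcdiag"
```

The verification steps matter more than the restart itself: a clean nltest lookup and dcdiag run after the bounce is what distinguishes a stale DNS registration (which this procedure fixes) from the situation the poster describes, where DNS and replication are already clean and the events persist.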
 

Author Comment

by:contactmetoo
ID: 20475381
There are no DNS errors.  The servers' IPs are in all DNS.  There is no replication error or issue.  I don't think it has to do with DNS.  I think it has to do with group policy.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 20476098
Yet another article on this error:
http://www.jsifaq.com/SF/Tips/Tip.aspx?id=7561

0
 

Author Comment

by:contactmetoo
ID: 20477917
I rebooted only one domain controller at a time.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 20507537
Hmm, no errors reported, yet you can't see the servers.

This sounds like a temporary pause of the Netlogon service. But, there will be File Replication Errors, when this happens unless you are not catching the pause in time.

Netlogon will pause if there is an overload on the NIC. Sometimes improperly configured dual NICS will cause this. Sometimes, a software firewall, like ISA will not allow two way communications and block important netlogon functions.

Let me see what I can find that will pause the netlogon service in 2003 server:

I don't think this is your issue:
http://support.microsoft.com/kb/889655

Maybe concentrating efforts on the server is not focusing on the broad issue. Have you looked for netlogon service errors on the clients that are having difficulties? Maybe the clients are having Netlogon issues.

I mentioned above, Netlogon may be having difficulties communicating due to a firewall. Let's eliminate that possibility. Are you using ISA firewall for clients and servers? Let's eliminate the possibility of an undersized OS partition. Does your OS partition have more than 512 Mb left for Netlogon propagation? Let's also eliminate an overload of the NIC. How many nodes do you have and what functions do the servers provide to the clients? Example: 150 nodes WSUS, AD, DNS, DHCP, File Server, Printing, Terminal server?

Once these have been eliminated, you may wish to look at networking. The server thinks everything is good. Otherwise you would be getting errors in event viewer, DCdiag and Netdiag. In your case, this doesn't seem to be the problem. Maybe you are using dumb switches and routers. Cisco routers and switches usually come unconfigured. Cisco has two quirks. One is the mode of operation and the second is Spanning Tree Portfast. Both of these can pose problems on your network and give the appearance that the DC is happy and running well. Let's eliminate these possibilities with a simple question. Are you using Cisco routers and switches? NOTE: if this is in fact your problem, you will have intermittent problems with internet and contact with any computers inside or outside the domain.
0
 

Author Comment

by:contactmetoo
ID: 20508468
I can see all the servers, workstations and DCs.  There is no replication error.  I ran dcdiag, repadmin, netdiag.  There is no error.  There is no intermittent disconnection on any client(s).  There are no intermittent problems with internet and contact with any computers inside or outside the domain.  There is no error in the event log about replication or anything except these two errors (1097 and 1030).

I have set up a similar environment in our lab (upgrading from Windows 2000 to Windows 2003 domain).  I experience the same error after upgrading the DCs.  The LAB environment does not have DHCP.  It does not connect to routers or switches.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 20518893
Is the domain, (not the lab environment), a multihomed domain and/or using dual nics?
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 20519005
Group policy is handled by a template. The majority of the template is registry keys that are passed down from server to client. So, there are not many pieces to the puzzle when troubleshooting GP.

The one piece you are having problems with is communicating with the server for the GP authority. Error 1097 says it can't find the GP authority.

1) This problem is usually caused by a non-registered DNS address of the server. DCdiag, Netdiag and troubled replication would reveal this problem. We ruled this out.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_21125628.html?sfQueryTermInfo=1+1030+1097+dn+event

2) Another would be a dual nic configuration or multi homed domain. Dual NICS can confuse the server unless properly configured. But, you should see more DCdiag, Netdiag, and event errors than what you are seeing.
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_21795210.html?sfQueryTermInfo=1+1097+author+cannot+contact+local+secur

3) A third is the router's list of DNS servers. The router is the middle man between clients and servers. There are two basic options with the router. One is a hardware router and the other is dual NICS on the server to make the server act as a router.  As an example of the router being a middle man I am going to use DHCP. A client that is elected to receive DHCP will send out a broadcast to the IP of 0.0.0.0 and subnet of 255.255.255.255 to the router. The router sends that to the server. The server sends that address to the router and passes it back to the client. DNS is sort of the same way. When the client is elected to automatically discover DNS servers on the LAN, it will go to the router and look up the list of available LAN DNS servers. You could make sure the list of available DNS servers has only your LAN DNS servers in it. Otherwise, you may show a clean server but can't communicate with it for DNS.

Since your clients are not experiencing intermittent comms, you have a relatively clean server of errors, and all you are having problems with are these two errors, I will have to research this a little further. You may be correct in thinking the templates of 2000 server are not compatible with 2003 server. I do know that 2003 server templates have more settings to propagate to the clients. So, the server may be confused in thinking there is a 2000 server administering GP. Or it may be confused about the SMB.

http://www.experts-exchange.com/Networking/WinNT_Networking/Q_20741667.html
0
 

Author Comment

by:contactmetoo
ID: 20520343
The issue is fixed.  A few days ago, I disabled SMB in one of the child domains, and the error no longer popped up in that domain.  So, I did the same for the other child domain and parent domain, and the problem is fixed.  Thanks for all your inputs.
0
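Because the thread's symptom was that 1030/1097 appeared only around reboots, a practitioner changing a setting as the poster did would want to confirm, across several boots, that the events have actually stopped and that none are occurring away from start-up. The following added PowerShell check (not from the thread) correlates each boot marker in the System log with Userenv 1030/1097 events in the Application log. It assumes PowerShell 2.0 or later is installed on the DC, local read access to the event logs, and placeholder parameter values.

```powershell
# Added example (not from the thread): after a configuration change, confirm
# across reboots that Userenv 1030/1097 no longer appear. Each boot is marked
# by System log event 6005 from source "EventLog" (event log service started);
# Userenv 1030/1097 events in the Application log within $WindowMinutes after
# a boot are counted per boot, and any outside every boot window are reported
# separately as a persistent (non start-up) problem.
# Assumes PowerShell 2.0+ on the DC; $ComputerName defaults to the local host.

param(
    [string]$ComputerName = $env:COMPUTERNAME,   # placeholder: DC to examine
    [int]$WindowMinutes = 15,                    # how long after boot counts as "at boot"
    [int]$Days = 7                               # look-back period
)

$since = (Get-Date).AddDays(-$Days)

# Boot markers: 6005 "The Event log service was started".
$boots = @(Get-EventLog -LogName System -ComputerName $ComputerName -After $since |
    Where-Object { $_.Source -eq 'EventLog' -and $_.EventID -eq 6005 } |
    Sort-Object TimeGenerated)

# The two Group Policy engine events reported in the question.
$gpErrors = @(Get-EventLog -LogName Application -ComputerName $ComputerName -After $since |
    Where-Object { $_.Source -eq 'Userenv' -and ($_.EventID -eq 1030 -or $_.EventID -eq 1097) })

function Test-InBootWindow($Event, $Boot) {
    # True when the event falls inside the window that follows this boot.
    $end = $Boot.TimeGenerated.AddMinutes($WindowMinutes)
    return ($Event.TimeGenerated -ge $Boot.TimeGenerated -and $Event.TimeGenerated -le $end)
}

# One row per boot: how many 1030 and 1097 events followed it.
$report = foreach ($boot in $boots) {
    $hits = @($gpErrors | Where-Object { Test-InBootWindow $_ $boot })
    New-Object PSObject -Property @{
        Boot      = $boot.TimeGenerated
        Count1030 = @($hits | Where-Object { $_.EventID -eq 1030 }).Count
        Count1097 = @($hits | Where-Object { $_.EventID -eq 1097 }).Count
    }
}

# Events outside any boot window are not a start-up race and need a
# different investigation than the one in this thread.
$persistent = @($gpErrors | Where-Object {
    $e = $_
    $inWindow = @($boots | Where-Object { Test-InBootWindow $e $_ })
    $inWindow.Count -eq 0
})

$report | Sort-Object Boot | Format-Table Boot, Count1030, Count1097 -AutoSize
"{0} Userenv 1030/1097 event(s) outside any boot window in the last {1} day(s)" -f $persistent.Count, $Days
```

A table of zeros for every boot after the change, with no events outside the boot windows, is the evidence that the change resolved the symptom rather than merely being followed by a quiet period; any non-zero row after the change means the cause has not been removed.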
 
LVL 38

Expert Comment

by:ChiefIT
ID: 20520815
Oh good deal.
0
 
LVL 1

Accepted Solution

by:Computer101 earned 0 total points
ID: 22860053
PAQed with no points refunded (of 500)

Computer101
EE Admin
0
