Solved

Windows cannot query for the list of Group Policy Objects Event ID Errors: 1030, 1058

Posted on 2008-06-19
Last Modified: 2008-06-26
We have three DCs, and on one of the domain controllers, we are getting two Event ID Errors: 1058 and 1030 which I presume is why the group policy I created is not getting applied to my test machine.  When I run the Group Policy Results for this machine, I see the policy, but it says: AD (9), Sysvol (0).  In the event logs it says the policy is not there.  

Event Type:      Error
Event Source:      Userenv
Event Category:      None
Event ID:      1058
Date:            6/19/2008
Time:            12:05:55 PM
User:            NT AUTHORITY\SYSTEM
Computer:      DC1
Description:
Windows cannot access the file gpt.ini for GPO cn={68A7C905-519C-4229-8D31-28836C168708},cn=policies,cn=system,DC=.... The file must be present at the location <\\...\SysVol\...\Policies\{68A7C905-519C-4229-8D31-28836C168708}\gpt.ini>. (The system cannot find the path specified. ). Group Policy processing aborted.

68A7C905-519C-4229-8D31-28836C168708 does exist on one of the three DC's, but it is not present on the other two DCs.  

Hence, I get this 1030 error:
Description:
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.



Question by:rose6060

Expert Comment

by:oBdA
ID: 21826634
Every 5 minutes, I assume? If you haven't done so yet, install the support tools, open a command prompt, and run
dfsutil /purgemupcache
The current version of the support tools is here:
Windows Server 2003 Service Pack 2 32-bit Support Tools
http://www.microsoft.com/downloads/details.aspx?FamilyID=96a35011-fd83-419d-939b-9a772ea2df90&displaylang=en

If that didn't help, continue here:
Applying Group Policy causes Userenv errors and events to occur on your computers that are running Windows Server 2003, Windows XP, or Windows 2000
http://support.microsoft.com/?kbid=887303

Author Comment

by:rose6060
ID: 21827077
It's actually not occurring every five minutes. I only have two instances of it, and it may happen when I reboot the target XP machine to which I'm trying to apply the GPO policy.  I did try your first suggestion and then went to the document link.  It had two ideas that seemed promising:

1. Use the dcgpofix.exe.  I was afraid to use that as it says it will restore the default policies.  But, the problem where one of the Group Policy objects is missing from the Sysvol folder is relevant.

2. Antivirus exclusions to the SYSVOL folder. This was not done, so I have implemented that. So far no change.
.
.
.
If one or more Group Policy objects are missing from the Sysvol folder, run the Windows Server 2003 Default Group Policy Restore Utility (Dcgpofix.exe), or the Windows 2000 Default Group Policy Restore Tool (Recreatedefpol.exe), to re-create the default Group Policy objects.

The Dcgpofix.exe program is included with Windows Server 2003. For additional information about the Dcgpofix.exe program, run the dcgpofix /? command at a command prompt.

For information about the Recreatedefpol.exe program, visit the following Microsoft Windows 2000 Default Group Policy Restore Tool Web site:
http://www.microsoft.com/downloads/details.aspx?familyid=b5b685ae-b7dd-4bb5-ab2a-976d6873129d&displaylang=en
Make sure to set the recommended exclusions when you are scanning the Sysvol drive with antivirus software.

Expert Comment

by:ChiefIT
ID: 21827348
dcgpofix.exe resets the default domain policy and default domain controller policy, depending on how you use it. Do you want to delete all of your policies on either the domain or domain controller policies and go back to an unconfigured state?

Let's look up the ID of that policy and rebuild just that policy.

Upon logon, you could see these errors because they are trying to find these GPOs prior to the netlogon service starting.
http://support.microsoft.com/kb/842804

Author Comment

by:rose6060
ID: 21827491
I do not want to delete any of our policies.  When I try to create a new policy through group policy management, I got an error the first time that said it could not write.  I have not seen any more errors in the event log, but clearly the policy is not getting created on two of our domain controllers.  The article you referenced said to install SP2.  One of our DCs is on SP1 and the other is on SP2.  The one that seems to work is running R2 SP2.  I plan on installing SP2 on the DC that is running SP2.

Expert Comment

by:ChiefIT
ID: 21834137
How did SP2 come out?

Are any of these servers multihomed?

Author Comment

by:rose6060
ID: 21834281
I'm hoping to do that tonight.  We do have two IPs defined for the DC that is running SP1.  We do not have any reverse lookup zones defined yet either.  But, before I can do that, I want to use GPO to ensure workstations register DNS as they don't use DHCP... Anyway, I can't seem to get the GPO policy to work as the policy ID does not appear to populate the SYSVOL for all the DCs.

Author Comment

by:rose6060
ID: 21835774
Updating the DC that had SP1 on it to SP2 did not seem to help.  The SYSVOL share just does not update with any new GPO objects...

Expert Comment

by:ChiefIT
ID: 21836096
Consider this:

If you have two IPs that are not on the same subnet, your computer may not be going to the wrong IP address and therefore not supplying the GPO to the sysvol in the other DCs.

Multihomed domain controllers can work, but are usually a bit tricky to configure. You may see all kinds of neat problems with multiple IPs on your server.

So, I need to ask, what is the second IP used for? Is it used for communicating with a different subnet, or for a web page? If it is not really needed, maybe consider removing the second IP.

I think a multihomed server is your error, and here is an example:
 http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_23347841.html


Author Comment

by:rose6060
ID: 21837722
I'll work on removing the second IP.  I don't know why it was configured; it was added to the IP addresses section on the network interface.  There isn't a second enabled NIC that has been configured.  We also have a third DC that does not have multiple IPs assigned, which doesn't get GPO objects in SYSVOL either, but I'm less concerned about it as it is just a backup DC that was created.  Also, one other note: the DC that does get the GPO policies is running 2003 Std R2, the other two are running 2003.

I'll try removing the other IP and see if that helps though.

Expert Comment

by:ChiefIT
ID: 21839638
Once done figuring out the multihomed situation, you might consider oBdA's suggestion of purging the MUP cache (this is similar to a DNS cache except it is designed for UNC paths).

Author Comment

by:rose6060
ID: 21852164
Thanks. I'll try removing the other IP on the DC and purge the MUP cache.  I need to first go through who may be pointing to this second IP.

Author Comment

by:rose6060
ID: 21868574
Two of the three DCs are still not getting any new policies in the \\dc1\SYSVOL\lan.com\Policies folder. I removed the second IP and purged the mup cache on the two DC's that are not updating.  When I create a group policy object, I see it show up immediately into dc0, but not in the other two.

In DNS, it shows under _msdcs\gc\_tcp all three DCs. However, dc1 is not a global catalog server.  Is that normal?  I was thinking of making it a global catalog server just to see if this would make any difference.

Accepted Solution

by:
ChiefIT earned 500 total points
ID: 21871126
DFS is the service that propagates the GPO to the clients and other servers. DFS uses NetBIOS over TCP/IP. NetBIOS is not a routable protocol. So, I have to know if this is a single LAN or a LAN of VPN segments.

If it is a single LAN, not separated by VPN, NAT or firewalls, you can just select NetBIOS over TCP/IP in the network bindings to allow these GPOs to be passed down to clients and servers.

Author Comment

by:rose6060
ID: 21875772
The DCs are on the same LAN segment, so there are not any routing issues between them.  I also checked that the default setting under the WINS tab that NetBIOS over TCP/IP is used.  The servers have static IPs so they are not getting any settings from DHCP.  I do see on DC1 an event error that it cannot replicate FRS:

Event Type:      Warning
Event Source:      NtFrs
Event Category:      None
Event ID:      13508
Date:            6/25/2008
Time:            11:11:24 PM
User:            N/A
Computer:      DC1
Description:
The File Replication Service is having trouble enabling replication from DC0 to DC1 for c:\winnt\sysvol\domain using the DNS name dc0.lan.com. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 
 [1] FRS can not correctly resolve the DNS name dc0.lan.com from this computer.
 [2] FRS is not running on dc0.lan.com.
 [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.