Solved

Group Policy error on one DC after a failed DC was removed and another one added

Posted on 2008-10-21
7
886 Views
Last Modified: 2012-06-22
I have a domain with only 2 DCs in it. The main DC holding all the roles died suddenly the other day, so I quickly seized the roles to the other DC, made it a GC and installed DNS, which populated itself. I had numerous dcdiag errors which I have managed to fix now. I ran the metadata cleanup too. The only issue I have now is that the domain controller that holds all 5 roles is reporting this error:

Source: Userenv
Event ID: 1058
User NT Authority\system

Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=domain,DC=co,DC=uk. The file must be present at the location <\\mydomain.domain.co.uk\sysvol\mydomain.domain.co.uk\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Logon Failure: The target account name is incorrect. ). Group Policy processing aborted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I cannot figure it out.

I read somewhere that the roles should ideally be spread out among the DCs. Is this correct? I read about an issue if the infrastructure master is on the same machine as one of the other roles (I can't remember which one it is).

Any ideas on how to solve this?

Thanks

Catherine
Question by:3tproductions
7 Comments
 

Author Comment

by:3tproductions
I noticed that if I try to access

\\mydomain.domain.co.uk\sysvol\

using Start > Run, it says the same error: Logon Failure: The target account name is incorrect


Any ideas?
 
LVL 51

Expert Comment

by:Netman66
Run a DCDIAG /v > C:\dcdiag.txt on the server that now holds the roles.  Scrub anything you don't want public, but leave the log intact.

Post it here.
 
LVL 51

Expert Comment

by:Netman66
You may have to restart the Netlogon service now on that DC to properly register the new SRV records in DNS.

Just an afterthought while I wait for the log.
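The Netlogon restart above only helps if the records it re-registers are the ones clients then find. As an added example (not code from the thread or from its participants), the script below does the restart, asks Netlogon to re-register, and then reads back every DC-locator SRV record and the domain's own A records, flagging any that still point at a DC that no longer exists. It assumes Windows Server 2012 or later for Resolve-DnsName, and the domain, site and DC names are placeholders modelled on the thread.

```powershell
# Added example, not from the thread. Run on the DC after restarting Netlogon:
# it re-registers the DC's DNS records and then checks that every DC-locator
# SRV record, and the domain's own A record, point only at DCs that still exist.
# Assumptions (placeholders modelled on the thread, replace with your values):
#   - Windows Server 2012 or later for Resolve-DnsName; nltest ships with the DC.
#   - $LiveDCs is the list of DCs that should still be advertised.
$Domain   = 'mydomain.domain.co.uk'
$SiteName = 'MYDOMAIN'
$LiveDCs  = @('server.mydomain.domain.co.uk', 'server2.mydomain.domain.co.uk')

Restart-Service Netlogon -Force          # the step suggested in the comment above
nltest /dsregdns | Out-Null              # force Netlogon to (re)register its DNS records

# IPv4/IPv6 addresses of the DCs that are allowed to appear in locator records
$LiveIPs = @(foreach ($dc in $LiveDCs) {
    try { [System.Net.Dns]::GetHostAddresses($dc) | ForEach-Object { $_.IPAddressToString } }
    catch { Write-Warning "Cannot resolve live DC $dc" }
})

# The locator records a client walks to find LDAP, Kerberos, GC and PDC services
$SrvNames = @(
    "_ldap._tcp.$Domain", "_kerberos._tcp.$Domain", "_kpasswd._tcp.$Domain",
    "_gc._tcp.$Domain", "_ldap._tcp.dc._msdcs.$Domain", "_ldap._tcp.pdc._msdcs.$Domain",
    "_ldap._tcp.gc._msdcs.$Domain",
    "_ldap._tcp.$SiteName._sites.$Domain", "_ldap._tcp.$SiteName._sites.dc._msdcs.$Domain"
)

$Findings = @(foreach ($name in $SrvNames) {
    try {
        # SRV answers carry A records in the additional section; keep only the SRV rows
        $records = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
    } catch {
        [pscustomobject]@{ Record = $name; Target = '(missing)'; Status = 'MISSING' }
        continue
    }
    foreach ($r in $records) {
        $target = $r.NameTarget.TrimEnd('.').ToLower()
        $status = if ($LiveDCs -contains $target) { 'OK' } else { 'STALE' }
        [pscustomobject]@{ Record = $name; Target = $target; Status = $status }
    }
})

# The domain name itself has one A record per DC; a leftover record for the dead DC
# sends \\mydomain.domain.co.uk\sysvol to an address that no longer answers as that DC.
$Findings += @(foreach ($a in (Resolve-DnsName -Name $Domain -Type A -ErrorAction SilentlyContinue)) {
    $status = if ($LiveIPs -contains $a.IPAddress) { 'OK' } else { 'STALE' }
    [pscustomobject]@{ Record = $Domain; Target = $a.IPAddress; Status = $status }
})

$Findings | Format-Table -AutoSize
$bad = @($Findings | Where-Object Status -ne 'OK')
if ($bad.Count) { Write-Warning "$($bad.Count) locator record(s) need attention" }
else            { 'All locator records point at live DCs' }
```

A STALE row for the dead DC's name, or an A record for the domain that belongs to no live DC, is what makes the `\\mydomain.domain.co.uk\sysvol` path in the original error land on the wrong host; such records are removed from the zone by hand (or by scavenging) rather than by restarting Netlogon, which only adds this DC's own records.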

Author Comment

by:3tproductions
Will run this now; I noticed these in the event log too.

Kerberos errors

The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/server.mydomain.3t.co.uk.  The target name used was cifs/server2.mydomain.3t.co.uk. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (myDOMAIN.domain.CO.UK), and the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Right, the log:


Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine SERVER, is a DC.
   * Connecting to directory service on server SERVER.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 2 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests
   
   Testing server: MYDOMAIN\SERVER
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... SERVER passed test Connectivity

Doing primary tests
   
   Testing server: MYDOMAIN\SERVER
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
            CN=Schema,CN=Configuration,DC=MYDOMAIN,DC=domain,DC=co,DC=uk
               Latency information for 3 entries in the vector were ignored.
                  3 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Configuration,DC=MYDOMAIN,DC=domain,DC=co,DC=uk
               Latency information for 3 entries in the vector were ignored.
                  3 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=MYDOMAIN,DC=domain,DC=co,DC=uk
               Latency information for 3 entries in the vector were ignored.
                  3 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
         * Replication Site Latency Check
         ......................... SERVER passed test Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC SERVER.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=MYDOMAIN,DC=domain,DC=co,DC=uk
            (NDNC,Version 2)
         * Security Permissions Check for
           DC=DomainDnsZones,DC=MYDOMAIN,DC=domain,DC=co,DC=uk
            (NDNC,Version 2)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=MYDOMAIN,DC=domain,DC=co,DC=uk
            (Schema,Version 2)
         * Security Permissions Check for
           CN=Configuration,DC=MYDOMAIN,DC=domain,DC=co,DC=uk
            (Configuration,Version 2)
         * Security Permissions Check for
           DC=MYDOMAIN,DC=domain,DC=co,DC=uk
            (Domain,Version 2)
         ......................... SERVER passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\SERVER\netlogon
         Verified share \\SERVER\sysvol
         ......................... SERVER passed test NetLogons
      Starting test: Advertising
         The DC SERVER is advertising itself as a DC and having a DS.
         The DC SERVER is advertising as an LDAP server
         The DC SERVER is advertising as having a writeable directory
         The DC SERVER is advertising as a Key Distribution Center
         The DC SERVER is advertising as a time server
         The DS SERVER is advertising as a GC.
         ......................... SERVER passed test Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=SERVER,CN=Servers,CN=MYDOMAIN,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=domain,DC=co,DC=uk
         Role Domain Owner = CN=NTDS Settings,CN=SERVER,CN=Servers,CN=MYDOMAIN,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=domain,DC=co,DC=uk
         Role PDC Owner = CN=NTDS Settings,CN=SERVER,CN=Servers,CN=MYDOMAIN,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=domain,DC=co,DC=uk
         Role Rid Owner = CN=NTDS Settings,CN=SERVER,CN=Servers,CN=MYDOMAIN,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=domain,DC=co,DC=uk
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=SERVER,CN=Servers,CN=MYDOMAIN,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=domain,DC=co,DC=uk
         ......................... SERVER passed test KnowsOfRoleHolders
      Starting test: RidManager
         * Available RID Pool for the Domain is 5116 to 1073741823
         * SERVER.MYDOMAIN.domain.co.uk is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 3616 to 4115
         * rIDPreviousAllocationPool is 3616 to 4115
         * rIDNextRID: 3761
         ......................... SERVER passed test RidManager
      Starting test: MachineAccount
         Checking machine account for DC SERVER on DC SERVER.
         * SPN found :LDAP/SERVER.MYDOMAIN.domain.co.uk/MYDOMAIN.domain.co.uk
         * SPN found :LDAP/SERVER.MYDOMAIN.domain.co.uk
         * SPN found :LDAP/SERVER
         * SPN found :LDAP/SERVER.MYDOMAIN.domain.co.uk/MYDOMAIN
         * SPN found :LDAP/935b7ae2-9360-4025-987f-6a5ab1758dca._msdcs.MYDOMAIN.domain.co.uk
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/935b7ae2-9360-4025-987f-6a5ab1758dca/MYDOMAIN.domain.co.uk
         * SPN found :HOST/SERVER.MYDOMAIN.domain.co.uk/MYDOMAIN.domain.co.uk
         * SPN found :HOST/SERVER.MYDOMAIN.domain.co.uk
         * SPN found :HOST/SERVER
         * SPN found :HOST/SERVER.MYDOMAIN.domain.co.uk/MYDOMAIN
         * SPN found :GC/SERVER.MYDOMAIN.domain.co.uk/MYDOMAIN.domain.co.uk
         ......................... SERVER passed test MachineAccount
      Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... SERVER passed test Services
      Test omitted by user request: OutboundSecureChannels
      Starting test: ObjectsReplicated
         SERVER is in domain DC=MYDOMAIN,DC=domain,DC=co,DC=uk
         Checking for CN=SERVER,OU=Domain Controllers,DC=MYDOMAIN,DC=domain,DC=co,DC=uk in domain DC=MYDOMAIN,DC=domain,DC=co,DC=uk on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=SERVER,CN=Servers,CN=MYDOMAIN,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=domain,DC=co,DC=uk in domain CN=Configuration,DC=MYDOMAIN,DC=domain,DC=co,DC=uk on 1 servers
            Object is up-to-date on all servers.
         ......................... SERVER passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... SERVER passed test frssysvol
      Starting test: frsevent
         * The File Replication Service Event log test
         ......................... SERVER passed test frsevent
      Starting test: kccevent
         * The KCC Event log test
         Found no KCC errors in Directory Service Event log in the last 15 minutes.
         ......................... SERVER passed test kccevent
      Starting test: systemlog
         * The System Event log test
         An Error Event occured.  EventID: 0x40000004
            Time Generated: 10/23/2008   09:03:11
            Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/SERVER.MYDOMAIN.domain.co.uk.  The target name
used was cifs/demoweb.MYDOMAIN.domain.co.uk. This
indicates that the password used to encrypt the
kerberos service ticket is different than that on
the target server. Commonly, this is due to
identically named  machine accounts in the target
realm (MYDOMAIN.domain.CO.UK), and the client
realm.   Please contact your system
administrator.
         ......................... SERVER failed test systemlog
      Test omitted by user request: VerifyReplicas
      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=SERVER,OU=Domain Controllers,DC=MYDOMAIN,DC=domain,DC=co,DC=uk and
         backlink on
         CN=SERVER,CN=Servers,CN=MYDOMAIN,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=domain,DC=co,DC=uk
         are correct.
         The system object reference (frsComputerReferenceBL)
         CN=SERVER,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=MYDOMAIN,DC=domain,DC=co,DC=uk
         and backlink on
         CN=SERVER,OU=Domain Controllers,DC=MYDOMAIN,DC=domain,DC=co,DC=uk are
         correct.
         The system object reference (serverReferenceBL)
         CN=SERVER,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=MYDOMAIN,DC=domain,DC=co,DC=uk
         and backlink on
         CN=NTDS Settings,CN=SERVER,CN=Servers,CN=MYDOMAIN,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=domain,DC=co,DC=uk
         are correct.
         ......................... SERVER passed test VerifyReferences
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: CheckSecurityError
   
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
   
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : MYDOMAIN
      Starting test: CrossRefValidation
         ......................... MYDOMAIN passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... MYDOMAIN passed test CheckSDRefDom
   
   Running enterprise tests on : MYDOMAIN.domain.co.uk
      Starting test: Intersite
         Skipping site MYDOMAIN, this site is outside the scope provided by
         the command line arguments provided.
         ......................... MYDOMAIN.domain.co.uk passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\SERVER.MYDOMAIN.domain.co.uk
         Locator Flags: 0xe00003fd
         PDC Name: \\SERVER.MYDOMAIN.domain.co.uk
         Locator Flags: 0xe00003fd
         Time Server Name: \\SERVER.MYDOMAIN.domain.co.uk
         Locator Flags: 0xe00003fd
         Preferred Time Server Name: \\SERVER.MYDOMAIN.domain.co.uk
         Locator Flags: 0xe00003fd
         KDC Name: \\SERVER.MYDOMAIN.domain.co.uk
         Locator Flags: 0xe00003fd
         ......................... MYDOMAIN.domain.co.uk passed test FsmoCheck
      Test omitted by user request: DNS
      Test omitted by user request: DNS
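The KRB_AP_ERR_MODIFIED event quoted in this post carries the two facts needed to triage it: the host that received the ticket (`host/server...`) and the name the client asked for (`cifs/server2...`). The ticket was encrypted with the key of whichever account owns the target SPN, and the receiving host could not decrypt it, so either the target name resolves to the receiving host's address (a stale or reused DNS record) or more than one account holds the SPN. The script below is an added example, not code from the thread or its participants: it parses the event text (tolerating dcdiag's line wrapping), resolves both names, finds the SPN's owner(s) in AD, and runs the same domain-wide duplicate-SPN sweep that `setspn -X` performs. It assumes a domain-joined Windows host, the current domain being the one in the event, and uses `[adsisearcher]` so no AD module is needed; the embedded event text is constructed from the thread's wording with placeholder names.

```powershell
# Added example, not from the thread. Read-only triage for a KRB_AP_ERR_MODIFIED event.
# Assumptions: domain-joined Windows host, current domain = the realm in the event,
# [adsisearcher]/[System.Net.Dns] only. $EventText is a constructed sample.

$EventText = @'
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/server.mydomain.domain.co.uk.  The target name used was cifs/server2.mydomain.domain.co.uk. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server.
'@

function Parse-KrbApErrModified {
    param([string]$Text)
    # \s+ between words tolerates the line wrapping dcdiag applies when quoting the event
    $m = [regex]::Match($Text,
        'from the server\s+(?<from>\S+?)\.\s+The target name\s+used was\s+(?<target>\S+?)\.\s',
        'IgnoreCase')
    if (-not $m.Success) { throw 'Event text not recognised' }
    [pscustomobject]@{
        ReceivingHost = ($m.Groups['from'].Value -split '/')[-1].ToLower()    # host that got the ticket
        TargetSpn     = $m.Groups['target'].Value                             # SPN the client requested
        TargetHost    = ($m.Groups['target'].Value -split '/')[-1].ToLower()  # host part of that SPN
    }
}

function Resolve-Ipv4 {
    param([string]$Name)
    try {
        [System.Net.Dns]::GetHostAddresses($Name) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            ForEach-Object { $_.IPAddressToString }
    } catch { @() }
}

function Get-SpnOwner {
    # Accounts holding the exact SPN or the HOST/ SPN that implies it
    # (cifs/ maps to HOST/ through the default sPNMappings)
    param([string]$Spn)
    $hostName = ($Spn -split '/')[-1]
    $s = [adsisearcher]"(|(servicePrincipalName=$Spn)(servicePrincipalName=HOST/$hostName))"
    $s.PageSize = 500
    [void]$s.PropertiesToLoad.Add('sAMAccountName')
    foreach ($r in $s.FindAll()) { $r.Properties['samaccountname'][0] }
}

function Find-DuplicateSpn {
    # Every SPN held by more than one account in the domain (what setspn -X reports)
    $s = [adsisearcher]'(servicePrincipalName=*)'
    $s.PageSize = 500
    [void]$s.PropertiesToLoad.AddRange(@('sAMAccountName', 'servicePrincipalName'))
    $owners = @{}
    foreach ($r in $s.FindAll()) {
        $acct = $r.Properties['samaccountname'][0]
        foreach ($spn in $r.Properties['serviceprincipalname']) {
            $key = $spn.ToLower()
            if (-not $owners.ContainsKey($key)) {
                $owners[$key] = New-Object System.Collections.Generic.List[string]
            }
            $owners[$key].Add($acct)
        }
    }
    $owners.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 } |
        ForEach-Object { [pscustomobject]@{ Spn = $_.Key; Accounts = ($_.Value -join ', ') } }
}

$ev   = Parse-KrbApErrModified $EventText
$aIPs = @(Resolve-Ipv4 $ev.ReceivingHost)
$bIPs = @(Resolve-Ipv4 $ev.TargetHost)
"Receiving host $($ev.ReceivingHost) -> $($aIPs -join ', ')"
"Target host    $($ev.TargetHost) -> $($bIPs -join ', ')"
if ($aIPs | Where-Object { $bIPs -contains $_ }) {
    Write-Warning "DNS sends $($ev.TargetHost) to the same address as $($ev.ReceivingHost): stale or reused A record"
}
$owners = @(Get-SpnOwner $ev.TargetSpn)
"SPN $($ev.TargetSpn) is held by: $($owners -join ', ')"
if ($owners.Count -ne 1) { Write-Warning "Expected exactly one owner for $($ev.TargetSpn)" }
$dups = @(Find-DuplicateSpn)
if ($dups.Count) { Write-Warning "$($dups.Count) duplicated SPN(s) in the domain"; $dups | Format-Table -AutoSize }
```

If the two names resolve to one address, the fix is on the DNS side (remove or correct the record for the target name); if the SPN has two owners, one of the accounts is a leftover from the old machine and its SPN should be removed so that the KDC encrypts tickets with the key of the host that actually answers.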
 
LVL 51

Expert Comment

by:Netman66
This new server, did you name it the same as the old one?

If so, you need to run DCPROMO on it and demote it to a member server - uninstall DNS from it first if you have it.
Next, place it into a Workgroup, then delete all references to it in AD and from AD Sites and Services.
You may also (at this point) do a metadata cleanup using this article: http://support.microsoft.com/kb/216498

Once this has an hour or so to settle down, rerun DCPROMO to bring the new server back into AD.

Let us know.


 

Author Comment

by:3tproductions
No what happened was we had 2 DCs, the one that died held all the roles so I just seized them with the other one and installed a fresh DC so we would still have 2.

The DC that took all the roles through the seize has not changed names etc. as it runs tons of client web sites, so I can't do anything to it really.

I have also just realised that I cannot access this machine from my internal domain (this machine is in the DMZ). We normally access a share called websites using a batch file which runs a net use command. After the reboot the other day (after the server took all the roles) I get

System Error 64 has occurred.

Also, when I try to access the C$ share it opens sooooo slowly, then it will just close on me.

I can RDC no problem and ping it; just accessing shares is a no-no.

Arghhh
 

Accepted Solution

by:
3tproductions earned 0 total points
Interesting!

Whether this is coincidental or not, I found that a script was running on another server which was opening a share on this server. Every time I killed the session it opened again. Someone managed to track it down and we killed the script. This cleared up the issue of not being able to access the shares on the machine.

I rebooted the server and this didn't at first fix the error appearing in the logs about group policy.

Rebooted again and it seems to have fixed itself. I was later informed that the machine had been reinstalled with a bigger hard disk and its name changed slightly - its old name is still in AD Sites and Services listed as a DC, however there are no NTDS Settings etc. I am wondering if I should delete this or not.

For now it is fixed - the reboot seemed to have done it, plus deleting a few lingering objects in DNS.

Catherine
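The leftover described in the accepted answer (a server still listed under AD Sites and Services with no NTDS Settings beneath it) is exactly what the metadata cleanup in Netman66's earlier comment (KB 216498) removes, and it is worth inventorying before deleting anything. The script below is an added example, not code from the thread or its participants: it walks every server object under CN=Sites in the configuration partition and reports whether an NTDS Settings (nTDSDSA) child exists, whether the computer object the server references still exists, and whether its DNS name still resolves. It deletes nothing. It assumes a domain-joined Windows host and uses only `[adsi]`/`[adsisearcher]`; the nTDSDSA and serverReference names are the standard schema names, not values taken from the thread.

```powershell
# Added example, not from the thread. Read-only inventory of server objects under
# CN=Sites, flagging servers that are no longer DCs (no NTDS Settings child).
# Assumptions: domain-joined Windows host; [adsi]/[adsisearcher] only, no AD module.

$rootDse  = [adsi]'LDAP://RootDSE'
$configNC = $rootDse.Properties['configurationNamingContext'][0]
$sites    = [adsi]"LDAP://CN=Sites,$configNC"

$search = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $sites, '(objectClass=server)'
$search.SearchScope = 'Subtree'
[void]$search.PropertiesToLoad.AddRange(@('distinguishedName', 'dNSHostName', 'serverReference'))

function Test-DirectoryPath {
    # True if an object with this DN exists in the directory
    param([string]$Dn)
    if (-not $Dn) { return $false }
    [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$Dn")
}

function Get-FirstValue {
    # First value of a search-result property, or $null when the attribute is absent
    param($Props, [string]$Name)
    if ($Props.Contains($Name) -and $Props[$Name].Count -gt 0) { $Props[$Name][0] } else { $null }
}

$report = @(foreach ($r in $search.FindAll()) {
    $dn      = Get-FirstValue $r.Properties 'distinguishedname'
    $dnsName = Get-FirstValue $r.Properties 'dnshostname'
    $compRef = Get-FirstValue $r.Properties 'serverreference'   # DN of the computer object

    # A live DC has an nTDSDSA object ("NTDS Settings") directly under its server object
    $ntds = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList ([adsi]"LDAP://$dn"), '(objectClass=nTDSDSA)'
    $ntds.SearchScope = 'OneLevel'
    $hasNtds = $null -ne $ntds.FindOne()

    $resolves = $false
    if ($dnsName) {
        try { [void][System.Net.Dns]::GetHostAddresses($dnsName); $resolves = $true } catch {}
    }

    $verdict = if ($hasNtds) { 'DC' } else { 'ORPHAN: review before cleanup' }
    [pscustomobject]@{
        Server         = ($dn -split ',')[0] -replace '^CN='
        Site           = ($dn -split ',')[2] -replace '^CN='
        NtdsSettings   = $hasNtds
        ComputerExists = Test-DirectoryPath $compRef
        DnsResolves    = $resolves
        Verdict        = $verdict
    }
})

$report | Format-Table -AutoSize
```

An ORPHAN row whose computer object is gone and whose name no longer resolves is the stale server object the accepted answer asks about; one whose name still resolves deserves a second look, because the address may now belong to the reinstalled machine under its new name, which is the situation behind the KRB_AP_ERR_MODIFIED events earlier in the thread.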
