Group policy error - cannot access the file gpt.ini

I have a similar problem and it is definitely related to
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_22833654.html?sfQueryTermInfo=1+error+group+polici

When I check here:
http://support.microsoft.com/kb/314494

The resolution is to set:
1. Click Start, and then click Run.
2. In the Open box, type regedt32, and then click OK.
3. In the Registry Editor window, locate the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mup
4. In the right details pane, double-click DisableDFS.

The DFS client is turned off if the value in the Value data box is 1.
The DFS client is turned on if the value in the Value data box is 0.
5. In the Edit DWORD Value dialog box that appears, type 0 in the Value data box, and then click OK.

My problem is that there is no such entry for 'DisableDFS'. The DFS service is started, as is the TCP/IP NetBIOS Helper.

May also be relevant: see attachment when I try to run Domain controller security policy from administrative tools.

Any suggestions?

Also: I have 2 domain controllers: 1 W2000 and 1 W2003. Problem existed prior to introduction of W2003 DC.

Tks, Owen

gponotfound.bmp
OwenMoriarty Asked:

ChiefIT Commented:
OK, so where are you finding these errors and how often are they happening?

Every 15 min?

Every 5 min?

Also, with the problem child domain controllers, look into the FRS event logs for errors in the 13000's. Like 13508 and 13565, or 13516 that allude to journal wrap.
0
OwenMoriarty (Author) Commented:
On W2000 DC two events every 5 mins, both event id 1000.
##
First message
Windows cannot query for the list of Group Policy objects . A message that describes the reason for this was previously logged by this policy engine.
##
Second message:
Windows cannot access the file gpt.ini for GPO  The file must be present at the location <>. (). Group Policy processing aborted.
##
On W2003 DC two events every 5 mins event Id 1030 and 1058
##
First message:
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.
##
Second message:
Windows cannot access the file gpt.ini for GPO CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=lmkzr-zone,DC=rdsas,DC=com. The file must be present at the location <\\lmmmr-zone.rdyey.com\sysvol\lmmmr-zone.rdyey.com\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\gpt.ini>. (The system cannot find the path specified. ). Group Policy processing aborted.
##
I have no errors in the FRS logs at all since 24/06/2008. Only events are a long list of 13501 and 13516.

I do notice that the path after Policies in:
<\\lmmmr-zone.rdyey.com\sysvol\lmmmr-zone.rdyey.com\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\gpt.ini>.
does not exist. Is this the root of it, and how do I fix it?


Tks,
Owen.
0
Henrik Johansson (Systems engineer) Commented:
Run the command
C:\>dfsutil /PurgeMupCache
0
ChiefIT Commented:
Owen, it sounds like you have a partial replication set between the two domain controllers. FRS replicates the Sysvol and netlogon shares between the domain controllers. Then, DFS shares these files out. You had a replication problem five months ago and currently have a partial replication set. So, this leads me to the conclusion, you may have one tombstoned DC (2000 server). So, we may have to:

1) demote DC2 (the 2000 DC)
2) perform a metadata cleanup on the 2003 DC,
3) register the DNS records of DC1 (the 2003 DC)
4) bring DC2 back into the domain under mixed mode and replicate between the DCs
5) if that doesn't work, maybe use the Burflag method to rebuild sysvol and netlogon shares.

If your DC2 is not tombstoned, then ALL we may have to do is fix your sysvol and netlogon by using the burflag method to rebuild them:

Most replication problems are a result of DNS issues. Since Sysvol and netlogon shares are replicated between domain controllers, then shared out via DFS (which uses netbios), you are looking at MANY services that have to work together in order to function right.

To fix your issues, you have to take a systematic approach:
1) Fix a tombstoned DC
   A) remove DC2 by DCPromo
   B) perform a metadata cleanup on DC1
   C) promote DC2 back into the domain under mixed mode
2) Fix any DNS issues, (if found)
   A) Run DCdiag and Netdiag to see if you can locate any DNS issues. These issues are so abundant that we will need to determine what the cause of DNS, (if any), we might find.
3) rebuild the replication set
   A) use the D2 burflag method to rebuild the PDCe (2003 server, I assume)
   B) use the D4 burflag method to rebuild the sysvol and netlogon for DC2 (2000 server, I assume)


@Henjo:
We worked on a similar issue a couple times over: (What do you think of the above advice?)
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23779315.html
0
Henrik Johansson (Systems engineer) Commented:
Yes, but as he got the 1030/1058 logging I'll give dfsutil a try before beginning to clean up AD/DNS. Also see if netdiag/fix and dcdiag/fix solves anything.
If that doesn't help, it's as said a cleaning job...
0
OwenMoriarty (Author) Commented:
I plan to retire the W2000DC in the next 4-5 months anyway so if dfsutil doesn't do the trick I can live without Group policy until then.

Appreciate the effort that went into the replies and I will update whether dfsutil has any impact.

Tks,
Owen.
0
ChiefIT Commented:
Owen, if you have a tombstoned DC, you will run into a lot more problems along the way. So, if the DFSutil doesn't work, I recommend a cleanup even if you plan on removing the DC in 4 to 5.
0
OwenMoriarty (Author) Commented:
The W2000DC is still the operations master, could it be tombstoned in this case? I note that dfsutil is for W2003 only, can I run it still?

Tks,
Owen.
0
Henrik Johansson (Systems engineer) Commented:
dfsutil.exe is included in support tools.

Troubleshooting steps copied from http://support.microsoft.com/kb/887303
1. Examine the DNS settings and network properties on the servers and client computers.
2. Examine the Server Message Block signing settings on the client computers.
3. Make sure that the TCP/IP NetBIOS Helper service, the Net Logon service, and the Remote Procedure Call (RPC) service are started on all computers.
4. Make sure that Distributed File System (DFS) is enabled on all computers.
5. Examine the contents and the permissions of the Sysvol folder.
6. Make sure that the Bypass traverse checking right is granted to the required groups.
7. Make sure that the domain controllers are not in a journal wrap state.
8. Run the dfsutil /purgemupcache command.


0
OwenMoriarty (Author) Commented:
I ran dcdiag /a and have attached the results, both DCs failed for:
Unable to connect to the NETLOGON share! (\\server\netlogon)
slashresult.txt
0
ChiefIT Commented:
I believe this is the root of your problem:

In DNS, you have some records that point to your AD domain controller: These are called SRV records (SeRVice records). When restarting the netlogon service these records should register themselves within their own DNS, (assuming both DCs are DNS servers as well). To verify the existence of your SRV records please see the following:

http://support.microsoft.com/?kbid=241515

So, you have a DNS issue.

@Henjo:
You and I have been here before. He is not getting a full replication set because of DNS.
0
ChiefIT Commented:
@Henjo:
The problem I am starting to see is, this has not replicated in so many weeks. It might be past the tombstoned lifetime for the 2000 DC.
0
Henrik Johansson (Systems engineer) Commented:
Yes, dejavu...

DNS is essential for AD.
Check that DNS-zone allows dynamic updates.
Check that DCs use correct DNS servers and run netdiag/fix or restart netlogon service to register its SRV-records.
DC shall use itself for DNS-lookup and also another DC/DNS for secondary lookup to avoid errors when restarting DCs.

Owen: Have you seen the steps and KB I posted above? The KB includes detailed step-by-step instructions and some links for additional troubleshooting including missing NETLOGON.
0
OwenMoriarty (Author) Commented:
Hi all,
All fixed now. Unfortunately it got a bit more complicated after a few power and UPS failures; when the DC came back up I also now had journal wrap errors.

The fix in the end was achieved by
1. Setting the "Enable Journal Wrap Automatic Restore" registry parameter to 1, this worked for journal wrap.

2. Creating a virtual DC on my desktop and comparing the files under sysvol. The folder {6AC1786C-016F-11D2-945F-00C04fB984F9} was missing on my DCs, so I copied it over and the 1030/1058 events stopped. {6AC1786C-016F-11D2-945F-00C04fB984F9} seems to be a kind of default domain policy; even if nothing is defined in it, it is required, and I have no idea why it was missing.


Many thanks for the effort by all of you, any suggestions on how I should award points?

Tks,
Owen.
0
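The by-hand comparison that closed this thread (checking which GPO folders exist under sysvol) can be scripted; the following is an added example, not part of the original thread. The helper name `Test-GpoSysvol`, the status strings and the temporary sample tree are assumptions for illustration; the two GUIDs are the well-known default GPOs, and `{6AC1786C-016F-11D2-945F-00C04fB984F9}` from the 1058 event is the Default Domain Controllers Policy.

```powershell
# Added example (not from the thread): compare GPO records with SYSVOL\Policies.
# Well-known GUIDs of the two default GPOs that exist in every domain.
$DefaultGpos = @{
    '{31B2F340-016D-11D2-945F-00C04FB984F9}' = 'Default Domain Policy'
    '{6AC1786C-016F-11D2-945F-00C04FB984F9}' = 'Default Domain Controllers Policy'
}

function Test-GpoSysvol {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Gpo,          # objects with Guid and Version
        [Parameter(Mandatory)] [string]   $PoliciesRoot  # ...\sysvol\<domain>\Policies
    )
    foreach ($g in $Gpo) {
        $ini = Join-Path (Join-Path $PoliciesRoot $g.Guid) 'gpt.ini'
        $status = 'OK'
        $sysvolVersion = $null
        if (-not (Test-Path -LiteralPath $ini)) {
            $status = 'MissingGptIni'        # the condition reported by event 1058
        } else {
            $m = Select-String -LiteralPath $ini -Pattern '^\s*Version\s*=\s*(\d+)' |
                 Select-Object -First 1
            if (-not $m) {
                $status = 'NoVersionLine'
            } else {
                $sysvolVersion = [int64]$m.Matches[0].Groups[1].Value
                if ($sysvolVersion -ne $g.Version) { $status = 'VersionMismatch' }
            }
        }
        [pscustomobject]@{
            Guid = $g.Guid; Name = $DefaultGpos[$g.Guid]; AdVersion = $g.Version
            SysvolVersion = $sysvolVersion; Status = $status
        }
    }
}

# Constructed sample: a temporary Policies tree in which the folder for
# {6AC1786C-...} is absent, as on the DCs in this thread.
$root = Join-Path ([IO.Path]::GetTempPath()) ('Policies-' + [guid]::NewGuid())
$ddp  = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
New-Item -ItemType Directory -Path (Join-Path $root $ddp) -Force | Out-Null
Set-Content -LiteralPath (Join-Path (Join-Path $root $ddp) 'gpt.ini') -Value '[General]', 'Version=3'
$gpos = @(
    [pscustomobject]@{ Guid = $ddp; Version = 3 }
    [pscustomobject]@{ Guid = '{6AC1786C-016F-11D2-945F-00C04fB984F9}'; Version = 1 }
)
Test-GpoSysvol -Gpo $gpos -PoliciesRoot $root | Format-Table -AutoSize
Remove-Item -LiteralPath $root -Recurse -Force
```

On a domain-joined machine the same input objects can be built from the `cn` and `versionnumber` properties returned by `[adsisearcher]'(objectClass=groupPolicyContainer)'`, with `$PoliciesRoot` pointing at `\\<domain>\sysvol\<domain>\Policies`. A `VersionMismatch` row means AD and SYSVOL hold different revisions of the same GPO, which points at replication rather than a missing folder.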