Why do I need to run gpupdate /force after rebooting domain controller

I have a domain controller running Windows Server 2003 SP2. After a reboot network shares are unavailable and I can't access Active Directory. Event ID 1030 and 1052 are logged in the application log. Event ID 4000 is logged in the DNS events. If I run gpupdate /force it resolves my issues. Any idea why this is happening?
daslz Asked:
 
ChiefIT Commented:
Event 1030 is a very generic event and indicates you can't find Group Policies. This could be a problem with NetBIOS, FRS, or DNS. Event 1052 indicates another machine on the network has the same NetBIOS name as your server.

FRS is having problems. Event ID 13508 says it can't find the servers to replicate to. Event 13509 says your server found its replication partner and is ready to replicate to it.

Event 4000 DNS means the server can't open AD.

You're saying GPupdate /force resolves your issues.

I am beginning to think you have a group policy to disable Windows Firewall, and when you GPupdate, Windows Firewall disables itself. I think Windows Firewall is running on your server upon bootup. Or you have a client with the same name as your server and on the same domain.

So, go to the command prompt of any computer or server and type:
nbtstat -A xxx.xxx.xxx.xxx

Where xxx.xxx.xxx.xxx is the IP of your server. That should resolve to the NetBIOS names of your server's IP. The one NetBIOS name that is NOT your server should be given another IP, and your server's IP should NOT be within the DHCP scope or address pool unless an exception has been made for that IP.

Put it all together and it looks like you have a problem with netbios and DNS protocols.

 
nappy_d (There are a 1000 ways to skin the technology cat.) Commented:
You mean you have to run gpupdate on the workstations or on the server?

How often are you rebooting your server?

Can you give the full error message with those event IDs?
 
Don (Network Administrator) Commented:
This may be your issue.

Event ID 1030, 1052 is logged every five minutes in the Application event log

SYMPTOMS
Group Policy settings are not replicated between domain controllers. Therefore, users do not receive Group Policy settings for computers. The following events appear in the Application log in Microsoft Windows Server 2003:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1058
Description: Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domainname,DC=com . The file must be present at the location <\\domainname.com\sysvol\domainname.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Error_Message). Group Policy processing aborted. For more information, see Help and Support Center at http://support.microsoft.com.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
Description: Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine. For more information, see Help and Support Center at http://support.microsoft.com.

CAUSE
This issue may occur if you assign incorrect permissions to the %SystemRoot%\Winnt\Sysvol folder or if you assign incorrect groups to Bypass Traverse Checking User Rights Assignment. Additionally, this issue may occur if the sysvol share permissions are too restrictive.

RESOLUTION
Windows Server 2003

1. Set the folder security permissions. To do this, follow these steps:
   a. In Windows Explorer, right-click the %SystemRoot%\Windows\Sysvol folder, and then click Properties.
   b. On the Security tab, click Advanced, click to clear the Allow inheritable permissions from parent to propagate to this object check box, and then click OK. Make sure that the security settings match the following settings, and then click OK:
        Administrators: Full Control
        Authenticated Users: Read, Read & Execute, and List Folder Contents
        Creator Owner: Nothing selected
        Server Operators: Read, Read & Execute, and List Folder Contents
        System: Full Control
   c. Right-click the %SystemRoot%\Windows\Sysvol\Sysvol folder, and then click Properties.
   d. On the Security tab, click Advanced, click to clear the Allow inheritable permissions from parent to propagate to this object check box, and then click OK two times.
   e. Right-click the %SystemRoot%\Winnt\Sysvol\Sysvol\domain folder, and then click Properties.
   f. On the Security tab, click Advanced, click to clear the Allow inheritable permissions from parent to propagate to this object check box, and then click OK two times.
   g. Right-click the %SystemRoot%\Winnt\Sysvol\Sysvol\domain\Policies folder, and then click Properties.
   h. On the Security tab, click Advanced, click to clear the Allow inheritable permissions from parent to propagate to this object check box, and then click OK. Make sure that the security settings match the following settings, and then click OK:
        Administrators: Full Control
        Authenticated Users: Read, Read & Execute, and List Folder Contents
        Creator Owner: Nothing selected
        Group Policy Creator Owners: Read, Read & Execute, List Folder Contents, Modify, and Write
        Server Operators: Read, Read & Execute, and List Folder Contents
        System: Full Control
   i. For each file or folder that is located in the %SystemRoot%\Winnt\Sysvol\Sysvol\domain\Policies folder, right-click the file or folder, and then click Properties.
   j. On the Security tab, click Advanced, click to select the Allow inheritable permissions from parent to propagate to this object check box, and then click OK two times.
2. Open Active Directory Users and Computers. To do this, click Start, click All Programs, and then click Administrative Tools.
3. Expand Active Directory Users and Computers, expand the domain name, right-click Domain Controllers, and then click Properties.
4. On the Group Policy tab, click Default Domain Controllers Policy, and then click Edit.

   Note The Edit button is not available if the Group Policy Management Console is installed. In this scenario, click Open to start the Group Policy Management Console, expand domain name, expand Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit.

   For additional information about the Group Policy Management Console, visit the following Microsoft Web site: http://www.microsoft.com/windowsserver2003/gpmc/default.mspx
5. Expand the following folders:
        Computer Configuration
        Windows Settings
        Security Settings
        Local Policies
6. Click User Rights Assignment, and then double-click Bypass traverse checking. The following default settings should be present:
        Authenticated Users
        Everyone
        Administrators
   To add these groups if they are not present, click Add User or Group, and then click Browse.
7. Click Start, click Run, type gpupdate, and then click OK.
8. Verify that the sysvol share permissions are set correctly, as follows:
        Administrators = Full Control
        Authenticated Users = Full Control
        Everyone = Read

Note If this procedure does not resolve the issue, or if you have problems accessing the Global Policy, examine the binding order on the server to make sure the internal network adaptor is first in the binding order list. To examine the binding order, follow these steps:
1. Right-click My Network Places, and then click Properties.
2. On the Advanced menu, click Advanced Settings.
3. In the Connections box, make sure that the internal network adaptor is listed first. If it is not, use the arrows to move it to the top of the list.
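The folder permission table in the KB text quoted above can be checked with a script rather than by opening each Security tab. This is an added example, not part of the thread or of the Microsoft article; it assumes PowerShell 2.0 or later is installed on the domain controller, English built-in account names, and a hypothetical script name Test-SysvolAcl.ps1.

```powershell
# Added example: audit the effective Allow ACEs on one SYSVOL folder against
# the table in the quoted KB text. Hypothetical script name: Test-SysvolAcl.ps1
#   .\Test-SysvolAcl.ps1 -Path <Policies folder> -PoliciesFolder
# Assumes PowerShell 2.0+ and English built-in account names.
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [switch]$PoliciesFolder   # the Policies folder also lists Group Policy Creator Owners
)

# "Read, Read & Execute, List Folder Contents" is ReadAndExecute;
# adding Modify and Write to that is Modify.
$expected = @{
    'Administrators'      = 'FullControl'
    'SYSTEM'              = 'FullControl'
    'Authenticated Users' = 'ReadAndExecute'
    'Server Operators'    = 'ReadAndExecute'
}
if ($PoliciesFolder) { $expected['Group Policy Creator Owners'] = 'Modify' }

$sync = 0x100000   # Synchronize is set on nearly every ACE; ignore it when comparing
function Format-Rights($mask) {
    if ($mask -ne $null) {
        "$([Enum]::ToObject([System.Security.AccessControl.FileSystemRights], [int]$mask))"
    }
}

$acl    = Get-Acl -Path $Path
$actual = @{}
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    # Inherit-only ACEs apply to child objects, not to this folder itself
    if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
    $name = ($ace.IdentityReference.Value -split '\\')[-1]   # drop DOMAIN\ or BUILTIN\
    $actual[$name] = [int]$actual[$name] -bor [int]$ace.FileSystemRights -bor $sync
}

# The KB has inheritance from the parent cleared on these folders
"Inheritance from parent blocked: $($acl.AreAccessRulesProtected)"

foreach ($name in (@($expected.Keys) + @($actual.Keys) | Sort-Object -Unique)) {
    $want = $null
    if ($expected.ContainsKey($name)) {
        $want = ([int][System.Security.AccessControl.FileSystemRights]$expected[$name]) -bor $sync
    }
    $have = $actual[$name]
    if     ($want -eq $null) { $status = 'Unexpected' }
    elseif ($have -eq $null) { $status = 'Missing' }
    elseif ($have -eq $want) { $status = 'OK' }
    else                     { $status = 'Mismatch' }
    '{0,-28} {1,-10} have=[{2}] want=[{3}]' -f $name, $status, (Format-Rights $have), (Format-Rights $want)
}
```

An "Unexpected" row is an account with effective rights on the folder that the KB table does not list, which is worth reviewing on SYSVOL because every domain member reads policy from it.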
 
ChiefIT Commented:
You're having both DNS and NetBIOS problems.

Please run a netdiag and DCdiag to look for errors.

In addition, look in event logs under the FRS log files for events in the 13000's. You may be in journal wrap.

One last thing, what service pack are you on?
 
daslz (Author) Commented:
I can't run netdiag or dcdiag - I get a message stating the command is not recognized as an internal or external command, operable program or batch file.

I am running sp2.

I am only seeing these events after I reboot my server.

Thanks
 
daslz (Author) Commented:
In the FRS I am seeing event 13058 before I run gpupdate /force and then I see event 13059 after the /force command.
 
ChiefIT Commented:
Dcdiag and netdiag are a part of the 2003 server support tools. You should really have these, because you are showing signs of communications problems. Both tools are very helpful in tracking the issues down:

For a 32 bit system only:
http://www.microsoft.com/downloads/details.aspx?FamilyId=6EC50B78-8BE1-4E81-B3BE-4E7AC4F0912D&displaylang=en

You might also consider downloading some of the other tools and admin packs under the, "what others are downloading" section on that same link:
 
daslz (Author) Commented:
I found the tools and installed them. I ran dcdiag and found an issue in the frsevent test. Looks like I am having SYSVOL replication problems.
Question has a verified solution.