FractalPat

Windows 2008 DC Group Policy computer settings do not apply to Windows 2008 domain member

I am having an issue with applying GPO settings with a Windows 2008 domain member.

When I run gpupdate /force I am presented with the following error:

The processing of Group Policy failed. Windows attempted to read the file \\Domain.local\sysvol\Domain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

This is event 1058 and its error code is 5.

I have followed the steps in the following  MS KB article about this and it is very weak:

http://technet.microsoft.com/en-us/library/cc727259(WS.10).aspx 

The user policies apply with no problems so I can rule out networking/DNS issues. I also have a Windows 2003 server that is a domain member and this receives its settings with no problems. I have run Process Monitor to see what is happening with the file system, and the account the computer is using to access the following location is coming up with Access Denied:

\\Domain.local\sysvol\Domain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini

I have given the SYSVOL folder Everyone Full control permissions for testing purposes and it still fails. The computer account is using the NT AUTHORITY/SYSTEM account to try to access this share according to Process Monitor. Incidentally, the Windows 2003 machine also uses this account but does not receive an Access Denied error.

Further info:

The DC is running on Windows 2008 Domain functional level

The MS KB article suggests that the DFS Client should be enabled.  The link MS provide in the KB article applies to Windows XP and not Windows 2008.  

So far I have not tried resetting the computer account in Active Directory as I believe I will need to rejoin the computer to the domain.  As this is a web server in a production environment I need to limit the downtime on this server to a bare minimum.

Please help me solve this - will be much appreciated!

Thanks.
Brian Pierce

Check DNS: does the DC point to itself as the only DNS server?

Hi!
The SID string after Policies that you provide matches the one from this article. I thought SIDs are universally unique. Oh, well. Back to issue:
http://support.microsoft.com/kb/842804
Don't read the standby issue, skip to CAUSE: there are 4 possible causes listed.
If this article does not apply, do you have a reference from another Srv 2008? Is this policy applied there? If yes, you are right to have a look at the computer account under ADUC: is it disabled or are there other warnings? Is it a member of the local users group? After you log on to this machine as a domain user, can you access the gpt.ini? If yes, there is no network / DNS problem so far. But also check the permissions on the file itself, not only on SYSVOL.
PS: Also be careful with gpupdate /force - this has been changed under Svr 2008. Better read the help output there.
FractalPat

ASKER

Hi moodjbow,

Thanks for the response. I've done some further tests after reading your reply and when I login using a domain account from the 2008 server that's failing, when I try and open the share:

\\KSSharepoint.local\sysvol\KSSharepoint.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}

It opens without prompting for a username and password. I can also read the GPT.INI file without issues, so it doesn't appear to be a permissions-based issue. The machine in AD is a member of the domain\users group, as is the DC and the Win 2k3 machine that works without problems. There is no AD difference between the working 2k3 machine compared to the failing win2k8 machine.

Any other things you can think of to check?
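
The posts above establish that gpt.ini is readable by a logged-on domain user while Process Monitor shows the machine's own read (as NT AUTHORITY\SYSTEM) being denied. The following PowerShell is an added example, not part of any post in this thread: it repeats the read in the machine context through a one-off scheduled task and then reports the state of the computer account's secure channel. The task name, scratch folder and the `Domain.local` placeholder are assumptions, and it must be run from an elevated prompt on the failing member server.

```powershell
# Added example (not from the thread). Run elevated on the failing member server.
$domain  = 'Domain.local'   # placeholder domain name as written in the question
$gpt     = "\\$domain\sysvol\$domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini"
$workDir = Join-Path $env:SystemRoot 'Temp\gpt-read-test'   # hypothetical scratch folder
$cmdFile = Join-Path $workDir 'read-gpt.cmd'
$outFile = Join-Path $workDir 'result.txt'
$task    = 'GptReadTest'                                    # hypothetical task name

New-Item -ItemType Directory -Path $workDir -Force | Out-Null
if (Test-Path $outFile) { Remove-Item $outFile }

# Batch file the task runs: records the identity, the read attempt and its exit code.
@"
@echo off
whoami > "$outFile"
type "$gpt" >> "$outFile" 2>&1
echo EXITCODE=%ERRORLEVEL% >> "$outFile"
"@ | Set-Content -Path $cmdFile -Encoding ASCII

# Run the batch file once as SYSTEM, so the network read uses the computer account.
schtasks /Create /TN $task /RU SYSTEM /SC ONCE /ST 23:59 /TR $cmdFile /F | Out-Null
schtasks /Run /TN $task | Out-Null

# Wait (up to 30 s) until the batch file has written its final EXITCODE line.
$result = @()
for ($i = 0; $i -lt 30; $i++) {
    Start-Sleep -Seconds 1
    if (Test-Path $outFile) {
        $result = @(Get-Content $outFile -ErrorAction SilentlyContinue)
        if ($result -match '^EXITCODE=') { break }
    }
}
schtasks /Delete /TN $task /F | Out-Null

$result
if ($result -match '^EXITCODE=0\s*$') {
    'Machine-context read of gpt.ini succeeded.'
} else {
    'Machine-context read of gpt.ini failed; compare with the Process Monitor result.'
}

# Report whether the computer account's secure channel to the domain is healthy.
nltest "/sc_verify:$domain"
```

A denied read here alongside a successful read as a domain user confirms the problem is specific to the computer account's access, which is the distinction the thread is trying to isolate.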
ASKER CERTIFIED SOLUTION
moodjbow
This solution is only available to members.
1) I modified the default domain policy (which is linked to the ID) and it updated the gp.ini file but same error. It didn't create a new folder it simply updated the current gp.ini. The 2k3 server is pulling from the same gp.ini file in the same folder.

2) It's a production machine and therefore uptime is important; however, the server has been rebooted previously as part of the troubleshooting process.

3) RSOP gives the following response, which is no real help:

=========================================
Saturday, October 24, 2009 3:54:42 PM

Group Policy Infrastructure failed due to the error listed below.
Access is denied.

Note:  Due to the GP Core failure, none of the other Group Policy components processed their policy.  Consequently, status information for the other components is not available.
=========================================

4) I'm slowly going through that link so will let you know if anything there helps.

Out of interest, as my AD knowledge isn't great can I apply the policy 'from' the DC? E.g. is there a gpupdate command to target a remote computer or similar?

Hi!
Sorry - it was my mistake to think that the path-ID changes.
To your last point: actually, you can create your own or use already preconfigured group policies (under Administrative Templates there are some like "secure server" etc.) and actually apply them locally using gpedit. This solves the problem of bringing the machine security to the desired level; it simply does not find the cause of the error message.
If 4.) does not provide the answer then we will have to do some debugging using
%windir%\debug\usermode\UserEnv.log
activated via HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon; UserEnvDebugLevel = REG_DWORD 30002
Link: http://technet.microsoft.com/en-us/library/cc775423(WS.10).aspx
Is there something like: "ProcessGPOs: The DC for domain <Domain_Name> is not available. aborting"?
If you are hesitant to post the result you can look for the codes under:
http://technet.microsoft.com/en-us/library/cc786775(WS.10).aspx
"Interpreting Userenv log files".
But in such a case we will have here "help for self-help" :)

I won't be able to further troubleshoot this till Monday. I'll let you know then if any progress has been made. I do appreciate the help and time you're putting into this.

Whereas we weren't able to get to the bottom of the issue, as the person who had this problem wasn't able to allow us complete control to solve it, your tips throughout the thread and also links to external sites very much helped the troubleshooting process.