troubleshooting Question

Windows 2008 DC Group Policy computer settings do not apply to Windows 2008 domain member

Avatar of FractalPat
FractalPat asked on
Active Directory
9 Comments1 Solution2327 ViewsLast Modified:
I am having an issue with applying GPO settings with a Windows 2008 domain member .

When I run gpupdate /force I am presented with the following error:

The processing of Group Policy failed. Windows attempted to read the file \\Domain.local\sysvol\Domain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

This is event 1058 and it's error code is 5.

I have followed the steps in the following  MS KB article about this and it is very weak:

http://technet.microsoft.com/en-us/library/cc727259(WS.10).aspx 

The user polices apply with no problems so I can rule out networking/DNS issues.  I also have a Windows 2003 server that is a domain member and this receives it's settings with no problems.  I have run Process Monitor to see what is happening with the file system and the account the computer is using to access the following location it coming up with Access Denied:

\\Domain.local\sysvol\Domain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini

I have given the SYSVOL folder Everyone Full control permissions for testing purposes and it still fails.  The computer account is using the NT AUTHORITY/SYSTEM account to try to access this share according to Process Monitor.  Incidently the Windows 2003 machine also uses this account but does not receive an Access Denied error.

Further info:

The DC is running on Windows 2008 Domain functional level

The MS KB article suggests that the DFS Client should be enabled.  The link MS provide in the KB article applies to Windows XP and not Windows 2008.  

So far I have not tried resetting the computer account in Active Directory as I believe I will need to rejoin the computer to the domain.  As this is a web server in a production environment I need to limit the downtime on this server to a bare minimum.

Please help me solve this - will be much appreciated!

Thanks.
ASKER CERTIFIED SOLUTION
moodjbow

Our community of experts have been thoroughly vetted for their expertise and industry experience.

Join our community to see this answer!
Unlock 1 Answer and 9 Comments.
Start Free Trial
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 9 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros