chmilhouse

asked on

Group Policy Application Failure

Hello Everyone,

I am really hoping that someone can help me out with an issue that I am having, as I am at my wits' end and don't know what else to do.

Setup:

- Windows Server 2008 Domain running 2 Domain Controllers and 1 member server (also Windows Server 2008).
- DNS installed and functioning properly from all 3 machines

The problem is that group policy is not being applied at all to my Windows 2008 Member server.  When I perform a 'gpupdate' (normal or forced) on that server, I get the following error:

The processing of Group Policy failed. Windows attempted to read the file \\sage.wdk\sysvol\sage.wdk\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

To diagnose the failure, review the event log or invoke gpmc.msc to access information about Group Policy results.

The GPO in question is the Default Domain Policy (which I have not altered in any way).  As it is the first policy to be applied, none of my other policies get applied due to the error.

Using the GPO results wizard from the domain controllers, I get the following error under 'Component Services' when I execute GPO results against the member server (using any user):

Group Policy Infrastructure failed due to the error listed below.

Access is denied.

Note: Due to the GP Core failure, none of the other Group Policy components processed their policy. Consequently, status information for the other components is not available.

Additional information may have been logged. Review the Policy Events tab in the console or the application event log for events between 11/14/2009 10:54:47 AM and 11/14/2009 10:54:49 AM.

I have tried everything I can think of to figure out this error including the following:

- Removed member server from domain and re-joined
- Verified that the member server has the appropriate permissions on the SYSVOL share on both Domain Controllers
- Verified DNS functionality via NSLOOKUP and review of the DNS server logs on the DCs
- Installed the DFS Replication Service on the member server
- Followed the suggestions from multiple sites recommending to use the DFSutil /PurgeMupCache to fix the problem
- Ran DCDIAG on both domain controllers to look for errors (all tests passed on both)

I have been fighting with this issue for a couple of days now and I have not made any headway... PLEASE, if someone has experienced these problems before, your advice and suggestions are greatly appreciated!

Thank you!
Awinish

Please run RSOP.MSC & gpresult on the problem server & post the result.
Also, run gpupdate /force & check Event Viewer.
See that there is no time issue on the problem server.
Also run dcdiag /fix
 
This KB will resolve your problem.
http://support.microsoft.com/kb/950876
Run this command to reset the security database  on member server.
secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose
Unjoin and rejoin the machine to the domain.
 
Unjoin & rejoin only if the problem doesn't resolve after following the KB; if not, reset the security permissions & lastly unjoin & rejoin the problem computer.
chmilhouse

ASKER

Hi Awinish,

Thanks for the reply.  Here is the output of both RSOP and gpresult:

RSOP:

- RSOP executed the query successfully and shows that the User configuration has been applied but there is a red X over the computer configuration (it was not applied).  I have attached an image to this comment to show the results.

GPRESULT: (One thing I notice is that gpresult reports that the domain type is Windows 2000, yet the domain functional level is set to Windows 2008 on both DCs)

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.
Copyright (C) Microsoft Corp. 1981-2001

Created On 11/14/2009 at 1:30:22 PM


RSOP data for SAGE-WDK\SageAdmin on WDKSGEW03VZ : Logging Mode
---------------------------------------------------------------

OS Configuration:            Member Server
OS Version:                  6.0.6001
Site Name:                   wdk
Roaming Profile:             N/A
Local Profile:               C:\Users\SageAdmin
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=WDKSGEW03VZ,CN=Computers,DC=sage,DC=wdk
    Last time Group Policy was applied: 11/14/2009 at 12:39:59 PM
    Group Policy was applied from:      WDKSGEW02VZ.sage.wdk
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        SAGE-WDK
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        System Mandatory Level


USER SETTINGS
--------------
    CN=SAGE Admin,OU=Admin,DC=sage,DC=wdk
    Last time Group Policy was applied: 11/14/2009 at 12:39:59 PM
    Group Policy was applied from:      WDKSGEW02VZ.sage.wdk
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        SAGE-WDK
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        None
        Everyone
        BUILTIN\Users
        BUILTIN\Administrators
        Remote Desktop Users
        REMOTE INTERACTIVE LOGON
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        High Mandatory Level

GPUPDATE /FORCE:

Running a gpupdate /force produces the same error in the SYSTEM event log as was described in the original posting... Event ID: 1058, Source: Group Policy

TIME ISSUES

I have verified that time between member and DC are synchronized correctly.

DCDIAG /FIX

Both domain controllers pass all tests successfully.


RSOP.bmp
farazhkhan
Hi,

If you have not already applied it, there is a hotfix available for your problem: http://support.microsoft.com/kb/950876/en-us

This will also help you: http://episteme.arstechnica.com/eve/forums/a/tpc/f/12009443/m/300000628931

Regards,
Faraz H. Khan
Hi Faraz and Awinish,

Awinish, I will try the command that you sent as part of your original post:

secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose

Faraz and Awinish,

Do either of you know HOW I actually contact MS to get this hotfix?  When I click on the obtain hotfix link in the upper left-hand corner, it only gives me the ability to request the hotfix related to Windows Vista and not Server 2008.  When I attempt to navigate through their support site, I always seem to end up at a page that asks me to pay for support.

Any guidance is appreciated.

Thanks
Hello Again,

In addition to what was described above, when I view the Operation Log for Group Policy on the affected machine I see the following two errors:

Error #1 (Event ID: 7017, Source: Group Policy)

The system calls to access specified file completed:
\\sage.wdk\sysvol\sage.wdk\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini
The call failed after 62 milliseconds

Error #2 (Event ID: 7004, Source: Group Policy)
Manual processing of policy failed for computer SAGE-WDK\WDKSGEW03VZ$ in 2 seconds

{31B2F340-016D-11D2-945F-00C04FB984F9} is the SID of my Default Domain Policy.
Hi Awinish,

I tried your procedure of cleaning out the security database.  It did not solve the problem.  I re-joined the computer to the domain as well.  Still the same issue.

The command executed with errors however and I have attached them to this comment.
scesrv.log
Hi,

Well, if you run the Microsoft updates on your system you should get the update. Anyway, have you followed any of the methods in that article? Try them one by one, and if any one resolves your problem do not try the others.

Method 1
Disable the following policy on the member computers that are running Windows Server 2008 or Windows Vista SP1:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (always)

Method 2
On the member computers that are running Windows Server 2008 or Windows Vista SP1, follow these steps:
Click Start, type regedit in the Start Search box, and then press ENTER.
Locate the RequireSecuritySignature registry entry under the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
Right-click RequireSecuritySignature, and then click Modify.
In the Value data box, type 0, and then click OK.
Exit Registry Editor.

Method 3
On the member computers that are running Windows Server 2008 or Windows Vista Service Pack 1, follow these steps:
Click Start, type regedit in the Start Search box, and then press ENTER.
Locate the AllowGuestAuthWhenSigningRequired registry entry under the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
Right-click AllowGuestAuthWhenSigningRequired, and then click Modify.
In the Value data box, type 1, and then click OK.
Exit Registry Editor.

Regards,
Faraz H. Khan
http://support.microsoft.com/kb/950876/en-us
I have attached the hotfixes. Rename the hotfix with exe. As I was not sure whether you have an x86 or x64 bit OS running, I have attached both.
Apply the hotfix on the Win 2k8 server & restart the server. Hope it works for you.
The hotfix is not AMD based process.

344780-intl-i386-zip.txt
344782-intl-x64-zip.txt
Domain Type:  Windows 2000 is ok.
Change the permissions on the gpt.ini file to the same as the parent folder.
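
Added example, not part of any post in this thread: a read-only PowerShell check (PowerShell 2.0 or later assumed) that reports the two lanmanworkstation values named in Methods 2 and 3, tests whether gpt.ini can be read, and lists identities that have an entry on the policy folder's ACL but not on gpt.ini. The share path and GPO GUID are the ones from the error message in the question.

```powershell
# Added example: read-only checks, nothing is modified.
# Path and GPO GUID are the ones quoted in the thread's error message.
$gpt = '\\sage.wdk\sysvol\sage.wdk\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini'
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters'

# 1. SMB client signing values named in Methods 2 and 3.
$params = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
foreach ($name in 'RequireSecuritySignature', 'AllowGuestAuthWhenSigningRequired') {
    $value = $null
    if ($params) { $value = $params.$name }
    if ($null -eq $value) { "{0}: not set" -f $name }
    else { "{0} = {1}" -f $name, $value }
}

# 2. Can the current security context read gpt.ini at all?
try {
    $version = Get-Content -LiteralPath $gpt -ErrorAction Stop |
        Where-Object { $_ -match '^\s*Version\s*=' }
    "gpt.ini readable as $env:USERNAME ($version)"
} catch {
    "gpt.ini read failed as ${env:USERNAME}: $($_.Exception.Message)"
}

# 3. Identities with an ACE on the Policies\{GUID} folder but none on gpt.ini.
try {
    $folder  = Split-Path -Path $gpt -Parent
    $fileIds = @((Get-Acl -Path $gpt -ErrorAction Stop).Access |
        ForEach-Object { $_.IdentityReference.Value })
    $dirIds  = @((Get-Acl -Path $folder -ErrorAction Stop).Access |
        ForEach-Object { $_.IdentityReference.Value })
    $missing = @($dirIds | Where-Object { $fileIds -notcontains $_ } |
        Select-Object -Unique)
    if ($missing.Count -eq 0) { "gpt.ini has an ACE for every identity on its parent folder" }
    else { "On folder but not on gpt.ini: " + ($missing -join ', ') }
} catch {
    "ACL comparison failed: $($_.Exception.Message)"
}
```

The script runs as the logged-on user, while the failing computer policy is processed as the machine account (SAGE-WDK\WDKSGEW03VZ$ in event 7004), so a successful read in step 2 does not show that the computer account can read the file.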
 
Hello Faraz,

The scenarios that were described in the Microsoft support article did not apply to my situation, as none of the registry keys referred to in the article are set to the values described, so the situation does not apply here.

Awinish, thank you for the hotfix, I have copied it to the machine and installed it.

I wish I had good news for you but sadly, the hotfix has done nothing to solve my problem :(  I am still failing to update the computer configuration settings in group policy.

I am going to connect the problem machine to the internet (it usually does not have an internet connection) and obtain the latest updates to see if that helps.
Hello Gentlemen,

I have now updated all 3 servers (the member server and the 2 domain controllers) with all of the latest updates available from Microsoft (these included Windows Server 2008 SP 2) and I am still experiencing the same issue.

Faraz, I tried going through the registry just to have a look for any differences in the keys contained in the parameters folder of the lanmanworkstation Reg. keys and they are already set to what they need to be.

I performed a diagnostic check on the DFS replication service as well to ensure that the DC's were replicating the SYSVOL share properly and the report returned no errors.

I really don't know what else to do.  Because it's the 'Computer Configuration' settings that are failing, is it possible that the member server's computer account needs to have access to the sysvol share?

Any other ideas are welcome.

Thanks
ASKER CERTIFIED SOLUTION
farazhkhan
@chmilhouse

Can you please update how exactly you resolved this issue? I have the exact same issue and I have been trying to figure it out for 2 days. Please update on how exactly you resolved this issue.
"computer policy could not be updated successfully". I have the same environment as you.

Thank you for your help

mc.