Group Policy being ignored

I have a weird situation.  When I make adjustments to Group Policy and then perform a gpupdate /force, the changes are not in place.  I take a gpresults report and it claims it received the GP settings from the domain controller at the time I performed the gpupdate, but the changes are not listed.  This is specifically affecting the folder redirection.  I have the My Docs and Application Data folders redirected to a DFS namespace.  When I make adjustments it might take days for the changes to take true effect.  Any ideas, ladies and gentlemen?

Thanks
Asked by: 219com

th3elf Commented:
Some policies require a reboot or a user to log on again.

Shift-3 Commented:
Make sure that the old folder locations still exist and that users have Full Control of both the old folders and the new folders.

I've run into issues where Windows can't switch to the new location if the user can't access the old one.

219com (Author) Commented:
gpupdate requires the user to log off and log on again.  This makes no difference.  I have done a total shutdown and still no change.  When I pull a gpresult /Z report it claims the redirection is the old location, yet when I go to the domain controller it has the redirection as the new location.  This is not a permissions issue because the folder has not changed; it is just not being redirected to the namespace anymore. I am redirecting it right to the file server.  It appears as if the machine is using cached group policy settings but claiming with the gpresult report to be getting a fresh GPO.  This is the same with the logon scripts.  The .bat scripts should change the mapped network drives but it still points to the old location.

If I go to a machine that I have never logged onto before it still shows the old redirection.  I have checked the other domain controllers and the new GPO settings are being replicated as they should but it seems for some reason the domain controller is getting stuck on old GPO settings and not distributing the new ones.

Awinish Commented:
Take a backup of any one user profile, delete the old profile of the user on the machine, and ask the user to log in again.
Run RSOP.MSC to check what policy it's getting, and run userenv to enable diagnostic logging on the machine.
Check the event viewer on the DC as well as on any one client machine to resolve the issue.
Post the event viewer of the DC, also the dcdiag result.
http://support.microsoft.com/kb/221833 

ChiefIT Commented:
Check the event logs, under the FRS section, for errors or warnings in the 13000's.

Also look for events 1030 and 1058.

You might have a problem with group policy replication. That has to do with FRS and DNS problems.

219com (Author) Commented:
I am getting the 1030 and 1058 errors in the event viewer.  I saw a Microsoft KB article on it, but it did not seem to help.  I am having some FRS issues.  This is how I discovered the GPO issue.  I was trying to remove the redirection from the namespace to the file server directly so I can do some work on the namespace and DFS-R.  DNS seems to be doing just fine.  I logged on to a client machine I have never been on before to run a gpresult report and it said I have no RSOP data.  It showed no Group Policy settings.  When I go to the GPMC it has everything correct, but it is not getting out to the clients that way.  Could the system be pulling information off an incorrect gpt.ini file that might be floating around the DC somewhere?

ChiefIT Commented:
Please perform a self-diagnosis and familiarize yourself with how group policies are replicated, then shared out using NetBIOS broadcasts.

http://www.experts-exchange.com/articles/OS/Microsoft_Operating_Systems/Server/2003_Server/Diagnosing-and-repairing-Events-1030-and-1058.html

Most likely you have a DNS issue that is the ROOT of all your problems. So, also check your DNS snap-in, under the forward lookup zone, for any greyed-out MSDCS file folders.

219com (Author) Commented:
I have gone through DNS top to bottom and it seems to be just fine.  I just figured out something odd.  When I go into GPMC and make a change in the group policy editor, the changes do not show up in the SYSVOL folder with the gpt.ini file.  The same in regards to changes in the .bat files.  It is like there are two sysvol folders and one is set correct and the other is an old replication or something.  I am doubting it is a NetBIOS issue or a SYSVOL replication error because I should be able to access GP when logged on to the domain controller.  When I perform gpupdate on the DC I get the same errors.

ChiefIT Commented:
You stated that you had FRS problems (warnings in event logs>>FRS events>> events in the 13000s).

Can you list these?

--And yes, if you did a restore from backup your sysvol will not work right for some objects. I had to go through that with someone not long ago.

Let's make sure file replication is working exactly as it should. Also let's make sure DNS is not the issue by going to the command prompt and typing:

DCDiag /v

That will perform a verbose diagnostics of your domain controllers, so you have to perform this on both. Copy/paste any failed events on either DC.

So we need a list to see what's really going on here:
1) DCDiag /v   (list the discrepancies)
2) Event logs>>FRS logs>>any events in the 13000s
0
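
The hex EventIDs that DCDiag prints alongside "(Event String could not be retrieved)" can be decoded offline: the low 16 bits of each identifier are the event number shown in Event Viewer, so 0x800034C4 is FRS event 13508. The following is an added example, not part of the original thread, that tallies events per server and test from saved DCDiag /v text; the sample input is constructed in the format of the output posted below, and the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample, modelled on the DCDiag /v output format in this thread.
# The last test is deliberately cut off before its result line.
SAMPLE = """\
      Starting test: frsevent
         * The File Replication Service Event log test
         An Warning Event occured.  EventID: 0x800034C4
            Time Generated: 12/23/2009   12:40:01
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800034C4
            Time Generated: 12/23/2009   12:47:01
            (Event String could not be retrieved)
         ......................... DC001 failed test frsevent
      Starting test: frsevent
         An Error Event occured.  EventID: 0xC00034E8
            Time Generated: 12/23/2009   08:47:23
         An Error Event occured.  EventID: 0xC00034F0
            Time Generated: 12/23/2009   08:47:24
         An Warning Event occured.  EventID: 0x800034C4
            Time Generated: 12/23/2009   10:08:52
         ......................... DC002 failed test frsevent
      Starting test: kccevent
         An Warning Event occured.  EventID: 0x80000785
            Time Generated: 12/23/2009   14:15:14
         ......................... GENESIS01 failed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 12/23/2009   13:25:21
"""

TEST_RE = re.compile(r"Starting test:\s+(\S+)")
# Tolerates both "occured" (as printed in this thread) and "occurred".
EVENT_RE = re.compile(
    r"An? (Warning|Error|Information) Event occur+ed\.\s+EventID:\s+0x([0-9A-F]{1,8})",
    re.IGNORECASE,
)
RESULT_RE = re.compile(r"\.{5,}\s+(\S+)\s+(?:passed|failed)\s+test\s+(\S+)")


def event_code(event_id):
    """Low 16 bits of the 32-bit event identifier: the ID Event Viewer shows."""
    return event_id & 0xFFFF


def summarize(text):
    """Count events keyed by (server, test, level, decimal event code)."""
    summary = Counter()
    test, pending = None, []

    def flush(server, test_name):
        # Attribute the buffered events to a server once it is known.
        for level, code in pending:
            summary[(server, test_name, level, code)] += 1
        pending.clear()

    for line in text.splitlines():
        m = TEST_RE.search(line)
        if m:
            flush("(unknown)", test)  # previous test never printed a result line
            test = m.group(1)
            continue
        m = EVENT_RE.search(line)
        if m:
            code = event_code(int(m.group(2), 16))
            pending.append((m.group(1).capitalize(), code))
            continue
        m = RESULT_RE.search(line)
        if m:
            # The result line is the only place the server name appears.
            flush(m.group(1), m.group(2))
            test = None
    flush("(unknown)", test)  # output cut off before the final result line
    return summary


def frs_events(summary):
    """Keep only events in the 13000s, the FRS range asked for above."""
    return {key: n for key, n in summary.items() if 13000 <= key[3] <= 13999}


if __name__ == "__main__":
    for (server, test, level, code), n in sorted(summarize(SAMPLE).items()):
        print(f"{server:10} {test:10} {level:8} {code:6} x{n}")
```
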
 
219com (Author) Commented:
I have a bunch of 13508's where I can't seem to replicate to other servers located in other facilities.  But I can use ntfrsutl version <FQDN of remote domain controller> to pull a report off them.  I am not sure but it might be an issue with RPC traffic.  I am currently looking into that.  I also have a couple of 13552 errors where the domain controller cannot replicate to an old namespace that has been retired.  I have checked all my DC's and that old namespace is not present in DFS.  I am not sure why it is still trying to talk to it.  I also have a couple of 13544 where it is saying it is overlapping a directory.  I have not yet begun to investigate that issue.

I actually have a total of 5 DC's.  Two are in my main facility and they seem to be speaking with the least amount of issues, and I have one at three separate facilities.  They (the remote machines) are all getting the 13508 Error.

Here are the errors or failures on the DCDiag tests for 4 of the 5 servers (the last one is not operating properly and is in the process of being diagnosed by other staff and is unavailable).

 Starting test: frsevent
         * The File Replication Service Event log test
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         An Warning Event occured.  EventID: 0x800034C4
            Time Generated: 12/23/2009   12:40:01
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800034C4
            Time Generated: 12/23/2009   12:40:01
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800034C4
            Time Generated: 12/23/2009   12:47:01
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800034C4
            Time Generated: 12/23/2009   12:47:01
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800034C4
            Time Generated: 12/23/2009   12:47:01
            (Event String could not be retrieved)
         ......................... DC001 failed test frsevent

      Starting test: NetLogons
         * Network Logons Privileges Check
         Unable to connect to the NETLOGON share! (\\DC002\netlogon)
         [DC002] An net use or LsaPolicy operation failed with error 1203, No ne
twork provider accepted the given network path..
         ......................... DC002 failed test NetLogons

Starting test: frsevent
   * The File Replication Service Event log test
   There are warning or error events within the last 24 hours after the
   SYSVOL has been shared.  Failing SYSVOL replication problems may cause
   Group Policy problems.
   An Error Event occured.  EventID: 0xC00034E8
      Time Generated: 12/23/2009   08:47:23
      (Event String could not be retrieved)
   An Error Event occured.  EventID: 0xC00034F0
      Time Generated: 12/23/2009   08:47:24
      (Event String could not be retrieved)
   An Warning Event occured.  EventID: 0x800034C4
      Time Generated: 12/23/2009   10:08:52
      (Event String could not be retrieved)
   An Warning Event occured.  EventID: 0x800034C4
      Time Generated: 12/23/2009   10:21:41
      (Event String could not be retrieved)
   An Warning Event occured.  EventID: 0x800034C4
      Time Generated: 12/23/2009   10:42:19
      (Event String could not be retrieved)
   An Warning Event occured.  EventID: 0x800034C4
      Time Generated: 12/23/2009   10:47:30
      (Event String could not be retrieved)
   ......................... DC002 failed test frsevent

Starting test: systemlog
   * The System Event log test
   An Error Event occured.  EventID: 0x00000457
      Time Generated: 12/23/2009   13:25:21
      (Event String could not be retrieved)
   An Error Event occured.  EventID: 0x00000457
      Time Generated: 12/23/2009   13:25:23
      (Event String could not be retrieved)
   An Error Event occured.  EventID: 0x00000457
      Time Generated: 12/23/2009   13:25:23
      (Event String could not be retrieved)
   An Error Event occured.  EventID: 0x00000457
      Time Generated: 12/23/2009   14:01:11
      (Event String could not be retrieved)
   An Error Event occured.  EventID: 0x00000457
      Time Generated: 12/23/2009   14:01:11
      (Event String could not be retrieved)
   An Error Event occured.  EventID: 0x00000457
      Time Generated: 12/23/2009   14:01:12
      (Event String could not be retrieved)
   ......................... DC002 failed test systemlog

      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=DC002,OU=Domain Controllers,DC=gary,DC=in,DC=us and backlink on
         CN=DC002,CN=Servers,CN=City-Hall,CN=Sites,CN=Configuration,DC=gary,DC=i
n,DC=us
         are correct.
         Some objects relating to the DC DC002 have problems:
            [1] Problem: Conflict Mangled Value
            Base Object: CN=DC002,OU=Domain Controllers,DC=gary,DC=in,DC=us
             Base Object Description: "DC Account Object"
             Value Object Attribute: frsComputerReferenceBL
             Value Object Description: "SYSVOL FRS Member Object"
             Mangled Value:
            CN={9e18f189-774c-48cf-a011-bc5683e042f5},CN=AD.replication,CN=AD.re
plication,CN=DFS Volumes,CN=File Replication Service,CN=System,DC=gary,DC=in,DC=
us
             Recommended Action: Check that there is not more than one SYSVOL
            FRS Member Object for this DC, and if so clean up the older
            duplicates.

            The system object reference (serverReferenceBL)
            CN=DC002,CN=Domain System Volume (SYSVOL share),CN=File Replication
Service,CN=System,DC=gary,DC=in,DC=us
            and backlink on
            CN=NTDS Settings,CN=DC002,CN=Servers,CN=City-Hall,CN=Sites,CN=Config
uration,DC=gary,DC=in,DC=us
            are correct.
         ......................... DC002 failed test VerifyReferences


Starting test: Replications
         * Replications Check
       
         [Replications Check,GENESIS01] A recent replication attempt failed:
            From DC02 to GENESIS01
            Naming Context: DC=gary,DC=in,DC=us
            The replication generated an error (1753):
            There are no more endpoints available from the endpoint mapper.
            The failure occurred at 2009-12-23 14:07:07.
            The last success occurred at 2009-11-25 10:22:50.
            2703 failures have occurred since the last success.
            The directory on DC02 is in the process.
            of starting up or shutting down, and is not available.
            Verify machine is not hung during boot.
         * Replication Latency Check
         REPLICATION-RECEIVED LATENCY WARNING
         GENESIS01:  Current time is 2009-12-23 14:18:41.
         
            CN=Configuration,DC=gary,DC=in,DC=us
               Last replication recieved from DC002 at 2009-11-25 10:19:49.
               Last replication recieved from DC001 at 2009-11-25 10:19:32.
               Last replication recieved from COURT01 at 2009-11-25 10:14:13.
               Last replication recieved from DC02 at 2009-11-25 10:23:12.
               Last replication recieved from CH-ANNEX at 2009-11-25 10:14:14.
               Latency information for 7 entries in the vector were ignored.
                  7 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
           
         * Replication Site Latency Check
         
         REPLICATION-RECEIVED LATENCY WARNING

          Source site:

         CN=NTDS Site Settings,CN=Gary-City-Court,CN=Sites,CN=Configuration,DC=gary,DC=in,DC=us

          Current time: 2009-12-23 14:18:41

          Last update time: 2009-11-25 10:11:04

          Check if source site has an elected ISTG running.

          Check replication from source site to this server.
         ......................... GENESIS01 passed test Replications

Directory partition:

DC=gary,DC=in,DC=us

 

There is insufficient site connectivity

information in Active Directory Sites and

Services for the KCC to create a spanning tree

replication topology. Or, one or more domain

controllers with this directory partition are

unable to replicate the directory partition

information. This is probably due to inaccessible

domain controllers.

 

User Action

Use Active Directory Sites and Services to

perform one of the following actions:

- Publish sufficient site connectivity

information so that the KCC can determine a route

by which this directory partition can reach this

site. This is the preferred option.

- Add a Connection object to a domain controller

that contains the directory partition in this

site from a domain controller that contains the

same directory partition in another site.

 

If neither of the Active Directory Sites and

Services tasks correct this condition, see

previous events logged by the KCC that identify

the inaccessible domain controllers.
         An Warning Event occured.  EventID: 0x80000749
            Time Generated: 12/23/2009   14:14:53
            Event String: The Knowledge Consistency Checker (KCC) was

unable to form a complete spanning tree network

topology. As a result, the following list of

sites cannot be reached from the local site.

 

Sites:

CN=Gary-City-Court,CN=Sites,CN=Configuration,DC=gary,DC=in,DC=us

 

CN=City-Hall,CN=Sites,CN=Configuration,DC=gary,DC=in,DC=us

 

CN=City-Hall-Annex,CN=Sites,CN=Configuration,DC=gary,DC=in,DC=us

 

         
         
         An Warning Event occured.  EventID: 0x8000061E
            Time Generated: 12/23/2009   14:14:53
            Event String: All domain controllers in the following site that

can replicate the directory partition over this

transport are currently unavailable.

 

Site:

CN=City-Hall-Annex,CN=Sites,CN=Configuration,DC=gary,DC=in,DC=us

 

Directory partition:

DC=ForestDnsZones,DC=gary,DC=in,DC=us

Transport:

CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=gary,DC=in,DC=us

 
         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 12/23/2009   14:14:53
            Event String: The Knowledge Consistency Checker (KCC) has

detected problems with the following directory

partition.

 

Directory partition:

DC=ForestDnsZones,DC=gary,DC=in,DC=us

 

There is insufficient site connectivity

information in Active Directory Sites and

Services for the KCC to create a spanning tree

replication topology. Or, one or more domain

controllers with this directory partition are

unable to replicate the directory partition

information. This is probably due to inaccessible

domain controllers.

 

User Action

Use Active Directory Sites and Services to

perform one of the following actions:

- Publish sufficient site connectivity

information so that the KCC can determine a route

by which this directory partition can reach this

site. This is the preferred option.

- Add a Connection object to a domain controller

that contains the directory partition in this

site from a domain controller that contains the

same directory partition in another site.

 

If neither of the Active Directory Sites and

Services tasks correct this condition, see

previous events logged by the KCC that identify

the inaccessible domain controllers.
         An Warning Event occured.  EventID: 0x80000749
            Time Generated: 12/23/2009   14:14:53
            Event String: The Knowledge Consistency Checker (KCC) was

unable to form a complete spanning tree network

topology. As a result, the following list of

sites cannot be reached from the local site.

 

Sites:

CN=Gary-City-Court,CN=Sites,CN=Configuration,DC=gary,DC=in,DC=us

 

CN=City-Hall,CN=Sites,CN=Configuration,DC=gary,DC=in,DC=us

 

CN=City-Hall-Annex,CN=Sites,CN=Configuration,DC=gary,DC=in,DC=us

     

 
       

          An Warning Event occured.  EventID: 0x80000785
            Time Generated: 12/23/2009   14:15:14
            Event String: The attempt to establish a replication link for

the following writable directory partition

failed.

 

Directory partition:

DC=gary,DC=in,DC=us

Source domain controller:

CN=NTDS Settings,CN=COURT01,CN=Servers,CN=Gary-City-Court,CN=Sites,CN=Configuration,DC=gary,DC=in,DC=us

 

Source domain controller address:

f6665223-ad81-4cd7-950f-47a2d4bbc06a._msdcs.gary.in.us

 

Intersite transport (if any):

CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=gary,DC=in,DC=us

 

 

This domain controller will be unable to

replicate with the source domain controller until

this problem is corrected.  

 

User Action

Verify if the source domain controller is

accessible or network connectivity is available.

 

Additional Data

Error value:

1722 The RPC server is unavailable.
         An Warning Event occured.  EventID: 0x80000785
            Time Generated: 12/23/2009   14:15:35
            Event String: The attempt to establish a replication link for

the following writable directory partition

failed.

 

Directory partition:

DC=gary,DC=in,DC=us

Source domain controller:

CN=NTDS Settings,CN=CH-ANNEX,CN=Servers,CN=City-Hall-Annex,CN=Sites,CN=Configuration,DC=gary,DC=in,DC=us

 

Source domain controller address:

054d1a83-3ec5-4c9d-a5a2-0bba3c470709._msdcs.gary.in.us

 

Intersite transport (if any):

CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=gary,DC=in,DC=us

 

 

This domain controller will be unable to

replicate with the source domain controller until

this problem is corrected.  

 

User Action

Verify if the source domain controller is

accessible or network connectivity is available.

 

Additional Data

Error value:

1722 The RPC server is unavailable.
         ......................... GENESIS01 failed test kccevent


Testing server: City-Hall-Annex\CH-ANNEX
      Starting test: Replications
         * Replications Check
          [Replications Check,CH-ANNEX] A recent replication attempt failed:
            From DC02 to CH-ANNEX
            Naming Context: DC=gary,DC=in,DC=us
            The replication generated an error (1753):
            There are no more endpoints available from the endpoint mapper.
            The failure occurred at 2009-12-23 14:12:48.
            The last success occurred at 2009-11-25 10:20:13.
            2702 failures have occurred since the last success.
            The directory on DC02 is in the process.
            of starting up or shutting down, and is not available.
            Verify machine is not hung during boot.
         * Replication Latency Check
         REPLICATION-RECEIVED LATENCY WARNING
         CH-ANNEX:  Current time is 2009-12-23 14:17:42.
            DC=ForestDnsZones,DC=gary,DC=in,DC=us
               Last replication recieved from DC002 at 2009-11-25 09:59:15.
               Last replication recieved from DC001 at 2009-11-25 09:59:15.
               Last replication recieved from COURT01 at 2009-11-25 10:14:15.
               Last replication recieved from GENESIS01 at 2009-11-25 10:14:15.
               Last replication recieved from DC02 at 2009-11-25 10:20:36.
               Latency information for 4 entries in the vector were ignored.
                  4 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=DomainDnsZones,DC=gary,DC=in,DC=us
               Last replication recieved from DC002 at 2009-11-25 09:59:15.
               Last replication recieved from DC001 at 2009-11-25 09:59:14.
               Last replication recieved from COURT01 at 2009-11-25 10:14:15.
               Last replication recieved from GENESIS01 at 2009-11-25 10:14:15.
               Last replication recieved from DC02 at 2009-11-25 10:20:36.
               Latency information for 4 entries in the vector were ignored.
                  4 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Schema,CN=Configuration,DC=gary,DC=in,DC=us
               Last replication recieved from DC002 at 2009-11-25 09:59:14.
               Last replication recieved from DC001 at 2009-11-25 09:59:14.
               Last replication recieved from COURT01 at 2009-11-25 10:14:14.
               Last replication recieved from GENESIS01 at 2009-11-25 10:14:14.
               Last replication recieved from DC02 at 2009-11-25 10:20:36.
               Latency information for 7 entries in the vector were ignored.
                  7 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Configuration,DC=gary,DC=in,DC=us
               Last replication recieved from DC002 at 2009-11-25 10:19:49.
               Last replication recieved from DC001 at 2009-11-25 10:19:32.
               Last replication recieved from COURT01 at 2009-11-25 10:14:13.
               Last replication recieved from GENESIS01 at 2009-11-25 10:14:14.
               Last replication recieved from DC02 at 2009-11-25 10:20:35.
               Latency information for 7 entries in the vector were ignored.
                  7 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=gary,DC=in,DC=us
               Last replication recieved from DC002 at 2009-11-25 10:20:00.
               Last replication recieved from DC001 at 2009-11-25 10:18:57.
               Last replication recieved from COURT01 at 2009-11-25 10:14:13.
               Last replication recieved from GENESIS01 at 2009-11-25 10:14:14.
               Last replication recieved from DC02 at 2009-11-25 10:20:35.
               Latency information for 7 entries in the vector were ignored.
                  7 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
         * Replication Site Latency Check
         REPLICATION-RECEIVED LATENCY WARNING

          Source site:

         CN=NTDS Site Settings,CN=City-Hall,CN=Sites,CN=Configuration,DC=gary,DC=in,DC=us

          Current time: 2009-12-23 14:17:42

          Last update time: 2009-11-25 10:08:22

          Check if source site has an elected ISTG running.

          Check replication from source site to this server.
         REPLICATION-RECEIVED LATENCY WARNING

          Source site:

         CN=NTDS Site Settings,CN=Gary-City-Court,CN=Sites,CN=Configuration,DC=gary,DC=in,DC=us

          Current time: 2009-12-23 14:17:42

          Last update time: 2009-11-25 10:11:04

          Check if source site has an elected ISTG running.

          Check replication from source site to this server.
         REPLICATION-RECEIVED LATENCY WARNING

          Source site:

         CN=NTDS Site Settings,CN=Genesis-Convention-Center,CN=Sites,CN=Configuration,DC=gary,DC=in,DC=us

          Current time: 2009-12-23 14:17:42

          Last update time: 2009-11-25 09:57:53

          Check if source site has an elected ISTG running.

          Check replication from source site to this server.
         ......................... CH-ANNEX passed test Replications

Starting test: frsevent
         * The File Replication Service Event log test
         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         An Warning Event occured.  EventID: 0x800034C4
            Time Generated: 12/22/2009   20:08:07
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800034C4
            Time Generated: 12/22/2009   21:34:17
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800034C4
            Time Generated: 12/23/2009   01:40:48
            (Event String could not be retrieved)
         ......................... CH-ANNEX failed test frsevent

Starting test: kccevent
         * The KCC Event log test
         An Warning Event occured.  EventID: 0x8000061E
            Time Generated: 12/23/2009   14:12:51
            Event String: All domain controllers in the following site that

can replicate the directory partition over this

transport are currently unavailable.

 

Site:

CN=City-Hall,CN=Sites,CN=Configuration,DC=gary,DC=in,DC=us

 

Directory partition:

DC=gary,DC=in,DC=us

Transport:

CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=gary,DC=in,DC=us

 
         An Warning Event occured.  EventID: 0x8000061E
            Time Generated: 12/23/2009   14:12:51
            Event String: All domain controllers in the following site that

can replicate the directory partition over this

transport are currently unavailable.

 

Site:

CN=Genesis-Convention-Center,CN=Sites,CN=Configuration,DC=gary,DC=in,DC=us

 

Directory partition:

DC=gary,DC=in,DC=us

Transport:

CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=gary,DC=in,DC=us

 
         An Warning Event occured.  EventID: 0x8000061E
            Time Generated: 12/23/2009   14:12:51
            Event String: All domain controllers in the following site that

can replicate the directory partition over this

transport are currently unavailable.

 

Site:

CN=Gary-City-Court,CN=Sites,CN=Configuration,DC=gary,DC=in,DC=us

 

Directory partition:

DC=gary,DC=in,DC=us

Transport:

CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=gary,DC=in,DC=us

 
         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 12/23/2009   14:12:51
            Event String: The Knowledge Consistency Checker (KCC) has

detected problems with the following directory

partition.

 

Directory partition:

DC=gary,DC=in,DC=us

 

There is insufficient site connectivity

information in Active Directory Sites and

Services for the KCC to create a spanning tree

replication topology. Or, one or more domain

controllers with this directory partition are

unable to replicate the directory partition

information. This is probably due to inaccessible

domain controllers.

 

User Action

Use Active Directory Sites and Services to

perform one of the following actions:

- Publish sufficient site connectivity

information so that the KCC can determine a route

by which this directory partition can reach this

site. This is the preferred option.

- Add a Connection object to a domain controller

that contains the directory partition in this

site from a domain controller that contains the

same directory partition in another site.

 

If neither of the Active Directory Sites and

Services tasks correct this condition, see

previous events logged by the KCC that identify

the inaccessible domain controllers.
         An Warning Event occured.  EventID: 0x80000749
            Time Generated: 12/23/2009   14:12:51
            Event String: The Knowledge Consistency Checker (KCC) was

unable to form a complete spanning tree network

topology. As a result, the following list of

sites cannot be reached from the local site.

 

Sites:

CN=Gary-City-Court,CN=Sites,CN=Configuration,DC=gary,DC=in,DC=us

 

CN=Genesis-Convention-Center,CN=Sites,CN=Configuration,DC=gary,DC=in,DC=us

 

CN=City-Hall,CN=Sites,CN=Configuration,DC=gary,DC=in,DC=us

 

 

 

 

 

 
         An Warning Event occured.  EventID: 0x8000061E
            Time Generated: 12/23/2009   14:12:51
            Event String: All domain controllers in the following site that

can replicate the directory partition over this

transport are currently unavailable.

 

Site:

CN=City-Hall,CN=Sites,CN=Configuration,DC=gary,DC=in,DC=us

 

Directory partition:

DC=ForestDnsZones,DC=gary,DC=in,DC=us

Transport:

CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=gary,DC=in,DC=us

 
         An Warning Event occured.  EventID: 0x8000061E
            Time Generated: 12/23/2009   14:12:51
            Event String: All domain controllers in the following site that

can replicate the directory partition over this

transport are currently unavailable.

 

Site:

CN=Genesis-Convention-Center,CN=Sites,CN=Configuration,DC=gary,DC=in,DC=us

 

Directory partition:

DC=ForestDnsZones,DC=gary,DC=in,DC=us

Transport:

CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=gary,DC=in,DC=us

 
         An Warning Event occured.  EventID: 0x8000061E
            Time Generated: 12/23/2009   14:12:51
            Event String: All domain controllers in the following site that

can replicate the directory partition over this

transport are currently unavailable.

 

Site:

CN=Gary-City-Court,CN=Sites,CN=Configuration,DC=gary,DC=in,DC=us

 

Directory partition:

DC=ForestDnsZones,DC=gary,DC=in,DC=us

Transport:

CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=gary,DC=in,DC=us

 
         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 12/23/2009   14:12:51
            Event String: The Knowledge Consistency Checker (KCC) has

detected problems with the following directory

partition.

 

Directory partition:

DC=ForestDnsZones,DC=gary,DC=in,DC=us

 

There is insufficient site connectivity

information in Active Directory Sites and

Services for the KCC to create a spanning tree

replication topology. Or, one or more domain

controllers with this directory partition are

unable to replicate the directory partition

information. This is probably due to inaccessible

domain controllers.

 

User Action

Use Active Directory Sites and Services to

perform one of the following actions:

- Publish sufficient site connectivity

information so that the KCC can determine a route

by which this directory partition can reach this

site. This is the preferred option.

- Add a Connection object to a domain controller

that contains the directory partition in this

site from a domain controller that contains the

same directory partition in another site.

 

If neither of the Active Directory Sites and

Services tasks correct this condition, see

previous events logged by the KCC that identify

the inaccessible domain controllers.
         An Warning Event occured.  EventID: 0x80000749
            Time Generated: 12/23/2009   14:12:51
            Event String: The Knowledge Consistency Checker (KCC) was

unable to form a complete spanning tree network

topology. As a result, the following list of

sites cannot be reached from the local site.

 

Sites:

CN=Gary-City-Court,CN=Sites,CN=Configuration,DC=gary,DC=in,DC=us

 

CN=Genesis-Convention-Center,CN=Sites,CN=Configuration,DC=gary,DC=in,DC=us

 

CN=City-Hall,CN=Sites,CN=Configuration,DC=gary,DC=in,DC=us

 

       

          An Error Event occured.  EventID: 0xC000051F
            Time Generated: 12/23/2009   14:12:51
            Event String: The Knowledge Consistency Checker (KCC) has

detected problems with the following directory

partition.

 

Directory partition:

DC=DomainDnsZones,DC=gary,DC=in,DC=us

 

There is insufficient site connectivity

information in Active Directory Sites and

Services for the KCC to create a spanning tree

replication topology. Or, one or more domain

controllers with this directory partition are

unable to replicate the directory partition

information. This is probably due to inaccessible

domain controllers.

 

User Action

Use Active Directory Sites and Services to

perform one of the following actions:

- Publish sufficient site connectivity

information so that the KCC can determine a route

by which this directory partition can reach this

site. This is the preferred option.

- Add a Connection object to a domain controller

that contains the directory partition in this

site from a domain controller that contains the

same directory partition in another site.

 

If neither of the Active Directory Sites and

Services tasks correct this condition, see

previous events logged by the KCC that identify

the inaccessible domain controllers.
         An Warning Event occured.  EventID: 0x80000749
            Time Generated: 12/23/2009   14:12:51
            Event String: The Knowledge Consistency Checker (KCC) was

unable to form a complete spanning tree network

topology. As a result, the following list of

sites cannot be reached from the local site.

 

Sites:

CN=Gary-City-Court,CN=Sites,CN=Configuration,DC=gary,DC=in,DC=us

 

CN=Genesis-Convention-Center,CN=Sites,CN=Configuration,DC=gary,DC=in,DC=us

 

CN=City-Hall,CN=Sites,CN=Configuration,DC=gary,DC=in,DC=us

 

 

 
         An Warning Event occured.  EventID: 0x80000785
            Time Generated: 12/23/2009   14:12:52
            Event String: The attempt to establish a replication link for

the following writable directory partition

failed.

 

Directory partition:

DC=gary,DC=in,DC=us

Source domain controller:

CN=NTDS Settings,CN=COURT01,CN=Servers,CN=Gary-City-Court,CN=Sites,CN=Configuration,DC=gary,DC=in,DC=us

 

Source domain controller address:

f6665223-ad81-4cd7-950f-47a2d4bbc06a._msdcs.gary.in.us

 

Intersite transport (if any):

CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=gary,DC=in,DC=us

 

 

This domain controller will be unable to

replicate with the source domain controller until

this problem is corrected.  

 

User Action

Verify if the source domain controller is

accessible or network connectivity is available.

 

Additional Data

Error value:

1722 The RPC server is unavailable.
         An Warning Event occured.  EventID: 0x80000785
            Time Generated: 12/23/2009   14:12:53
            Event String: The attempt to establish a replication link for

the following writable directory partition

failed.

 

Directory partition:

DC=gary,DC=in,DC=us

Source domain controller:

CN=NTDS Settings,CN=GENESIS01,CN=Servers,CN=Genesis-Convention-Center,CN=Sites,CN=Configuration,DC=gary,DC=in,DC=us

 

Source domain controller address:

ec5fc4d4-3583-414d-9897-470d53b4dd6b._msdcs.gary.in.us

 

Intersite transport (if any):

CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=gary,DC=in,DC=us

 

 

This domain controller will be unable to

replicate with the source domain controller until

this problem is corrected.  

 

User Action

Verify if the source domain controller is

accessible or network connectivity is available.

 

Additional Data

Error value:

1722 The RPC server is unavailable.
         ......................... CH-ANNEX failed test kccevent

Starting test: systemlog
         * The System Event log test
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 12/23/2009   13:19:43
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 12/23/2009   13:19:43
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 12/23/2009   13:19:48
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 12/23/2009   13:19:49
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 12/23/2009   13:19:49
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x0000165B
            Time Generated: 12/23/2009   13:32:42
            Event String: The session setup from computer '2Z3RC91A' failed

because the security database does not contain a

trust account '2Z3RC91A$' referenced by the

specified computer.  



USER ACTION  

If this is the first occurrence of this event for

the specified computer and account, this may be a

transient issue that doesn't require any action

at this time. Otherwise, the following steps may

be taken to resolve this problem:  



If '2Z3RC91A$' is a legitimate machine account

for the computer '2Z3RC91A', then '2Z3RC91A'

should be rejoined to the domain.  



If '2Z3RC91A$' is a legitimate interdomain trust

account, then the trust should be recreated.  



Otherwise, assuming that '2Z3RC91A$' is not a

legitimate account, the following action should

be taken on '2Z3RC91A':  



If '2Z3RC91A' is a Domain Controller, then the

trust associated with '2Z3RC91A$' should be

deleted.  



If '2Z3RC91A' is not a Domain Controller, it

should be disjoined from the domain.
         An Error Event occured.  EventID: 0x000016AD
            Time Generated: 12/23/2009   13:35:52
            Event String: The session setup from the computer 2Z3RC91A

failed to authenticate. The following error

occurred:

%%5
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 12/23/2009   14:15:39
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 12/23/2009   14:15:39
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 12/23/2009   14:15:40
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 12/23/2009   14:15:40
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 12/23/2009   14:15:43
            (Event String could not be retrieved)
         ......................... CH-ANNEX failed test systemlog

I know this is a lot to read; it is apparent this system is in worse shape than I estimated.

Thank you for your assistance
0
 
219comAuthor Commented:
I think I have one more piece of the pie.  When I look at the 1058 error it is pointing to a GPO that is not in the sysvol file.  The GPO exists but it has a different hexadecimal number name.  This looks like it might be a huge part of the issue.
0
 
ChiefITCommented:
OK, it appears like you have a couple problems.

1) One is your DCs are so far out of time synch that they don't want to replicate to one another. This is causing all the synchronization errors and KCC errors. It is also causing problems with replications.
________________________________________________________________________________
2 or 3) The other is, it appears like you either have metadata, OR a server called Gary.City.court.in.us has bad delegation records on it>>>

2) >>A bad DNS delegation record and its fix looks exactly like this:
http://www.experts-exchange.com/Networking/Protocols/DNS/Q_24349599.html

3) >>DOES Gary.City.court.in.us exist? If not, you have FRS metadata and DNS metadata to rid yourself of. You may also have Active Directory metadata, but I don't see any tombstoned servers here. That's a good thing.
If Gary.City.Court.in.us does NOT exist, then use this article to perform AD, DNS and FRS metadata cleanup.
http://www.petri.co.il/delete_failed_dcs_from_ad.htm

So:
1) Time synch your DCs
2) check for bad DNS delegation records
3) perform FRS, AD, and DNS metadata cleanup as needed.
0
 
219comAuthor Commented:
Thanks for all the help.  The time issue is being a bear; I can get all but one DC to sync just fine.  This is the court one that is being difficult.  It is so far out of whack that I cannot even get it to sync.  It is so far out it won't communicate with the PDC at all for all practical purposes.  I did have some old metadata and got rid of that.  I don't believe I have any bad DNS delegation records that I can find.  I will continue on this in the morning, but any advice on how to get a really stubborn DC to time sync is appreciated.  Like I said, the other three synced fine and they are all good; it is just this one that is having all the issues.
0
 
ChiefITCommented:
Can you remote into it and set it manually? Then, try to resynch with it.
0
 
219comAuthor Commented:
I have all the DCs synced and the DNS looks good.  Now back to the GPO issue.  It appears as if the GPO hex. number in the sysvol file and the GPO hex. number in GPMC are different.  In the event log the server is looking for the GPO with the number that is in the GPMC but when you go into the sysvol file it is not there.  The gpo.ini file for that specific object is under a different number.  I am not sure if this is a synchronization issue or if I need to recover GPOs again.
0
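A check for the mismatch described in the post above, added here as an example and not posted by anyone in the thread: it lists GPOs that exist in AD (what GPMC shows) but have no folder or gpt.ini in one DC's SYSVOL copy, and SYSVOL folders with no AD object. The `-DomainController` parameter name is an assumption; run it against each DC in turn to see which copies disagree.

```powershell
# Added example: compare GPO objects in AD with GPO folders in one DC's SYSVOL copy.
param([string]$DomainController = $env:COMPUTERNAME)   # DC to inspect (assumed parameter)

$domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
$domainDn = [string]$domain.GetDirectoryEntry().distinguishedName

# 1. GPOs as AD sees them: groupPolicyContainer objects whose cn is the {GUID}.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$DomainController/CN=Policies,CN=System,$domainDn"
$searcher.Filter     = '(objectClass=groupPolicyContainer)'
$searcher.PageSize   = 500
$adGpos = @{}                                   # case-insensitive: {GUID} -> display name
foreach ($r in $searcher.FindAll()) {
    $guid = [string]($r.Properties['cn'] | Select-Object -First 1)
    $adGpos[$guid] = [string]($r.Properties['displayname'] | Select-Object -First 1)
}

# 2. GPO folders as this DC's SYSVOL share has them.
$policies = "\\$DomainController\SYSVOL\$($domain.Name)\Policies"
$folders  = @(Get-ChildItem -LiteralPath $policies |
              Where-Object { $_.PSIsContainer -and $_.Name -like '{*}' } |
              ForEach-Object { $_.Name })

# 3. Report every disagreement between the two views.
$report = @()
foreach ($guid in $adGpos.Keys) {
    if ($folders -notcontains $guid) {
        $problem = 'In AD, no SYSVOL folder'          # clients log 1058 for these
    } elseif (-not (Test-Path -LiteralPath "$policies\$guid\gpt.ini")) {
        $problem = 'SYSVOL folder has no gpt.ini'
    } else {
        continue
    }
    $report += New-Object PSObject -Property @{
        Guid = $guid; Name = $adGpos[$guid]; Problem = $problem }
}
foreach ($guid in $folders) {
    if (-not $adGpos.ContainsKey($guid)) {
        $report += New-Object PSObject -Property @{
            Guid = $guid; Name = ''; Problem = 'SYSVOL folder, no AD object' }
    }
}

$report | Sort-Object Problem, Guid | Format-Table Guid, Name, Problem -AutoSize
```

An empty report on one DC and a non-empty one on another points at SYSVOL replication rather than at the GPO itself.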
 
219comAuthor Commented:
OK, here is the solution to part of this problem.  The error 1058 refers to a GP that no longer exists.  It used to belong to Service Center Essentials which was being used on a test machine that somehow got replicated.  I have removed that GPO from GPMC.  I hope this solves the issue.
0
 
ChiefITCommented:
You are in Journal wrap:

Journal wrap is a partial replication set of data.

Let's say you have two or more replication partners, and ONE computer that was once a replication partner, and no longer exists.

What happens is this: if your server sees a server that no longer exists, it will stop replicating. You already mentioned there is a server that no longer exists, and it holds a GPO that is NOT being replicated to all replication partners.

What you have to do is remove metadata of THAT SERVER that no longer exists, from all other servers.

To do this, you need to go to ALL active directory servers and remove FRS, DNS, and AD metadata from these servers of that ONE server that no longer exists. Then, you need to reset the replication.

You stated that you have ONE server with these errors. I suspect that one server is the ONLY replication partner that you will need to do ANYTHING with. That server is the COURT server.

Remove metadata from the COURT server. Then, reset your replication set by trying a couple things. Here are the steps.

1) To remove FRS, DNS and AD metadata, follow the steps on this entire article:
http://www.petri.co.il/delete_failed_dcs_from_ad.htm
(MAKE sure none of your AD servers see that server that no longer exists)

2) To reset replication we are going to try this three ways: two non-invasive approaches, and one semi-invasive approach.
  a) Let's try to force replicate using Sites and Services- http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/ActiveDirectory/ForcingActiveDirectoryReplication.html
  b) If that doesn't work, let's move on to resetting FRS-
Go to the command prompt and type net stop NTFRS and then type net start NTFRS
Here is an article to explain this:
http://www.eventid.net/display.asp?eventid=13555&eventno=572&source=NtFrs&phase=1
  c) Sometimes the above two least invasive approaches don't work and you need to resort to a more invasive approach. This is called the BurFlags method to reset replication. This is the most invasive approach, and I have used it many times with great success when helping people on EE.
  (For a PDCe, you want to use the authoritative method; for a non-PDCe you want to use the non-authoritative restore.)
http://support.microsoft.com/kb/290762
0
 
219comAuthor Commented:
OK, we'll let that run a while and see if there are any more issues.  One problem I have seen the last few days is the attempted replication of a retired namespace.  There was a previous namespace that has been retired for a while now but I am getting an FRS event 13552 error.  It says FRS is unable to add this computer to the following replica set: "<namespace name>"

I have looked through each of the DC's and file server's DFSMC and cannot find any trace of it.  I imagine this is metadata floating around but I can't seem to find it.
0
 
ChiefITCommented:
That too will create a Journal Wrap and stop File replication.
0
 
219comAuthor Commented:
So when I fix the Journal Wrap that will solve that issue, or do I need to solve that issue before I fix the Journal Wrap?  I am about to use the BurFlag option, but need to know what the order of operation should be.
0
 
AwinishCommented:
Copy the complete sysvol from healthy dc with no FRS error & replace it on problem dc.
Restart the FRS.

The Good DC server will be D4 & on other ADC server will be D2.

Or simply copy the sysvol from healthy dc & do the below steps.

On problem DC, follow below steps.

-Stop the File Replication service on the domain controller.
-Start Registry Editor (Regedt32.exe).
-Locate and then click the BurFlags value under the following key in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
-On the Edit menu, click DWORD, click Hex, type D2, and then click OK.
-Quit Registry Editor.
-Move data out of the PreExisting folder.
-Restart the File Replication Service.



http://support.microsoft.com/kb/315457

http://support.microsoft.com/kb/316790
0
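The BurFlags steps above, scripted in PowerShell as an added example (not code from anyone in this thread). It assumes Windows PowerShell on the DC, an elevated session, and that stale AD/FRS/DNS metadata has already been cleaned up; `-Mode` and `-TimeoutMinutes` are names chosen here, and events 13565 (restore started), 13516 (SYSVOL ready) and 13568 (journal wrap) are the FRS event IDs documented by Microsoft.

```powershell
# Added example: set BurFlags to D2 (non-authoritative) or D4 (authoritative),
# restart FRS, then wait for the FRS event log to confirm SYSVOL is ready.
param(
    [ValidateSet('D2', 'D4')]
    [string]$Mode = 'D2',
    [int]$TimeoutMinutes = 30        # assumed wait; a large SYSVOL can take longer
)
$ErrorActionPreference = 'Stop'

# Guard the rule given in the thread: D4 on the PDC emulator, D2 on every other DC.
$domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
$pdcName = $domain.PdcRoleOwner.Name.Split('.')[0]
$isPdc   = ($pdcName -eq $env:COMPUTERNAME)
if ($Mode -eq 'D2' -and $isPdc) {
    throw "This DC is the PDC emulator; D2 would replace its SYSVOL with a partner's copy."
}
if ($Mode -eq 'D4' -and -not $isPdc) {
    throw "D4 makes this copy authoritative, but $pdcName holds the PDC emulator role."
}

$start = Get-Date
Stop-Service -Name NtFrs

# The key name contains "/" ("Backup/Restore"). The PowerShell registry provider
# treats "/" as a path separator, so open the key through .NET instead.
$path = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
$key  = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($path, $true)
if ($null -eq $key) {
    Start-Service -Name NtFrs
    throw "Registry key not found: HKLM\$path"
}
try {
    $value = [Convert]::ToInt32($Mode, 16)          # 'D2' -> 0xD2, 'D4' -> 0xD4
    $key.SetValue('BurFlags', $value, [Microsoft.Win32.RegistryValueKind]::DWord)
} finally {
    $key.Close()
}
Start-Service -Name NtFrs

# Poll the FRS log: 13516 means done; 13552 or 13568 means the reset did not take.
$deadline = $start.AddMinutes($TimeoutMinutes)
do {
    Start-Sleep -Seconds 30
    $events = Get-EventLog -LogName 'File Replication Service' -After $start `
                  -ErrorAction SilentlyContinue |
              Where-Object { 13565, 13516, 13552, 13568 -contains $_.EventID }
    $done = $events | Where-Object { $_.EventID -eq 13516 }
} until ($done -or (Get-Date) -gt $deadline)

$events | Sort-Object TimeGenerated |
    Format-Table TimeGenerated, EventID, EntryType -AutoSize
if (-not $done) {
    Write-Warning "No event 13516 within $TimeoutMinutes minutes; SYSVOL is not confirmed ready."
}
```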
 
ChiefITCommented:
Prior to fixing journal wrap, you need to remove the AD, FRS, and DNS metadata. All has to be perfect before Journal wrap can be fixed.
0
 
219comAuthor Commented:
Everything is working great with one exception.  I am still getting an error where FRS is trying to replicate the retired namespace data.  I cannot find anything in the system regarding the namespace; I am sure it is some metadata floating around.  I have checked all servers that were involved with the namespace and the DFSMC is clear of anything.  I cannot find anything in the sysvol file (not that I thought I would). Do you have any ideas on how to clear this up?  Other than that everything looks to be replicating great.
0
 
ChiefITCommented:
You're going to have to remove FRS metadata and DNS metadata and AD metadata of the server and namespace that no longer exists:

http://www.petri.co.il/delete_failed_dcs_from_ad.htm
0
 
219comAuthor Commented:
The server still exists; the only server that is no longer online didn't have anything to do with this NameSpace.  It has been removed (I actually used the technique used in the article).  This is strictly a namespace reference.  The event 13552 does refer as the FRS is unable to add this computer to the following replica set: "blah blah blah".  It looks like it is the replica set I need to deep six.  Does this make sense to you?
0
 
ChiefITCommented:
No, there's no need. You can reset the replication set and rebuild the Sysvol and Netlogon shares using the burflag method, as Awinish was recommending. Rebuilding from backup is not an option as it will mess up the locations of the replication sets and mess up FRS further.

Is replication working?

Are you getting 1030 and 1058 errors in event logs on any machines?

Are there any other Events in the FRS event logs?

If negative on all of that, then you can follow Awinish's advice on resetting the replication set using Burflag.

0
 
219comAuthor Commented:
There are no other errors at all.  I tried the Burflag method and that stopped the original journal wrap but this one error is still being stubborn.  The issue is I may not have a 100% clear sysvol to copy.  If all the sysvols in the network have tidbits of this old namespace it might just be re-populating every time I try to clear it out.
0
 
219comAuthor Commented:
Thanks for all your help
0
