Solved

Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9}

Posted on 2010-08-27
13
1,370 Views
Last Modified: 2012-05-10
Hi,

I have one machine that won't log on to my profile and gives the following errors:

1058
1030

Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9}

I can access the .ini file in sysvol and this is only occurring on one machine. I can log into the same profile on any other machine.

Further to this I am also getting the same message on the DC

1058
Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=letterpart,DC=local. The file must be present at the location <\\letterpart.local\sysvol\letterpart.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Access is denied. ). Group Policy processing aborted.

1030
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

and again, I can access the .ini file in sysvol

Another problem I have is that when I try and edit any GPO in GPM, I sometimes can't edit them and I get an error message about permissions. It is working now so I can't replicate this and provide the error message.
0
Comment
Question by:Letterpart
13 Comments
 
LVL 3

Accepted Solution

by:
Jaoibh earned 350 total points
Comment Utility
if its one machine
I'd take it off the domain and put it back on again.
This will reset the permissions and hopefully resolve your problem
0
 
LVL 16

Assisted Solution

by:Carol Chisholm
Carol Chisholm earned 50 total points
Comment Utility
http://support.microsoft.com/kb/888943?

These are really fiddly ones to resolve.
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 50 total points
Comment Utility
Could be a lot of things GPO permissions, DNS, network, to name a few


Take a look at these two articles

http://support.microsoft.com/kb/887303

http://www.experts-exchange.com/articles/OS/Microsoft_Operating_Systems/Server/2003_Server/Diagnosing-and-repairing-Events-1030-and-1058.html
Good EE article by Chief IT

I'd try the dfsutil /purgemupcache first and see if that helps (i've had luck with it on a few boxes in the past)

Thanks

Mike
0
 
LVL 5

Assisted Solution

by:jlanderson1
jlanderson1 earned 50 total points
Comment Utility
Honestly, if you have more than one DC, the easiest thing to do is to copy the GPO from SYSVOL on one server to the other.  Just overwrite the GPO (31B2F340-016D-11D2-945F-00C04FB984F9).  This is the fastest easiest way.
0
 
LVL 1

Author Comment

by:Letterpart
Comment Utility
Have done a bit more digging.

Firstly, this one machine that is having problems will not connect to the domain so I changed its name and then re-joined and I can now see it in AD. I still can't load any profiles on that machine but I am not worried about that just now.

Secondly, my 1030 1058 errors are happening every 5 minutes which is pointing to a server-server issue rather than client.

Thirdly, I ran a dcdiag /test:netlogons and everything came back ok. But when I run a DCdiag /test:DNS I get a stack of errors with my DNS.

Testing server: Reigate\APPSERV1

DNS Tests are running and not hung. Please wait a few minutes...
   
   Running partition tests on : DomainDnsZones
   
   Running partition tests on : ForestDnsZones
   
   Running partition tests on : Schema
   
   Running partition tests on : Configuration
   
   Running partition tests on : letterpart
   
   Running enterprise tests on : letterpart.local
      Starting test: DNS
         Test results for domain controllers:
           
            DC: APPSERV1.letterpart.local
            Domain: letterpart.local

                 
               TEST: Basic (Basc)
                  Warning: adapter [00000007] Intel(R) PRO/1000 MT Server Adapter has invalid DNS server: 192.168.1.100 (<name unavailable>)                  Warning: adapter [00000007] Intel(R) PRO/1000 MT Server Adapter has invalid DNS server: 192.168.1.210 (<name unavailable>)
                  Error: all DNS servers are invalid
               
            TEST: Records registration (RReg)
               Error: Record registrations cannot be found for all the network adapters
         
         Summary of test results for DNS servers used by the above domain controllers:

            DNS server: 192.168.1.100 (<name unavailable>)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.168.1.100
               
            DNS server: 192.168.1.210 (<name unavailable>)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.168.1.210
               
         Summary of DNS test results:
         
                                            Auth Basc Forw Del  Dyn  RReg Ext  
               ________________________________________________________________
            Domain: letterpart.local
               APPSERV1                     PASS FAIL PASS PASS PASS FAIL n/a  
         
         ......................... letterpart.local failed test DNS


192.168.1.100 is APPSERV1 and has been my Domain Controller DNS Server for years now. DC1 is a fairly new VM Domain Controller and DNS server and has been fine for about 3 months.

##########################################################

Obviously I have some DNS issues here which require resolving


0
 
LVL 3

Expert Comment

by:Jaoibh
Comment Utility
Hey, DNS problems are fairly easy to fix.

At least you know this is more than likely the problem.

Firstly any Domain controller is a DNS server
so you to fix your problems first thing to do is make sure your DNS Servers point to themselves as the primary DNS server

Then go into DNS and setup your pointers and test them.







DNS-config.JPG
DNS-config1.JPG
DNS-config2.JPG
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 
LVL 3

Expert Comment

by:Jaoibh
Comment Utility
I assume you use a DHCP for your Desktop machines.
Double check your DNS settings are as follows.
Your Primary domain controller should be the primary DNS server for your clients.
any other domain controller or DNS server should be the Alternate

DNS-config-client.JPG
0
 
LVL 1

Author Comment

by:Letterpart
Comment Utility
Hi Jaoibh,

my DNS settings are correct.

When I ran the simple and recursive test, the simple failed and recursive passed.
0
 
LVL 3

Expert Comment

by:Jaoibh
Comment Utility
I'd suggest making manual "New Host (A)" on the DNS server for
DNS server: 192.168.1.100 (<name unavailable>)
             
DNS server: 192.168.1.210 (<name unavailable>)

Perhaps this will clear the error. Although these should have been automatically generated.

D
0
 
LVL 1

Author Comment

by:Letterpart
Comment Utility
I already have A records for the DNS servers and NS records as well for both Appserv1 and dc1

Just out of interest...
I rebooted my DC1 and now when I run dcdiag /test:DNS it passes all tests. BUT when I run the test from monitoring in dnsmgmt it fails both tests.

0
 
LVL 3

Expert Comment

by:Jaoibh
Comment Utility
Strange one

Can you try and Ping both of the DNS IP forwarders you are using?
Anything else in your DNS Event Viewer?
0
 
LVL 1

Author Comment

by:Letterpart
Comment Utility
I can ping both servers ok and there is nothing else at all in my event logs.

BTW, I have reinstalled the computer that failed to load my profile and it is now working. So that is ok.

I'm now stuck on these very odd DNS dcdiag issues
0
 
LVL 1

Author Comment

by:Letterpart
Comment Utility
Fixed!

A reboot sorted this issue out. Very odd and will just put down to Windows.

We still have DNS issue for which I have another open question: http://www.experts-exchange.com/Software/Server_Software/Q_26443951.html

I'm going to award points to everyone that helped.

Thanks.
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

Suggested Solutions

I know all systems administrator at some time or another has had to create a script to copy file from a server share to a desktop. Well now there is an easy way to do this in Group Policy. Using Group policy preferences is not hard. The first thing …
Do you have users whose passwords are expiring and they are constantly calling you?  Well I sure did and needed a way to put an end to this.  We have a lot of remote users which would not be notified that their passwords were expiring since they wer…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now