Solved

Machine not getting group policy updates

Posted on 2010-08-31
Last Modified: 2012-05-10
This is the error that I am getting.

The processing of Group Policy failed. Windows attempted to read the file \\kba.local\SysVol\kba.local\Policies\{15884B1E-7640-4172-975A-6F0DC37F2F10}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.


I have recently created a virtual DC and then gave it 10 days to replicate with the original 2 physical DCs. I then took one offline this morning with plans to move it to our off-site backup facility for disaster recovery reasons. I do have one machine that is running a little slow and the network drives will not map. So I went out to update the Group Policy and that is when I got this error message. I can ping by name from the DCs to the machine and also from the machine to the DCs. Any help would be great.
0
Comment
Question by:Kelly-Brady
45 Comments
 
LVL 22

Expert Comment

by:Matt V
ID: 33572582
You mention the network is slow from this PC, when you do a ping, do a ping -t and watch it for a few minutes to see if it is dropping packets.
0
 
LVL 2

Expert Comment

by:ozboing
ID: 33572594
Can you open \\kba.local\SysVol\kba.local\Policies\ from the PC?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33576368
You need to run dcdiag, then post the results. Make sure you are pointing to internal DNS servers only.
0
 

Author Comment

by:Kelly-Brady
ID: 33577932
Which machine should I run this on? And I can open that location from my machine, but when I go to her machine I cannot get to it, and that is logged in as her and as me.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33578302
Dcdiag needs to be run on server.

Again, make sure that the clients only point to the DC for DNS in their TCP/IP properties and the DC points to other DCs only.
0
 

Author Comment

by:Kelly-Brady
ID: 33578392
OK, I need a little clarification: you are saying that my clients should only point to one of my DCs for DNS, and then that DC should point to the other one?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33578427
No, what I am saying is clients should only be pointing to your DCs for DNS (internal DNS servers) and your DC should be pointing to other DCs for DNS only (internal DNS servers). There should be no external DNS servers listed.
0
 

Author Comment

by:Kelly-Brady
ID: 33578458
OK, here it is, and I see where it is having the replication issue. The thing is, then, how would I proceed to move this domain controller off site if I cannot even turn it off?



Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Users\Joe.Sparks>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = dc01
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DC01
      Starting test: Connectivity
         ......................... DC01 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DC01
      Starting test: Advertising
         ......................... DC01 passed test Advertising
      Starting test: FrsEvent
         ......................... DC01 passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... DC01 failed test DFSREvent
      Starting test: SysVolCheck
         ......................... DC01 passed test SysVolCheck
      Starting test: KccEvent
         ......................... DC01 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... DC01 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... DC01 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... DC01 passed test NCSecDesc
      Starting test: NetLogons
         ......................... DC01 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DC01 passed test ObjectsReplicated
      Starting test: Replications
         [Replications Check,DC01] A recent replication attempt failed:
            From DC02 to DC01
            Naming Context: DC=ForestDnsZones,DC=kba,DC=local
            The replication generated an error (1256):
            The remote system is not available. For information about network tr
oubleshooting, see Windows Help.

            The failure occurred at 2010-09-01 07:51:15.
            The last success occurred at 2010-08-31 08:50:35.
            23 failures have occurred since the last success.
         [DC02] DsBindWithSpnEx() failed with error 1722,
         The RPC server is unavailable..
         [Replications Check,DC01] A recent replication attempt failed:
            From DC02 to DC01
            Naming Context: DC=DomainDnsZones,DC=kba,DC=local
            The replication generated an error (1256):
            The remote system is not available. For information about network tr
oubleshooting, see Windows Help.

            The failure occurred at 2010-09-01 07:51:15.
            The last success occurred at 2010-08-31 08:50:35.
            23 failures have occurred since the last success.
         [Replications Check,DC01] A recent replication attempt failed:
            From DC02 to DC01
            Naming Context: CN=Schema,CN=Configuration,DC=kba,DC=local
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2010-09-01 07:52:09.
            The last success occurred at 2010-08-31 08:50:35.
            23 failures have occurred since the last success.
            The source remains down. Please check the machine.
         [Replications Check,DC01] A recent replication attempt failed:
            From DC02 to DC01
            Naming Context: CN=Configuration,DC=kba,DC=local
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2010-09-01 07:51:42.
            The last success occurred at 2010-08-31 08:50:35.
            23 failures have occurred since the last success.
            The source remains down. Please check the machine.
         [Replications Check,DC01] A recent replication attempt failed:
            From DC02 to DC01
            Naming Context: DC=kba,DC=local
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2010-09-01 07:51:15.
            The last success occurred at 2010-08-31 08:51:12.
            23 failures have occurred since the last success.
            The source remains down. Please check the machine.
         ......................... DC01 failed test Replications
      Starting test: RidManager
         ......................... DC01 passed test RidManager
      Starting test: Services
         ......................... DC01 passed test Services
      Starting test: SystemLog
         ......................... DC01 passed test SystemLog
      Starting test: VerifyReferences
         ......................... DC01 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : kba
      Starting test: CheckSDRefDom
         ......................... kba passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... kba passed test CrossRefValidation

   Running enterprise tests on : kba.local
      Starting test: LocatorCheck
         ......................... kba.local passed test LocatorCheck
      Starting test: Intersite
         ......................... kba.local passed test Intersite

C:\Users\Joe.Sparks>
0
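A way to triage the dcdiag output in the comment above, added here as an example (it is not part of the original thread): it lists the failed tests and groups replication failures by source DC, so a single unreachable source such as DC02 stands out. The function names and result layout are assumptions of this example; the sample is an excerpt of the posted output.

```python
import re
from datetime import datetime

# Excerpt of the dcdiag output posted above (console line wrap kept as posted).
SAMPLE = """\
      Starting test: DFSREvent
         ......................... DC01 failed test DFSREvent
      Starting test: Replications
         [Replications Check,DC01] A recent replication attempt failed:
            From DC02 to DC01
            Naming Context: DC=ForestDnsZones,DC=kba,DC=local
            The replication generated an error (1256):
            The remote system is not available. For information about network tr
oubleshooting, see Windows Help.

            The failure occurred at 2010-09-01 07:51:15.
            The last success occurred at 2010-08-31 08:50:35.
            23 failures have occurred since the last success.
         [Replications Check,DC01] A recent replication attempt failed:
            From DC02 to DC01
            Naming Context: DC=kba,DC=local
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2010-09-01 07:51:15.
            The last success occurred at 2010-08-31 08:51:12.
            23 failures have occurred since the last success.
         ......................... DC01 failed test Replications
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation
"""

TS = "%Y-%m-%d %H:%M:%S"
# "<dots> TARGET passed|failed test NAME"; NAME may wrap onto the next line.
RESULT_RE = re.compile(r"\.{5,}\s+(\S+)\s+(passed|failed)\s+test\s*(\S*)")
FAIL_RE = re.compile(
    r"From (?P<src>\S+) to (?P<dst>\S+)\s+"
    r"Naming Context: (?P<nc>\S+)\s+"
    r"The replication generated an error \((?P<code>\d+)\):"
    r".*?The failure occurred at (?P<failed>[\d-]+ [\d:]+)\."
    r"\s+The last success occurred at (?P<ok>[\d-]+ [\d:]+)\."
    r"\s+(?P<count>\d+) failures have occurred",
    re.S,
)

def parse_results(text):
    """Map (target, test name) -> 'passed' or 'failed'."""
    return {(m[1], m[3]): m[2] for m in RESULT_RE.finditer(text)}

def parse_replication_failures(text):
    """One dict per 'A recent replication attempt failed' block."""
    failures = []
    for m in FAIL_RE.finditer(text):
        gap = datetime.strptime(m["failed"], TS) - datetime.strptime(m["ok"], TS)
        failures.append({
            "source": m["src"], "dest": m["dst"], "naming_context": m["nc"],
            "error": int(m["code"]), "count": int(m["count"]),
            "hours_since_success": round(gap.total_seconds() / 3600, 1),
        })
    return failures

def summarize(text):
    """Failed tests, plus replication failures grouped by source DC."""
    failed = sorted(f"{t}:{n}" for (t, n), r in parse_results(text).items()
                    if r == "failed")
    by_source = {}
    for f in parse_replication_failures(text):
        s = by_source.setdefault(f["source"], {"contexts": [], "errors": set()})
        s["contexts"].append(f["naming_context"])
        s["errors"].add(f["error"])
    return failed, by_source

if __name__ == "__main__":
    failed, by_source = summarize(SAMPLE)
    print("failed tests:", failed)
    for src, info in by_source.items():
        # All naming contexts failing from one source: that DC is unreachable.
        print(src, sorted(info["errors"]), info["contexts"])
```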
 

Author Comment

by:Kelly-Brady
ID: 33578479
OK yes I have only internal DC's in the machine and the Server configs, no externals.
0
 
LVL 59

Accepted Solution

by:
Darius Ghassem earned 2000 total points
ID: 33578524
Well, you can't, because you are having replication errors.

You should not have a DC shut down for long periods of time since this will cause corruption and replication errors which will then cause issues with your other DCs.
0
 

Author Comment

by:Kelly-Brady
ID: 33578572
So how would you propose for me to take one of the physical DCs offline and then also move it to the off-site location? Would it be better to rebuild it as a fresh domain controller at what will be our warm site?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33578701
So, the system would actually be running and connected to the other DCs when at the backup site?
0
 

Author Comment

by:Kelly-Brady
ID: 33578845
Yes we have a dedicated MPLS network between the two locations so it would actually see it as a local network.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33578868
Oh, OK, then you should be good. I thought you were saying it wasn't going to connect at all. Sorry, I should not have assumed.

When you shut down a DC you can see issues like this because the clients are still trying to authenticate to the DC. Have you cut the DC back on?
0
 

Author Comment

by:Kelly-Brady
ID: 33578927
Yes, I just turned it back on.
0
 

Author Comment

by:Kelly-Brady
ID: 33579235
And now the drives remapped and I was able to update group policy. So now the question remains: how do I remove this and get it moved to the off-site location without causing this problem?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33579593
Make sure that no clients or domain controllers are pointing to this server for DNS. Make sure this server is not holding any FSMO roles.
0
 

Author Comment

by:Kelly-Brady
ID: 33588189
OK, I am going to check on this today, and now I have another issue that I am not sure is related. I came in this morning and my file and fax server were frozen and also several of my machines. Could this be connected to bringing the DC back online? When I did the research on this it seemed a lot easier.
0
 

Author Comment

by:Kelly-Brady
ID: 33588643
I have two domain controllers that are not responding, and I am attaching some screenshots that I am getting from the one that is working.
dcPic1.PNG
dcpic2.PNG
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33589319
Please post ipconfig /all.

Dcdiag
0
 

Author Comment

by:Kelly-Brady
ID: 33589373
I ended up restarting the other DC01 and DC02 and it seems to have settled down for now. So I do not know what has blown up or even have a close understanding as to why. I am going to paste in the roles that are on DC02.

dcPic3.JPG
0
 

Author Comment

by:Kelly-Brady
ID: 33589474
Is there a way to see if this server has any FSMO roles assigned to it?
0
 

Author Comment

by:Kelly-Brady
ID: 33589692
OK, I have checked and there are no FSMO roles assigned to DC02; they are all on DC01.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33591874
So, when you run dcdiag what does it look like?
0
 

Author Comment

by:Kelly-Brady
ID: 33592165
This is DC01. Do you want the results from all three DCs? I can run it and put it in a text file and attach it for you!

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = dc01
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DC01
      Starting test: Connectivity
         ......................... DC01 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DC01
      Starting test: Advertising
         ......................... DC01 passed test Advertising
      Starting test: FrsEvent
         ......................... DC01 passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... DC01 failed test DFSREvent
      Starting test: SysVolCheck
         ......................... DC01 passed test SysVolCheck
      Starting test: KccEvent
         ......................... DC01 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... DC01 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... DC01 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... DC01 passed test NCSecDesc
      Starting test: NetLogons
         ......................... DC01 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DC01 passed test ObjectsReplicated
      Starting test: Replications
         ......................... DC01 passed test Replications
      Starting test: RidManager
         ......................... DC01 passed test RidManager
      Starting test: Services
         ......................... DC01 passed test Services
      Starting test: SystemLog
         ......................... DC01 passed test SystemLog
      Starting test: VerifyReferences
         ......................... DC01 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : kba
      Starting test: CheckSDRefDom
         ......................... kba passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... kba passed test CrossRefValidation

   Running enterprise tests on : kba.local
      Starting test: LocatorCheck
         ......................... kba.local passed test LocatorCheck
      Starting test: Intersite
         ......................... kba.local passed test Intersite
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33596273
Well, DC1 looks good. There are still some replication errors, but those could be old. What is the exact problem you are now having?
0
 

Author Comment

by:Kelly-Brady
ID: 33597817
I had half of my machines that needed hard restarts along with several of my servers, and the only thing it could have been was bringing that DC02 back online. But that has seemed to be fixed. So now the question is how to fix the replication issue, and I am thinking that it would be better to just remove the DC completely then just rebuild it at the new location. I just need to do research and find out what command you give to have it un-promote a DC. I have some issues with DC03 also, so I will need to fix these before I go any farther. I have attached a txt file with the DCDIAG from all three DCs.
DCDiag.txt
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33597883
DC3 is having issues. I would run dcpromo to demote the DC, then run metadata cleanup to make sure the DC is fully removed from the domain.

If you can't demote gracefully, run dcpromo /forceremoval. Run metadata cleanup.
0
 

Author Comment

by:Kelly-Brady
ID: 33597898
So I should do this on DC03, which is the new virtual one I just created.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33597969
Yes, DC3 looks like it is having some other issues.
0
 

Author Comment

by:Kelly-Brady
ID: 33598111
OK, so what are the risks of doing this while users are on the network and almost definitely using this server as their login server? All my scopes have this DC listed as their secondary login server.
0
 

Author Comment

by:Kelly-Brady
ID: 33598353
This is the output of DC03 after I ran the command in an elevated command prompt, so the only issue is the replication issue. Any ideas on how to resolve that?






Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DC03
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DC03
      Starting test: Connectivity
         ......................... DC03 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DC03
      Starting test: Advertising
         ......................... DC03 passed test Advertising
      Starting test: FrsEvent
         ......................... DC03 passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... DC03 failed test DFSREvent
      Starting test: SysVolCheck
         ......................... DC03 passed test SysVolCheck
      Starting test: KccEvent
         ......................... DC03 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... DC03 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... DC03 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... DC03 passed test NCSecDesc
      Starting test: NetLogons
         ......................... DC03 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DC03 passed test ObjectsReplicated
      Starting test: Replications
         ......................... DC03 passed test Replications
      Starting test: RidManager
         ......................... DC03 passed test RidManager
      Starting test: Services
         ......................... DC03 passed test Services
      Starting test: SystemLog
         ......................... DC03 passed test SystemLog
      Starting test: VerifyReferences
         ......................... DC03 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : kba
      Starting test: CheckSDRefDom
         ......................... kba passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... kba passed test CrossRefValidation

   Running enterprise tests on : kba.local
      Starting test: LocatorCheck
         ......................... kba.local passed test LocatorCheck
      Starting test: Intersite
         ......................... kba.local passed test Intersite

C:\Windows\system32>
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33599653
Those could be old replication issues; they stay for 24 hours.

Run Repadmin /syncall
0
 

Author Comment

by:Kelly-Brady
ID: 33600113
OK, I ran that on all three, and DC02 and 03 still show the replication but DC01 does not. Should I just give it time to wash out from yesterday's upset?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33600146
When you run the above command do you get successful?
0
 

Author Comment

by:Kelly-Brady
ID: 33600152
Yes on all the servers it said it was successful.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33600164
Then replication is taking place; those errors in the dcdiag were old errors most likely.
0
 

Author Comment

by:Kelly-Brady
ID: 33600227
OK, I will check it on Monday to make sure. So what would be the best way to go from here to get a DC out to my off-site recovery site?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33600238
Sounds good.
0
 

Author Comment

by:Kelly-Brady
ID: 33632484
OK, so it has settled down, but I am still getting the one error and it seems to be just around the same time every night. So is it safe to remove DC02 from the environment?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33636409
Yes, you should be good to go.
0
 

Author Comment

by:Kelly-Brady
ID: 33638164
So just for me to be clear on this, should I have all my users log off for the weekend then run dcpromo on the machine to just make it a member server? It also is one of the RADIUS servers, which I believe is where the role of "Network Policy and Access Services" comes from. Should I remove this before running dcpromo?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33638184
To be honest, I am not sure on the RADIUS; it has been a long time since I worked with this technology.
0
 

Author Comment

by:Kelly-Brady
ID: 33638205
OK, I will have to look into this before I go any farther.
0
 

Author Comment

by:Kelly-Brady
ID: 33824423
I removed RADIUS and all that is left is the DNS role. I am going to run DCPromo and then leave it as a member server for a while. I hope that this will allow me to take it offline.
0
