• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1313
  • Last Modified:

Group Policy Update Failed

Can anyone advise me how to resolve the issue below?

I have three DC's,

Server1 - Windows Server 2003 Standard Edition Service Pack 2 (also old Exchange server)
Server4 - Windows Server 2003 R2 Service Pack 2
Server6 - Windows Server 2008 Standard Service Pack 2 64bit (also new Exchange server but not a GC server)

I have recently DCPromo'd Server6 and transferred all FSMO roles to it as we will be soon be introducing remote site RODC's and I was advised this should be done before hand.

On Server6 (windows 2008) I have an event log full of Event ID:1058 Group Policy.

If I run gpupdate /force on Server1 and Server4 bot USer and Computer policeis complete successfully.

If I run gpupdate /force on Server6 it just returns the errors below.

Server6 error...

Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Date:          4/20/2011 12:23:37 PM
Event ID:      1058
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      server6.mydomain.org.uk.local
Description:
The processing of Group Policy failed. Windows attempted to read the file \\mydomain.org.uk.local\sysvol\mydomain.org.uk.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}" />
    <EventID>1058</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>1</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2011-04-20T11:23:37.488Z" />
    <EventRecordID>204692</EventRecordID>
    <Correlation ActivityID="{CC60A09C-35C9-49E1-A005-F868E5BD2257}" />
    <Execution ProcessID="388" ThreadID="1992" />
    <Channel>System</Channel>
    <Computer>server6.mydomain.org.uk.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="SupportInfo1">4</Data>
    <Data Name="SupportInfo2">840</Data>
    <Data Name="ProcessingMode">0</Data>
    <Data Name="ProcessingTimeInMilliseconds">3291</Data>
    <Data Name="ErrorCode">3</Data>
    <Data Name="ErrorDescription">The system cannot find the path specified. </Data>
    <Data Name="DCName">server6.mydomain.org.uk.local</Data>
    <Data Name="GPOCNName">CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=org,DC=uk,DC=local</Data>
    <Data Name="FilePath">\\mydomain.org.uk.local\sysvol\mydomain.org.uk.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini</Data>
  </EventData>
</Event>

On Server6 if I go to Start>Run and type in the following…
\\mydomain.org.uk.local\sysvol\mydomain.org.uk.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini
I just get and ‘windows cannot access’ error message ‘could not be found’
If I then type in…
\\wildlondon.org.uk.local\sysvol\wildlondon.org.uk.local

There is no Policies folder referred to in the error message but just a ‘Scripts’ folder.

If I then type in…

\\server1\sysvol\wildlondon.org.uk.local\

There is no Policies folder referred to in the error message but just a ‘Scripts’ folder.

If I then type in…

\\server4\sysvol\wildlondon.org.uk.local\

There is no Policies folder referred to in the error message but just a ‘Scripts’ folder and a folder called NtFrs_PreExisting___See_EventLog and inside this folder there is a Policies folder and a Scripts folder.  Inside the Scripts folder there are many folders with numbers and one of these is {31B2F340-016D-11D2-945F-00C04FB984F9} as mentioned in the error message. Within this folder are three more folders, Adm, Machine and User and a file called GPT


I hope this all makes sense.
0
jongrew
Asked:
jongrew
  • 6
  • 5
  • 4
  • +1
1 Solution
 
Tony MassaCommented:
Which of these computers are domain controllers?
0
 
jongrewAuthor Commented:
Its at the begining of my question...

I have three DC's,

Server1 - Windows Server 2003 Standard Edition Service Pack 2 (also old Exchange server)
Server4 - Windows Server 2003 R2 Service Pack 2
Server6 - Windows Server 2008 Standard Service Pack 2 64bit (also new Exchange server but not a GC server)

0
 
Tony MassaCommented:
Sorry...missed that 3 DCs part.

Check the contents of the following:

\\SERVER1\SYSVOL
\\SERVER4\SYSVOL
\\SERVER6\SYSVOL

They should be the same.  If one is missing contents, you should look to FRS on all of the servers and see if they are having problems replicating to SERVER6 or any others.  Check the same for NETLOGON shares on each.

You may have to demote/promote SERVER6, but we'll see what you come back with first.

The "SCRIPTS" folder could be an issue, but that contains the \\DOMAIN\NETLOGON\ information and won't affect GPOs as they are in the SYSVOL directory.

It would appear that SERVER6 is the most likely the problematic server...when you browse to \\domain\sysvol\ from that server, you really should be hitting the local DC shares.
0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

 
jongrewAuthor Commented:
I see that on the original Operations Master (server4) within the syvol\domain folder there is a folder called NtFrs_PreExisting___See_EventLog with all of the policies and scripts in it.  Outside of this folder there is nothing.

Does this mean anything to you?

Server6 is now the Big Daddy as it is the new Windows 2008 server.

0
 
jongrewAuthor Commented:
I have an update of this situation whereby this Server4 had previously had an issue as detailed below...

The File Replication Service has detected that the volume hosting the path C: is low on disk space. Files may not replicate until disk space is made available on this volume.  

And then…

The File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR.
 
 Replica set name is    : "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"
 Replica root path is   : "c:\windows\sysvol\domain"
 Replica root volume is : "\\.\C:"
 A Replica set hits JRNL_WRAP_ERROR when the record that it is trying to read from the NTFS USN journal is not found.  This can occur because of one of the following reasons.
 
 [1] Volume "\\.\C:" has been formatted.
 [2] The NTFS USN journal on volume "\\.\C:" has been deleted.
 [3] The NTFS USN journal on volume "\\.\C:" has been truncated. Chkdsk can truncate the journal if it finds corrupt entries at the end of the journal.
 [4] File Replication Service was not running on this computer for a long time.
 [5] File Replication Service could not keep up with the rate of Disk IO activity on "\\.\C:".
 Setting the "Enable Journal Wrap Automatic Restore" registry parameter to 1 will cause the following recovery steps to be taken to automatically recover from this error state.
 [1] At the first poll, which will occur in 5 minutes, this computer will be deleted from the replica set. If you do not want to wait 5 minutes, then run "net stop ntfrs" followed by "net start ntfrs" to restart the File Replication Service.
 [2] At the poll following the deletion this computer will be re-added to the replica set. The re-addition will trigger a full tree sync for the replica set.
 
WARNING: During the recovery process data in the replica tree may be unavailable. You should reset the registry parameter described above to 0 to prevent automatic recovery from making the data unexpectedly unavailable if this error condition occurs again.
 
To change this registry parameter, run regedit.
 
Click on Start, Run and type regedit.
 
Expand HKEY_LOCAL_MACHINE.
Click down the key path:
   "System\CurrentControlSet\Services\NtFrs\Parameters"
Double click on the value name
   "Enable Journal Wrap Automatic Restore"
and update the value.
 
If the value name is not present you may add it with the New->DWORD Value function under the Edit Menu item. Type the value name exactly as shown above.


I followed the procedure for the fix for this and the next event was...


The File Replication Service is deleting this computer from the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" as an attempt to recover from the error state,
 Error status = FrsErrorSuccess
 At the next poll, which will occur in 60 minutes, this computer will be re-added to the replica set. The re-addition will trigger a full tree sync for the replica set.


And then....


File Replication Service is scanning the data in the system volume. Computer SERVER4  cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.
 
To check for the SYSVOL share, at the command prompt, type:
net share
 
When File Replication Service completes the scanning process, the SYSVOL share will appear.
 
The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume.


And then...


The File Replication Service moved the preexisting files in c:\windows\sysvol\domain to c:\windows\sysvol\domain\NtFrs_PreExisting___See_EventLog.
 
The File Replication Service may delete the files in c:\windows\sysvol\domain\NtFrs_PreExisting___See_EventLog at any time. Files can be saved from deletion by copying them out of c:\windows\sysvol\domain\NtFrs_PreExisting___See_EventLog. Copying the files into c:\windows\sysvol\domain may lead to name conflicts if the files already exist on some other replicating partner.
 
In some cases, the File Replication Service may copy a file from c:\windows\sysvol\domain\NtFrs_PreExisting___See_EventLog into c:\windows\sysvol\domain instead of replicating the file from some other replicating partner.
 
Space can be recovered at any time by deleting the files in c:\windows\sysvol\domain\NtFrs_PreExisting___See_EventLog.



and then...



The File Replication Service is no longer preventing the computer SERVER4  from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.


Lastly...

I did not copy the files back out of the folder NtFrs_PreExisting___See_EventLog on SERVER4 into the original folder.  I have done this now and my server is back in shape and all event errors to do with Group Policy have gone.

Does this all sound like it makes sense and that I am in a good place again.  I'm not sure why the Group Polices were not replicated back to the original folder from another server.  Should they have been?  I'm not too clear on how it all works or should work.

Is there a Group Policy master server so to speak and if so should it be the new Windows 2008 Server DC?
0
 
ChiefITCommented:
You are heading off a cliff, with this setup:

Prior to suggesting any advice, I will request the presence of a Microsoft Exchange expert. I use a different mail system.

Exchange is not recommended to go on a DC for many reasons. Please read up on this while you wait for me to assemble a team.

http://theessentialexchange.com/blogs/michael/archive/2008/03/29/exchange-server-2007-and-domain-controllers-a-summary.aspx

0
 
Glen KnightCommented:
OK, first of all as ChiefIT said, running Exchange on a Domain Controller is not recommended, although it is a supported configuration.

However, if Exchange is on a DC,  that server must also be a Global Catalog server.

There seems to be a problem with disk space? What is the available space on C Drive for all servers?

Which of your DC's are DNS servers? Can you post the IP Configuration of all 3 DC's please?
0
 
ChiefITCommented:
@ Demazter:

In addition to Exchange residing on a non-GC 2008 DC, we have hosed up DNS, Journal Wrap, FSMO roles on the 2008 server, and with journal wrap comes issues with AD.

In my opinion, we need to
salvage Exchange,
Force demote the 2008 server,
remove DNS role from 2008 server
metadata cleanup on the two 2003 servers
Seize the roles on one 2003 server,
Demote the other server and make it the exchange member server.
sysprep/domain prep the remaining DC,
Add the DNS service back onto the 2008 server,
promote the 2008 server
and transfer FSMO roles back to 2008 server.

In the end, you end up with a 2008 PDCe, and a 2003 domain server, with one 2003 member server with Exchange.

How can we gracefully salvage Exchange?

Author:
What do your imaged backups look like?
0
 
Glen KnightCommented:
Which version if Exchange are we talking about?

Can the DNS role be added to the new Exchange server, configure all 3 DC's to use this server.  

Check and move FSMO roles to DC that has Exchange on.

Demote the server without Exchange, leaving us with just 2 DC's both if which have Exchange on.

At least that only leaves us with 2 DC's to fix.

Is Exchange functioning at all? Can we expedite the migration to the new server?

If we cannot expedite how far down the migration have we got? If too far to go back then ignore what I have said above but do the following instead.

Still demote the DC that doesn't have Exchange on, then configure both remaining DC's to only use the old Exchange 2003 server for DNS.  Transfer all 5 FSMO roles to this server, seize them if you have to. See here: http://www.petri.co.il/transferring_fsmo_roles.htm

Then manually crash the Exchange 2010 server (assuming that's what version the new server is) by manually crash I mean, take a backup of the information store files to another server.

Shutdown the new server and perform a METADATA cleanup to remove it from Active Directory as per: http://www.petri.co.il/delete_failed_dcs_from_ad.htm

In Active Directory Users and Computers, right click the computer account for the new exchange server and select reset.  

Then re-install Windows 2008, give the server the exact same name.

Join it to the domain.

Install all the exchange server pre-requisites and then from te exchange media run setup.com /recoverserver

This will install Exchange pulling all the details for the server we crashed from Active Directory.  We can then restore the mailbox databases.

Did I miss anything? It's still pretty early for me :-)

I've also assumed quite a lot.  If you are unsure of anything then please ask BEFORE you do it.  It's easier to prevent than to fix.
0
 
Glen KnightCommented:
Oh, and then we can start to fix the AD issues :-)
0
 
ChiefITCommented:
@Dmazter:

To Fix AD issues & DNS issues, we need to demote and properly repromote 2008. It's also easiest to remove and readd the DNS role.  However, Exchange is on the 2008 server.

What do we need to preserve Exchange as we fix AD? If all we need are mail boxes, let's transfer those to a 2003 server after we demote it and get AD on one 2003 box and Exchange on the other, as a member server. Then, we can fix the 2008 server and make it the PDCe.
0
 
Glen KnightCommented:
I think i've covered that above, we can just fix AD before re-installing Exchange on the new server, or at least install Exchange on a member server in recovery mode instead of on a DC after we manually crash it out.
0
 
ChiefITCommented:
We are going to have to wait for input from the Author.

I think your second suggestion would be the best approach.
0
 
jongrewAuthor Commented:
I made  mistake in my original post when I said...


I have three DC's,

Server1 - Windows Server 2003 Standard Edition Service Pack 2 (also old Exchange server)
Server4 - Windows Server 2003 R2 Service Pack 2
Server6 - Windows Server 2008 Standard Service Pack 2 64bit (also new Exchange server but not a GC server)

The bottom line was wrong - Server6 is not an Exchange server.  Exchange is on a member server called Server5.  I aopoligoise for that oversight.

MY AD is fine now GP is working...

Maybe some one could answer thse point I raised earlier...

 - I'm not sure why the Group Polices were not replicated back to the original folder from another server.  Should they have been?

 - Is there a Group Policy master server so to speak and if so should it be the new Windows 2008 Server DC?
0
 
ChiefITCommented:
Here is an article I wrote about Group Policy objects and 1030-1058 errors:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/A_1073-Diagnosing-and-repairing-Events-1030-and-1058.html

There is no majic centralized server. The replication partners just take the latest edited version of GP ojbects within Sysvol.

In Journal Wrap, there also is no meraculous recovery. This has to be fixed manually.

So, I have a few questions for you. I don't like to see people leave a thread unhappy with the results. If you remain in Journal Wrap, you will be an unhappy camper....

Please go to the command prompt and type these two commands:

DCdiag /test:DNS
DCdiag /v

Do you see any errors or fails?  If so, you still have work to do.
0
 
jongrewAuthor Commented:
This question is not abandoned - I just havent been able to get to finish the testing described by ChiefIT - I will soon
0
 
jongrewAuthor Commented:
tmassa99: Date:20/04/11 02:25 PMExpert Comment was where the problem was...

Check the contents of the following:

\\SERVER1\SYSVOL
\\SERVER4\SYSVOL
\\SERVER6\SYSVOL

They should be the same.  If one is missing contents, you should look to FRS on all of the servers and see if they are having problems replicating to SERVER6 or any others.  Check the same for NETLOGON shares on each.


I have fixed the AD replication.

Apologies for the red herring further up - there were no Exchange issues.  I inadvertently gave the wrong information regarding one of the servers being an Exchange server.

I will be awarding the points to tmassa99 as that was spot on regarding the missing data in the Sysvol directory.

My thanks also to... ChiefIT and demazter for your input.

0

Featured Post

Vote for the Most Valuable Expert

It’s time to recognize experts that go above and beyond with helpful solutions and engagement on site. Choose from the top experts in the Hall of Fame or on the right rail of your favorite topic page. Look for the blue “Nominate” button on their profile to vote.

  • 6
  • 5
  • 4
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now