cvservices asked:
Security policies were propagated with warning. 0xd: The data is invalid.

I was going through some event logs on the domain controllers, and I noticed that I am getting an Event 1202 (SceCi) every 5 minutes,  and/or upon gpupdate.

I have a parent domain, and 2 child domains. The issue is only happening on Domain Controllers on Child Domains.

I have followed KB250454 and KB256000, but I am not sure if these apply. I looked on DCs from all 3 domains, and none of them have the basicdc.inf template in C:\Windows\Security, and yet the DCs in the parent domain are not getting this warning. From the articles, it sounds like the environment variables for SYSVOL, DSLOG and DSDIT are required because the basicdc template refers to them.

At this point I'm at a loss as to what to try, or where to look to troubleshoot.

For the record, I do have a couple of accounts that are in the parent domain, that are currently pointing to the child domains in restricted groups,  which cause the following warning in winlogon.log


----Configure Group Membership...
      No system mapping was found for CVUSD\APP_Dameware_Viewer.
      No system mapping was found for CVUSD\CMP_WSA_Access.
      No system mapping was found for CVUSD\dAdmins.
      No system mapping was found for CVUSD\Domain Admins.
      Configure STUDENT\Administrator.

      Group Membership configuration was completed with one or more errors.
I know how to fix this part, but I haven't yet, as it's going to require some work, to establish new ACLs to map these same groups within their own domain.

That said, I'm not sure that this is related to the other warnings.

rsop on the DCs is returning on the "Computer Configuration", with the same message as the one found in the eventviewer.

Any ideas to help resolve this problem? It doesn't seem to be having any adverse effects on the functionality of AD or GPOs, but it sure is annoying in all the Application Event logs every 5 minutes.

Thanks!!
peblin:
Can you please post the entire contents of this error.  
cvservices (ASKER):
Sure:

Event Type:      Warning
Event Source:      SceCli
Event Category:      None
Event ID:      1202
Date:            7/1/2011
Time:            2:46:34 PM
User:            N/A
Computer:      DO-STUDC
Description:
Security policies were propagated with warning. 0xd : The data is invalid.

Advanced help for this problem is available on http://support.microsoft.com. Query for "troubleshooting 1202 events".

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Did you try adding those environment variable to the two child DCs? Also, try editing the GPO assigned to the DCs, right click on administrative templates under computer settings, is basicdc listed?  Try removing this.  I do not know for sure what will happen when you remove the template, so make a backup or create a new GPO before you do this.
I just re-read my last post, "Also, try editing the GPO assigned to the DCs, right click on administrative templates under computer settings, is basicdc listed?" should read "...try editing the GPO assigned to the DCs, right click on administrative templates under computer settings AND SELECT ADD/REMOVE TEMPLATES, is basicdc listed?"  Sorry about that
the basicdc template does not exist in any of the Administrative Templates on any GPOs (direct or inherited) assigned to the DCs.

Other ideas?
If this isn't adversely affecting your environment I would go ahead and set up the variables on the DCs, use this KB to do it with a script. http://support.microsoft.com/?id=259395
I'll give that a shot. I did this on one server, but hadn't rebooted it yet, so I wonder whether that's the reason why the errors didn't go away. I read somewhere that the services.exe needs to reinitialize to read the new env vars.
I'll give it a shot to see if that would resolve the issue.
Though more importantly, I'm hoping that this solution would also start returning clean RSoPs again, as right now the RSoP on the Computer Configuration returns that same warning as in the Event Log.
I'll report back soon as soon as I try it out.
Also, the basicdc.inf could have been accidentally imported into the GPO being applied to these DCs, if you don't have too many customizations in your GPO try importing the 'setup security.inf' while choosing to 'Clear this Database before importing'.  So in the GPO Editor, under computer settings, right click on security settings and select Import Policy.  Navigate to C:\WINDOWS\Security\Templates\ and choose 'setup security.inf' remember to click the 'Clear this Database before importing' check box
When you say "customizations", are you talking about a specific GPO? Because I have 10s of GPOs in those domains, so I can't risk breaking anything by resetting the security. What does the setup security.inf reset?
By the way, I have attempted to add the SYSVOL, DSDIT, and DSLOG environment variables, and rebooted the server, and it seems like they haven't helped in getting rid of the error. So I will need some other suggestions.
I'm reluctant to move forward with resetting any security, until I'm sure of what effect that would have on my other GPOs.
ASKER CERTIFIED SOLUTION by peblin (available to Experts Exchange members only)
Hmm.. ok ... I'd have to redo an inventory of my DC policy. I don't believe I have placed any customization in that. As a general rule, I usually create new policy to  my customization in them.

Let me go ahead and create a test OU and apply these policies to it, one by one. Including inheritance, there are only about 10 policies that end up being applied to the Domain Controllers OU, so hopefully that won't take forever.

I'll report back as soon as I get the results of that test.
Thanks @peblin!
So I did some additional testing as you had suggested, and it looks like the issue is not with the "Default Domain Controllers Policy", but with a "Restricted Groups" policy, which I believe is indeed related to the initial snippet of the log that I mentioned in the beginning of the thread. So I guess what I have to do is find a way to re-adjust these permissions. I guess cross-domain memberships within Restricted Groups GPOs aren't a good solution. I thought a Universal Group would take care of that, but perhaps there's another way that I need to deal with this issue.
I'm going to keep testing on that particular group to see what exactly is causing the problem.
Oh wait a sec. Is it possible that the issue is that there is a Restricted Groups policy at all on the Domain Controllers? Since there are no local groups on DCs, Restricted Groups would be trying to do an impossible task when trying to apply. Perhaps I should filter out Domain Controllers from this policy.
I think you are right, although, I would separate the Domain Controllers, Member Servers, and clients all into their own OUs, that way you can apply a 'restricted groups' policy to just member servers or clients and not need to filter anything.
Ok ... it looks like things are working better now. The restricted groups filtered out on the domain controllers got rid of the error message.
I'll see about relocating that policy to target the OU only. (Unfortunately, I'm in the middle of a lot of reorg in AD, so scoping by OU at this point in time is quite hard while staying accurate. So a WMI filter right now is better; once OUs are organized I'll switch them to regular OU / Security Group scopes.)

Thanks for the assist peblin!
Glad I didn't mess with the security of the Default Domain Controller Policy.
I have to say that eventId isn't really the easiest to troubleshoot though.  :)
Thanks for the assist.
Cheers,
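The triage the thread ends up doing by hand (reading winlogon.log for "No system mapping was found" entries, checking the Application log for SceCli 1202, and keeping the Restricted Groups policy off domain controllers with a WMI filter) can be scripted. The following PowerShell is an added example and is not code from the thread or from either participant; it assumes it runs on a Windows domain controller with PowerShell 3 or later, that winlogon.log is at its default location under %SystemRoot%\Security\Logs, and that the sample log lines (constructed to match the snippet earlier in the thread) are only there so the parser runs without a real file.

```powershell
# Added example: triage SceCli event 1202 / 0xd caused by a Restricted Groups policy.
# Assumption: run on a DC, PowerShell 3+, default winlogon.log path.

function Get-UnmappedRestrictedGroup {
    param([string[]]$LogLines)
    # A line "No system mapping was found for DOMAIN\Group." means the Restricted
    # Groups policy names an account the machine cannot resolve; on a DC with a
    # cross-domain group this is what produces the 0xd "data is invalid" warning.
    foreach ($line in $LogLines) {
        if ($line -match 'No system mapping was found for (?<group>.+)\.\s*$') {
            [pscustomobject]@{
                Group  = $Matches.group
                Domain = ($Matches.group -split '\\')[0]
            }
        }
    }
}

# Constructed sample (mirrors the winlogon.log snippet quoted in the thread).
$sample = @(
    '----Configure Group Membership...',
    '      No system mapping was found for CVUSD\APP_Dameware_Viewer.',
    '      No system mapping was found for CVUSD\dAdmins.',
    '      Configure STUDENT\Administrator.',
    '      Group Membership configuration was completed with one or more errors.'
)
'Unmapped groups in sample:'
Get-UnmappedRestrictedGroup -LogLines $sample | Format-Table -AutoSize

# Same parse against the live log, one row per distinct group.
$winlogon = Join-Path $env:SystemRoot 'Security\Logs\winlogon.log'
if (Test-Path $winlogon) {
    'Unmapped groups in winlogon.log:'
    Get-UnmappedRestrictedGroup -LogLines (Get-Content $winlogon) |
        Sort-Object Group -Unique | Format-Table -AutoSize
}

# Most recent SceCli 1202 warnings (the every-5-minutes policy refresh).
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SceCli'; Id = 1202 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List

# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
"This host ProductType = {0} (2 means domain controller)" -f $os.ProductType

# WQL for a GPO WMI filter that keeps the Restricted Groups policy off DCs,
# the interim fix the asker settled on before scoping by OU.
$wql = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType <> 2'
"WMI filter query to exclude domain controllers: $wql"
```

The WQL at the end is what you paste into a new WMI filter in GPMC and link to the Restricted Groups GPO; a DC evaluates it as false and skips the policy, which is what cleared the 1202 warning here. Once DCs, member servers and clients sit in separate OUs as peblin suggests, the filter can be dropped in favour of plain OU linking.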
Yes, I've struggled with these issues in the past, and trying to find good documentation on event IDs is a pain.  Glad I could help in some way.  Just out of curiosity (not sure if this is against any rules) but which cv school district are you working for?  If it's Conejo, that's a crazy coincidence, I'm in TO
Haha, I'm not sure there are rules about that. I'm in Chino Valley USD. (San Bernardino)
Just thought I'd ask. Best of luck to you and thanks for the points.