New DC win 08 question

Christopher Casey
Christopher Casey used Ask the Experts™
on
Greetings,
            I have set up a new FSMO DC in an existing AD domain. However I have been reciving the following error about group policy. Any thoughts on whats happening?

Thanks


The processing of Group Policy failed. Windows attempted to read the file \\lp.com\SysVol\lp.com\Policies\{BE0F2168-44F5-4287-92C9-2E89F73BA238}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Make sure you have the new DC network adapter configured to point to the other DCs.
1. First thing I would do is navigate to that exact path provided and verify the gpt.ini is there:
\\lp.com\SysVol\lp.com\Policies\{BE0F2168-44F5-4287-92C9-2E89F73BA238}\gpt.ini
How to Generate Services Revenue the Easiest Way

This Tuesday! Learn key insights about modern cyber protection services & gain practical strategies to skyrocket business:

- What it takes to build a cloud service portfolio
- How to determine which services will help your unique business grow
- Various use-cases and examples

Christopher CaseySr Systems Administrator

Author

Commented:
Thanks all for responding!
yes the adapter has the entries for the other DC's in it.
I can access the Sysvol path via UNC.
And unfortunately i'm getting a SQL error on the link provided :(

When I run dcdiag this is the output.
           
Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = LPDCM
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\LPDCM
      Starting test: Connectivity
         ......................... LPDCM passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\LPDCM
      Starting test: Advertising
         ......................... LPDCM passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... LPDCM passed test FrsEvent
      Starting test: DFSREvent
         ......................... LPDCM passed test DFSREvent
      Starting test: SysVolCheck
         ......................... LPDCM passed test SysVolCheck
      Starting test: KccEvent
         ......................... LPDCM passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... LPDCM passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... LPDCM passed test MachineAccount
      Starting test: NCSecDesc
         ......................... LPDCM passed test NCSecDesc
      Starting test: NetLogons
         [LPDCM] User credentials does not have permission to perform this
         operation.
         The account used for this test must have network logon privileges
         for this machine's domain.
         ......................... LPDCM failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... LPDCM passed test ObjectsReplicated
      Starting test: Replications
         [Replications Check,LPDCM] DsReplicaGetInfo(PENDING_OPS, NULL) failed,
         error 0x2105 "Replication access was denied."
         ......................... LPDCM failed test Replications
      Starting test: RidManager
         ......................... LPDCM passed test RidManager
      Starting test: Services
            Could not open NTDS Service on LPDCM, error 0x5 "Access is denied."
         ......................... LPDCM failed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0x00000422
            Time Generated: 05/25/2012   15:03:41
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
 file \\lp.com\SysVol\lp.com\Policies\{BE0F2168-44F5-4287-92C9-2E89F73BA238}\gpt
.ini from a domain controller and was not successful. Group Policy settings may
not be applied until this event is resolved. This issue may be transient and cou
ld be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 05/25/2012   15:08:44
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
 file \\lp.com\SysVol\lp.com\Policies\{BE0F2168-44F5-4287-92C9-2E89F73BA238}\gpt
.ini from a domain controller and was not successful. Group Policy settings may
not be applied until this event is resolved. This issue may be transient and cou
ld be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 05/25/2012   15:13:46
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
 file \\lp.com\SysVol\lp.com\Policies\{BE0F2168-44F5-4287-92C9-2E89F73BA238}\gpt
.ini from a domain controller and was not successful. Group Policy settings may
not be applied until this event is resolved. This issue may be transient and cou
ld be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 05/25/2012   15:18:49
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
 file \\lp.com\SysVol\lp.com\Policies\{BE0F2168-44F5-4287-92C9-2E89F73BA238}\gpt
.ini from a domain controller and was not successful. Group Policy settings may
not be applied until this event is resolved. This issue may be transient and cou
ld be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 05/25/2012   15:23:53
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
 file \\lp.com\SysVol\lp.com\Policies\{BE0F2168-44F5-4287-92C9-2E89F73BA238}\gpt
.ini from a domain controller and was not successful. Group Policy settings may
not be applied until this event is resolved. This issue may be transient and cou
ld be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 05/25/2012   15:28:56
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
 file \\lp.com\SysVol\lp.com\Policies\{BE0F2168-44F5-4287-92C9-2E89F73BA238}\gpt
.ini from a domain controller and was not successful. Group Policy settings may
not be applied until this event is resolved. This issue may be transient and cou
ld be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 05/25/2012   15:33:59
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
 file \\lp.com\SysVol\lp.com\Policies\{BE0F2168-44F5-4287-92C9-2E89F73BA238}\gpt
.ini from a domain controller and was not successful. Group Policy settings may
not be applied until this event is resolved. This issue may be transient and cou
ld be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 05/25/2012   15:39:01
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
 file \\lp.com\SysVol\lp.com\Policies\{BE0F2168-44F5-4287-92C9-2E89F73BA238}\gpt
.ini from a domain controller and was not successful. Group Policy settings may
not be applied until this event is resolved. This issue may be transient and cou
ld be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 05/25/2012   15:41:45
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
 file \\lp.com\SysVol\lp.com\Policies\{BE0F2168-44F5-4287-92C9-2E89F73BA238}\gpt
.ini from a domain controller and was not successful. Group Policy settings may
not be applied until this event is resolved. This issue may be transient and cou
ld be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 05/25/2012   15:44:04
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
 file \\lp.com\SysVol\lp.com\Policies\{BE0F2168-44F5-4287-92C9-2E89F73BA238}\gpt
.ini from a domain controller and was not successful. Group Policy settings may
not be applied until this event is resolved. This issue may be transient and cou
ld be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 05/25/2012   15:49:07
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
 file \\lp.com\SysVol\lp.com\Policies\{BE0F2168-44F5-4287-92C9-2E89F73BA238}\gpt
.ini from a domain controller and was not successful. Group Policy settings may
not be applied until this event is resolved. This issue may be transient and cou
ld be caused by one or more of the following:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 05/25/2012   15:54:10
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
 file \\lp.com\SysVol\lp.com\Policies\{BE0F2168-44F5-4287-92C9-2E89F73BA238}\gpt
.ini from a domain controller and was not successful. Group Policy settings may
not be applied until this event is resolved. This issue may be transient and cou
ld be caused by one or more of the following:
         An error event occurred.  EventID: 0x0000165B
            Time Generated: 05/25/2012   15:54:17
            Event String:
            The session setup from computer '02-105' failed because the security
 database does not contain a trust account '02-105$' referenced by the specified
 computer.
         An error event occurred.  EventID: 0x000016AD
            Time Generated: 05/25/2012   15:56:34
            Event String:
            The session setup from the computer 02-105 failed to authenticate. T
he following error occurred:
         An error event occurred.  EventID: 0x00000422
            Time Generated: 05/25/2012   15:59:13
            Event String:
            The processing of Group Policy failed. Windows attempted to read the
 file \\lp.com\SysVol\lp.com\Policies\{BE0F2168-44F5-4287-92C9-2E89F73BA238}\gpt
.ini from a domain controller and was not successful. Group Policy settings may
not be applied until this event is resolved. This issue may be transient and cou
ld be caused by one or more of the following:
         ......................... LPDCM failed test SystemLog
      Starting test: VerifyReferences
         ......................... LPDCM passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : lp
      Starting test: CheckSDRefDom
         ......................... lp passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... lp passed test CrossRefValidation

   Running enterprise tests on : lp.com
      Starting test: LocatorCheck
         ......................... lp.com passed test LocatorCheck
      Starting test: Intersite
         ......................... lp.com passed test Intersite
Christopher CaseySr Systems Administrator

Author

Commented:
To neilpage99,
      In further investigation no that file and ID folder are not there.
So where is it getting this link from?
Christopher CaseySr Systems Administrator

Author

Commented:
Or further how can i find the link and get rid of it :)
Christopher CaseySr Systems Administrator

Author

Commented:
More info...
The path is only on one of the DC's also it seems to have more polices than the other 2.
Mind i inherited this domain so...trying to undo what others have done...
Check Active Directory Sites and Services and see if there are any non-existent DCs in your replication topology.
Christopher CaseySr Systems Administrator

Author

Commented:
yes as a matter of fact there was a non existent DC in the list.
I have removed it..Anything/anywhere else i should look?
Error still appears when gpupdate is run...
Top Expert 2012

Commented:
Here we go this should fixed the replication issues but let us look at the ipconfig /all first.


Take backup of the policies and script folders from both the servers from c:\Windows\Sysvol\domain

Stop NTFRS service on both DCs.
Make one of the DC authoritative server by modifying registry setting : Navigate to registry HKLM\System\CCS\Services\NTFRS\Parameters\CumlativeReplicaSets and Set the Burflags value to D4. This should be done with server which has the Updated information available or correct data.

Go to other DC and make that Non-authoritative by navigating to same registry location HKLM\System\CCS\Services\NTFRS\Parameters\CumlativeReplicaSets and Set the Burflags value to D2.
Restart Ntfrs service on both servers and force replication to see event 13516 in event viewer for FRS.

Make sure you are running dcdiag with elevated permissions on command prompt
Good... run this to force replication:

repadmin /syncall

If all goes well, you should not have any errors.
Top Expert 2012

Commented:
I would check to make sure the DC was actually removed.

http://www.petri.co.il/delete_failed_dcs_from_ad.htm

If you are running Windows 2003 domain level you still have to run metadata cleanup the old way
Logs Clearly indicates that there is an issue with sysvol,

First try Forcing the sysvol replicaiton and check

http://www.windowstricks.in/2009/11/force-sysvol-replication.html 

If it does not help , then you can perfrom Restore of sysvol folder , by setting burfalg to D2 on problematic DC

http://blogs.dirteam.com/blogs/jorge/archive/2010/08/12/restoring-the-sysvol-non-authoritatively-when-either-using-ntfrs-or-dfs-r-part-1.aspx

By doing this , Problematic DC will conacting the other DC which has got healthy sysvol folder and start replicating from it/

additionally refer below techwiki article which explains about this in detail

http://social.technet.microsoft.com/wiki/contents/articles/8548.sysvol-and-netlogon-share-importance-in-active-directory.aspx

Regards,

_Prashant_
Christopher CaseySr Systems Administrator

Author

Commented:
Still receiving the same error after following the above steps.
Let me know any logs you may need if I'm missing something..
Christopher CaseySr Systems Administrator

Author

Commented:
Really at a loss here. I walked through the steps folks listed above and the error still shows.
the bad DC is completely gone no trace what so ever. the policy seems to be in the sysvol folder. Is there anything I can do? Can i delete the policy in question out of sysvol?
Sr Systems Administrator
Commented:
Ok, update. I found the offending policy and "Unlinked it" now GP flows as expected.
Christopher CaseySr Systems Administrator

Author

Commented:
After following the steps to remove the down DC the error still appeared as it was still linked in GP. after "unlink" the policy everything else functioned.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial