?
Solved

GPT.ini Error in Application Log

Posted on 2012-08-30
14
Medium Priority
?
860 Views
Last Modified: 2012-08-30
Want to preface this question with a little pre-information. I figure too much info is better than too little.

10 months ago we had our PDC Domain Controller lose 2 hard drives at the same time. One of our Admins forcibly seized control of all th FSMO Schemas from this machine before trying to bring the PDC back online.
We had 2 other DCs on the domain at the time. One which took on all roles but infrastructure, and then our Exchange Server which holds the infrastructure role.

Since this time, the old PDC was brought back online, none the wiser for having its roles seized. We then proceeded to go thru the act of moving the FSMO roles normally from that machine, in hopes that there would be no conflicts.

For the sake of simplicity, we will call the Machines DC1 (the old PDC), DC2 (The New PDC) , DCE3 (With Exchange).

DC1 was never re-given the FSMO roles it had before. Its only domain function is BDC, and Backup Browser.
DC2 has all Roles including GC except for Infrastructure
DCE3 has only the Infrastructure, BDC and Backup Browser.

Every server in this Domain (except for DC2 and DCE3) gets an error Event ID 1058 and 1030 on login or an RDP Login, and on my TS machines with 50+ users logging off and on multiple times daily the application log on those machines gets long quickly.
Event ID 1058 is Windows cannot access file gpt.in for GPO cn={XXXXXXXXXX}
Event ID 1030 is Windows cannot query for the list of Group Policy objects.

I have tried numerous patches and hotfixes from Microsoft (I even have an open ticket with them on it, and they cannot seem to find the issue) and nothing has fixed it.
I sat down today to dig deeper.

I have gone throught the permission fix of the folders in the SYSVOL as well.
While doing this I noticed that DC1 had 20 folders inside the Policies Folder, while DC2 and DCE3 had 23. I looked in the logs of the member servers, and noticed the GPOs causing the errors were not on DC1, So I decided to force replication between the 3 of them.

DC2 can force replication to DC1 and DCE3, and DC1 and DCE3 can force replication back to DC2. DC1 and DCE3 cannot replicate to each other. They get a "The naming context specified for this replication operation is invalid" when I try. It also did not replicate the folders missing on DC1 after the forced replication.
Also the NTDS Setting names for DC2 and DCE3 say "<automatically generated>", while DC1 has long hexadecimal names (example - dfb1edda-2695-4cd2-9b79-c5d01 488f040).
Also in the security tab for all 3 DCs, the is an Account Unknown (S1-xxxxxxxxxxxx) listed. That account has no permissions except special rights, which is grey checked.

So knowing the above information, how can I fix 1030 and 1058 Event ID errors?
0
Comment
Question by:Moordoom
  • 9
  • 5
14 Comments
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 38350995
Event 1030 and event 1058 may be logged, and you may not be able to start the Group Policy snap-in on your Windows Small Business Server 2003 computer
http://support.microsoft.com/kb/888943

- Rancy
0
 

Author Comment

by:Moordoom
ID: 38351026
I am able to replicate (sync) using "repadmin /replicate dest-dc01 source-dc01 DC=domainname,DC=com" between all 3, but it still did not get rid of the errors or replicate the 3 missing folders to DC1.
0
 

Author Comment

by:Moordoom
ID: 38351049
@Rancy
This is not a SBS Server.
DC1 is x86 2003 Enterprise, DC2 is x86 2003 R2 Enterprise, and DCE3 is x64 2008 R2 Enterprise.
Would the same apply?
Also, which DC would I run it from if so?
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 38351072
Which DC is showing these alerts ?

- Rancy
0
 

Author Comment

by:Moordoom
ID: 38351122
I ran the ADSIEDIT.MSC from DC2 and DC1, and there appears to be nothing wrong with the domain name. It appears correct. But is shows all 23 policy folders.
DC 1 still only shows 20 policies in C:\WINDOWS\SYSVOL\domain\Policies and C:\WINDOWS\SYSVOL\sysvol\southernweaving.com\Policies
0
 

Author Comment

by:Moordoom
ID: 38351139
None of the DCs show the alert. It is on all the member servers.
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 38351157
What is the logon server for the Member server ?
Hope the time sync is perfect and no difference ?
Also the member server can check the Sysvol folder on the DC's ?

- Rancy
0
 

Author Comment

by:Moordoom
ID: 38351225
The member server can see the SysVol on all 3 DCs.
The logon server for the member server I would assume is the PDC which is DC2, but with it giving the error on policy that is not showing up on DC1, I cannot be sure.
Doing an echo %logonserve% tells me DC2, which is the current PDC.
The time is the same, they all use the same time server, and I did a w32tm /resync just to be sure on a member server.
0
 

Author Comment

by:Moordoom
ID: 38351282
What would be an issue if I copied the folders that are missing on DC1 from DC2 ?
Both are x86 2003 Ent Servers
0
 
LVL 52

Accepted Solution

by:
Manpreet SIngh Khatra earned 2000 total points
ID: 38351457
Ideally you dont need to copy it should be synced between the 2 .... i am not sure what will happen if we manually copy as you say no error even in Replication or on the DC1 .....

Run a DCDIAG from the Member server to DC1

- Rancy
0
 

Author Comment

by:Moordoom
ID: 38351554
dcdiag /s:DC2 passed all test.
dcdiag /s:DC1 failed frsevent (event in log passed 24 hours), VerifyingReference (recommends KB312862 to fix).

Copying the file folders from DC2 ro DC1 and then doing a gpupdate /force on a member server did stop the 1058 and 1030 event codes, but I am under the belief that if I can another GPO I will be doing ihese again.
Going to looking in KB312862 and follow what it says to do.
0
 

Author Comment

by:Moordoom
ID: 38351698
Did a ADSIEDIT.msc
under the cn=system\cn=file replication service, it had a corrputed cn name for the new PDC on DC1. Corrected the name and it is now able to replicate.
0
 

Author Closing Comment

by:Moordoom
ID: 38351706
Rancy's questioning lead me in the right direction to solve the issue myself.
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 38351708
Wow .... good man !! so everything working fine :)

- Rancy
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Sometimes clients can lose connectivity with the Lotus Notes Domino Server, but there's not always an obvious answer as to why it happens.   Read this article to follow one of the first experiences I had with Lotus Notes on a client's machine, my…
IF you are either unfamiliar with rootkits, or want to know more about them, read on ....
Finding and deleting duplicate (picture) files can be a time consuming task. My wife and I, our three kids and their families all share one dilemma: Managing our pictures. Between desktops, laptops, phones, tablets, and cameras; over the last decade…
In this video, viewers will be given step by step instructions on adjusting mouse, pointer and cursor visibility in Microsoft Windows 10. The video seeks to educate those who are struggling with the new Windows 10 Graphical User Interface. Change Cu…
Suggested Courses

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question