GPO object missing - how do I clean up ?


W2k3 server problem at login - apparently there is something wrong with the GPOs (missing one or more GPO objects)

(sorry the server in in French locale but I'm sure you get the gist of it
Type de l'événement :	Erreur
Source de l'événement :	Userenv
Catégorie de l'événement :	Aucun
ID de l'événement :	1058
Date :		06.01.2013
Heure :		19:08:06
Ordinateur :	MY-PDC
Description :
Windows ne peut pas accéder au fichier gpt.ini pour l'objet Stratégie de groupes CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=mydomain,DC=local. Le fichier doit être présent à l'emplacement <\\mydomain.local\sysvol\mydomain.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\gpt.ini>. (Le fichier spécifié est introuvable. ).  Le traitement de la stratégie de groupe est interrompu

Open in new window

Basically it would seem some of the gpt.ini files are missing and as such the processing of the GPO can not take place.
My question is what is the best way to solve this ? I can't really locate the offending GPO in the the MMC editor as far as I can tell....
Alexandre TakacsCTOAsked:
Who is Participating?
Sarang TinguriaConnect With a Mentor Sr EngineerCommented:
Before performing below steps run
dcgpofix /ignoreschema if this works then thats great if doesn't you will have to follow output of below technet forum

Output of Technet Forum:-

1. Launch LDP.exe and bind to the DS server you want to modify. Make sure you are
 schema admin.
 2. After connecting and binding navigate to the browse menu and select the "Modify" option.
 3. Leave the DN blank, type 'schemaUpgradeInProgress' into the Attribute field and in the values field type 1.
 4. Click the Add operation and then click the enter button. This will add this command to the entry list.
 5. Click the Run button. If you are successful you should see a successful modify message.
 6. Go to View -> Tree. Connect to the appropriate base DN.
 7. Find the mangled {31B2F340-016D-11D2-945F-00C04FB984F9}, group policy object, right click and select modify
 8. In the attribute field, type "systemflags"
 9. In the Values field, leave it blank
 10. In the operation radio options, select delete
 11. Then click Enter, then click Run to remove the system flags values
 12. Once the systemflags value is removed, we can rename the {31B2F340-016D-11D2-945F-00C04FB984F9}, object using LDAP and create another groupPolicyContainer Object using ADSIEdit and create User and Machine Container objects within it.
 13. Run dcgpofix /target:domain.
 14. Now we can restore the value of systemflags to the default value for a system owned object.
 15. Using LDP, restore the value of 'schemaUpgradeInProgress' value back to the default of 0.
++After that we were able to link the restore the default domain policy to the domain.

Referred from
Sarang TinguriaSr EngineerCommented:
If you have valid sysvol backup the restore the folder named {6AC1786C-016F-11D2-945F-00C04fB984F9} to C:\windows\sysvol\domain.local\policies to same location

How many DC's do you have ?
If only one then follow above method
If multiple then check other DC's sysvol folders if above folder stored on anyother DC if yes then copy the same to culprit server
Alexandre TakacsCTOAuthor Commented:

Having two DC (PDC and BDC).

Actually both have the "missing" folder in SYSVOL and it does contains a GPT.INI file...

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Sarang TinguriaSr EngineerCommented:
restore from backup

BTW GPT.ini file reside under GUID folder if the GUID folder is missing then you won't get gpt.ini too..where are you looking at can you provide the path...... also let me know how many GPO's you have configured and how many GUID folders you can see?
Alexandre TakacsCTOAuthor Commented:
I have 3 GPOs and 3 GUID folders:
 Le volume dans le lecteur C s'appelle PDC-System
 Le numéro de série du volume est CC56-7B44

 Répertoire de C:\WINDOWS\SYSVOL\domain\Policies

06.01.2013  22:31    <REP>          .
06.01.2013  22:31    <REP>          ..
02.07.2006  22:28    <REP>          {31B2F340-016D-11D2-945F-00C04FB984F9}
02.07.2006  20:26    <REP>          {6AC1786C-016F-11D2-945F-00C04fB984F9}
06.01.2013  13:06    <REP>          {DB7AC36A-A2C6-4937-B8F4-43F4D0F752A4}
               0 fichier(s)                0 octets
               5 Rép(s)  33'718'280'192 octets libres


Open in new window

Note the presence of the supposedly missing GUID...

The bad news is that it seems that this issue is not new and that there is no readily available valid backup for this folder. Will have to dig into offsite archived tapes... Is there any alternative here (I'm happy to ditch that GPO and restart from scratch) ?
Sarang TinguriaSr EngineerCommented:

Above two folders represents Default Domain policy and default Domain controllers policy and can be recreated with default settings .....using dcgpofix a last sort

Do you have any events in File replication logs I would ask you first perform authoritative restore using below steps if it resolves your issue then its good ...if it doesn't then just run dcgpofix from command line and your DDP and DDCP will be created with default settings

Restore steps:-

first check that you have proper Connection objects has been created in Sites and Services

Browse \\WorkingDC.domain.local copy sysvol & netlogon and keep backup on ProblemDC &  WorkingDC (If can not browse check network connectivity/Port and don't proceed further)

Go to PDC  stop NTFRS service open regedit and go to "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup" change the burflag value to D4 Start NTFRS(File Replication service) service and wait for File Replication event ID 13516 now Go to BDC  stop NTFRS service open regedit go to "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at <samp>Startup" change the burflag value to D2 -> Start NTFRS(File Replication service) service and wait for File Replication event ID 13516 now

Check Now your sysvol and netlogon shares are available

Above is called Authoritive(D4) and non-Authoritive Restore (D2)

Refer for more info
Alexandre TakacsCTOAuthor Commented:
Thanks - learning more than I expected on NTFRS.

I have decided to go nuclear and to use dcgpofix. However it wont work...


Vous êtes sur le point de restaurer la stratégie de domaine par défaut et la st
atégie par défaut des contrôleurs de domaine du domaine suivant
Voulez-vous continuer: <O/N>? o
AVERTISSEMENT : Cette opération remplacera toutes les "attributions de droits u
ilisateur" exécutées dans les objets de stratégie de groupe choisis. Cela peut
ntraîner l'échec de certaines applications serveur. Voulez-vous continuer: <O/N
? O
Impossible d'ouvrir l'objet Active Directory LDAP://CN={31B2F340-016D-11D2-945F
La restauration a échoué. Consultez les messages précédents pour obtenir plus de


Open in new window

Not happy with the Default Domain policy apparently (can't open object {31B2F340-016D-11D2-945F00C04FB984F9}) ...

Any idea ?
Alexandre TakacsCTOAuthor Commented:
I finally managed to repair my AD by recreating some missing entries manually. Fortunately I had another very similar setup so I could infer the values to enter from it.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.