Solved

GPO object missing - how do I clean up ?

Posted on 2013-01-06
8
838 Views
Last Modified: 2013-01-29
Hi

W2k3 server problem at login - apparently there is something wrong with the GPOs (missing one or more GPO objects)

(sorry, the server is in French locale but I'm sure you get the gist of it)
Type de l'événement :	Erreur
Source de l'événement :	Userenv
Catégorie de l'événement :	Aucun
ID de l'événement :	1058
Date :		06.01.2013
Heure :		19:08:06
Utilisateur :	AUTORITE NT\SYSTEM
Ordinateur :	MY-PDC
Description :
Windows ne peut pas accéder au fichier gpt.ini pour l'objet Stratégie de groupes CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=mydomain,DC=local. Le fichier doit être présent à l'emplacement <\\mydomain.local\sysvol\mydomain.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\gpt.ini>. (Le fichier spécifié est introuvable. ).  Le traitement de la stratégie de groupe est interrompu


Basically it would seem some of the gpt.ini files are missing and as such the processing of the GPO cannot take place.
My question is what is the best way to solve this? I can't really locate the offending GPO in the MMC editor as far as I can tell....
0
Comment
Question by:atak2983
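The question above is the typical symptom of an AD/SYSVOL mismatch: the groupPolicyContainer object exists in the directory, but the folder it points at (gPCFileSysPath) is missing its gpt.ini, so Userenv logs event 1058 and stops processing. The following script is an added example, not code from this thread; it walks every GPO object under CN=Policies,CN=System, tests the SYSVOL side, and also reports SYSVOL folders that no longer have an AD object. It assumes it is run on a domain controller with a domain admin account, PowerShell 2.0 or later, and plain ADSI (no RSAT cmdlets).

```powershell
# Added example, not from this thread: reconcile the groupPolicyContainer objects in AD
# with the Policies folders in SYSVOL and flag every GPO that would make Userenv log
# event 1058 (gpt.ini unreadable).  Assumptions: run on a DC with a domain admin account,
# PowerShell 2.0 or later, plain ADSI (no Group Policy or AD cmdlets needed).

$domainName     = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
$domainDN       = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext
$sysvolPolicies = "\\$domainName\SYSVOL\$domainName\Policies"

# Small helper: first value of an attribute from a search result, or $null if absent.
function Get-ResultValue($result, $name) {
    $v = $result.Properties[$name]
    if ($v -and $v.Count -gt 0) { return $v[0] } else { return $null }
}

# Version recorded in gpt.ini ([General] / Version=<n>); $null if the line is missing.
function Get-GptIniVersion($gptIniPath) {
    foreach ($line in Get-Content -LiteralPath $gptIniPath) {
        if ($line -match '^\s*Version\s*=\s*(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null
}

# 1. Walk every GPO object in AD and check its SYSVOL side.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Policies,CN=System,$domainDN"
$searcher.Filter     = '(objectClass=groupPolicyContainer)'
$searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'displayName', 'gPCFileSysPath', 'versionNumber'))

$guidsInAD = @{}
foreach ($r in $searcher.FindAll()) {
    $cn        = [string](Get-ResultValue $r 'cn')               # "{GUID}"
    $name      = [string](Get-ResultValue $r 'displayname')
    $path      = [string](Get-ResultValue $r 'gpcfilesyspath')
    $adVersion = Get-ResultValue $r 'versionnumber'
    $guidsInAD[$cn.ToUpper()] = $true

    if (-not $path) { Write-Output "NO gPCFileSysPath : $name $cn (object is incomplete)"; continue }
    $gptIni = Join-Path $path 'gpt.ini'
    if (-not (Test-Path -LiteralPath $gptIni)) {
        Write-Output "MISSING gpt.ini   : $name $cn -> $gptIni  (this is the event 1058 case)"
        continue
    }
    $iniVersion = Get-GptIniVersion $gptIni
    if ($iniVersion -eq $null -or [int]$adVersion -ne $iniVersion) {
        Write-Output "VERSION MISMATCH  : $name $cn AD=$adVersion gpt.ini=$iniVersion (replication lag or a half-applied edit)"
    } else {
        Write-Output "OK                : $name $cn"
    }
}

# 2. SYSVOL folders that have no AD object: leftovers of a GPO deleted on one side only.
foreach ($dir in Get-ChildItem -LiteralPath $sysvolPolicies) {
    if ($dir.PSIsContainer -and $dir.Name -match '^\{[0-9A-Fa-f-]+\}$' -and -not $guidsInAD.ContainsKey($dir.Name.ToUpper())) {
        Write-Output "ORPHAN folder     : $($dir.FullName) has no groupPolicyContainer object in AD"
    }
}
```

Run it on each DC in turn: if one DC reports "OK" for a GUID and another reports "MISSING gpt.ini", the problem is SYSVOL replication rather than a deleted GPO, which is exactly the distinction the later posts in this thread turn on.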
8 Comments
 
LVL 18

Expert Comment

by:sarang_tinguria
If you have a valid SYSVOL backup, restore the folder named {6AC1786C-016F-11D2-945F-00C04fB984F9} to C:\windows\sysvol\domain.local\policies (the same location).

How many DCs do you have?
If only one, then follow the above method.
If multiple, then check the other DCs' SYSVOL folders to see if the above folder is stored on any other DC; if yes, then copy it to the culprit server.
0
 
LVL 1

Author Comment

by:atak2983
hmm...

I have two DCs (PDC and BDC).

Actually both have the "missing" folder in SYSVOL and it does contain a GPT.INI file...

Strange...
0
 
LVL 18

Expert Comment

by:sarang_tinguria
Restore from backup.

BTW, the GPT.ini file resides under the GUID folder; if the GUID folder is missing then you won't get gpt.ini either. Where are you looking? Can you provide the path? Also let me know how many GPOs you have configured and how many GUID folders you can see.
0
 
LVL 1

Author Comment

by:atak2983
I have 3 GPOs and 3 GUID folders:
C:\WINDOWS\SYSVOL\domain\Policies>dir
 Le volume dans le lecteur C s'appelle PDC-System
 Le numéro de série du volume est CC56-7B44

 Répertoire de C:\WINDOWS\SYSVOL\domain\Policies

06.01.2013  22:31    <REP>          .
06.01.2013  22:31    <REP>          ..
02.07.2006  22:28    <REP>          {31B2F340-016D-11D2-945F-00C04FB984F9}
02.07.2006  20:26    <REP>          {6AC1786C-016F-11D2-945F-00C04fB984F9}
06.01.2013  13:06    <REP>          {DB7AC36A-A2C6-4937-B8F4-43F4D0F752A4}
               0 fichier(s)                0 octets
               5 Rép(s)  33'718'280'192 octets libres

C:\WINDOWS\SYSVOL\domain\Policies>


Note the presence of the supposedly missing GUID...

The bad news is that it seems that this issue is not new and that there is no readily available valid backup for this folder. I will have to dig into offsite archived tapes... Is there any alternative here (I'm happy to ditch that GPO and restart from scratch)?
0
 
LVL 18

Expert Comment

by:sarang_tinguria
{31B2F340-016D-11D2-945F-00C04FB984F9}
{6AC1786C-016F-11D2-945F-00C04fB984F9}

The above two folders represent the Default Domain Policy and the Default Domain Controllers Policy and can be recreated with default settings using dcgpofix, as a last resort.

Do you have any events in the File Replication logs? I would ask you to first perform an authoritative restore using the steps below. If it resolves your issue then good; if it doesn't, then just run dcgpofix from the command line and your DDP and DDCP will be created with default settings.

Restore steps:-

First check that proper Connection objects have been created in Sites and Services.

Browse \\WorkingDC.domain.local, copy sysvol & netlogon and keep a backup on ProblemDC & WorkingDC (if you cannot browse, check network connectivity/ports and don't proceed further).

Go to the PDC, stop the NTFRS service, open regedit and go to "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup", change the BurFlags value to D4, start the NTFRS (File Replication Service) service and wait for File Replication event ID 13516. Now go to the BDC, stop the NTFRS service, open regedit, go to "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup", change the BurFlags value to D2, start the NTFRS (File Replication Service) service and wait for File Replication event ID 13516.

Check now that your sysvol and netlogon shares are available.

The above is called Authoritative (D4) and non-Authoritative Restore (D2).

Refer to http://support.microsoft.com/kb/257338 for more info.
0
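The D4/D2 restore steps in the previous comment are a sequence of service stop, registry edit, service start and event-log wait on each DC. The script below is an added example, not code from this thread or from Microsoft; it performs those steps on the DC it is run on and waits for FRS event 13516 so you have a definite signal before moving to the next DC. It assumes a Windows Server 2003/2008 DC that still uses FRS for SYSVOL, an elevated domain admin session, PowerShell 2.0 or later, and that the SYSVOL/NETLOGON copy from the comment has already been taken. Run it with -Mode D4 on the one DC whose SYSVOL you trust, then with -Mode D2 on every other DC.

```powershell
# Added example, not from this thread: script the D4 (authoritative) / D2 (non-authoritative)
# NTFRS restore on the local DC.  Assumptions: FRS-replicated SYSVOL (Server 2003/2008),
# elevated domain admin session, PowerShell 2.0+, SYSVOL/NETLOGON already backed up.
param(
    [Parameter(Mandatory = $true)][ValidateSet('D4', 'D2')][string]$Mode
)

# The key name contains a forward slash ("Backup/Restore"), which the PowerShell registry
# provider treats as a path separator, so Set-ItemProperty cannot address it.  The .NET
# registry classes take the key name literally.
$keyPath  = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
$burFlags = @{ 'D4' = 0xD4; 'D2' = 0xD2 }[$Mode]

Write-Output "Stopping NtFrs..."
Stop-Service -Name NtFrs -Force
(Get-Service -Name NtFrs).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($keyPath, $true)
if ($key -eq $null) { throw "HKLM\$keyPath not found; is this DC really using FRS for SYSVOL?" }
$before = $key.GetValue('BurFlags')
$key.SetValue('BurFlags', $burFlags, [Microsoft.Win32.RegistryValueKind]::DWord)
$key.Close()
Write-Output ("BurFlags changed from {0} to 0x{1:X} ({2})" -f $before, $burFlags, $Mode)

$started = Get-Date
Start-Service -Name NtFrs

# Wait for FRS event 13516 ("The File Replication Service is no longer preventing the
# computer from becoming a domain controller").  Timing out is itself a finding.
$deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 30
    $ev = Get-EventLog -LogName 'File Replication Service' -After $started -ErrorAction SilentlyContinue |
          Where-Object { $_.EventID -eq 13516 } | Select-Object -First 1
} until ($ev -or (Get-Date) -gt $deadline)

if ($ev) {
    Write-Output "Event 13516 logged at $($ev.TimeGenerated); confirm SYSVOL and NETLOGON with 'net share'."
} else {
    Write-Warning "No event 13516 within 30 minutes; read the File Replication Service log before touching the next DC."
}
```

FRS only consults BurFlags at service start, which is why the order stop / set / start matters; the script reads the previous value back so you can see whether someone had already left a D2 or D4 behind from an earlier attempt.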
 
LVL 1

Author Comment

by:atak2983
Thanks - learning more than I expected on NTFRS.

I have decided to go nuclear and to use dcgpofix. However it won't work...

AVERTISSEMENT : VOUS PERDREZ TOUTES LES MODIFICATIONS QUE VOUS AVEZ APPORTÉES À
CES OBJETS DE STRATÉGIE DE GROUPE. CET UTILITAIRE
S'UTILISE UNIQUEMENT À DES FINS DE RÉCUPÉRATION EN CAS D'URGENCE.

Vous êtes sur le point de restaurer la stratégie de domaine par défaut et la st
atégie par défaut des contrôleurs de domaine du domaine suivant
domain.local
Voulez-vous continuer: <O/N>? o
AVERTISSEMENT : Cette opération remplacera toutes les "attributions de droits u
ilisateur" exécutées dans les objets de stratégie de groupe choisis. Cela peut
ntraîner l'échec de certaines applications serveur. Voulez-vous continuer: <O/N
? O
Impossible d'ouvrir l'objet Active Directory LDAP://CN={31B2F340-016D-11D2-945F
00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=local
La restauration a échoué. Consultez les messages précédents pour obtenir plus de
 détails

C:\WINDOWS\SYSVOL\domain\Policies>


Not happy with the Default Domain policy apparently (can't open object {31B2F340-016D-11D2-945F00C04FB984F9}) ...

Any idea ?
0
 
LVL 18

Accepted Solution

by:
sarang_tinguria earned 500 total points
Before performing the below steps, run
dcgpofix /ignoreschema
If this works then that's great; if it doesn't, you will have to follow the output of the below TechNet forum.

Output of Technet Forum:-

1. Launch LDP.exe and bind to the DS server you want to modify. Make sure you are a schema admin.
2. After connecting and binding, navigate to the Browse menu and select the "Modify" option.
3. Leave the DN blank, type 'schemaUpgradeInProgress' into the Attribute field and in the Values field type 1.
4. Click the Add operation and then click the Enter button. This will add this command to the entry list.
5. Click the Run button. If you are successful you should see a successful modify message.
6. Go to View -> Tree. Connect to the appropriate base DN.
7. Find the mangled {31B2F340-016D-11D2-945F-00C04FB984F9} group policy object, right click and select Modify.
8. In the Attribute field, type "systemflags".
9. In the Values field, leave it blank.
10. In the operation radio options, select Delete.
11. Then click Enter, then click Run to remove the systemflags values.
12. Once the systemflags value is removed, we can rename the {31B2F340-016D-11D2-945F-00C04FB984F9} object using LDAP and create another groupPolicyContainer object using ADSIEdit and create User and Machine container objects within it.
13. Run dcgpofix /target:domain.
14. Now we can restore the value of systemflags to the default value for a system owned object.
15. Using LDP, restore the value of 'schemaUpgradeInProgress' back to the default of 0.

++After that we were able to link the restored default domain policy to the domain.

Referred from http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/83be0512-6163-4cd0-a676-9447afce6e77
0
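The LDP recipe in the accepted answer only makes sense once you know which parts of the Default Domain Policy / Default Domain Controllers Policy objects are actually broken: whether the object can be opened at all (the dcgpofix failure above), whether its attributes are present, whether the system-owned flag is still set, and whether the CN=Machine and CN=User child containers exist (step 12 recreates them). The script below is an added, read-only example, not code from this thread or from the TechNet post; it reports each of those facts for the two well-known GUIDs so you can see which step applies before modifying anything in LDP. It assumes it is run on a DC as a domain admin with PowerShell 2.0 or later and plain ADSI; the interpretation of systemFlags bit 0x80000000 as the disallow-delete flag carried by system-owned GPOs is an assumption stated in the code.

```powershell
# Added example, not from this thread: read-only check of the two default GPO container
# objects in AD, to see which LDP step from the accepted answer actually applies.
# Assumptions: run on a DC as a domain admin, PowerShell 2.0+, plain ADSI.
$domainDN = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext

# The two well-known GUIDs from the thread; dcgpofix only ever recreates these two.
$defaults = @{
    '{31B2F340-016D-11D2-945F-00C04FB984F9}' = 'Default Domain Policy'
    '{6AC1786C-016F-11D2-945F-00C04fB984F9}' = 'Default Domain Controllers Policy'
}

# Assumption: system-owned GPOs carry FLAG_DISALLOW_DELETE (0x80000000) in systemFlags;
# the LDP recipe clears systemFlags only so the object can be renamed, then restores it.
$disallowDelete = 0x80000000

foreach ($guid in $defaults.Keys) {
    $dn = "CN=$guid,CN=Policies,CN=System,$domainDN"
    Write-Output "== $($defaults[$guid])  ($dn)"

    $gpc = [ADSI]"LDAP://$dn"
    try   { $gpc.RefreshCache() }   # forces the bind; throws when the object cannot be opened
    catch { Write-Output "   CANNOT OPEN object: $($_.Exception.Message)  (same failure as dcgpofix above)"; continue }

    if ($gpc.SchemaClassName -ne 'groupPolicyContainer') {
        Write-Output "   objectClass is $($gpc.SchemaClassName); expected groupPolicyContainer"
    }

    # Attributes every GPC object should carry; a missing one points at a mangled object.
    foreach ($attr in 'displayName', 'gPCFileSysPath', 'versionNumber', 'flags', 'systemFlags', 'gPCFunctionalityVersion') {
        $val = $gpc.Properties[$attr].Value
        if ($val -eq $null) { Write-Output "   MISSING attribute $attr" }
        else                { Write-Output ("   {0,-24} = {1}" -f $attr, $val) }
    }

    $sf = $gpc.Properties['systemFlags'].Value
    if ($sf -eq $null) {
        Write-Output "   systemFlags absent: object is not marked system-owned (step 14 restores this)"
    } elseif ((([int64]$sf) -band $disallowDelete) -eq 0) {
        Write-Output "   systemFlags=$sf has no disallow-delete bit; not marked system-owned"
    }

    # Each GPC object needs CN=Machine and CN=User child containers (step 12 recreates them).
    foreach ($child in 'Machine', 'User') {
        if ([ADSI]::Exists("LDAP://CN=$child,$dn")) { Write-Output "   child CN=$child present" }
        else                                        { Write-Output "   MISSING child container CN=$child" }
    }
}
```

Run it once before and once after the LDP changes: the "after" output should show both objects opening, all six attributes present, systemFlags carrying the disallow-delete bit again, and both child containers in place, which is the state dcgpofix /target:domain expects to find.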
 
LVL 1

Author Comment

by:atak2983
I finally managed to repair my AD by recreating some missing entries manually. Fortunately I had another very similar setup so I could infer the values to enter from it.
0
