Link to home
Start Free TrialLog in
Avatar of irc-corp
irc-corp

asked on

Event ID 1058 — Group Policy Preprocessing error

Three domain controllers on network, all Windows 2008 R2

Note: (perhaps unrelated) Recently all the Administrative Templates and language files vanished on one of the DCs. These have now been restored.

Getting 1058 errors on all DCs in the Event Viewer:

"The processing of Group Policy failed. Windows attempted to read the file \\domain.local\SysVol\domain.local\Policies\{XXXXXXXXXXXXXXXXXX}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled."

I've checked and the specified policy folder does not exist on two of the serrvers, it is a different folder than DC1 is missing:

On DC1 : {718264B5-D936-4E4A-8FF3-C112E23DDF32} << VALID
On DC2 and DC3 : {C041889B-39EA-4614-A954-9333DFDBEC4F} < NOT VALID

I've also attempted to recreate the folder by making a new folder and copying the old but in both cases permission is denied when using a domain admin account.

Is there a way to 'clear' the incorrect folders from DC2/3 and force replication to rebuild the working structure.

There are no problems with Name Resolution or Network Connectivity.
Avatar of GusGallows
GusGallows
Flag of United States of America image

Are you replicating with FRS or DFSR? If using FRS, try stopping that service on DC2 and 3, then removing the bad folders. When you restart FRS, it should replicate the DC1 over to it.
On a side note, if that fails, and you know DC1 is good, I would move all FSMO roles to DC1, demote the other two boxes, reboot them, and then dcpromo them back as domain controllers. That is the cleanest way to ensure everything is accurately replicated from DC1.  Keep in mind, anyone currently using DC2 or DC3 for authentication will need to log out and back in after the demotion.

Steps for transferring FSMO roles can be found here:
http://technet.microsoft.com/en-us/library/cc816946(v=ws.10).aspx
Avatar of irc-corp
irc-corp

ASKER

Thanks @GusGallows

The 'bad' folders are not actually present - that's why there are problems connecting to them.

I thought it might be a case of demoting/promoting the two site DCs - nobody actually uses them for authenication regularly (the only other servers on those networks are servers).

Is there any other records or the bad configuration that should be cleaned up at the same time?
ASKER CERTIFIED SOLUTION
Avatar of GusGallows
GusGallows
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial