Asked by irc-corp

Event ID 1058 — Group Policy Preprocessing error

Three domain controllers on network, all Windows 2008 R2

Note: (perhaps unrelated) Recently all the Administrative Templates and language files vanished on one of the DCs. These have now been restored.

Getting 1058 errors on all DCs in the Event Viewer:

"The processing of Group Policy failed. Windows attempted to read the file \\domain.local\SysVol\domain.local\Policies\{XXXXXXXXXXXXXXXXXX}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled."

I've checked and the specified policy folder does not exist on two of the servers; it is a different folder than DC1 is missing:

On DC1 : {718264B5-D936-4E4A-8FF3-C112E23DDF32} << VALID
On DC2 and DC3 : {C041889B-39EA-4614-A954-9333DFDBEC4F} < NOT VALID

I've also attempted to recreate the folder by making a new folder and copying the old but in both cases permission is denied when using a domain admin account.

Is there a way to 'clear' the incorrect folders from DC2/3 and force replication to rebuild the working structure?

There are no problems with Name Resolution or Network Connectivity.

Last Comment: 8/22/2022 - Mon

Are you replicating with FRS or DFSR? If using FRS, try stopping that service on DC2 and 3, then removing the bad folders. When you restart FRS, it should replicate the DC1 over to it.

On a side note, if that fails, and you know DC1 is good, I would move all FSMO roles to DC1, demote the other two boxes, reboot them, and then dcpromo them back as domain controllers. That is the cleanest way to ensure everything is accurately replicated from DC1.  Keep in mind, anyone currently using DC2 or DC3 for authentication will need to log out and back in after the demotion.

Steps for transferring FSMO roles can be found here:

Thanks @GusGallows

The 'bad' folders are not actually present - that's why there are problems connecting to them.

I thought it might be a case of demoting/promoting the two site DCs - nobody actually uses them for authentication regularly (the only other servers on those networks are servers).

Are there any other records of the bad configuration that should be cleaned up at the same time?
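
An added example, not part of the original thread: a read-only PowerShell check that compares the GPO objects stored in Active Directory with the policy folders each DC actually holds in SYSVOL, which shows on which DC a GUID such as the ones quoted above is missing, lacks gpt.ini, or is orphaned. It assumes the ActiveDirectory module (RSAT) is available and that SYSVOL uses the default share layout seen in the event text; the variable names are illustrative.

```powershell
# Added example: read-only audit, changes nothing on the DCs.
# Assumes the ActiveDirectory module and the default \\<dc>\SYSVOL\<domain>\Policies layout.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$dnsRoot = $domain.DNSRoot
$polBase = "CN=Policies,CN=System,$($domain.DistinguishedName)"

# GPO GUIDs known to AD (the Group Policy Container objects).
$gpcGuids = @(Get-ADObject -SearchBase $polBase -SearchScope OneLevel `
                  -Filter 'objectClass -eq "groupPolicyContainer"' |
              ForEach-Object { $_.Name.ToUpper() })

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $share = "\\$($dc.HostName)\SYSVOL\$dnsRoot\Policies"
    if (-not (Test-Path $share)) {
        New-Object PSObject -Property @{ DC = $dc.HostName; Guid = '-'
                                         Problem = 'Policies share unreachable' }
        continue
    }

    # GUID-named folders this DC holds (the Group Policy Template side).
    $folders = @(Get-ChildItem $share |
                 Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
                 ForEach-Object { $_.Name.ToUpper() })

    foreach ($guid in $gpcGuids) {
        if ($folders -notcontains $guid) {
            # This is the condition behind event 1058: AD references a folder the DC lacks.
            New-Object PSObject -Property @{ DC = $dc.HostName; Guid = $guid
                                             Problem = 'In AD, folder missing on this DC' }
        } elseif (-not (Test-Path (Join-Path (Join-Path $share $guid) 'gpt.ini'))) {
            New-Object PSObject -Property @{ DC = $dc.HostName; Guid = $guid
                                             Problem = 'Folder present, gpt.ini missing' }
        }
    }
    foreach ($guid in $folders) {
        if ($gpcGuids -notcontains $guid) {
            New-Object PSObject -Property @{ DC = $dc.HostName; Guid = $guid
                                             Problem = 'Folder present, no GPO object in AD' }
        }
    }
}

# Empty output means every DC's SYSVOL matches the GPO objects in AD.
$report | Sort-Object Guid, DC | Format-Table DC, Guid, Problem -AutoSize
```

Running it again after replication has been repaired, or after a DC has been demoted and re-promoted, confirms whether the mismatch is gone.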