
Windows cannot access the file gpt.ini for GPO on workstations running on a domain using sbs 2011

Posted on 2013-12-05
Last Modified: 2013-12-20
Hi, I did a migration over a year ago from 2003 sbs to 2011 sbs.

I'm getting the following error, this could have been from day 1 on all workstations

event 1058 - windows xp
Windows cannot access the file gpt.ini for GPO cn={247FB84B-891B-4B09-9616-7C069C613612},cn=policies,cn=system,DC=mydomain,DC=local. The file must be present at the location <\\mydomain.local\SysVol\mydomain.local\Policies\{247FB84B-891B-4B09-9616-7C069C613612}\gpt.ini>. (Access is denied. ). Group Policy processing aborted.

I am getting on the server event 13568
The File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR.
 
 Replica set name is    : "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"
 Replica root path is   : "c:\windows\sysvol\domain"
 Replica root volume is : "\\.\C:"
 A Replica set hits JRNL_WRAP_ERROR when the record that it is trying to read from the NTFS USN journal is not found.  This can occur because of one of the following reasons.
Question by:total123
9 Comments
 
LVL 10

Expert Comment

by:ienaxxx
ID: 39697823
It's probably because you did not complete a successful replication between the old DC and the new.

Check for the path you get in the error and see if it EXISTS.
If so:
 check authorization: should be read access for "authenticated users", that includes the computer accounts.

if not:
 you can choose to restart the old DC and try to resolve replication issues by using technet guides or whatever else.

OR

if you had no special GPO in place, you can choose to delete them and recreate, unless it is the default domain policy, for which there's a special procedure to follow. (let me know if we're in that case).
0
 
LVL 10

Expert Comment

by:ienaxxx
ID: 39697825
Some other clues and suggestions here:
http://support.microsoft.com/kb/294257/en-us
0
 
LVL 14

Accepted Solution

by:
Ram Balachandran earned 2000 total points
ID: 39697827
First we need to find the policy related to the given Sysvol entry

Can you perform the following



Start > run > powershell

import-module grouppolicy

Get-GPO -Id 247FB84B-891B-4B09-9616-7C069C613612

---

Now you will get policy name

in GPMC search for that policy

if the contents are correct - take a backup - or note it

Make sure you take the GPMC report

--

now you can unlink that policy and recreate new with same content

delete the folder from sysvol
\\mydomain.local\SysVol\mydomain.local\Policies\{247FB84B-891B-4B09-9616-7C069C613612}
0
 

Author Comment

by:total123
ID: 39697838
Get-GPO : The specified directory service attribute or value does not exist. (Exception from HRESULT: 0x8007200A)
At line:1 char:8
+ Get-GPO <<<<  -Id 247FB84B-891B-4B09-9616-7C069C613612
    + CategoryInfo          : NotSpecified: (:) [Get-GPO], COMException
    + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Microsoft.GroupPolicy.Commands.GetGpoCommand
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39697850
Can you paste the full command and error?
0
 

Author Comment

by:total123
ID: 39697855
Typical, it worked that time. I must have mistyped something, even though I tried it 4 times. Give me a sec to do the rest.
0
 

Author Comment

by:total123
ID: 39697871
that policy has now been removed, it was for DisplayName      : Update Services Client Computers Policy

is there any point to reproduce this for the moment ?
0
 
LVL 14

Assisted Solution

by:Ram Balachandran
Ram Balachandran earned 2000 total points
ID: 39697976
Open that policy in GPMC - if settings are available you can reuse it, else I believe you can make use of a blog that creates the same policy:
http://blogs.technet.com/b/sbs/archive/2009/09/03/how-to-manually-create-the-sbs-2008-and-wsus-group-policies-objects.aspx


But I will not recommend this unless you are aware of the Windows infrastructure of your organisation. I am not sure how Windows is getting updates - are you using WSUS?

Meanwhile, you can run a gpupdate on the client machines and verify if the current issue related to GPO is fixed
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39700240
You need to first verify whether this policy GUID exists in the sysvol folder: 247FB84B-891B-4B09-9616-7C069C613612. Check this path \\mydomain.local\SysVol\mydomain.local\Policies\ in the sysvol folder. In the GPMC console you also need to verify what the name of this policy is. Check GPMC and check the policy name and GUID; if the policy is missing or not required, you need to delete it from the AD database. You need to open adsiedit and check the path CN=Policies,CN=System,DC=DomainName,DC=com.

If the old DC is not demoted, check the sysvol folder of the old DC; it could be that policies are not replicated to the new DC. In this case you need to perform D4 (authoritative restore of sysvol) on the old DC and D2 (non-authoritative restore of sysvol) on the new DC.

The event you mentioned indicates that the server is in a journal wrap error state. Your first step should be finding why the JRNL_WRAP_ERROR error has occurred. Normally, JRNL_WRAP_ERROR occurs due to the drive/partition being corrupted, antivirus locking and corrupting the file during a sysvol scan, or heavy size of the files inside the sysvol and netlogon shares. http://support.microsoft.com/kb/290762

You need to exclude sysvol/netlogon from the antivirus scan, check the drive for corruption or bad sectors, and also restore sysvol using the BurFlags key, i.e. perform an authoritative and non-authoritative restore of sysvol. If you have a single DC then you need to perform D4, or if multiple then D2 only. Follow the same link above.
0
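
The checks suggested in the answers above (does each GPO's SYSVOL folder and gpt.ini exist, is there an allow-read entry for Authenticated Users, is there a SYSVOL folder with no matching AD object), as an added read-only PowerShell example that is not code from any of the posters. The function name Test-GpoSysvolConsistency is hypothetical, and the script assumes a domain-joined session with the GroupPolicy module available.

```powershell
# Added example (read-only): cross-check GPO objects in AD against SYSVOL.
# Written for PowerShell 2.0, as on SBS 2011; needs the GroupPolicy module.
Import-Module GroupPolicy

function Test-GpoSysvolConsistency {
    param([string]$Domain = $env:USERDNSDOMAIN)  # assumption: domain-joined session
    $policies = "\\$Domain\SysVol\$Domain\Policies"
    $read     = [int][System.Security.AccessControl.FileSystemRights]::Read
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $adIds    = @()

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        $id       = '{' + $gpo.Id.ToString().ToUpper() + '}'
        $adIds   += $id
        $gptIni   = "$policies\$id\gpt.ini"
        $found    = Test-Path -LiteralPath $gptIni
        $authRead = $false
        if ($found) {
            # Look for an Allow ACE granting Read to Authenticated Users (S-1-5-11).
            # This inspects ACEs only; it does not compute effective access.
            foreach ($ace in (Get-Acl $gptIni).GetAccessRules($true, $true, $sidType)) {
                if ($ace.IdentityReference.Value -eq 'S-1-5-11' -and
                    $ace.AccessControlType -eq 'Allow' -and
                    (([int]$ace.FileSystemRights) -band $read) -eq $read) {
                    $authRead = $true
                }
            }
        }
        New-Object PSObject -Property @{
            Source = 'AD'; Id = $id; Name = $gpo.DisplayName
            GptIniFound = $found; AuthUsersRead = $authRead }
    }

    # Policy folders left in SYSVOL with no matching GPO object in AD.
    Get-ChildItem -LiteralPath $policies |
        Where-Object { $_.PSIsContainer -and $_.Name -like '{*}' -and $adIds -notcontains $_.Name } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Source = 'SYSVOL only'; Id = $_.Name; Name = $null; AuthUsersRead = $false
                GptIniFound = (Test-Path -LiteralPath (Join-Path $_.FullName 'gpt.ini')) }
        }
}

# Show only the rows that need attention.
Test-GpoSysvolConsistency |
    Where-Object { $_.Source -ne 'AD' -or -not ($_.GptIniFound -and $_.AuthUsersRead) } |
    Format-Table Source, Id, Name, GptIniFound, AuthUsersRead -AutoSize
```

A GPO that uses security filtering may legitimately have no Authenticated Users entry, so treat AuthUsersRead = False as a prompt to review the GPO's delegation in GPMC rather than as proof of a fault.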
