Solved

error 1030 1058 unable to edit group policies

Posted on 2014-10-21
Last Modified: 2014-11-24
I am getting these errors in the log files,

1058
Windows cannot access the file gpt.ini for GPO CN={AD69A682-8F27-4FD4-BC23-D23EE6C147AC},CN=Policies,CN=System,DC=company,DC=ad1. The file must be present at the location <\\conrad.ad1\SysVol\conrad.ad1\Policies\{AD69A682-8F27-4FD4-BC23-D23EE6C147AC}\gpt.ini>. (Access is denied. ). Group Policy processing aborted.

1030

Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

I am able to view the policies under

\\company.ad1\SysVol\company.ad1\Policies\{AD69A682-8F27-4FD4-BC23-D23EE6C147AC}\

on both the server and a workstation.

I cannot edit the GPO; I get the error that I do not have access rights to view the policy.

Error I get when trying to edit a policy:
Now the weird thing is that if I use nslookup on company.ad1, there are 4 IPs: 2 domain servers and 2 that are workstations.
On the DNS, there are 2 workstations with a parent A record.
That can't be right? I assume I need to delete these 2 A records. This issue with editing GPOs is intermittent: sometimes I can edit the GPO, while other times I cannot.

thanks

Joe
Question by:tjguy
25 Comments
 
LVL 24

Expert Comment

by:VB ITS
ID: 40395918
Yes that will definitely cause problems if those IPs belong to workstations. I'd get rid of them as a first step.
 
LVL 1

Author Comment

by:tjguy
ID: 40395927
Deleted the 2 bogus A records. I'll check the logs and see what happens.
 
LVL 1

Author Comment

by:tjguy
ID: 40395954
Still coming up with the errors 1058 and 1030. I flushed/re-registered the DNS. Anything else I can check?
 
LVL 24

Expert Comment

by:VB ITS
ID: 40395964
Check DNS on your servers and see if those workstation IP addresses (.102 and .104) are still there.
 
LVL 1

Author Comment

by:tjguy
ID: 40395999
Yes, they are still there, but the A record has the name of the workstation there.
error3.JPG
 
LVL 1

Author Comment

by:tjguy
ID: 40396013
I am able to edit the GPO but am still getting these errors, and always the same folder,
\\conrad.ad1\SysVol\company.ad1\Policies\{AD69A682-8F27-4FD4-BC23-D23EE6C147AC}\gpt.ini

Looking at the permissions on that policy:

Administrators - Full
Authenticated Users - Read & Execute, List Contents, Read
Creator Owner - none
Domain Admins - Full
Enterprise Admins - Full
Enterprise Domain Controllers - Read & Execute, List Contents, Read
System - Full

I am able to bring it up on both the server and workstation.

Reboot?
 
LVL 24

Expert Comment

by:VB ITS
ID: 40396034
I wouldn't reboot the server just yet - have a look at your event logs. Look specifically for anything related to AD replication or DNS. I have a feeling there's a larger issue at play here.
 
LVL 1

Author Comment

by:tjguy
ID: 40397231
That workstation .124 came back as an A record last night. I do recall trying to test 'server 2008' and never could get it joined to the domain, I had to prep the 2003 domain and bailed out of it. Could that be the underlying issue?
error4.JPG
 
LVL 1

Author Comment

by:tjguy
ID: 40397324
This showed up in the 'Directory Service' tab; looks bad.

NTDS (464) NTDSA: A request to write to the file "C:\WINDOWS\NTDS\edb.log" at offset 640000 (0x000000000009c400) for 512 (0x00000200) bytes succeeded, but took an abnormally long time (143 seconds) to be serviced by the OS. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem.

For more information, see Help and Support Center at
 
LVL 24

Expert Comment

by:VB ITS
ID: 40398151
That warning log isn't too bad. Any other errors or warnings? Try using the dcdiag and repadmin command line tools to verify the health of your AD forest. You can have a look at this article which has a bit more info on these tools: https://servergeeks.wordpress.com/2013/05/27/tools-to-troubleshoot-dc-issues/

As for when you were testing out 2008, it depends on where you bailed in the process. Did this issue with editing GPOs appear after you performed the testing?
 
LVL 1

Author Comment

by:tjguy
ID: 40398182
This error seems to have been going on for some time. I cannot verify when it started, so I cannot say it started when testing with 2008. The .124 address is coming from the other domain server hosting PPTP; since shutting down routing and remote services, the DNS has stopped populating the A record with that address. But I am still getting 1030/1058 errors. I also was able to find a GPO that seems to be duplicated; I can edit one, just not the other.
error5.JPG
 
LVL 1

Author Comment

by:tjguy
ID: 40398240
Results of dcdiag.exe.
error6.JPG
 
LVL 24

Expert Comment

by:VB ITS
ID: 40398414
When that test fails, it means it has picked up an error in your event log which could be hours, days, or weeks old depending on how far back your logs go. It does not necessarily mean there is a problem right now. Were there any other errors when you ran dcdiag or repadmin?
 
LVL 1

Author Comment

by:tjguy
ID: 40399861
Yes, there was also netdiag; despite this error, nslookup resolves the correct names.

DNS test . . . . . . . . . . . . . : Failed
          [WARNING] Cannot find a primary authoritative DNS server for the name
 
            The name 'serverfs1.company.ad1.' may not be registered in DNS.
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.company.ad1. re-registeration on DNS server '0.0.0.0' failed.
DNS Error code: 0x00002741
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._sites.company.ad1. re-registeration on DNS server '0.0.0.0' failed.
DNS Error code: 0x00002741
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.0afc7275-8bf8-41e9-a8ef-f7354e713844.domains._msdcs.company.ad1. re-registeration on DNS server '0.0.0.0' failed.
DNS Error code: 0x00002741
    [FATAL] Failed to fix: DC DNS entry deaaf68b-f536-47a8-81fc-28c30edadcc7._msdcs.company.ad1. re-registeration on DNS server '0.0.0.0' failed.
DNS Error code: 0x00002741
    [FATAL] Failed to fix: DC DNS entry _kerberos._tcp.dc._msdcs.company.ad1. re-registeration on DNS server '0.0.0.0' failed.
DNS Error code: 0x00002741
    [FATAL] Failed to fix: DC DNS entry _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.company.ad1. re-registeration on DNS server '0.0.0.0' failed.
DNS Error code: 0x00002741
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.dc._msdcs.company.ad1. re-registeration on DNS server '0.0.0.0' failed.
DNS Error code: 0x00002741
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.company.ad1. re-registeration on DNS server '0.0.0.0' failed.
DNS Error code: 0x00002741
    [FATAL] Failed to fix: DC DNS entry _kerberos._tcp.company.ad1. re-registeration on DNS server '0.0.0.0' failed.
DNS Error code: 0x00002741
    [FATAL] Failed to fix: DC DNS entry _kerberos._tcp.Default-First-Site-Name._sites.company.ad1. re-registeration on DNS server '0.0.0.0' failed.
DNS Error code: 0x00002741
    [FATAL] Failed to fix: DC DNS entry _kerberos._udp.company.ad1. re-registeration on DNS server '0.0.0.0' failed.
DNS Error code: 0x00002741
    [FATAL] Failed to fix: DC DNS entry _kpasswd._tcp.company.ad1. re-registeration on DNS server '0.0.0.0' failed.
DNS Error code: 0x00002741
    [FATAL] Failed to fix: DC DNS entry _kpasswd._udp.company.ad1. re-registeration on DNS server '0.0.0.0' failed.
DNS Error code: 0x00002741
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.pdc._msdcs.company.ad1. re-registeration on DNS server '0.0.0.0' failed.
DNS Error code: 0x00002741
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.DomainDnsZones.company.ad1. re-registeration on DNS server '0.0.0.0' failed.
DNS Error code: 0x00002741
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.company.ad1. re-registeration on DNS server '0.0.0.0' failed.
DNS Error code: 0x00002741
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.ForestDnsZones.company.ad1. re-registeration on DNS server '0.0.0.0' failed.
DNS Error code: 0x00002741
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.company.ad1. re-registeration on DNS server '0.0.0.0' failed.
DNS Error code: 0x00002741
    [FATAL] Failed to fix: DC DNS entry company.ad1. re-registeration on DNS server '0.0.0.0' failed.
DNS Error code: 0x00002741
    [FATAL] Failed to fix: DC DNS entry DomainDnsZones.company.ad1. re-registeration on DNS server '0.0.0.0' failed.
DNS Error code: 0x00002741
    [FATAL] Failed to fix: DC DNS entry ForestDnsZones.company.ad1. re-registeration on DNS server '0.0.0.0' failed.
DNS Error code: 0x00002741
    [FATAL] Fix Failed: netdiag failed to re-register missing DNS entries for this DC on DNS server '0.0.0.0'.
    [FATAL] No DNS servers have the DNS records for this DC registered.
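Added here as an example, not code from the thread: a PowerShell check covering both DNS points raised above, the stray workstation A records returned for company.ad1 and the DC locator records netdiag reports as missing. It assumes the ActiveDirectory and DnsClient modules (Windows Server 2012 / RSAT or later) and that the DNS zone name equals the AD domain name; the function name is mine.

```powershell
# Added example (not from the thread). Two checks against the live domain:
# (1) every A record at the zone apex belongs to a DC, and (2) the
# _ldap._tcp.dc._msdcs SRV record exists and points only at known DCs.
# Assumes ActiveDirectory + DnsClient modules; function name is an assumption.
function Test-DcDnsRegistration {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    # Authoritative list of DC host names and IPv4 addresses from AD itself
    $dcs   = Get-ADDomainController -Filter * -Server $Domain |
             Select-Object HostName, IPv4Address
    $dcIps = $dcs.IPv4Address

    # Check 1: apex A records. An address here that is not a DC (a workstation
    # that registered against the zone root) sends clients resolving
    # \\company.ad1\SysVol to a non-DC, which shows up as "Access is denied".
    $apex = Resolve-DnsName -Name $Domain -Type A -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' }
    foreach ($rr in $apex) {
        [pscustomobject]@{
            Check = 'ApexA'; Record = $Domain; Value = $rr.IPAddress
            IsDc  = ($dcIps -contains $rr.IPAddress)
        }
    }

    # Check 2: the DC locator SRV record. No answer means no DC has registered
    # (netdiag's "No DNS servers have the DNS records for this DC registered").
    $srvName = "_ldap._tcp.dc._msdcs.$Domain"
    $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) {
        [pscustomobject]@{ Check = 'SRV'; Record = $srvName; Value = '<none>'; IsDc = $false }
    }
    foreach ($rr in $srv) {
        $target = $rr.NameTarget.TrimEnd('.')
        [pscustomobject]@{
            Check = 'SRV'; Record = $srvName; Value = $target
            IsDc  = ($dcs.HostName -contains $target)
        }
    }
}

# Rows with IsDc = False are records to delete (apex A) or to have the DC
# re-register (SRV: restart Netlogon on the DC or run "nltest /dsregdns").
Test-DcDnsRegistration | Format-Table -AutoSize
```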
 
LVL 24

Expert Comment

by:VB ITS
ID: 40400887
 
LVL 1

Author Comment

by:tjguy
ID: 40402451
Yes, I am getting errors when launching my backup software, I/O errors; seems like one of the drives is failing. Ran a backup, with system state included; will try and migrate to a new server.

PROGRAM-LAUNCH-ERROR.JPG
 
LVL 1

Author Comment

by:tjguy
ID: 40403380
Get this error about Enterprise Admins; could this be an issue?
error7.JPG
 
LVL 24

Expert Comment

by:VB ITS
ID: 40403469
You didn't happen to upgrade from 2000 to 2003 DCs, did you?

You can try and run the GrantPermissionOnAllGPOs.wsf that comes with the Group Policy Management Console.
Ensure that you are logged in with an account that is either a Domain Admin or has permissions to modify the security on all GPOs in the domain.
Open Command Prompt and navigate to the GPMC scripts folder: cd "c:\program files\gpmc\scripts"
Type cscript GrantPermissionOnAllGPOs.wsf "Enterprise Domain Controllers" /Permission:Read /Domain:yourdomain.local (replace yourdomain.local with your domain name).
Let me know how you go with the above.
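Added example, not from the thread and not Microsoft's GrantPermissionOnAllGPOs.wsf: a PowerShell audit of the same right using the GroupPolicy module (Windows Server 2008 R2 / RSAT or later). The function name is an assumption; it only reports unless -Fix is given, and -Fix grants the same GpoRead level the .wsf grants with /Permission:Read.

```powershell
# Added example (not the thread's or Microsoft's script). Lists every GPO in the
# current domain that gives Enterprise Domain Controllers no Read access, the
# condition the 2000 -> 2003 upgrade leaves on pre-upgrade GPOs.
# Assumes the GroupPolicy module; the function name is an assumption.
function Test-EnterpriseDcGpoRead {
    param([switch]$Fix)

    # Well-known SID of NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS; matching on the
    # SID instead of the display name keeps the check locale-independent.
    $edcSid = 'S-1-5-9'

    foreach ($gpo in Get-GPO -All) {
        $ace = Get-GPPermission -Guid $gpo.Id -All |
               Where-Object { $_.Trustee.Sid.Value -eq $edcSid }

        # Any level other than None (GpoRead, GpoApply, GpoEdit, ...) includes Read;
        # no ACE at all is the broken case the event 1058 "Access is denied" points to.
        $hasRead = [bool]$ace -and ($ace.Permission -ne 'None')

        if (-not $hasRead -and $Fix) {
            Set-GPPermission -Guid $gpo.Id -TargetName 'Enterprise Domain Controllers' `
                -TargetType Group -PermissionLevel GpoRead | Out-Null
        }

        [pscustomobject]@{
            GpoName       = $gpo.DisplayName
            Id            = $gpo.Id
            EdcPermission = $(if ($ace) { $ace.Permission } else { '<missing>' })
            Fixed         = ((-not $hasRead) -and $Fix)
        }
    }
}

# Report first; re-run with -Fix once the list of affected GPOs looks right.
Test-EnterpriseDcGpoRead |
    Where-Object { $_.EdcPermission -in '<missing>', 'None' } |
    Format-Table -AutoSize
```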
 
LVL 1

Author Comment

by:tjguy
ID: 40406685
VB ITS,

Not a planned upgrade; I came in and the server was down, lost the motherboard, so I decided to upgrade to 2003 (back in 2006). The domain is running in 2000 mode. I will try the above and let you know.
 
LVL 24

Expert Comment

by:VB ITS
ID: 40407338
OK, that explains the error message you posted earlier. When a server is upgraded from 2000 to 2003, the Enterprise Domain Controllers group is not granted Read access to existing GPOs created prior to the upgrade. Microsoft at its best!

Let me know how you go with the above.
 
LVL 1

Author Comment

by:tjguy
ID: 40416738
I ran the command and it added the enterprise domain group, but I am still getting the 1058 and 1030 errors. The server seems stable; I was able to get a BMR backup as well as an image backup. The application log keeps filling up and I am not sure where to go from here.
 
LVL 24

Accepted Solution

by:
VB ITS earned 500 total points
ID: 40418554
What are the application logs filling up with?

Have you tried following the steps listed in this link?
http://networkdirection.net/index.php?option=com_content&view=article&id=51:active-directory-failed-dc-cleanup&catid=36:microsoft&Itemid=63
 
LVL 1

Author Comment

by:tjguy
ID: 40448821
Yes, I do recall having to do those steps you have outlined above.

I do recall doing a backup of the GPOs before all these errors started; see http://technet.microsoft.com/en-us/library/cc782589(v=WS.10).aspx

The backup finished, but with errors (not sure if it kept a log). It seemed to back up most of the GPOs, but I do recall seeing errors while it backed up.
backup-gpo.JPG
 
LVL 1

Author Comment

by:tjguy
ID: 40462775
I wanted to wrap this event up, and thanks to VB_ITS for walking me through the steps.

I had a power outage last Tuesday from a faulty circuit breaker; the server went down after the UPS ran dry. The power supply also got taken out, but could it have been the power supply that tripped the circuit breaker? Thinking it might have been the issue all along? Installed a new power supply; it booted up without incident.
Noticed that I stopped getting the 1058 and 1030 errors in the log, but instead got a new error, 1202. Did these steps that were in the event ID, with no events on record yet with 1058, 1030 or 1202.

1. Identify accounts that could not be resolved to a SID:

From the command prompt, type: FIND /I "Cannot find" %SYSTEMROOT%\Security\Logs\winlogon.log

The string following "Cannot find" in the FIND output identifies the problem account names.

Example: Cannot find JohnDough.

In this case, the SID for username "JohnDough" could not be determined. This most likely occurs because the account was deleted, renamed, or is spelled differently (e.g. "JohnDoe").

2. Use RSoP to identify the specific User Rights, Restricted Groups, and Source GPOs that contain the problem accounts:

a. Start -> Run -> RSoP.msc
b. Review the results for Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment and Computer Configuration\Windows Settings\Security Settings\Local Policies\Restricted Groups for any errors flagged with a red X.
c. For any User Right or Restricted Group marked with a red X, the corresponding GPO that contains the problem policy setting is listed under the column entitled "Source GPO". Note the specific User Rights, Restricted Groups and containing Source GPOs that are generating errors.

3. Remove unresolved accounts from Group Policy

a. Start -> Run -> MMC.EXE
b. From the File menu select "Add/Remove Snap-in..."
c. From the "Add/Remove Snap-in" dialog box select "Add..."
d. In the "Add Standalone Snap-in" dialog box select "Group Policy" and click "Add"
e. In the "Select Group Policy Object" dialog box click the "Browse" button.
f. On the "Browse for a Group Policy Object" dialog box choose the "All" tab
g. For each source GPO identified in step 2, correct the specific User Rights or Restricted Groups that were flagged with a red X in step 2. These User Rights or Restricted Groups can be corrected by removing or correcting any references to the problem accounts that were identified in step 1.
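Added example, not from the thread or from the event 1202 text: a PowerShell version of step 1 above that also checks whether each "Cannot find" name still fails to resolve to a SID, so a stale log line from an account that has since been fixed can be told apart from one that still needs correcting in its source GPO. The sample log is constructed for the demo and the function name is an assumption; pass -Path to read the real winlogon.log.

```powershell
# Added example (not from the thread or the event text): automates step 1 and adds
# a per-account SID resolution check. Function name and sample log are assumptions.
function Get-UnresolvedPolicyAccount {
    param([string]$Path = "$env:SystemRoot\Security\Logs\winlogon.log")

    $seen = @{}
    foreach ($line in Get-Content -Path $Path -ErrorAction Stop) {
        # Same lines FIND /I "Cannot find" returns, with the account name captured
        # (lazy match so names such as DOMAIN\john.doe keep their inner dots)
        if ($line -notmatch '(?i)Cannot find\s+(?<name>.+?)\.?\s*$') { continue }
        $name = $Matches['name']
        if ($seen.ContainsKey($name)) { continue }   # report each account once
        $seen[$name] = $true

        # Ask the local machine / domain to translate the name to a SID now; a name
        # that still fails is the one to remove or correct in the source GPO.
        $sid = $null
        try {
            $sid = ([System.Security.Principal.NTAccount]$name).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { }   # IdentityNotMappedException, or a domain that cannot be reached

        [pscustomobject]@{
            Account     = $name
            ResolvesNow = [bool]$sid
            Sid         = $sid
        }
    }
}

# Constructed sample in the format the event text describes; a real log also
# carries "Configure ..." progress lines, which the pattern skips.
$sample = Join-Path $env:TEMP 'winlogon-sample.log'
@(
    'Configure User Rights...'
    'Cannot find JohnDough.'
    'Configure S-1-5-32-544.'
    'Cannot find JohnDough.'
    'Cannot find BUILTIN\Administrators.'
) | Set-Content -Path $sample

# BUILTIN\Administrators resolves (S-1-5-32-544); JohnDough is listed once and
# resolves only if an account by that name exists on your system.
Get-UnresolvedPolicyAccount -Path $sample | Format-Table -AutoSize
```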
 
LVL 1

Author Closing Comment

by:tjguy
ID: 40462785
Although I never really could figure out the issue with the 1030 1058 errors, having the system come up again seemed to resolve the errors, so everything that we have tried collectively might have corrected the issue.