Avatar of Mac

Mapped drives inaccessible, Group policy not updating. \\Sysvol unreachable - not sure what to ask actually

OS = Win2008 server standard

I have a new situation where my workstation drives, mapped to a NAS, are becoming unreachable. When I try to open them it says something like that network name is in use. Figuring it would resolve with a reboot, I did, to find I had 2 servers (both the DC's) return the following error message upon reboot and attempt to logon.
"the trust relationship between this workstation and the primary domain failed"

Game on! I located a Netdom command that restored the trust credential so I can logon again. But I found that group policy was not being done. None of the mapped drives showed up on these servers.

Typing \\sysvol fails, typing \\servername\sysvol works to show the files within.
Net Share shows NETLOGON and SYSVOL
 
Opening \windows\Sysvol\sysvol on the 2 DC's showed that there was a file missing from one of them, so I copied it there and ran GPupdate /force - this restored the mapped drives after a logon cycle

DCDIAG
Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have Replicating Directory Changes In Filtered Set  access rights for the naming context:
         DC=DomainDnsZones,DC=MyDomain
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have Replicating Directory Changes In Filtered Set  access rights for the naming context:
         DC=ForestDnsZones,DC=MyDomain
         .........................DC2 failed test NCSecDesc
and several instances of this

An error event occurred.  EventID: 0x00000422
            Time Generated: 11/10/2016   13:19:04
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\MyDomain\SysVol\MyDomain\Policies\{A10EF782-04C8-4AD7-B796-A527A4FABF12}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:

I'm not sure where to go with this. All the solutions I look up don't have Netlogon and Sysvol showing under net share and I have those.
I also changed a registry parameter for BurFlag to d4 and that made no difference either.

After copying the files to make Sysvol the same on both DC's my mapped drives appeared on logon and are there a couple hours later, but I don't think I can count on this staying this way. There seems to be something lurking.
What am I looking for in a case like this?
Avatar of No More
No More

Could you run DFSDIAG /testdcs

Repadmin /showrepl

It looks like a replication issue between the DC's.
Also, I would point to DNS as a possible problem here.
Avatar of Mac

ASKER

Ran DFSDIAG on one DC and all the results came back OK, showed both machines and each was compared to the other and OK

On the second machine, DFSDIAG was not recognized as a valid exe???
SOLUTION
Avatar of No More
No More

This solution is only available to members.
Avatar of Mac

ASKER

DNS I saw a lot in my search, but nothing I can see is wrong with DNS. no weird or duplicate IP's.
The machine that ran DFSDIAG has entries saying the DNS updated its own records while the second says DNS is waiting for AD DS signal that sync has completed.
Avatar of Mac

ASKER

DFSRDIAG Results
DC2 has all zeros
DC1 doesn't recognize the argument ReplicationState

(I thought these were the same OS, but DC2 is Server 2008 R2 and DC1 is not R2)

attached is the DCDiag /e from each machine
DC1.txt
DC2.txt
You know what, I get the feeling that DC1 is using FRS and DC2 is using DFS
Avatar of Mac

ASKER

Because of the OS difference? Or is there something I can do to make them both DFS? It's a Dell 2950 so it's more than due for replacement, but I'd like to get it stable first.
Avatar of Mac

ASKER

The Article says it's not important if you don't want to implement an RODC, which I don't. But doing so made those 2 errors go away.
I found that DC2 does not have File services Role enabled. That's DFS, right?
File services Role includes multiple different services and also DFS

What errors are you getting now ?
Avatar of Mac

ASKER

Event log entries of 1058 Group policy attempted to read the file . . . . on both machines
Could you post the whole error from the event log?
Avatar of Mac

ASKER

Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Date:          11/10/2016 5:01:25 PM
Event ID:      1058
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      DC1.MyDomain
Description:
The processing of Group Policy failed. Windows attempted to read the file \\MyDomain\SysVol\MyDomain\Policies\{A10EF782-04C8-4AD7-B796-A527A4FABF12}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 
a) Name Resolution/Network Connectivity to the current domain controller. 
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller). 
c) The Distributed File System (DFS) client has been disabled.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}" />
    <EventID>1058</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>1</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2016-11-11T01:01:25.044Z" />
    <EventRecordID>19448</EventRecordID>
    <Correlation ActivityID="{DC480DAD-1A4E-4746-956A-2B3D486E858E}" />
    <Execution ProcessID="1024" ThreadID="3100" />
    <Channel>System</Channel>
    <Computer>DC1.MyDomain</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="SupportInfo1">4</Data>
    <Data Name="SupportInfo2">840</Data>
    <Data Name="ProcessingMode">0</Data>
    <Data Name="ProcessingTimeInMilliseconds">2184</Data>
    <Data Name="ErrorCode">2</Data>
    <Data Name="ErrorDescription">The system cannot find the file specified. </Data>
    <Data Name="DCName">DC1</Data>
    <Data Name="GPOCNName">cn={A10EF782-04C8-4AD7-B796-A527A4FABF12},cn=policies,cn=system,DC=MyDomain</Data>
    <Data Name="FilePath">\\MyDomain\SysVol\MyDomain\Policies\{A10EF782-04C8-4AD7-B796-A527A4FABF12}\gpt.ini</Data>
  </EventData>
</Event>

Avatar of Mac

ASKER

I am under the impression I should be able to type \\sysvol into explorer and have that folder open up. Am I wrong?
Have you made any changes to the Default Domain Policy GPO?


Run this on DC1
dcgpofix /target:Domain
Avatar of Mac

ASKER

Yes, but not recently and certainly nothing I can't reimplement.
Ran the command and it threw the error
The AD Schema version for this domain and the version supported by this tool do not match... 

Gave a /ignoreschema workaround but didn't recommend it.
Avatar of Mac

ASKER

Is there a risk here?
Avatar of Mac

ASKER

If I run this on DC2 I get no such error. There is a version difference. What kind of failure can I expect if this goes bad?
Why did you run it on DC2? Just correct me if I'm wrong: DC1 is your primary DC, which is 2008, and DC2 is 2008 R2?
Avatar of Mac

ASKER

I ran it on DC2 to the Y/N point to see if it would complain, I didn't execute it completely on DC2.
I just now ran it on DC1
run gpupdate and tell me if you get any error
Avatar of Mac

ASKER

Same Error - - - Shoot, I was hopeful.
NET STOP NTFRS

NET START NTFRS


And wait for error in event log for File Replication Service
Avatar of Mac

ASKER

On DC1 right?
Stopped, started and Event log says "... no longer preventing DC1 from becoming a Domain Controller...."

but it has several entries like that prior to this one.
I'm watching it for a new entry.
Avatar of Mac

ASKER

GPupdate still failed BTW
Avatar of Mac

ASKER

C:\Windows\System32>repadmin /showreps
Default-First-Site-Name\DC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 86dda898-7ce5-4cb5-b092-2f7faf0c37bb
DSA invocationID: 86dda898-7ce5-4cb5-b092-2f7faf0c37bb

==== INBOUND NEIGHBORS ======================================

DC=MyDomain
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: b7ed0490-cbad-4829-9b6c-552e54d3a66f
        Last attempt @ 2016-11-10 18:00:18 was successful.

CN=Configuration,DC=MyDomain
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: b7ed0490-cbad-4829-9b6c-552e54d3a66f
        Last attempt @ 2016-11-10 18:04:15 was successful.

CN=Schema,CN=Configuration,DC=MyDomain
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: b7ed0490-cbad-4829-9b6c-552e54d3a66f
        Last attempt @ 2016-11-10 17:50:53 was successful.

DC=DomainDnsZones,DC=MyDomain
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: b7ed0490-cbad-4829-9b6c-552e54d3a66f
        Last attempt @ 2016-11-10 17:50:53 was successful.

DC=ForestDnsZones,DC=MyDomain
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: b7ed0490-cbad-4829-9b6c-552e54d3a66f
        Last attempt @ 2016-11-10 17:50:53 was successful.

C:\Windows\System32>

BTW was it:

Event ID 13515

The File Replication Service is no longer preventing the computer DC1 from becoming a domain controller ?
Type "net share" to check for the SYSVOL share
Avatar of Mac

ASKER

Log Name:      File Replication Service
Source:        NtFrs
Date:          11/10/2016 5:50:28 PM
Event ID:      13516
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      DC1.MyDomain
Description:
The File Replication Service is no longer preventing the computer DC1 from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL. 
 
Type "net share" to check for the SYSVOL share.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="NtFrs" />
    <EventID Qualifiers="16384">13516</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2016-11-11T01:50:28.000Z" />
    <EventRecordID>28</EventRecordID>
    <Channel>File Replication Service</Channel>
    <Computer>DC1.MyDomain</Computer>
    <Security />
  </System>
  <EventData>
    <Data>DC1</Data>
  </EventData>
</Event>

Avatar of Mac

ASKER

C:\Windows\System32>net share

Share name   Resource                        Remark

-----------------------------------------------------------------------
C$           C:\                             Default share
D$           D:\                             Default share
print$       C:\WINDOWS\system32\spool\drivers
                                             Printer Drivers
IPC$                                         Remote IPC
ADMIN$       C:\Windows                      Remote Admin
iFIX         C:\Program Files\GE Fanuc\Proficy iFIX

NETLOGON     C:\WINDOWS\SYSVOL\sysvol\MyDomain\SCRIPTS
                                             Logon server share
SCADA        D:\SCADA                        Shared SCADA Directory
ScadaFiles   D:\SCADA
SYSVOL       C:\WINDOWS\SYSVOL\sysvol        Logon server share
The command completed successfully.

Just a quick question do you have "BurFlags"  set to D4 ?
Avatar of Mac

ASKER

Yes.
Avatar of Mac

ASKER

I stand corrected - I set it there previously but it is currently set to Zero
Have you any problems accessing sysvol or netlogon share, are there any new errors in event log ?
Avatar of Mac

ASKER

typing "\\sysvol" in explorer fails to list contents
typing "\\DC1\sysvol" shows folder contents
typing "\\DC2\sysvol" shows folder contents
But GPupdate fails
I think I should be able to type simply "\\sysvol" and have it show the contents of the folder. Am I right?
I also think that's what GPupdate is looking for..."\\sysvol". Which is why I keep bringing it up.

BTW I appreciate you hanging with me this long. I'm gone the next 4 days and it would be great to put this behind me.
Avatar of Mac

ASKER

C:\Windows\System32>gpupdate
Updating Policy...

User policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows attempted to read the file \\MyDomain\SysVol\MyDomain\Policies\{A10EF782-04C8-4AD7-B796-A527A4FABF12}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated
to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows attempted to read the file \\MyDomain\SysVol\MyDomain\Policies\{A10EF782-04C8-4AD7-B796-A527A4FABF12}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated
to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

To diagnose the failure, review the event log or invoke gpmc.msc to access information about Group Policy results.

C:\Windows\System32>Dcdiag /e /test:sysvolcheck /test:advertising

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DC1
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DC1
      Starting test: Connectivity
         ......................... DC1 passed test Connectivity

   Testing server: Default-First-Site-Name\DC2
      Starting test: Connectivity
         ......................... DC2 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DC1
      Starting test: Advertising
         ......................... DC1 passed test Advertising
      Starting test: SysVolCheck
         ......................... DC1 passed test SysVolCheck

   Testing server: Default-First-Site-Name\DC2
      Starting test: Advertising
         ......................... DC2 passed test Advertising
      Starting test: SysVolCheck
         ......................... DC2 passed test SysVolCheck



   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : MyDomain

   Running enterprise tests on : MyDomain

C:\Windows\System32>

Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Date:          11/10/2016 6:39:06 PM
Event ID:      1058
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      DC1.MyDomain
Description:
The processing of Group Policy failed. Windows attempted to read the file \\MyDomain\SysVol\MyDomain\Policies\{A10EF782-04C8-4AD7-B796-A527A4FABF12}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 
a) Name Resolution/Network Connectivity to the current domain controller. 
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller). 
c) The Distributed File System (DFS) client has been disabled.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}" />
    <EventID>1058</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>1</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2016-11-11T02:39:06.786Z" />
    <EventRecordID>19492</EventRecordID>
    <Correlation ActivityID="{2888186F-0506-4AC1-99A7-DE56A77C709A}" />
    <Execution ProcessID="1024" ThreadID="3100" />
    <Channel>System</Channel>
    <Computer>DC1.MyDomain</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="SupportInfo1">4</Data>
    <Data Name="SupportInfo2">840</Data>
    <Data Name="ProcessingMode">0</Data>
    <Data Name="ProcessingTimeInMilliseconds">2184</Data>
    <Data Name="ErrorCode">2</Data>
    <Data Name="ErrorDescription">The system cannot find the file specified. </Data>
    <Data Name="DCName">DC1</Data>
    <Data Name="GPOCNName">cn={A10EF782-04C8-4AD7-B796-A527A4FABF12},cn=policies,cn=system,DC=MyDomain</Data>
    <Data Name="FilePath">\\MyDomain\SysVol\MyDomain\Policies\{A10EF782-04C8-4AD7-B796-A527A4FABF12}\gpt.ini</Data>
  </EventData>
</Event>

Avatar of Mac

ASKER

It ran, what should I look for as a result?
No errors thrown, but GPUPDATE still fails with the same error message
LocalComputerName = contosodc1
ReplicaSetGuid = (null)
CxtionGuid = (null)
ReplicaSetName = domain system volume (sysvol share)
PartnerDnsName = ContosoDC2.Contoso.com


DC2 do

NET STOP NTFRS

NET START NTFRS

and check event log there
Avatar of Mac

ASKER

The error message is looking for a GPT.ini? I went to the folder it references and there are templates, but no GPT.ini. There isn't one in several I looked at but there are in others.
File Replication Service event


Which of DC's doesn't have gpt.ini ?
Avatar of Mac

ASKER

Same 13516 as before... What about the missing GPT.INI file?
Does it say DC1 in the event log on DC2?



Check for missing gpt.ini on domain controllers using this path: C:\Windows\SYSVOL\domain\Policies
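
One way to run that gpt.ini check on every domain controller at once, as an added example that is not part of the original thread. It reads each DC's SYSVOL share by server name (the form that still worked in the thread) and reports GPO folders that are absent on a DC, lack gpt.ini, or carry different Version values. DC1, DC2 and MyDomain are the thread's placeholder names, and both function names are hypothetical.

```powershell
# Added example, not from the thread. DC1, DC2 and MyDomain are the thread's
# placeholder names; both function names are hypothetical.

function Get-SysvolGpoState {
    param([string[]]$DomainControllers, [string]$Domain)
    foreach ($dc in $DomainControllers) {
        # Address the share by server name so no \\domain\SYSVOL DFS referral is involved.
        $policies = "\\$dc\SYSVOL\$Domain\Policies"
        if (-not (Test-Path -LiteralPath $policies)) {
            Write-Warning "$dc : cannot reach $policies"
            continue
        }
        $folders = Get-ChildItem -LiteralPath $policies |
            Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' }
        foreach ($folder in $folders) {
            $ini = Join-Path $folder.FullName 'gpt.ini'
            $hasIni = Test-Path -LiteralPath $ini -PathType Leaf
            $version = $null
            if ($hasIni) {
                # gpt.ini carries a "Version=<number>" line under [General].
                foreach ($line in (Get-Content -LiteralPath $ini)) {
                    if ($line -match '^\s*Version\s*=\s*(\d+)') { $version = [long]$Matches[1]; break }
                }
            }
            New-Object PSObject -Property @{
                DC = $dc; Gpo = $folder.Name; HasGptIni = $hasIni; Version = $version
            }
        }
    }
}

function Compare-SysvolGpoState {
    param([string[]]$DomainControllers, [string]$Domain)
    $state = @(Get-SysvolGpoState -DomainControllers $DomainControllers -Domain $Domain)
    if ($state.Count -eq 0) { return }
    foreach ($group in ($state | Group-Object -Property Gpo)) {
        $present  = @($group.Group | ForEach-Object { $_.DC })
        # An unreachable DC (warned above) shows up here for every GPO.
        $absent   = @($DomainControllers | Where-Object { $present -notcontains $_ })
        $noIni    = @($group.Group | Where-Object { -not $_.HasGptIni } | ForEach-Object { $_.DC })
        $versions = @($group.Group | Where-Object { $_.HasGptIni } |
                      ForEach-Object { "$($_.Version)" } | Sort-Object -Unique)
        if ($absent.Count -gt 0 -or $noIni.Count -gt 0 -or $versions.Count -gt 1) {
            New-Object PSObject -Property @{
                Gpo             = $group.Name
                FolderMissingOn = $absent -join ','
                GptIniMissingOn = $noIni -join ','
                Versions        = $versions -join ','
            }
        }
    }
}

Compare-SysvolGpoState -DomainControllers 'DC1','DC2' -Domain 'MyDomain' |
    Format-Table Gpo, FolderMissingOn, GptIniMissingOn, Versions -AutoSize
```

A GPO GUID that appears in the Event 1058 FilePath and also in this output is the one Group Policy processing is failing on; a version difference seen shortly after a policy edit can simply be replication latency.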
Epic 3:24am, glad it's fixed
Avatar of Mac

ASKER

I really appreciate your help.
Avatar of Mac

ASKER

Dumb luck on my part that I stumbled onto it, but David kept trying new things and stuck with me the whole time so he gets the points.
I learned a lot on this one.