Event ID 1058

Archived from groups: microsoft.public.win2000.dns

Hi

Environment: Windows 2003 DC. This server has two NICs which use Routing
and Remote Access. This server has not been in service long. In the process
of setting up Exchange on another Windows 2003 DC. When I try to open
Domain Controller Security Policy, I receive the following error:

Failed to open group policy object. You may not have appropriate rights.

Located at the event viewer "Application Log" on both the server and the
clients, the following message is displayed:

Windows cannot access the file gpt.ini for GPO
CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=bytron,DC=local.
The file must be present at the location
<\\bytron.local\sysvol\bytron.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
(Configuration information could not be read from the domain controller,
either because the machine is unavailable, or access has been denied. ).
Group Policy processing aborted.


On the server inside event viewer "DNS", the following message:

The DNS server was unable to open zone _msdcs.bytron-hq.matthew.bytron.local
in the Active Directory from the application directory partition
ForestDnsZones.bytron-hq.matthew.bytron.local. This DNS server is configured
to obtain and use information from the directory for this zone and is unable
to load the zone without it. Check that the Active Directory is functioning
properly and reload the zone. The event data is the error code.

I have tried to source an answer for this problem but cannot find the
solution. Can anyone please help?


--
Thanks

Matthew
  1. Archived from groups: microsoft.public.win2000.dns

    This is always a permissions problem - either somewhere in sysvol or AD. Unfortunately that covers a lot of territory, and you may
    end up seeing more of it than you want before you find the cause.

    But you might get lucky - as a first attack, I'd recommend a dcdiag /fix and netdiag /fix (I sound like a broken record today), make
    sure that sysvol is being shared out at all, and check the domain admins permissions as described here:
    http://support.microsoft.com/?id=294257

    Steve Duff, MCSE, MVP
    Ergodic Systems, Inc.
  2. Archived from groups: microsoft.public.win2000.dns

    Hi Steve

    I have run the dcdiag command. Initial errors show that replication is
    trying to take place to another DC which no longer exists. This was just an
    additional DC on the domain for test purposes. I believe I should have demoted
    the server so that the rest of the network knows the DC no longer exists. Is
    there an alternative method to stop replication attempts to a DC which does
    not exist on the network?

    bytron.local
    is not registered on one or more DNS servers.
    [Replications Check,MATTHEW] A recent replication attempt failed:
    From PAT to MATTHEW
    Naming Context: DC=bytron,DC=local
    The replication generated an error (8524):
    Win32 Error 8524
    The failure occurred at 2005-07-01 08:47:04.
    The last success occurred at 2005-05-04 14:29:57.
    1360 failures have occurred since the last success.
    The guid-based DNS name
    a4161860-3f0c-4385-905f-dbecc51061cc._msdcs.bytron.local

    Starting test: frsevent
    There are warning or error events within the last 24 hours after the
    SYSVOL has been shared. Failing SYSVOL replication problems may cause
    Group Policy problems.
    ......................... MATTHEW failed test frsevent


    As above shows, this can cause Group Policy probs. Do you have any ideas to
    fix this replication problem?

    Regards

    Matthew
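An added example, not part of the thread and not Microsoft tooling: a small Python parser for the dcdiag text quoted in the post above. It pulls out each replication failure and the failed tests, then flags partners that have been failing long enough to suggest a DC that was removed without demotion. The thresholds (14 days, 100 failures) and the handling of a "(never)" last-success value are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# dcdiag lines as quoted in the post above (indentation normalised).
SAMPLE_DCDIAG = """\
[Replications Check,MATTHEW] A recent replication attempt failed:
From PAT to MATTHEW
Naming Context: DC=bytron,DC=local
The replication generated an error (8524):
Win32 Error 8524
The failure occurred at 2005-07-01 08:47:04.
The last success occurred at 2005-05-04 14:29:57.
1360 failures have occurred since the last success.

Starting test: frsevent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... MATTHEW failed test frsevent
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"
# 8524 is ERROR_DS_DNS_LOOKUP_FAILURE: the partner's name could not be resolved.
KNOWN_ERRORS = {8524: "ERROR_DS_DNS_LOOKUP_FAILURE"}

FROM_TO = re.compile(r"^From (\S+) to (\S+)$")
NAMING_CTX = re.compile(r"^Naming Context: (.+)$")
ERROR = re.compile(r"^The replication generated an error \((\d+)\)")
FAILED_AT = re.compile(r"^The failure occurred at (.+?)\.$")
LAST_OK = re.compile(r"^The last success occurred at (.+?)\.$")
COUNT = re.compile(r"^(\d+) failures have occurred since the last success")
FAILED_TEST = re.compile(r"^\.+ (\S+) failed test (\S+)$")


@dataclass
class ReplFailure:
    source: str
    dest: str
    naming_context: str
    error: int
    failed_at: Optional[datetime]
    last_success: Optional[datetime]
    failure_count: int

    @property
    def days_stale(self) -> Optional[int]:
        """Whole days between the last success and the reported failure."""
        if self.failed_at is None or self.last_success is None:
            return None
        return (self.failed_at - self.last_success).days


def _ts(value: str) -> Optional[datetime]:
    try:
        return datetime.strptime(value.strip(), TS_FORMAT)
    except ValueError:
        return None  # assumption: e.g. "(never)" means no known success


def parse_dcdiag(text: str) -> Tuple[List[ReplFailure], List[Tuple[str, str]]]:
    """Return (replication failures, [(server, failed test name), ...])."""
    failures, failed_tests = [], []
    cur = None  # fields of the failure block currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if "A recent replication attempt failed" in line:
            cur = {"source": "?", "dest": "?", "naming_context": "?",
                   "error": 0, "failed_at": None, "last_success": None}
            continue
        m = FAILED_TEST.match(line)
        if m:
            failed_tests.append((m.group(1), m.group(2)))
            continue
        if cur is None:
            continue
        if m := FROM_TO.match(line):
            cur["source"], cur["dest"] = m.groups()
        elif m := NAMING_CTX.match(line):
            cur["naming_context"] = m.group(1)
        elif m := ERROR.match(line):
            cur["error"] = int(m.group(1))
        elif m := FAILED_AT.match(line):
            cur["failed_at"] = _ts(m.group(1))
        elif m := LAST_OK.match(line):
            cur["last_success"] = _ts(m.group(1))
        elif m := COUNT.match(line):
            # The failure count is the last line of a block: close the record.
            failures.append(ReplFailure(failure_count=int(m.group(1)), **cur))
            cur = None
    return failures, failed_tests


def stale_partners(failures, min_days: int = 14, min_failures: int = 100) -> List[str]:
    """Sources failing long enough that the DC may be gone rather than down."""
    flagged = set()
    for f in failures:
        never = f.last_success is None
        stale = f.days_stale is not None and f.days_stale >= min_days
        if (never or stale) and f.failure_count >= min_failures:
            flagged.add(f.source)
    return sorted(flagged)


if __name__ == "__main__":
    found, failed = parse_dcdiag(SAMPLE_DCDIAG)
    for f in found:
        print(f.source, "->", f.dest, KNOWN_ERRORS.get(f.error, f.error),
              "days stale:", f.days_stale, "failures:", f.failure_count)
    print("failed tests:", failed, "stale partners:", stale_partners(found))
```
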
  3. Archived from groups: microsoft.public.win2000.dns

    If it doesn't simply show in AD Sites snap-in where you can remove it, then there is a process for manually removing a DC from AD.
    This is spelled out in a KB article. I don't have the number handy as I'm out of the office. If you can't locate it at
    support.microsoft.com, then post back and I'll find it for you.

    You want especially to be sure that there are no FSMO roles still believed to be held by the phantom DC. This can cause important
    things to break badly and inexplicably after days, weeks or months. Check the RID, PDC and Infrastructure roles by right-clicking
    the domain in AD Users and Computers and selecting "Operations Masters". The Naming role is in the AD Trusts snap-in
    (right-click...operations master). The Schema role is in the schema snap-in (you'll have to use add/remove snap-in to get to this
    one), right-click schema..."operations master" to check that.

    Steve Duff, MCSE, MVP
    Ergodic Systems, Inc.
  4. Archived from groups: microsoft.public.win2000.dns

    In news:FCE7A7BA-2149-47FF-ACD4-6BF710BF40EA@microsoft.com,
    Matthew <Matthew@discussions.microsoft.com> posted this:
    > Hi Steve
    >
    > I have run the dcdiag command. Initial errors show that replication is
    > trying to take place to another DC which no longer exists. This was just an
    > additional DC on the domain for test purposes. I believe I should have demoted
    > the server so that the rest of the network knows the DC no longer exists. Is
    > there an alternative method to stop replication attempts to a DC which does
    > not exist on the network?
    >
    > bytron.local
    > is not registered on one or more DNS servers.
    > [Replications Check,MATTHEW] A recent replication attempt failed:
    > From PAT to MATTHEW
    > Naming Context: DC=bytron,DC=local
    > The replication generated an error (8524):
    > Win32 Error 8524
    > The failure occurred at 2005-07-01 08:47:04.
    > The last success occurred at 2005-05-04 14:29:57.
    > 1360 failures have occurred since the last success.
    > The guid-based DNS name
    > a4161860-3f0c-4385-905f-dbecc51061cc._msdcs.bytron.local
    >
    > Starting test: frsevent
    > There are warning or error events within the last 24 hours after the
    > SYSVOL has been shared. Failing SYSVOL replication problems may cause
    > Group Policy problems.
    > ......................... MATTHEW failed test frsevent
    >
    > As above shows, this can cause Group Policy probs. Do you have any ideas to
    > fix this replication problem?

    If it is trying to replicate with a DC that no longer exists, then I have to
    assume you did not DC promo it out of the domain, meaning it possibly still
    holds one or more of five FSMO roles.
    You will have to seize the FSMO roles with ntdsutil then use ntdsutil to run
    a metadata cleanup to remove the other DC from AD.

    255504 - Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain
    Controller:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;255504

    How to remove data in Active Directory after an unsuccessful domain
    controller demotion:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;216498


    --
    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
    Hope This Helps
  5. Archived from groups: microsoft.public.win2000.dns

    see:
    http://www.eventid.net/display.asp?eventid=1058&eventno=1752&source=Userenv&phase=1

    cheers,

  6. Archived from groups: microsoft.public.win2000.dns

    Do a metadata cleanup for the old DC that does not exist anymore
    See the following for this

    How to remove data in Active Directory after an unsuccessful domain
    controller demotion
    http://support.microsoft.com/default.aspx?scid=kb;en-us;216498

    How can I manually delete a server object from the Active Directory
    database in case of a bad DCPROMO procedure?
    http://www.petri.co.il/fix_unsuccessful_demotion.htm

    How can I delete a failed Domain Controller object from Active
    Directory?
    http://www.petri.co.il/delete_failed_dcs_from_ad.htm

    Cheers

  7. Archived from groups: microsoft.public.win2000.dns

    Hi Steve.

    I have removed the DC manually from AD. This is the result from the dcdiag
    after removing.

    C:\Program Files\Support Tools>dcdiag

    Domain Controller Diagnosis

    Performing initial setup:
    Done gathering initial info.

    Doing initial required tests

    Testing server: Default-First-Site-Name\MATTHEW
    Starting test: Connectivity
    ......................... MATTHEW passed test Connectivity

    Doing primary tests

    Testing server: Default-First-Site-Name\MATTHEW
    Starting test: Replications
    ......................... MATTHEW passed test Replications
    Starting test: NCSecDesc
    ......................... MATTHEW passed test NCSecDesc
    Starting test: NetLogons
    ......................... MATTHEW passed test NetLogons
    Starting test: Advertising
    ......................... MATTHEW passed test Advertising
    Starting test: KnowsOfRoleHolders
    ......................... MATTHEW passed test KnowsOfRoleHolders
    Starting test: RidManager
    ......................... MATTHEW passed test RidManager
    Starting test: MachineAccount
    ......................... MATTHEW passed test MachineAccount
    Starting test: Services
    ......................... MATTHEW passed test Services
    Starting test: ObjectsReplicated
    ......................... MATTHEW passed test ObjectsReplicated
    Starting test: frssysvol
    ......................... MATTHEW passed test frssysvol
    Starting test: frsevent
    ......................... MATTHEW passed test frsevent
    Starting test: kccevent
    ......................... MATTHEW passed test kccevent
    Starting test: systemlog
    ......................... MATTHEW passed test systemlog
    Starting test: VerifyReferences
    ......................... MATTHEW passed test VerifyReferences

    Running partition tests on : ForestDnsZones
    Starting test: CrossRefValidation
    ......................... ForestDnsZones passed test CrossRefValidation

    Starting test: CheckSDRefDom
    ......................... ForestDnsZones passed test CheckSDRefDom

    Running partition tests on : DomainDnsZones
    Starting test: CrossRefValidation
    ......................... DomainDnsZones passed test CrossRefValidation

    Starting test: CheckSDRefDom
    ......................... DomainDnsZones passed test CheckSDRefDom

    Running partition tests on : Schema
    Starting test: CrossRefValidation
    ......................... Schema passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... Schema passed test CheckSDRefDom

    Running partition tests on : Configuration
    Starting test: CrossRefValidation
    ......................... Configuration passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... Configuration passed test CheckSDRefDom

    Running partition tests on : bytron
    Starting test: CrossRefValidation
    ......................... bytron passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... bytron passed test CheckSDRefDom

    Running enterprise tests on : bytron.local
    Starting test: Intersite
    ......................... bytron.local passed test Intersite
    Starting test: FsmoCheck
    ......................... bytron.local passed test FsmoCheck

    C:\Program Files\Support Tools>

    All seems good.


    I have also checked that there are no FSMO on the phantom DC. Appears ok.
    The only problem I have is that I cannot locate the schema role in
    add/remove snap-in. I am sure I have looked in the correct location by using
    the following command in a run box "mmc".

    Still receiving the original event ID.

    Here is the feedback from the netdiag command.


    C:\Program Files\Support Tools>netdiag

    .......................................

    Computer Name: MATTHEW
    DNS Host Name: matthew.bytron.local
    System info : Microsoft Windows Server 2003 (Build 3790)
    Processor : x86 Family 6 Model 8 Stepping 1, AuthenticAMD
    List of installed hotfixes :


    Netcard queries test . . . . . . . : Failed
    GetStats failed for 'Realtek RTL8139 Family PCI Fast Ethernet NIC #2'. [ERROR_INVALID_FUNCTION]
    GetStats failed for 'Realtek RTL8139 Family PCI Fast Ethernet NIC'. [ERROR_INVALID_FUNCTION]
    GetStats failed for '1394 Net Adapter'. [ERROR_INVALID_FUNCTION]
    [FATAL] - None of the netcard drivers provided satisfactory results.


    Per interface results:

    Adapter : Orange

    Netcard queries test . . . : Failed
    NetCard Status: UNKNOWN

    Host Name. . . . . . . . . : matthew
    IP Address . . . . . . . . : 192.0.1.236
    Subnet Mask. . . . . . . . : 255.255.255.0
    Default Gateway. . . . . . : 192.0.1.172
    Dns Servers. . . . . . . . : 192.168.1.3
    192.0.1.160


    AutoConfiguration results. . . . . . : Passed

    Default gateway test . . . : Passed

    NetBT name test. . . . . . : Passed
    [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
    No remote names have been found.

    WINS service test. . . . . : Skipped
    There are no WINS servers configured for this interface.

    Adapter : Green

    Netcard queries test . . . : Failed
    NetCard Status: UNKNOWN

    Host Name. . . . . . . . . : matthew
    IP Address . . . . . . . . : 192.168.1.3
    Subnet Mask. . . . . . . . : 255.255.255.0
    Default Gateway. . . . . . :
    Dns Servers. . . . . . . . : 192.168.1.3


    AutoConfiguration results. . . . . . : Passed

    Default gateway test . . . : Skipped
    [WARNING] No gateways defined for this adapter.

    NetBT name test. . . . . . : Passed
    [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
    No remote names have been found.

    WINS service test. . . . . : Skipped
    There are no WINS servers configured for this interface.


    Global results:


    Domain membership test . . . . . . : Passed


    NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
    NetBT_Tcpip_{D3DE0AE1-0748-4D0B-94CA-A113176629CB}
    NetBT_Tcpip_{21B4727C-4DCA-4978-8B2C-294F090C269C}
    2 NetBt transports currently configured.


    Autonet address test . . . . . . . : Passed


    IP loopback ping test. . . . . . . : Passed


    Default gateway test . . . . . . . : Passed


    NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.


    Winsock test . . . . . . . . . . . : Passed


    DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server
    '192.168.1.3'
    and other DCs also have some of the names registered.
    [WARNING] The DNS entries for this DC are not registered correctly on DNS server '192.0.1.160'. Please wait for 30 minutes for DNS server replication.


    Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
    NetBT_Tcpip_{D3DE0AE1-0748-4D0B-94CA-A113176629CB}
    NetBT_Tcpip_{21B4727C-4DCA-4978-8B2C-294F090C269C}
    The redir is bound to 2 NetBt transports.

    List of NetBt transports currently bound to the browser
    NetBT_Tcpip_{D3DE0AE1-0748-4D0B-94CA-A113176629CB}
    NetBT_Tcpip_{21B4727C-4DCA-4978-8B2C-294F090C269C}
    The browser is bound to 2 NetBt transports.


    DC discovery test. . . . . . . . . : Passed


    DC list test . . . . . . . . . . . : Passed


    Trust relationship test. . . . . . : Skipped


    Kerberos test. . . . . . . . . . . : Passed


    LDAP test. . . . . . . . . . . . . : Passed


    Bindings test. . . . . . . . . . . : Passed


    WAN configuration test . . . . . . : Skipped
    No active remote access connections.


    Modem diagnostics test . . . . . . : Passed

    IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed information


    The command completed successfully


    Any ideas? Oh, from the netdiag results, the 192.0.1.160 DNS server is a
    linux platform on a different network IP range. Not sure why DNS replication
    would try and replicate with this DNS server.

    Regards

    Matthew
  8. Archived from groups: microsoft.public.win2000.dns (More info?)

    I checked my path to the GPI file and it does exist. I also tried the
    permissions on the file by adding the everyone container to the object.
    Still no joy.


    "Jorge_de_Almeida_Pinto" wrote:

    > "" wrote:
    > > Hi
    > >
    > > Environment: Windows 2003 DC. This server has two NIC's which
    > > uses Routing
    > > and Remote Access. This server has not been in service long.
    > > In the process
    > > of setting up exchange on another Windows 2003 DC. When I try
    > > to open
    > > Domain Controller Security Policy, I receive the following
    > > error:
    > >
    > > Failed to open group policy object. You may not have
    > > appropriate rights.
    > >
    > > Located at the event viewer "Application Log" on both the
    > > server and the
    > > clients, the following message is displayed:
    > >
    > > Windows cannot access the file gpt.ini for GPO
    > > CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=bytron,DC=local.
    > >
    > > The file must be present at the location
    > > <\\bytron.local\sysvol\bytron.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
    > >
    > > (Configuration information could not be read from the domain
    > > controller,
    > > either because the machine is unavailable, or access has been
    > > denied. ).
    > > Group Policy processing aborted.
    > >
    > >
    > >
    > >
    > > On the server inside event viewer "DNS", the following
    > > message:
    > >
    > > The DNS server was unable to open zone
    > > _msdcs.bytron-hq.matthew.bytron.local
    > > in the Active Directory from the application directory
    > > partition
    > > ForestDnsZones.bytron-hq.matthew.bytron.local. This DNS server
    > > is configured
    > > to obtain and use information from the directory for this zone
    > > and is unable
    > > to load the zone without it. Check that the Active Directory
    > > is functioning
    > > properly and reload the zone. The event data is the error
    > > code.
    > >
    > > I have tried to source answer for this problem but can not
    > > find the
    > > solution. Can anyone please help.
    > >
    > >
    > >
    > >
    > >
    > >
    > > --
    > > Thanks
    > >
    > > Matthew
    >
    > see:
    > http://www.eventid.net/display.asp?eventid=1058&eventno=1752&source=Userenv&phase=1
    >
    > cheers,
    >
  9. Archived from groups: microsoft.public.win2000.dns (More info?)

    In news:4BE21987-4F8A-4CDC-87D2-716703C6C23B@microsoft.com,
    Matthew <Matthew@discussions.microsoft.com> posted this:
    > Per interface results:
    >
    > Adapter : Orange
    >
    > Netcard queries test . . . : Failed
    > NetCard Status: UNKNOWN
    >
    > Host Name. . . . . . . . . : matthew
    > IP Address . . . . . . . . : 192.0.1.236
    > Subnet Mask. . . . . . . . : 255.255.255.0
    > Default Gateway. . . . . . : 192.0.1.172
    > Dns Servers. . . . . . . . : 192.168.1.3
    > 192.0.1.160 <----- remove this address

    > DNS test . . . . . . . . . . . . . : Passed
    > PASS - All the DNS entries for DC are registered on DNS server
    > '192.168.1.3'
    > and other DCs also have some of the names registered.
    > [WARNING] The DNS entries for this DC are not registered
    > correctly on DNS server '192.0.1.160'. Please wait for 30 minutes
    > for DNS server replication.

    > Any ideas? Oh, from the netdiag results, the 192.0.1.160 DNS server
    > is a linux platform on a different network IP range. Not sure why
    > DNS replication would try and replicate with this DNS server.

    It is not that DNS is trying to replicate to this DNS server, it is that the
    DC will attempt registration of its records in all DNS servers listed in
    TCP/IP properties, on all interfaces.

    If the Linux DNS does not have a copy of the AD domain zone, it cannot be
    used in TCP/IP properties, in any position, on any interface.

    BTW, 192.0.1.x is a reserved public IP address subnet, owned by Information
    Sciences Institute at USC. Unless this address was assigned to you, change
    the subnet IP range.

    --
    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
    Hope This Helps
    ===================================
    When responding to posts, please "Reply to Group"
    via your newsreader so that others may learn and
    benefit from your issue, to respond directly to
    me remove the nospam. from my email address.
    ===================================
    http://www.lonestaramerica.com/
    ===================================
    Use Outlook Express?... Get OE_Quotefix:
    It will strip signature out and more
    http://home.in.tum.de/~jain/software/oe-quotefix/
    ===================================
    Keep a back up of your OE settings and folders
    with OEBackup:
    http://www.oehelp.com/OEBackup/Default.aspx
    ===================================
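Added example (not part of the original thread): a small Python parser that applies the point in the reply above to netdiag output, listing every DNS server configured on any adapter that the DNS test did not report as holding the DC's records. The sample text is constructed from the output posted in this thread, and the function names are illustrative.

```python
import re

# Constructed sample: trimmed from the netdiag output posted in this thread,
# keeping the console line wrap ("DNS se" / "rver") that the output contains.
SAMPLE = """\
Per interface results:

Adapter : Orange
IP Address . . . . . . . . : 192.0.1.236
Dns Servers. . . . . . . . : 192.168.1.3
192.0.1.160

Adapter : Green
IP Address . . . . . . . . : 192.168.1.3
Dns Servers. . . . . . . . : 192.168.1.3

Global results:

DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server
'192.168.1.3'
and other DCs also have some of the names registered.
[WARNING] The DNS entries for this DC are not registered correctly on
DNS se
rver '192.0.1.160'. Please wait for 30 minutes for DNS server replication.

Redir and Browser test . . . . . . : Passed
"""

ADAPTER_RE = re.compile(r"^Adapter\s*:\s*(.+)$")
DNS_RE = re.compile(r"^Dns Servers[ .]*:\s*(\S*)$")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
DNS_TEST_RE = re.compile(r"^[ \t]*DNS test[ .]*:", re.M)
TEST_HDR_RE = re.compile(r"^[ \t]*[A-Za-z ]+ test[ .]*:", re.M)
# A PASS or [WARNING] verdict followed by the first quoted IPv4 address;
# [^']* also spans the wrapped lines between the verdict and the address.
VERDICT_RE = re.compile(r"(PASS|\[WARNING\])[^']*'(\d{1,3}(?:\.\d{1,3}){3})'")


def parse_adapter_dns(text):
    """Map each adapter name to the DNS servers listed under it."""
    adapters, current, in_dns = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Global results"):
            break
        m = ADAPTER_RE.match(line)
        if m:
            current, in_dns = m.group(1).strip(), False
            adapters[current] = []
            continue
        if current is None:
            continue
        m = DNS_RE.match(line)
        if m:
            in_dns = True
            if m.group(1):
                adapters[current].append(m.group(1))
        elif in_dns and IP_RE.match(line):
            adapters[current].append(line)  # continuation line: bare address
        elif line:
            in_dns = False
    return adapters


def parse_dns_test(text):
    """Map each DNS server named in the 'DNS test' block to its verdict."""
    start = DNS_TEST_RE.search(text)
    if not start:
        return {}
    nxt = TEST_HDR_RE.search(text, start.end())
    section = text[start.end():nxt.start() if nxt else len(text)]
    return {ip: v.strip("[]") for v, ip in VERDICT_RE.findall(section)}


def audit(text):
    """Return (adapter, server, verdict) for servers not reported as PASS."""
    verdicts = parse_dns_test(text)
    return [(adapter, ip, verdicts.get(ip, "UNTESTED"))
            for adapter, servers in parse_adapter_dns(text).items()
            for ip in servers if verdicts.get(ip, "UNTESTED") != "PASS"]


if __name__ == "__main__":
    for adapter, ip, verdict in audit(SAMPLE):
        print(f"{adapter}: review DNS server {ip} ({verdict})")
```
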
  10. Archived from groups: microsoft.public.win2000.dns (More info?)

    In news:4BE21987-4F8A-4CDC-87D2-716703C6C23B@microsoft.com,
    Matthew <Matthew@discussions.microsoft.com> posted this:

    Multihomed DCs require additional configuration:
    1. On the interfaces tab (DNS server properties) make sure only the internal
    IP is listed in the listen on addresses.
    2. Binding order: Right click on Network Places, choose properties, in the
    Advanced menu of the Window that opens choose Advanced settings. In Advanced
    settings, Connections pane, the internal interface should be at the top of
    the list. In the Bindings pane, Client for MS networks and file sharing
    should only be bound to the internal interface.


    --
    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
    Hope This Helps
  11. Archived from groups: microsoft.public.win2000.dns (More info?)

    Hi Kevin

    I have carried out the advance settings in network properties and checked
    the DNS server properties. I have also removed the Linux DNS servers. I have
    checked DNS event log and there appear to be no more errors.

    However, I am still receiving Event ID 1058.

    Regards

    Matthew

    "Kevin D. Goodknecht Sr. [MVP]" wrote:

    > In news:4BE21987-4F8A-4CDC-87D2-716703C6C23B@microsoft.com,
    > Matthew <Matthew@discussions.microsoft.com> posted this:
    >
    > Multihomed DCs require additional configuration:
    > 1. On the interfaces tab (DNS server properties) make sure only the internal
    > IP is listed in the listen on addresses.
    > 2. Binding order: Right click on Network Places, choose properties, in the
    > Advanced menu of the Window that opens choose Advanced settings. In Advanced
    > settings, Connections pane, the internal interface should be at the top of
    > the list. In the Bindings pane, Client for MS networks and file sharing
    > should only be bound to the internal interface.
    >
    >
    >
    > --
    > Best regards,
    > Kevin D4 Dad Goodknecht Sr. [MVP]
    > Hope This Helps
  12. Archived from groups: microsoft.public.win2000.dns (More info?)

    In news:AE5EC083-E5CE-4E81-93CA-7027FE7B2467@microsoft.com,
    Matthew <Matthew@discussions.microsoft.com> posted this:
    > Hi Kevin
    >
    > I have carried out the advance settings in network properties and
    > checked the DNS server properties. I have also removed the Linux DNS
    > servers. I have checked DNS event log and there appear to be no more
    > errors.
    >
    > However, I am still receiving Event ID 1058.

    Can you access \\bytron.local\sysvol?

    Does bytron.local resolve ONLY to the IP address on the DC that has File
    sharing enabled?


    --
    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
    Hope This Helps
  13. Archived from groups: microsoft.public.win2000.dns (More info?)

    Steve,
    I am having a similar problem as Matthew. I however have only one DC. My
    error message from the dcdiag is the same
    > Starting test: frsevent
    > There are warning or error events within the last 24 hours after the
    > SYSVOL has been shared. Failing SYSVOL replication problems may cause
    > Group Policy problems.
    "
    I followed the instructions in the article you pointed to up through step 3.
    My adsiedit doesn't show the "problem" policy listed as a "notepad" icon. I
    know which policy is the problem. I've checked the permissions on it through
    adsiedit and Explorer and on the "sysvol" share itself. I also get "domain
    controller not found for "mydomain.com" when trying to access group policies
    through "AD users and groups" when run from PDC. If I access GP through
    client machine's "AD users and groups" group policy comes up and I am able to
    modify it. Many of the policies within the group policy "computes" section
    are empty however.

    I've seen posts about directly modifying gpt.ini within the problem policy,
    but I don't trust that. Especially after seeing what that file contains.

    more relevant info: every 5 minutes userenv logs 1030 and 1058
    errors started while I was making changes to GP policies for IE browser
    interface, GP refresh interval, and screen saver times to require user to
    reenter password to use client.

    I think if I can create a new, clean default group policy, it will fix the
    problem, but I'm not sure how to do it, or even if it will work.
    David

    "Steve Duff [MVP]" wrote:

    > If it doesn't simply show in AD Sites snap-in where you can remove it, then there is a process for manually removing a DC from AD.
    > This is spelled out in a KB article. I don't have the number handy as I'm out of the office. If you can't locate it at
    > support.microsoft.com, then post back and I'll find it for you.
    >
    > You want especially to be sure that there are no FSMO roles still believed to be held by the phantom DC. This can cause important
    > things to break badly and inexplicably after days, weeks or months. Check the RID, PDC and Infrastructure roles by right-clicking
    > the domain in AD Users and Computers and selecting "Operations Masters". The Naming role is in the AD Trusts snap-in
    > (right-click...operations master). The Schema role is in the schema snap-in (you'll have to use add/remove snap-in to get to this
    > one), right-click schema..."operations master" to check that.
    >
    > Steve Duff, MCSE, MVP
    > Ergodic Systems, Inc.
    >
    > "Matthew" <Matthew@discussions.microsoft.com> wrote in message news:FCE7A7BA-2149-47FF-ACD4-6BF710BF40EA@microsoft.com...
    > > Hi Steve
    > >
    > > I have run the dcdiag command. Initial errors show that replication is
    > > trying to take place to another DC which no longer exists. This was just an
    > > additional DC on the domain for test purposes. I believe I should have demoted
    > > the server so that the rest of the network knows the DC no longer exists. Is
    > > there an alternative method to stop replication attempts to a DC which does
    > > not exist on the network.
    > >
    > > bytron.local
    > > is not registered on one or more DNS servers.
    > > [Replications Check,MATTHEW] A recent replication attempt failed:
    > > From PAT to MATTHEW
    > > Naming Context: DC=bytron,DC=local
    > > The replication generated an error (8524):
    > > Win32 Error 8524
    > > The failure occurred at 2005-07-01 08:47:04.
    > > The last success occurred at 2005-05-04 14:29:57.
    > > 1360 failures have occurred since the last success.
    > > The guid-based DNS name
    > > a4161860-3f0c-4385-905f-dbecc51061cc._msdcs.
    > > bytron.local
    > >
    > > Starting test: frsevent
    > > There are warning or error events within the last 24 hours after the
    > > SYSVOL has been shared. Failing SYSVOL replication problems may cause
    > > Group Policy problems.
    > > ......................... MATTHEW failed test frsevent
    > >
    > >
    > >
    > > As above shows, this can cause Group Policy probs. Do you have any ideas to
    > > fix this replication problem?
    > >
    > > Regards
    > >
    > > Matthew
    > >
    > >
    > >
    > >
    > >
    > >
    > >
    > >
    > > "Steve Duff [MVP]" wrote:
    > >
    > >> This is always a permissions problem - either somewhere in sysvol or AD. Unfortunately that covers a lot of territory, and you
    > >> may
    > >> end up seeing more of it than you want before you find the cause.
    > >>
    > >> But you might get lucky - as a first attack, I'd recommend a dcdiag /fix and netdiag /fix (I sound like a broken record today),
    > >> make
    > >> sure that sysvol is being shared out at all, and check the domain admins permissions as described here:
    > >> http://support.microsoft.com/?id=294257
    > >>
    > >> Steve Duff, MCSE, MVP
    > >> Ergodic Systems, Inc.
  14. Archived from groups: microsoft.public.win2000.dns (More info?)

    Matthew <Matthew@discussions.microsoft.com> wrote:
    > I checked my path to the GPI file and it does exist. I also tried the
    > permissions on the file by adding the everyone container to the
    > object.

    Is the TCP/IP NetBIOS helper service enabled and running?
    This service is required for DFS Shares.


    --
    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
    Hope This Helps
  15. Archived from groups: microsoft.public.win2000.dns (More info?)

    In news:07456077-D594-4BE4-BA62-85F4AE7B6484@microsoft.com,
    davidskd5 <davidskd5@discussions.microsoft.com> made this post, which I then
    commented about below:
    > Steve,
    > I am having a similar problem as Matthew. I however have only one
    > DC. My error message from the dcdiag is the same
    >> Starting test: frsevent
    >> There are warning or error events within the last 24 hours after the
    >> SYSVOL has been shared. Failing SYSVOL replication problems may
    >> cause Group Policy problems.
    > "
    > I followed the instructions in the article you pointed to up through
    > step 3. My adsiedit doesn't show the "problem" policy listed as a
    > "notepad" icon. I know which policy is the problem. I've checked the
    > permissions on it through adsiedit and Explorer and on the "sysvol"
    > share itself. I also get "domain controller not found for
    > "mydomain.com" when trying to access group policies through "AD users
    > and groups" when run from PDC. If I access GP through client
    > machine's "AD users and groups" group policy comes up and I am able
    > to modify it. Many of the policies within the group policy "computes"
    > section are empty however.
    >
    > I've seen posts about directly modifying gpt.ini within the problem
    > policy, but I don't trust that. Especially after seeing what that
    > file contains.
    >
    > more relevant info: every 5 minutes userenv logs 1030 and 1058
    > errors started while I was making changes to GP policies for IE
    > browser interface, GP refresh interval, and screen saver times to
    > require user to reenter password to use client.
    >
    > I think if I can create a new, clean default group policy, it will
    > fix the problem, but I'm not sure how to do it, or even if it will
    > work.
    > David
    >


    David,


    GPOs rely on AD fully functioning. AD relies on DNS fully functioning and
    configured properly. Therefore, I usually look at the basics to make sure
    they are operational and configured properly before I ever attempt to alter
    any sort of permissions and/or registry entries.

    That said, here's some more info from a previous post I made for someone else
    that was GPO and other AD related issues:
    ----------------------------------
    AD & DNS basic rules of engagement:
    If you have your ISP's DNS addresses in your IP configuration (DCs and
    clients), they need to be REMOVED. This is what is
    causing the whole problem.

    Just a little background: AD uses DNS. DNS stores AD's resource and service
    locations in the form of SRV records, hence how everything that is part of
    the domain will find resources in the domain. If the ISP's DNS is configured
    in any of the internal AD member machines' IP properties, (including all
    client machines and DCs), the machines will be asking the ISP's DNS "where
    is the domain controller for my domain?", whenever it needs to perform a
    function, (such as a logon request, replication request, querying and
    applying GPOs, etc). Unfortunately, the ISP's DNS does not have that info
    and they reply with an "I dunno know", and things just fail.

    So you cannot use your ISP's DNS addresses anymore in your client or any
    other machines. You cannot use your router as a DNS or DHCP server either.
    If you are using your NT4 as a DNS server, that all needs to be changed over
    to Win2003 DNS. Same with DHCP. NT4 DNS cannot support AD's SRV requirements
    and dynamic updates.

    If your current scenario is using your NT4 DNS, your ISP's DNS or your
    router's DNS, it is strongly suggested and recommended to only use the
    internal DNS servers on the network that is hosting the AD zone name. This
    applies to all machines, (DCs and clients). Believe me, Internet resolution
    will still work with the use of the Root hints (as long as the root zone
    doesn't exist).

    However, for more efficient Internet resolution, it's HIGHLY recommended to
    configure a forwarder. If the forwarding option is grayed out, delete the
    Root zone (looks like a period). If not sure how to perform these two tasks,
    please follow one of the two articles listed below, depending on your
    operating system. They show a step by step on how to perform these tasks:

    323380 - HOW TO Configure DNS for Internet Access in Windows Server 2003 :
    http://support.microsoft.com/?id=323380

    300202 - HOW TO Configure DNS for Internet Access in Windows Server 2000 :
    http://support.microsoft.com/?id=300202

    291382 - Frequently asked questions about Windows 2000 DNS and Windows
    Server 2003 DNS
    http://support.microsoft.com/default.aspx?scid=kb;en-us;291382

    ---------------------------------


    If you feel this wasn't helpful, I think it's time to ask for more specific
    configuration information, such as:

    1. ipconfig /all from a client and from your DC(s)
    2. The DNS domain name of AD (found in ADUC)
    3. The zonename in your Forward Lookup Zones in DNS
    4. If updates are set to allow under zone properties
    5. If this machine has more than one NIC (multihomed)
    6. Do you have a firewall? If so, what brand?
    7. Is/are forwarder(s) configured?
    8. Do the SRV records exist under your zone name?
    9. Event ID errors?

    Thanks

    Ace