Mark Minasi's Reader Forum
 Solving event ID 1058 and 1030 userenv errors

T O P I C    R E V I E W
Mark Minasi Posted - 10/15/2005 : 09:00:43 AM
Hi all --

I believe I've already ranted a bit about the x64 version of Server so I won't recapitulate it, but I ran into and solved a problem that may be of value to others.

Problem: Windows Server 2003, x64 standard edition gets a constant stream of Userenv errors, event IDs 1030 and 1058. The error text refers to not being able to read a gpt.ini file in Sysvol.

So it looks like a permission problem. I try to DIR the file via sysvol, and all's well. I check the NTFS, share and GPO permissions on the particular GPO, and they all look good.

There are a number of pages on the Internet about this -- the eventid.net writeup on 1058 is very good -- but none of it worked for me. So I figured, "configuration error on the permissions." I went to each GPO, brought up its Security settings, checked a box, un-checked the box, clicked Apply and moved on to the next one. In other words, I just forced the Security tab to re-write the ACL on the GPO.

Problem went away.

Hope it helps someone.
30   L A T E S T    R E P L I E S    (Newest First)
wkasdo Posted - 02/07/2013 : 11:19:27 AM
That's one way to fix it. Not one I've seen before, but it makes sense.

Keep an eye on that server. Journal wraps usually have a reason.

Thx for the update!
anthony Posted - 02/07/2013 : 10:21:04 AM
So I got FRS working today as well. Thanks for the help!

Narrowed it down to this event:
Event ID: 13568
Source: NtFrs

This is what solved my particular issue which I found on EventID.net:

Performing the steps below solved my problem:
1. Expand "HKLM\System\CurrentControlSet\Services\NtFrs\Parameters"
2. Change value for "Enable Journal Wrap Automatic Restore" from 0 to 1. If the DWORD Value does not exist, create a new one with the exact spelling as above, including spaces but without the quotes.
3. Stop the NTFRS Service (open a command prompt and type "net stop ntfrs")
4. Start the NTFRS Service (net start ntfrs)
5. Monitor the File Replication Service Event Logs for events:
• 13553 – The DC is performing the recovery process
• 13554 – The DC is ready to pull the replica from another DC.
• 13516 - At this point go to step 6. (the problem is resolved if you receive this event)
6. Using a command prompt type: "net share" and look for the Netlogon and Sysvol Shares to appear. The Journal Wrap error is only fixed after the Domain Controller receives the new SYSVOL replica from a peer Domain Controller. This may take a period of time depending on where your peer DC is located and on bandwidth.
7. Change value for "Enable Journal Wrap Automatic Restore" from 1 to 0.
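The seven steps quoted in the post above, written as one PowerShell script. This is an added example, not part of the original post or of the EventID.net write-up; the registry value, service name and event IDs are the ones the post lists, while the 120-minute timeout and 30-second poll interval are assumptions.

```powershell
# Added example: the seven quoted steps as one script. Run elevated on the affected DC.
$key     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
$name    = 'Enable Journal Wrap Automatic Restore'
$logName = 'File Replication Service'
$timeoutMinutes = 120   # assumption: size this to the link to the peer DC
$pollSeconds    = 30    # assumption

function Set-JournalWrapRestore([int]$Value) {
    # Steps 1, 2 and 7: create the DWORD if it does not exist, otherwise overwrite it.
    if (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue) {
        Set-ItemProperty -Path $key -Name $name -Value $Value
    } else {
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $Value | Out-Null
    }
}

$start = Get-Date
Set-JournalWrapRestore 1

# Steps 3 and 4: stop and start the File Replication Service.
Stop-Service -Name NtFrs
Start-Service -Name NtFrs

# Step 5: poll the FRS event log for 13553, 13554 and finally 13516.
$seen = @{}
$deadline = $start.AddMinutes($timeoutMinutes)
while (-not $seen[13516] -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds $pollSeconds
    Get-EventLog -LogName $logName -After $start -ErrorAction SilentlyContinue |
        Where-Object { 13553, 13554, 13516 -contains $_.EventID } |
        Sort-Object TimeGenerated |
        ForEach-Object {
            if (-not $seen[$_.EventID]) {
                $seen[$_.EventID] = $true
                Write-Host ('{0:u}  event {1} logged' -f $_.TimeGenerated, $_.EventID)
            }
        }
}

# Step 6: the equivalent of "net share", filtered to the two shares that matter.
$shares = @(Get-WmiObject -Class Win32_Share |
    Where-Object { 'NETLOGON', 'SYSVOL' -contains $_.Name } |
    ForEach-Object { $_.Name })

if ($seen[13516] -and $shares.Count -eq 2) {
    # Step 7: only after 13516 was logged and both shares are back.
    Set-JournalWrapRestore 0
    Write-Host 'SYSVOL and NETLOGON are shared; registry value reset to 0.'
} else {
    Write-Warning ("Not finished after $timeoutMinutes minutes (13516 seen: " +
        [bool]$seen[13516] + "; shares present: " + ($shares -join ', ') +
        "). '$name' is still 1; complete step 7 by hand once the replica arrives.")
}
```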
anthony Posted - 02/06/2013 : 3:55:35 PM
Well it was on one of the servers' SYSVOL. I started down the road of troubleshooting FRS but damn..... it's a lot. I just don't have it in me today. I followed your directions and found the GP that coincided with that folder. It was something that only had one setting in it that we don't even use. So I deleted it. No more events in the log...

I'm going to look at FRS later this week...
wkasdo Posted - 02/06/2013 : 11:29:36 AM
You may want to check more than one DC for that folder. If you don't use policies much, FRS replication may be broken without you being aware of it!

If you are sure it's gone, one way to fix it goes like this:
- open Group Policy Management Console
- navigate to Group Policy Objects
- right-click this, backup all (just to be sure)
- check the details Tab for each policy, look for the field "Unique ID". Find the one that matches FB25...
- delete it.
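A way to run both checks from the post above (the folder on more than one DC, and the GPO whose Unique ID matches) in one pass, as an added PowerShell example that is not part of the original post. It assumes the GroupPolicy module that ships with GPMC on Server 2008 R2 and later; the DC names are placeholders and the domain name is the one used in the thread.

```powershell
# Added example: compare the GPOs Active Directory knows about with the
# Policies folders each DC actually holds in SYSVOL.
Import-Module GroupPolicy

$domain = 'mydomain.local'     # domain name as written in the thread
$dcs    = 'DC1', 'DC2'         # assumption: placeholder DC names, list every DC

# GPOs in AD: "{GUID}" (upper case, with braces) -> display name.
$adGpos = @{}
Get-GPO -All -Domain $domain |
    ForEach-Object { $adGpos[$_.Id.ToString('B').ToUpper()] = $_.DisplayName }

function New-Finding($dc, $guid, $gpoName, $problem) {
    New-Object PSObject -Property @{ DC = $dc; Guid = $guid; Name = $gpoName; Problem = $problem }
}

$report = foreach ($dc in $dcs) {
    $path = "\\$dc\SYSVOL\$domain\Policies"
    try {
        $folders = @(Get-ChildItem -Path $path -ErrorAction Stop |
            Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
            ForEach-Object { $_.Name.ToUpper() })
    } catch {
        New-Finding $dc '' '' "cannot list ${path}: $($_.Exception.Message)"
        continue
    }

    # GPO exists in AD but this DC has no folder or no gpt.ini for it
    # (the situation that produces event 1058).
    foreach ($guid in $adGpos.Keys) {
        if ($folders -notcontains $guid) {
            New-Finding $dc $guid $adGpos[$guid] 'folder missing in SYSVOL'
        } elseif (-not (Test-Path -LiteralPath "$path\$guid\gpt.ini")) {
            New-Finding $dc $guid $adGpos[$guid] 'gpt.ini missing'
        }
    }

    # Folder exists on this DC but no GPO in AD carries that Unique ID.
    foreach ($guid in $folders) {
        if (-not $adGpos.ContainsKey($guid)) {
            New-Finding $dc $guid '' 'folder has no matching GPO in AD'
        }
    }
}

if ($report) {
    $report | Sort-Object Guid, DC | Format-Table DC, Guid, Name, Problem -AutoSize
} else {
    Write-Host 'AD and SYSVOL agree on every DC checked.'
}
```

A GUID reported as missing on some DCs but present on others points at replication; one missing everywhere is the case the post's delete-after-backup steps address.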
anthony Posted - 02/06/2013 : 11:03:41 AM
I am seeing this issue as well - however, I think my situation is different. I am getting this in DCDIAG as well as the 1058 errors:

Windows attempted to read the file \\mydomain.local\SysVol\mydomain.local\Policies\{FB25751A-177F-46B4-9333-B9C4603ADE71}\gpt.ini from a domain controller and was not successful.

If I browse to \\mydomain.local\SysVol\mydomain.local\Policies
That folder for {FB2575.... is not even there...

The problem is, this could have been this way for quite some time - I'm not sure. We don't really use Group Policies too much because we use ScriptLogic for all that stuff.

It seems that a group policy may have been deleted? I don't know... clearly it's looking for something that is not there. How can I make it STOP looking for that policy?
jonathan185 Posted - 01/24/2013 : 4:52:05 PM
Thanks, I'll go ahead and start a new thread in the AD forum.
wkasdo Posted - 01/23/2013 : 04:46:32 AM
Welcome to the forum!

> Here's my main question. Would it be difficult to upgrade from FRS to DFSR?

In your case, it is. You need:
- All DC's to be 2008 or higher
- Domain level must be 2008
- FRS must be in working order.

We can help with troubleshooting FRS if you want. What troubleshooting have you done so far?

Please start a new thread for your issue, preferably in the AD forum.
jonathan185 Posted - 01/22/2013 : 3:45:32 PM
Ok, so here goes. I'm not a replication genius by any means. We have about 10 DCs running 2003, all of them started throwing up sporadic 1058 1030 errors. I've read these forums up and down, here's what I've found.

-Sysvol permissions are set to everyone
-Some days the 1058/130 errors come up, some days they do not.
-I pinged domain name from DCs and they respond with correct IP. However, upon checking sysvol folders on different DCs, I noticed the GUIDs within the policies folder do not match.
-I believe all the DCs are using FRS, and I'm guessing it's a replication issue.
-I'm getting this error in Event Viewer FRS, "The File Replication Service is having trouble enabling replication from DC2 to DC1"

Here's my main question. Would it be difficult to upgrade from FRS to DFSR?
ShadowT Posted - 08/16/2011 : 9:49:24 PM
I wanted to share our solution to the "Event ID: 1058" issue that started happening on a computer when attempting to refresh the machine group policy.

Description: Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=[DOMAIN],DC=[COM/ORG/LOCAL]. The file must be present at the location <\\domain\sysvol\[DOMAIN]\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>

The user policy would refresh fine, but the computer would fail reading the {31B2F...} policy, which is the Default Domain Policy. Other computers in the same OU were refreshing the computer policy fine so, though we checked the basic settings on the domain controllers (DFS, permissions, etc.), we figured it had something to do with the specific machine that was having issues and not the servers or AD. If we logged in to the computer with a domain account, we could open the gpt.ini fine from all DCs, so it was confusing as to why we couldn't get access.

It turns out that somehow a password to the domain share (e.g., \\DOMAIN.com) was saved in the credential manager. What gave it away was I noticed an odd Kerberos error in the event log as well. Unfortunately, the saved credentials weren't for any USER accounts on the machine, but for the SYSTEM account. Since you can't easily open the credential manager for a non-user account, we used the PsExec Windows Sysinternals (http://technet.microsoft.com/en-us/sysinternals/bb897553) to load the command prompt running in the SYSTEM context.

psexec -i -s -d cmd.exe

Then, we loaded the old password manager GUI that was still available using the Keymanager DLL.

rundll32 keymgr.dll,KRShowKeyMgr

In the list was saved credentials for the domain share, which failed and caused the issue of the machine policy not being able to be downloaded. Removing it solved our issues. Hope this helps someone in the future.
wkasdo Posted - 04/28/2011 : 2:54:17 PM
Well, yes. That sounds familiar. I did one project with the Cisco version. We ended up excluding all DC's from the accelerators. There isn't much point anyway to caching DC traffic.
mtisdale Posted - 04/28/2011 : 1:45:20 PM
I started encountering issues with computer accounts not being able to process the default domain policy with "Access Denied" errors a short time back. After checking many different avenues (including some found on this thread) we were still encountering the issue. We have not found the final resolution yet, but we have been able to isolate it to Riverbed WAN accelerators being in-line on WAN connection for sites experiencing the issue. I will do my best to post again when we have a final resolution. If anyone has seen this behavior with WAN accelerators before please post your comments.

Thank you
wkasdo Posted - 03/31/2011 : 02:21:38 AM
Ok. Could you please start a new thread for this? It looks like another type of problem. Looks like we ought to be able to sort this.
NickSec Posted - 03/30/2011 : 6:40:47 PM
I have checked this by creating a new user and logging in. I logged in without any errors showing in event viewer, and can access the sysvol from this new user. However the policies aren't applying. So obviously what I did yesterday was just a workaround, and will allow existing users to log in. The real problem will come when I have to create a new user.

The GPO still looks to be linked to the OU, so I am starting to feel a little lost.

*CORRECTION* the default policy is applying, but the policies linked to the individual OUs aren't, i.e. for sales staff, technician staff...
NickSec Posted - 03/30/2011 : 6:06:11 PM
I just removed the auth users part from security filtering for the default policy. Should this suffice? (and yes I re-added auth users)

wkasdo Posted - 03/30/2011 : 02:24:11 AM
Try resetting security through GPMC. Setting permissions on SYSVOL is only half the story. The other half is in the AD database.

> 'everyone'

never heard of ;-)

The default is Authenticated User: Read & Apply Policy
NickSec Posted - 03/30/2011 : 01:59:53 AM
Hey All,
I have been having these same issues this week. Tried everything as far as I could tell with no luck.
The last stage I got to this afternoon, with my login, I could get to the sysvol fine.
With one of the logins that was failing, I could get to the server, but got a permission denied error when trying to access the sysvol.
I then added 'everyone' with permissions, and also restarted license logging. And was then able to access sysvol, though it appears as though the GPO still isn't applying policy, which makes me think I've just worked around getting access to the folder.

Thoughts?
jnokes Posted - 11/01/2010 : 12:40:13 PM
Hey guys,

I have a new twist on this 1058 error. I have a thread already going on technet: http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/8c744c80-be75-404b-b8b1-4a7700ea0f05

Any help would be greatly appreciated. Incidentally, I did try all of the recommendations here (I think I did, I have done so many I don't remember).

Thanks!!

Jerry Nokes
MRD001 Posted - 07/27/2010 : 7:15:12 PM
It seems there are several potential solutions depending on the way the problem manifests itself. In my case, I was getting 1058 and 1030 errors on client PCs (XP Pro to a W2K8 Std Server). The event error noted the path that could not be found as \\domain_name.local\sysvol\... rather than \\server_name.domain_name.local\sysvol\... I entered a DNS entry mapping domain_name.local to the server IP and the problem went away.

I hope this helps.

Surge
wkasdo Posted - 05/15/2010 : 5:27:05 PM
Well, this looks fine -- obviously. This is all on the same DC, right?

> Domain Controller not found for xxx.xxxxxx.com with three choices listed below:

This becomes hard to explain. It's a disastrous error which should have a really obvious explanation. I'd expect this error if I logged on using a local account (which is not possible on a DC), if DNS were messed up, or the AD really in deep trouble.

Darren, any ideas?
jjj0923 Posted - 05/15/2010 : 4:25:04 PM
quote:
Originally posted by wkasdo

And this is done on a DC? Something is completely broken. Probably your DNS setup, but maybe something else as well. Are there other errors in the event log, such as the Directory Services log?

- check that it's pointing to itself for DNS
- run DCDIAG, check it for errors. On W2003: install support tools first.




yes this is done on a DC.
dns is working fine - tested it.
no other errors in any of the log files including the dns log

dcdiag output:
-----------------------------

quote:


Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\DCUPGRADE1
Starting test: Connectivity
......................... DCUPGRADE1 passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\DCUPGRADE1
Starting test: Replications
......................... DCUPGRADE1 passed test Replications
Starting test: NCSecDesc
......................... DCUPGRADE1 passed test NCSecDesc
Starting test: NetLogons
......................... DCUPGRADE1 passed test NetLogons
Starting test: Advertising
......................... DCUPGRADE1 passed test Advertising
Starting test: KnowsOfRoleHolders
......................... DCUPGRADE1 passed test KnowsOfRoleHolders
Starting test: RidManager
......................... DCUPGRADE1 passed test RidManager
Starting test: MachineAccount
......................... DCUPGRADE1 passed test MachineAccount
Starting test: Services
......................... DCUPGRADE1 passed test Services
Starting test: ObjectsReplicated
......................... DCUPGRADE1 passed test ObjectsReplicated
Starting test: frssysvol
......................... DCUPGRADE1 passed test frssysvol
Starting test: frsevent
......................... DCUPGRADE1 passed test frsevent
Starting test: kccevent
......................... DCUPGRADE1 passed test kccevent
Starting test: systemlog
......................... DCUPGRADE1 passed test systemlog
Starting test: VerifyReferences
......................... DCUPGRADE1 passed test VerifyReferences

Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom

Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom

Running partition tests on : themill
Starting test: CrossRefValidation
......................... themill passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... themill passed test CheckSDRefDom

Running enterprise tests on : themill.mydomain.com
Starting test: Intersite
......................... themill.mydomain.com passed test Intersite
Starting test: FsmoCheck
......................... themill.mydomain.com passed test FsmoCheck


wkasdo Posted - 05/15/2010 : 3:37:54 PM
And this is done on a DC? Something is completely broken. Probably your DNS setup, but maybe something else as well. Are there other errors in the event log, such as the Directory Services log?

- check that it's pointing to itself for DNS
- run DCDIAG, check it for errors. On W2003: install support tools first.
jjj0923 Posted - 05/15/2010 : 2:27:05 PM
quote:
Originally posted by wkasdo

Do you mean that this particular OU has no GPO's? That's always possible of course.

Tell us a bit more. What are the exact errors you have, and what did you try already to resolve them?




I get Userenv errors, event IDs 1030 and 1058, every 5 minutes on my only DC.

The error text refers to not being able to read a gpt.ini file in Sysvol.


when I right click on the name of my domain in the Users and Computers snap-in and then select the group policy tab, I get:

Domain Controller not found for xxx.xxxxxx.com with three choices listed below:
* The one with the Operations Master token for the PDC Emulator
* The one used by the Active Directory Snap-ins
* Use any available Domain Controller

I've tried all three to no avail.

any ideas?
wkasdo Posted - 05/15/2010 : 11:19:41 AM
Do you mean that this particular OU has no GPO's? That's always possible of course.

Tell us a bit more. What are the exact errors you have, and what did you try already to resolve them?
jjj0923 Posted - 05/15/2010 : 08:06:48 AM
quote:
Originally posted by jmrllc

I think Mark is saying go where you would typically administer your GPO (Group Policy Object). If the object is set up on a particular Group or OU, then for example go to Admin Tools then click on Active Directory Users and Computers and drill down to the group or OU in question. Right click on the Group or OU and select properties then proceed to the Group Policy tab. There you will find the individual GPOs (Group Policy Objects) linked to that particular object.

(How did I do Mark?)



I'm having this problem on my DC and when I go to the GPO there are no policies listed to even edit.

what now?
Mark Minasi Posted - 03/02/2010 : 09:30:17 AM
DNS: just the basics:
- is there even the slightest chance that the client's pointed to an external DNS server?
- is there a GUID CNAME record in the root of _msdcs for all DCs?
- are there SRV records for each DC in their site folder?
That sort of thing. You can download dnslint from microsoft.com/downloads and use the /s switch to check it out.

I haven't played with Darren's GPExpert tool but if it says it can't be Sysvol then it's almost certainly right.
jbrabham Posted - 03/02/2010 : 12:37:43 AM
We're still running FRS; however, we're actually planning on converting to DFS-R this upcoming weekend, in hopes that it helps. I had high hopes for that but I've been testing this weekend using the GPExpert kit and what I'm getting from that is that it is not a sysvol issue. Primarily, when using the up-to-dateness test, it shows the registry value being older than the DC and PDC values on a handful of policies but nothing different beyond that. On a side note, even when I disable all the policies that are throwing flags, I'll still eventually get the 1030/1058 errors.

I have not run dfsutil, I'll have to try that.

As for it being a DNS issue, are there any specific logs I could post that might be helpful for you to look at? The 3 of us involved in this have looked over DNS again and again and can't find anything that we think could cause this. We've run DCDiag and had it show a few things but again, nothing that seemed to link it to this issue.
Mark Minasi Posted - 03/01/2010 : 08:40:36 AM
Hey Jonathan --

For a 1030/1058 I find the dfsutil command (it's in the thread, sorry I don't recall the syntax) usually does the job. If it does NOT, then it's typically a DNS trouble.

As to your second point... HMMMM.

When you went to 2008 DFL, did you run dfsmig? Or are you still running FRS on your SYSVOL? (An answer of "did I run WHAT and am I still running WHAT?" is a perfectly valid answer.<g>)

Sysvol replication problems are unusual but not unheard-of and would DEFINITELY be a possible source of 1030/1058 problems.
jbrabham Posted - 02/28/2010 : 2:36:30 PM
Hi everybody,

I've been pulling my hair out on this issue for a while and I've tried some crazy things and every time I think I may have solved it, I sit there restarting a computer time and time again and then finally, I get the 1030 and 1058 errors again.

First, the problem: Sporadically, but often enough to cause problems, you log on to the computer and it doesn't load computer policies. In the event log you get error 1030 and 1058 which says that it cannot access gpt.ini for a given policy because the user has not been granted the requested logon type at this computer. However, in that session, I can access that folder while going out to all our DCs.

Secondly, our network: Domain has been upgraded to Server 2008 R2 level which means all our DCs are running Server 2008 R2 (The problems started though when we were running just 2008 functional level). We have 3 domains, an empty root level, and 2 user domains. However, the errors occur using our primary domain (which contains the user account I'm using, the computer I'm using and all the policies) or using an account that resides on the student domain. 95% of our clients are Windows XP with SP2 / SP3 (the test machine I'm using is SP3).

Any help would be greatly appreciated.
wkasdo Posted - 01/26/2010 : 02:17:28 AM
Multihomed DNS servers are always a lot of fun.
zavigil Posted - 01/25/2010 : 5:23:57 PM
Ok, update to my update… I went into my DNS manager and disabled the configuration on my DNS for the RAS server’s IP address. Registered and Flushed the DNS and tried to access my sysvol folder along with my \\servername\share from my XP machine and BAMM! I am in like Flynn!

So I go to some of my users who were experiencing this issue and after doing a quick flush of the DNS, they too were cooking with Crisco!

Now, I have to figure out how much damage I created for my remote users by turning off this DNS setting. Anyone wanna place any bets? Hehehe!
