| Author |
Topic  |
|
zavigil
Welcome Newcomer
4 Posts
Status: offline |
Posted - 01/25/2010 : 2:02:25 PM
|
Ok, update on my issue with this problem… let me see if I can make this as clear as mud... After finding out that there were remnants of the old IP scheme (The Company moved from a 192.168.x.x to a 10.x.x.x prior to my arrival) still in existence in my current DNS records I had to do some spring cleaning so-to-speak. Removed all of the old records, re-registered my domain server's DNS records (which caused havoc as stated in my first post with my users connecting to the \\servername\sharename) and rebooted my domain server on Friday night.
After that server came back up I tested my XP machine to see if I could read inside of my sysvol and voilà… IT WORKED! I can see and read inside of my sysvol folder and my netlogon folder as it should be both via the \\domainname\sysvol and \\servername\sysvol... I was getting my Group policies applied and drive mappings!!! Because it was late on Friday night I tested it on Saturday morning again to ensure I wasn’t dreaming. And to my surprise I wasn’t in Kansas anymore Toto, it actually worked. So I think I am golden, my weekend wasn’t going to be as long as I thought it was going to be and my users would be able to login, get their scripts and GPO’s applied and have their drive mappings…
Well as it goes, I come into the office on Monday and I have the same problem as I did in my first post. My XP users can’t get their mapped drives and we can’t see inside of the sysvol or netlogon shares. So what has changed between Friday night and now…? Heck if I know…
So as per Mark’s troubleshooting steps (BTW, thanks for replying Mark) I pinged the server (My DC) and I get back a different IP address (well not really, it is the NIC that is configured as the RAS, but it answers to the DNS queries for the DC's server name) and not the actual server's IP configured to the NIC. (Guys is this one of those DUH!!! Moments where I need to reconfigure the dual identity of my server??)
I typed net share and it gives me back my sysvol and netlogon shares, my file replication service is running, my drive space shows 8+ gb free.
I ran dcdiag, I received mixed responses. I get a servername failed test NCSecDesc. (Only because my forest isn’t configured for a RODC. Not too concerned with that error. Or should I be?)
Here is where it gets weird; I received failures with the netlogon test of the dcdiag and the services test (probably because of the netlogon service test failure.) So seeing this message I checked on my vista machine to see if I could read inside of my sysvol and I could without issues. So the next time I run the dcdiag I get everything passed except the NCSecDesc. So I check my XP machine to see if I could read inside my sysvol and still no dice. Then later on I get the netlogon failures again. Test it again and everything passes.
Dcdiag /test:dns and I get back warnings that my AAAA record for the DC was not found. I’m not running IPv6, so I hope that this missing AAAA record for my DC isn’t causing this issue…
Any other trees I need to bark-up… Not having fun with this anymore… starting to feel like I’m in way over my head. Again all help is much appreciated. |
 |
|
|
zavigil
Welcome Newcomer
4 Posts
Status: offline |
Posted - 01/25/2010 : 5:23:57 PM
|
Ok, update to my update… I went into my DNS manager and disabled the configuration on my DNS for the RAS server’s IP address. Registered and Flushed the DNS and tried to access my sysvol folder along with my \\servername\share from my XP machine and BAMM! I am in like Flynn!
So I go to some of my users who were experiencing this issue and after doing a quick flush of the DNS, they too were cooking with Crisco!
Now, I have to figure out how much damage I created for my remote users by turning off this DNS setting. Anyone wanna place any bets? Hehehe! |
 |
|
|
wkasdo
Administrator
    
Netherlands
7405 Posts
Status: offline |
Posted - 01/26/2010 : 02:17:28 AM
|
| Multihomed DNS servers are always a lot of fun. |
Make it as simple as you can, but not simpler -- Albert Einstein |
 |
|
|
jbrabham
Welcome Newcomer
USA
2 Posts
Status: offline |
Posted - 02/28/2010 : 2:36:30 PM
|
Hi everybody,
I've been pulling my hair out on this issue for a while and I've tried some crazy things and every time I think I may have solved it, I sit there restarting a computer time and time again and then finally, I get the 1030 and 1058 errors again.
First, the problem: Sporadically, but often enough to cause problems, you log on to the computer and it doesn't load computer policies. In the event log you get error 1030 and 1058 which says that it cannot access gpt.ini for a given policy because the user has not been granted the requested logon type at this computer. However, in that session, I can access that folder while going out to all our DCs.
Secondly, our network: Domain has been upgraded to Server 2008 R2 level which means all our DCs are running Server 2008 R2 (The problems started though when we were running just 2008 functional level). We have 3 domains, an empty root level, and 2 user domains. However, the errors occur using our primary domain (which contains the user account I'm using, the computer I'm using and all the policies) or using an account that resides on the student domain. 95% of our clients are Windows XP with SP2 / SP3 (the test machine I'm using is SP3).
Any help would be greatly appreciated. |
 |
|
|
Mark Minasi
Chief cook and bottle washer
    
USA
10658 Posts
Status: offline |
Posted - 03/01/2010 : 08:40:36 AM
|
Hey Jonathan --
For a 1030/1058 I find the dfsutil command (it's in the thread, sorry I don't recall the syntax) usually does the job. If it does NOT, then it's typically a DNS trouble.
As to your second point... HMMMM.
When you went to 2008 DFL, did you run dfsmig? Or are you still running FRS on your SYSVOL? (An answer of "did I run WHAT and am I still running WHAT?" is a perfectly valid answer.<g>)
Sysvol replication problems are unusual but not unheard-of and would DEFINITELY be a possible source of 1030/1058 problems. |
Mark tweetin' at mminasi |
 |
|
|
jbrabham
Welcome Newcomer
USA
2 Posts
Status: offline |
Posted - 03/02/2010 : 12:37:43 AM
|
We're still running FRS; however, we're actually planning on converting to DFS-R this upcoming weekend, in hopes that it helps. I had high hopes for that but I've been testing this weekend using the GPExpert kit and what I'm getting from that is that it is not a sysvol issue. Primarily, when using the up-to-dateness test, it shows the registry value being older than the DC and PDC values on a handful of policies but nothing different beyond that. On a side note, even when I disable all the policies that are throwing flags, I'll still eventually get the 1030/1058 errors.
I have not run dfsutil, I'll have to try that.
As for it being a DNS issue, are there any specific logs I could post that might be helpful for you to look at? The 3 of us involved in this have looked over DNS again and again and can't find anything that we think could cause this. We've run DCDiag and had it show a few things but again, nothing that seemed to link it to this issue.
|
 |
|
|
Mark Minasi
Chief cook and bottle washer
    
USA
10658 Posts
Status: offline |
Posted - 03/02/2010 : 09:30:17 AM
|
DNS: just the basics:
- is there even the slightest chance that the client's pointed to an external DNS server?
- is there a GUID CNAME record in the root of _msdcs for all DCs?
- are there SRV records for each DC in their site folder?
That sort of thing. You can download dnslint from microsoft.com/downloads and use the /s switch to check it out.
I haven't played with Darren's GPExpert tool but if it says it can't be Sysvol then it's almost certainly right. |
Mark tweetin' at mminasi |
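
Added example (not part of any post in this thread): a PowerShell pass over the DNS basics listed above, plus the stray address answering for the domain name that came up earlier in the thread. It assumes a domain-joined machine with the ActiveDirectory RSAT module and the DnsClient cmdlets (Windows 8 / Server 2012 or later), and that DNS runs on the DCs; `New-Finding` is a helper defined only for this example.

```powershell
# Added example: DNS sanity checks behind Userenv 1030/1058 errors.
# Assumptions: ActiveDirectory module available, DNS is hosted on the DCs.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
$forest = (Get-ADForest).RootDomain
$dcs    = @(Get-ADDomainController -Filter *)
$dcIPs  = $dcs | ForEach-Object { $_.IPv4Address }

# Hypothetical helper: one result row per check.
function New-Finding($Check, $Subject, $Ok, $Detail) {
    [pscustomobject]@{ Check = $Check; Subject = $Subject; OK = $Ok; Detail = $Detail }
}

$findings = @()

# 1. Is the client pointed at anything other than a DC for DNS?
$resolvers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    ForEach-Object { $_.ServerAddresses } | Sort-Object -Unique
foreach ($r in $resolvers) {
    $ok = ($dcIPs -contains $r) -or ($r -eq '127.0.0.1')
    $findings += New-Finding 'Client DNS server' $r $ok 'expected the address of a DC'
}

# 2. Does the domain name itself resolve only to DC addresses?
#    A RAS or second NIC registered in DNS shows up here as an unexpected A record.
$aRecords = @(Resolve-DnsName -Name $domain -Type A -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'A' })
if ($aRecords.Count -eq 0) {
    $findings += New-Finding 'Domain A record' $domain $false 'no A record returned'
}
foreach ($rec in $aRecords) {
    $ok = $dcIPs -contains $rec.IPAddress
    $findings += New-Finding 'Domain A record' $rec.IPAddress $ok 'address should belong to a DC'
}

foreach ($dc in $dcs) {
    # 3. GUID CNAME in the root of _msdcs: <NTDS Settings objectGUID>._msdcs.<forest root>
    $guid  = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID).ObjectGUID
    $alias = "${guid}._msdcs.$forest"
    $cname = Resolve-DnsName -Name $alias -Type CNAME -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'CNAME' -and $_.NameHost -eq $dc.HostName }
    $findings += New-Finding 'GUID CNAME' $dc.HostName ([bool]$cname) $alias

    # 4. SRV record for the DC in its own site folder
    $srvName = "_ldap._tcp.$($dc.Site)._sites.dc._msdcs.$domain"
    $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' -and $_.NameTarget -eq $dc.HostName }
    $findings += New-Finding 'Site SRV record' $dc.HostName ([bool]$srv) $srvName
}

# Rows with OK = False are the ones to look at first.
$findings | Sort-Object OK, Check | Format-Table -AutoSize -Wrap
```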
 |
|
|
jjj0923
Welcome Newcomer
11 Posts
Status: offline |
Posted - 05/15/2010 : 08:06:48 AM
|
quote: Originally posted by jmrllc
I think Mark is saying go where you would typically administer your GPO (Group Policy Object). If the object is set up on a particular Group or OU, then for example go to Admin Tools then click on Active Directory Users and Computers and drill down to the group or OU in question. Right click on the Group or OU and select properties then proceed to the Group Policy tab. There you will find the individual GPOs (Group Policy Objects) linked to that particular object.
(How did I do Mark?)
I'm having this problem on my DC and when I go to the GPO there are no policies listed to even edit.
what now? |
Edited by - jjj0923 on 05/15/2010 08:07:36 AM |
 |
|
|
wkasdo
Administrator
    
Netherlands
7405 Posts
Status: offline |
Posted - 05/15/2010 : 11:19:41 AM
|
Do you mean that this particular OU has no GPO's? That's always possible of course.
Tell us a bit more. What are the exact errors you have, and what did you try already to resolve them? |
Make it as simple as you can, but not simpler -- Albert Einstein |
 |
|
|
jjj0923
Welcome Newcomer
11 Posts
Status: offline |
Posted - 05/15/2010 : 2:27:05 PM
|
quote: Originally posted by wkasdo
Do you mean that this particular OU has no GPO's? That's always possible of course.
Tell us a bit more. What are the exact errors you have, and what did you try already to resolve them?
I get Userenv errors, event IDs 1030 and 1058, every 5 minutes on my only DC.
The error text refers to not being able to read a gpt.ini file in Sysvol.
when I right click on the name of my domain in the Users and Computers snap-in and then select the group policy tab, I get:
Domain Controller not found for xxx.xxxxxx.com with three choices listed below:
* The one with the Operations Master token for the PDC Emulator
* The one used by the Active Directory Snap-ins
* Use any available Domain Controller
I've tried all three to no avail.
any ideas? |
 |
|
|
wkasdo
Administrator
    
Netherlands
7405 Posts
Status: offline |
Posted - 05/15/2010 : 3:37:54 PM
|
And this is done on a DC? Something is completely broken. Probably your DNS setup, but maybe something else as well. Are there other errors in the event log, such as the Directory Services log?
- check that it's pointing to itself for DNS
- run DCDIAG, check it for errors. On W2003: install support tools first.
|
Make it as simple as you can, but not simpler -- Albert Einstein |
 |
|
|
jjj0923
Welcome Newcomer
11 Posts
Status: offline |
Posted - 05/15/2010 : 4:25:04 PM
|
quote: Originally posted by wkasdo
And this is done on a DC? Something is completely broken. Probably your DNS setup, but maybe something else as well. Are there other errors in the event log, such as the Directory Services log?
- check that it's pointing to itself for DNS
- run DCDIAG, check it for errors. On W2003: install support tools first.
yes this is done on a DC. dns is working fine - tested it. no other errors in any of the log files including the dns log
dcdiag output: -----------------------------
quote:
Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DCUPGRADE1
      Starting test: Connectivity
         ......................... DCUPGRADE1 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DCUPGRADE1
      Starting test: Replications
         ......................... DCUPGRADE1 passed test Replications
      Starting test: NCSecDesc
         ......................... DCUPGRADE1 passed test NCSecDesc
      Starting test: NetLogons
         ......................... DCUPGRADE1 passed test NetLogons
      Starting test: Advertising
         ......................... DCUPGRADE1 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... DCUPGRADE1 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... DCUPGRADE1 passed test RidManager
      Starting test: MachineAccount
         ......................... DCUPGRADE1 passed test MachineAccount
      Starting test: Services
         ......................... DCUPGRADE1 passed test Services
      Starting test: ObjectsReplicated
         ......................... DCUPGRADE1 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... DCUPGRADE1 passed test frssysvol
      Starting test: frsevent
         ......................... DCUPGRADE1 passed test frsevent
      Starting test: kccevent
         ......................... DCUPGRADE1 passed test kccevent
      Starting test: systemlog
         ......................... DCUPGRADE1 passed test systemlog
      Starting test: VerifyReferences
         ......................... DCUPGRADE1 passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : themill
      Starting test: CrossRefValidation
         ......................... themill passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... themill passed test CheckSDRefDom

   Running enterprise tests on : themill.mydomain.com
      Starting test: Intersite
         ......................... themill.mydomain.com passed test Intersite
      Starting test: FsmoCheck
         ......................... themill.mydomain.com passed test FsmoCheck
|
 |
|
|
wkasdo
Administrator
    
Netherlands
7405 Posts
Status: offline |
Posted - 05/15/2010 : 5:27:05 PM
|
Well, this looks fine -- obviously. This is all on the same DC, right?
> Domain Controller not found for xxx.xxxxxx.com with three choices listed below:
This becomes hard to explain. It's a disastrous error which should have a really obvious explanation. I'd expect this error if I logged on using a local account (which is not possible on a DC), if DNS were messed up, or the AD really in deep trouble.
Darren, any ideas? |
Make it as simple as you can, but not simpler -- Albert Einstein |
 |
|
|
MRD001
Welcome Newcomer
1 Posts
Status: offline |
Posted - 07/27/2010 : 7:15:12 PM
|
It seems there are several potential solutions depending on the way the problem manifests itself. In my case, I was getting 1058 and 1030 errors on client PCs (XP Pro to a W2K8 Std Server). The event error noted the path that could not be found as \\domain_name.local\sysvol\... rather than \\server_name.domain_name.local\sysvol\... I entered a DNS entry mapping domain_name.local to the server IP and the problem went away.
I hope this helps.
Surge |
 |
|
|
jnokes
Welcome Newcomer
USA
1 Posts
Status: offline |
|
|
NickSec
Welcome Newcomer
Australia
3 Posts
Status: offline |
Posted - 03/30/2011 : 01:59:53 AM
|
Hey All, I have been having these same issues this week. Tried everything as far as I could tell with no luck. The last stage I got to this afternoon, with my login, I could get to the sysvol fine. With one of the logins that was failing, I could get to the server, but got a permission denied error when trying to access the sysvol. I then added éveryone' with permissions, and also restarted license logging. And was then able to access sysvol, though it appears as though the GPO still isn't applying policy, which makes me think I've just worked around getting access to the folder.
Thoughts? |
 |
|
|
wkasdo
Administrator
    
Netherlands
7405 Posts
Status: offline |
Posted - 03/30/2011 : 02:24:11 AM
|
Try resetting security through GPMC. Setting permissions on SYSVOL is only half the story. The other half is in the AD database.
> éveryone'
never heard of ;-)
The default is Authenticated User: Read & Apply Policy |
Make it as simple as you can, but not simpler -- Albert Einstein |
 |
|
|
NickSec
Welcome Newcomer
Australia
3 Posts
Status: offline |
Posted - 03/30/2011 : 6:06:11 PM
|
I just removed the auth users part from security filtering for the default policy. Should this suffice? (and yes I re-added auth users)
|
 |
|
|
NickSec
Welcome Newcomer
Australia
3 Posts
Status: offline |
Posted - 03/30/2011 : 6:40:47 PM
|
I have checked this by creating a new user and logging in. I logged in without any errors showing in event viewer, and can access the sysvol from this new user. However the policies aren't applying. So obviously what I did yesterday was just a workaround, and will allow existing users to log in. The real problem will come when I have to create a new user.
The GPO still looks to be linked to the OU, so I am starting to feel a little lost.
*CORRECTION* the default policy is applying, but the policies linked to the individual OU's aren't. i.e. for sales staff, technician staff... |
Edited by - NickSec on 03/30/2011 6:53:29 PM |
 |
|
|
wkasdo
Administrator
    
Netherlands
7405 Posts
Status: offline |
Posted - 03/31/2011 : 02:21:38 AM
|
| Ok. Could you please start a new thread for this? It looks like another type of problem. Looks like we ought to be able to sort this. |
Make it as simple as you can, but not simpler -- Albert Einstein |
 |
|
|
mtisdale
Welcome Newcomer
USA
1 Posts
Status: offline |
Posted - 04/28/2011 : 1:45:20 PM
|
I started encountering issues with computer accounts not being able to process the default domain policy with "Access Denied" errors a short time back. After checking many different avenues (including some found on this thread) we were still encountering the issue. We have not found the final resolution yet, but we have been able to isolate it to Riverbed WAN accelerators being in-line on WAN connection for sites experiencing the issue. I will do my best to post again when we have a final resolution. If anyone has seen this behavior with WAN accelerators before please post your comments.
Thank you |
Active Directory is the oxygen all other services need to survive |
 |
|
|
wkasdo
Administrator
    
Netherlands
7405 Posts
Status: offline |
Posted - 04/28/2011 : 2:54:17 PM
|
| Well, yes. That sounds familiar. I did one project with the Cisco version. We ended up excluding all DC's from the accelerators. There isn't much point anyway to caching DC traffic. |
Make it as simple as you can, but not simpler -- Albert Einstein |
 |
|
|
ShadowT
Welcome Newcomer
USA
8 Posts
Status: offline |
Posted - 08/16/2011 : 9:49:24 PM
|
I wanted to share our solution to the "Event ID: 1058" issue that started happening on a computer when attempting to refresh the machine group policy.
Description: Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=[DOMAIN],DC=[COM/ORG/LOCAL]. The file must be present at the location <\\domain\sysvol\[DOMAIN]\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>
The user policy would refresh fine, but the computer would fail reading the {31B2F...} policy, which is the Default Domain Policy. Other computers in the same OU were refreshing the computer policy fine so, though we checked the basic settings on the domain controllers (DFS, permissions, etc.), we figured it had something to do with the specific machine that was having issues and not the servers or AD. If we logged in to the computer with a domain account, we could open the gpt.ini fine from all DCs, so it was confusing as to why we couldn't get access.
It turns out that somehow a password to the domain share (e.g., \\DOMAIN.com) was saved in the credential manager. What gave it away was I noticed an odd Kerberos error in the event log as well. Unfortunately, the saved credentials weren't for any USER accounts on the machine, but for the SYSTEM account. Since you can't easily open the credential manager for a non-user account, we used the PsExec Windows Sysinternals (http://technet.microsoft.com/en-us/sysinternals/bb897553) to load the command prompt running in the SYSTEM context.
psexec -i -s -d cmd.exe
Then, we loaded the old password manager GUI that was still available using the Keymanager DLL.
rundll32 keymgr.dll,KRShowKeyMgr
In the list were saved credentials for the domain share, which failed and caused the issue of the machine policy not being able to be downloaded. Removing it solved our issues. Hope this helps someone in the future. |
 |
|
|
jonathan185
Welcome Newcomer
USA
10 Posts
Status: offline |
Posted - 01/22/2013 : 3:45:32 PM
|
Ok, so here goes. I'm not a replication genius by any means. We have about 10 DCs running 2003, all of them started throwing up sporadic 1058 1030 errors. I've read these forums up and down, here's what I've found.
- Sysvol permissions are set to everyone
- Some days the 1058/130 errors come up, some days they do not.
- I pinged domain name from DCs and they respond with correct IP. However, upon checking sysvol folders on different DCs, I noticed the GUIDs within the policies folder do not match.
- I believe all the DCs are using FRS, and I'm guessing it's a replication issue.
- I'm getting this error in Event Viewer FRS, "The File Replication Service is having trouble enabling replication from DC2 to DC1"
Here's my main question. Would it be difficult to upgrade from FRS to DFSR? |
 |
|
|
wkasdo
Administrator
    
Netherlands
7405 Posts
Status: offline |
Posted - 01/23/2013 : 04:46:32 AM
|
Welcome to the forum!
> Here's my main question. Would it be difficult to upgrade from FRS to DFSR?
In your case, it is. You need:
- All DC's to be 2008 or higher
- Domain level must be 2008
- FRS must be in working order.
We can help with troubleshooting FRS if you want. What troubleshooting have you done so far?
Please start a new thread for your issue, preferably in the AD forum.
|
Make it as simple as you can, but not simpler -- Albert Einstein |
 |
|
|
jonathan185
Welcome Newcomer
USA
10 Posts
Status: offline |
Posted - 01/24/2013 : 4:52:05 PM
|
| Thanks, I'll go ahead and start a new thread in the AD forum. |
 |
|
|
anthony
Moderator
    
USA
2373 Posts
Status: offline |
Posted - 02/06/2013 : 11:03:41 AM
|
I am seeing this issue as well - however, I think my situation is different. I am getting this in DCDIAG as well as the 1058 errors:
Windows attempted to read the file \\mydomain.local\SysVol\mydomain.local\Policies\{FB25751A-177F-46B4-9333-B9C4603ADE71}\gpt.ini from a domain controller and was not successful.
If I browse to \\mydomain.local\SysVol\mydomain.local\Policies, that folder for {FB2575.... is not even there...
The problem is, this could have been this way for quite some time - I'm not sure. We don't really use Group Policies too much because we use ScriptLogic for all that stuff.
It seems that a group policy may have been deleted? I don't know... clearly it's looking for something that is not there. How can I make it STOP looking for that policy? |
anthony
There should be only one World's Greatest Dad shirt. And you should have to kill the previous owner to wear it.
|
 |
|
|
wkasdo
Administrator
    
Netherlands
7405 Posts
Status: offline |
Posted - 02/06/2013 : 11:29:36 AM
|
You may want to check more than one DC for that folder. If you don't use policies much, FRS replication may be broken without you being aware of it!
If you are sure it's gone, one way to fix it goes like this:
- open Group Policy Management Console
- navigate to Group Policy Objects
- right-click this, backup all (just to be sure)
- check the details Tab for each policy, look for the field "Unique ID". Find the one that matches FB25...
- delete it.
|
Make it as simple as you can, but not simpler -- Albert Einstein |
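
Added example (not from the posters): a PowerShell comparison of the GPOs known to AD against the policy folders on every DC's SYSVOL. It covers both cases in this exchange, a GPO whose folder or gpt.ini is missing and folders that differ from DC to DC. It assumes the GroupPolicy and ActiveDirectory RSAT modules and PowerShell 3.0 or later, and it only reports; it deletes nothing.

```powershell
# Added example: find GPOs in AD with no SYSVOL template, and SYSVOL
# policy folders with no GPO in AD, checked per domain controller.
# Assumptions: GroupPolicy + ActiveDirectory modules, PowerShell 3.0+.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot

# GPOs as AD sees them, keyed the way SYSVOL names the folders: {GUID}
$adGpos = @{}
Get-GPO -All | ForEach-Object {
    $adGpos['{' + $_.Id.ToString().ToUpper() + '}'] = $_.DisplayName
}

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    # Address each DC by its own name so DFS/DNS referrals do not hide a bad replica.
    $path = "\\$($dc.HostName)\SYSVOL\$domain\Policies"

    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ DC = $dc.HostName; Gpo = '-'; Name = '-'
                           Problem = 'Policies folder not reachable on this DC' }
        continue
    }

    # Only folders that look like {GUID}; skips PolicyDefinitions and similar.
    $folders = @(Get-ChildItem -LiteralPath $path -Directory |
        Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        ForEach-Object { $_.Name.ToUpper() })

    foreach ($id in $adGpos.Keys) {
        if ($folders -notcontains $id) {
            # The situation in the post above: AD lists the GPO, the folder is gone.
            [pscustomobject]@{ DC = $dc.HostName; Gpo = $id; Name = $adGpos[$id]
                               Problem = 'GPO in AD, folder missing in SYSVOL' }
        }
        elseif (-not (Test-Path -LiteralPath "$path\$id\gpt.ini")) {
            [pscustomobject]@{ DC = $dc.HostName; Gpo = $id; Name = $adGpos[$id]
                               Problem = 'Folder present, gpt.ini missing' }
        }
    }

    foreach ($f in $folders) {
        if (-not $adGpos.ContainsKey($f)) {
            [pscustomobject]@{ DC = $dc.HostName; Gpo = $f; Name = '(unknown)'
                               Problem = 'Folder in SYSVOL, no GPO in AD' }
        }
    }
}

if ($report) {
    $report | Sort-Object Gpo, DC | Format-Table -AutoSize -Wrap
} else {
    'AD and SYSVOL agree on every DC.'
}
```

A GPO reported as missing on only some DCs points at SYSVOL replication rather than at a deleted policy, so check that before deleting anything in GPMC.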
 |
|
|
anthony
Moderator
    
USA
2373 Posts
Status: offline |
Posted - 02/06/2013 : 3:55:35 PM
|
Well it was on one of the servers' SYSVOL. I started down the road of troubleshooting FRS but damn..... it's a lot. I just don't have it in me today. I followed your directions and found the GP that coincided with that folder. It was something that only had one setting in it that we don't even use. So I deleted it. No more events in the log...
I'm going to look at FRS later this week... |
 |
|
|
anthony
Moderator
    
USA
2373 Posts
Status: offline |
Posted - 02/07/2013 : 10:21:04 AM
|
So I got FRS working today as well. Thanks for the help!
Narrowed it down to this event: Event ID: 13568 Source: NtFrs
This is what solved my particular issue which I found on EventID.net:
Performing the steps below solved my problem:
1. Expand "HKLM\System\CurrentControlSet\Services\NtFrs\Parameters"
2. Change value for "Enable Journal Wrap Automatic Restore" from 0 to 1. If the DWORD Value does not exist, create a new one with the exact spelling as above, including spaces but without the quotes.
3. Stop the NTFRS Service (open a command prompt and type "net stop ntfrs")
4. Start the NTFRS Service (net start ntfrs)
5. Monitor the File Replication Service Event Logs for events:
   • 13553 – The DC is performing the recovery process
   • 13554 – The DC is ready to pull the replica from another DC.
   • 13516 - At this point go to step 6. (the problem is resolved if you receive this event)
6. Using a command prompt type: "net share" and look for the Netlogon and Sysvol Shares to appear. The Journal Wrap error is only fixed after the Domain Controller receives the new SYSVOL replica from a peer Domain Controller. This may take a period of time depending on where your peer DC is located and on bandwidth.
7. Change value for "Enable Journal Wrap Automatic Restore" from 1 to 0. |
Edited by - anthony on 02/07/2013 10:23:04 AM |
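
Added example (not from the poster or from EventID.net): the seven steps above as one PowerShell script that sets the value, restarts the service, waits for event 13516 and only then sets the value back. It assumes an elevated prompt on the affected DC and PowerShell 2.0 or later; the two-hour timeout and 30-second poll interval are arbitrary choices for this example.

```powershell
# Added example: FRS journal wrap (event 13568) recovery, following the
# numbered steps in the post above. Run elevated on the affected DC.
$key            = 'HKLM:\System\CurrentControlSet\Services\NtFrs\Parameters'
$name           = 'Enable Journal Wrap Automatic Restore'
$timeoutMinutes = 120      # assumption: depends on SYSVOL size and link speed
$watch          = 13553, 13554, 13516

# Steps 1-2: create the DWORD if needed and set it to 1.
New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null

# Steps 3-4: stop and start the File Replication Service.
$started = Get-Date
Restart-Service -Name NtFrs

# Step 5: poll the FRS event log until 13516 appears or the timeout is hit.
$seen     = @{}
$deadline = $started.AddMinutes($timeoutMinutes)
while (-not $seen.ContainsKey(13516) -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 30
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'File Replication Service'
        Id        = $watch
        StartTime = $started
    } -ErrorAction SilentlyContinue
    foreach ($e in ($events | Sort-Object TimeCreated)) {
        if (-not $seen.ContainsKey($e.Id)) {
            $seen[$e.Id] = $e.TimeCreated
            Write-Host ("{0:HH:mm:ss}  event {1} logged" -f $e.TimeCreated, $e.Id)
        }
    }
}

if (-not $seen.ContainsKey(13516)) {
    Write-Warning "No 13516 after $timeoutMinutes minutes; '$name' is still 1. Check the FRS log and the peer DC."
    return
}

# Step 6: both shares must be back before the DC is usable for policy.
$shares = @((net share) -match '^(SYSVOL|NETLOGON)\s')
if ($shares.Count -lt 2) {
    Write-Warning 'Event 13516 logged but SYSVOL/NETLOGON are not both shared yet.'
    return
}

# Step 7: put the value back to 0.
Set-ItemProperty -Path $key -Name $name -Value 0
Write-Host 'SYSVOL and NETLOGON are shared; automatic restore switched off again.'
```

As the post says, the DC rebuilds its SYSVOL from a peer, so this only helps when another DC holds a good copy.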
 |
|