GPupdate Failing on Member Servers

    Question

  • I have DC Windows 2008 Enterprise and I have member servers as 2003 as ISA server, also 2008 Standard as AV server and 2008 Enterprise.

    Currently GPupdate /Force command is giving error as below on all the member servers.

    I have also checked that the below path, i.e. till *.gpt.ini, is accessible from the 2008 member server but not from the 2003 member server.

    C:\>gpupdate /force
    Updating Policy...

    User Policy update has completed successfully.
    Computer policy could not be updated successfully. The following errors were encountered:

    The processing of Group Policy failed. Windows attempted to read the file \\DomainName.local\sysvol\DomainName.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
    a) Name Resolution/Network Connectivity to the current domain controller.
    b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
    c) The Distributed File System (DFS) client has been disabled.

    To diagnose the failure, review the event log or invoke gpmc.msc to access information about Group Policy results.

    -------------------------

    But I can access the below path from the Run command on the 2003 member server when I enter the complete name as \\DCName.DomainName.local\SYSVOL\aoacrs.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI

    But from 2003, when I access \\DomainName.local from the Run command, I can see the NETLOGON & SYSVOL folders but I can't click on them, as it gives the error "\\DomainName.local\Sysvol  is not accessible. You might not have permission to use this network resource"

    Don't know, but previously Group Policy was working fine on the 2003 member server, but on the 2008 member it has not been working for a long time.

    ---------------------------

    Also NSLookup is working fine on the 2008 member; it is pointing to the DC properly with IP address.

    DCDiag on 2003 Member server is only giving error as below

          Starting test: frssysvol
             ......................... DCName failed test frssysvol

    DcDiag on 2008 Member server is only giving error as below

    Starting test: SysVolCheck
       ......................... DCName failed test SysVolCheck

    -------------------------------

    C:\>ipconfig /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : 2008MemberServer
       Primary Dns Suffix  . . . . . . . : DomainName.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : DomainName.local

    Ethernet adapter EPharm_AV_3682:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : BASP Virtual Adapter
       Physical Address. . . . . . . . . : 00-14-5E-3E-9E-67
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 10.240.6.196(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.240
       Default Gateway . . . . . . . . . : 10.240.6.193
       DNS Servers . . . . . . . . . . . : 10.240.18.229
                                           10.240.18.226
                                           10.240.18.228
                                           194.72.7.142
                                           194.72.7.137
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Ethernet adapter EPharm_AV_925:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : BASP Virtual Adapter #2
       Physical Address. . . . . . . . . : 00-14-5E-3E-9E-67
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 10.247.15.100(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.240
       Default Gateway . . . . . . . . . :
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Ethernet adapter EPharm_AV_3989:

       Connection-specific DNS Suffix  . : DomainName.local
       Description . . . . . . . . . . . : BASP Virtual Adapter #3
       Physical Address. . . . . . . . . : 00-14-5E-3E-9E-67
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 10.240.18.237(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.240
       Default Gateway . . . . . . . . . :
       DNS Servers . . . . . . . . . . . : 10.240.18.229
                                           10.240.18.230
                                           194.72.7.137
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter Local Area Connection* 8:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : isatap.{247E9943-3A7F-4C76-9B9B-CAD8B7E09A9C}
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 12:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : isatap.{E84FD664-D357-4FA0-B7A7-7AFF627B3190}
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 13:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : isatap.DomainName.local
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    ---------------------------------------------------------

    GP log errors are recorded as below

    GetDCNameFromGPTPath: NetDfsGetClientInfo() failed with error=0xa66 for GPT Path=\\DomainName.local\sysvol\DomainName.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini

    GPSVC(3f4.87c) 11:44:59:933 ProcessGPO:  Couldn't find the group policy template file <\\DmainName.local\sysvol\DomainName.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini >, error = 0x5. DC: <null>
    GPSVC(3f4.87c) 11:44:59:933 ProcessGPO:  ==============================
    GPSVC(3f4.87c) 11:44:59:948 EvalList:  ProcessGPO failed
    GPSVC(3f4.87c) 11:44:59:948 GetGPOInfo:  EvaluateDeferredGPOs failed. Exiting
    GPSVC(3f4.87c) 11:44:59:948 GetGPOInfo:  Leaving with 0
    GPSVC(3f4.87c) 11:44:59:948 GetGPOInfo:  ********************************
    GPSVC(3f4.87c) 11:44:59:948 ProcessGPOs: GetGPOInfo failed.
    GPSVC(3f4.87c) 11:44:59:948 ProcessGPOs: No WMI logging done in this policy cycle.
    GPSVC(3f4.87c) 11:44:59:964 ProcessGPOs: Processing failed with error 5.

     

    PLEASE HELP ME TO GET RID OF THIS ISSUE.

    Tuesday, July 30, 2013 12:40 PM

Answers

  • Hey, it's a huge success for me. Finally I have found the solution.

    After referring to lots of articles and lots of research, it was just a small problem.

    I have opened ADSIEDIT.msc and done as below.

    1- Expand the first folder (domain)
    2- And the next one, go to CN=SYSTEM, expand it
    3- Go to CN=Policies, expand it
    4- Right click each folder of the policies, click Properties and search for gPCFileSysPath, press Edit and add the server name before the domain name. Done it for the remaining policies folders.

    For example as \\DCName.DomainName.local\sysvol\DomainName.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}

    And I logged off and logged in on one of the member servers and found that the issue has been resolved without rebooting any of the servers.

    • Marked as answer by samsk Thursday, August 01, 2013 3:33 PM
    Thursday, August 01, 2013 3:33 PM
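
An added example, not part of the original thread: a PowerShell audit that lists each GPO's gPCFileSysPath and classifies it as the domain-based path, a path pinned to one server as in the answer above, or a path that needs review. The function names `Get-GpcPathKind` and `Get-GpoSysvolPath` are hypothetical, and the live query assumes a domain-joined machine with read access to CN=Policies,CN=System.

```powershell
# Added example: audit gPCFileSysPath on every GPO (ADSI only, PowerShell 2.0+).
# Function names are hypothetical; sample paths reuse the thread's placeholders.

function Get-GpcPathKind {
    param([string]$Path, [string]$DomainDns)
    # Expected shape: \\<host>\sysvol\<domain>\Policies\{GUID}
    $shape = '^\\\\([^\\]+)\\sysvol\\[^\\]+\\Policies\\\{[0-9A-Fa-f-]{36}\}\\?$'
    if (-not ($Path -match $shape)) { return 'Malformed' }
    $pathHost = $Matches[1]
    if ($pathHost -ieq $DomainDns)       { return 'DomainDfs' }       # DFS referral picks a DC
    if ($pathHost -ilike "*.$DomainDns") { return 'PinnedToServer' }  # always the same server
    return 'OutsideDomain'                                            # host not in this domain
}

function Get-GpoSysvolPath {
    # Read the domain DN from RootDSE and derive the DNS name from it
    $domainDn  = "$(([adsi]'LDAP://RootDSE').defaultNamingContext)"
    $domainDns = $domainDn -replace '^DC=', '' -replace ',DC=', '.'

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [adsi]"LDAP://CN=Policies,CN=System,$domainDn"
    $searcher.Filter     = '(objectClass=groupPolicyContainer)'
    $searcher.PageSize   = 500
    foreach ($p in 'displayName', 'gPCFileSysPath') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }
    foreach ($r in $searcher.FindAll()) {
        $path = "$($r.Properties['gpcfilesyspath'])"
        New-Object PSObject -Property @{
            Name = "$($r.Properties['displayname'])"
            Path = $path
            Kind = Get-GpcPathKind $path $domainDns
        }
    }
}

# Offline check of the classifier with the two path forms shown in the thread
$samples = @(
    '\\DomainName.local\sysvol\DomainName.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}',
    '\\DCName.DomainName.local\sysvol\DomainName.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}'
)
$samples | ForEach-Object { '{0,-15} {1}' -f (Get-GpcPathKind $_ 'DomainName.local'), $_ }

# Live audit (run on a domain-joined machine):
# Get-GpoSysvolPath | Sort-Object Kind | Format-Table Kind, Name, Path -AutoSize
```

Saving the live output before and after a manual ADSI edit gives a record of which GPOs were changed and what value to restore.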

All replies

  • Let me start off with something real simple. If the GPO is something you created then can you delete it and recreate it as it may just be a corrupt GPO? If the GPO is system generated then please do not delete it as it will cause more issues (Never delete "Root Domain Policy"). Can you access other GPOs without any issues?

    This article explains how to resolve the GPO GUID to the normal name if you do not know it. http://support.microsoft.com/kb/216359.


    Thank you,

    Tuesday, July 30, 2013 1:11 PM
  • Actually I am editing the default domain policy under computer configuration --> windows settings --> security settings --> local policies --> security options --> interactive logon (message title for users attempting to logon) --> I am trying to change this message but it is not reflecting on member servers.

    I have done gpupdate /force on the member server, then logoff and login, but I don't get the Security Message during startup.

    It means that gpupdate computer policy is not applying on server.

    Tuesday, July 30, 2013 1:38 PM
  • If you run the GPResults command do you see any errors? http://technet.microsoft.com/en-us/library/cc733160(v=WS.10).aspx

    If you run your username and the member server through Group Policy Modeling do you get any errors? http://technet.microsoft.com/en-us/library/cc781242(v=WS.10).aspx


    Thank you,

    Tuesday, July 30, 2013 1:51 PM
  • No, I don't get any error when I execute gpresult with options as /r /v

    I have also checked group policy modeling, here also all seems to be fine.

    Only when I do Dcdiag /s:DCName on the member server, all is showing passed except the one below.

    Starting test: SysVolCheck

    ............................................... DCName failed test SysVolCheck

    Tuesday, July 30, 2013 2:29 PM
  • Please help still not able to diagnose the exact cause
    Tuesday, July 30, 2013 3:35 PM
  • If this is an ISA server and you have it set to deny everything except what you told it to allow, is it possible that you are preventing the GPO updates via the rules?

    Thank you,

    Tuesday, July 30, 2013 3:57 PM
  • I've always found that editing the default domain policy causes more problems.

    Perhaps it might be better to create a new GPO and apply the above settings.

    Also when you promoted your 2008 Server to a DC did you set it up to work in Windows 2003 Server compatibility mode?

    Tuesday, July 30, 2013 4:23 PM
  • Here is an article discussing the steps you may need if you think the ISA is blocking communications. http://blog.msfirewall.org.uk/2009/02/resource-guide-for-microsoft-active.html

    Thank you,

    Tuesday, July 30, 2013 11:19 PM
  • Hi samsk,

    According to my research, your issue occurs because the computers that are on your network cannot connect to certain Group Policy objects that reside in the Sysvol folders on your network's domain controllers.

    As you already know, the causes of this problem could be from several aspects. So, to resolve this issue smoothly, let’s try the following steps to check where exactly the problem originates:

    1. Examine the DNS settings and network properties on the servers and client computers.
    2. Examine the Server Message Block signing settings on the member servers and client computers.
    3. Make sure that the TCP/IP NetBIOS Helper service is started on all computers.
    4. Make sure that Distributed File System (DFS) is enabled on all computers.
    5. Examine the contents and the permissions of the Sysvol folder.
    6. Make sure that the Bypass traverse checking right is granted to the required groups.
    7. Make sure that the domain controllers are not in a journal wrap state.
    8. Run the Dfsutil /PurgeMupCache command to flush the local DFS/MUP cached information.

    To see more specific procedures, please view the following KB link:

    Userenv errors occur and events are logged after you apply Group Policy to computers that are running Windows Server 2003, Windows XP, or Windows 2000

    http://support.microsoft.com/kb/887303

    Here is more related information that may be useful for you:

    GPupdate fails with errors on Windows 2008 Servers

    http://social.technet.microsoft.com/Forums/windowsserver/en-US/bdfcaa8b-3f39-442a-b8d8-3558f6626c0e/gpupdate-fails-with-errors-on-windows-2008-servers

    sysvol not accessible

    http://social.technet.microsoft.com/Forums/windowsserver/en-US/d4b30503-9813-48f8-858d-4946c1cfa94d/sysvol-not-accessible

    Event ID 1058 — Group Policy Preprocessing (Networking)

    http://technet.microsoft.com/en-us/library/cc727259%28WS.10%29.aspx

    Please let me know if those methods still couldn’t fix your problem.

    I hope this helps.

    Best Regards,

    Amy Wang

    Wednesday, July 31, 2013 8:01 AM
  • I have checked and everything is fine on DC and also on member server.

    I have created a new GPO on the DC and edited user configuration and then logged in to one of the member servers and it was working as expected.

    Then I edited computer configuration in the above GPO and logged off and logged in to the member server, also done gpupdate /force, but the policy was not applied and gpupdate gives an error for Computer Policy, the same error that I posted at the start of this thread.

    Also when i open RSOP, under Computer Configuration there is Red Cross mark in all the Member servers.

     

    Don't know why only User Configuration policies work but not Computer Configuration policies.

     

    In the GPO log it gives error as

    Manual processing of policy failed for member server with error code 5

    The system calls to access specified file completed :- Event ID 7004, source :- Group Policy

    \\DomainName.local\SysVol\DomainName.local\Policies\{0B241D44-0F2E-497F-ACF5-FFBF2B2D9C8A}\gpt.ini

    The call failed after 78 milliseconds :- Event ID 7017, Source Group Policy

    Wednesday, July 31, 2013 12:53 PM
  • Hi samsk,

          The error code 5 means “Access is denied”. Therefore, the computer account does not have the appropriate permissions to access the specific path in your case.

          Please refer to the following link about this error code:

          Event ID 1058 — Group Policy Preprocessing (Networking)

          http://social.technet.microsoft.com/wiki/contents/articles/1456.event-id-1058-group-policy-preprocessing-networking.aspx

    I hope this helps.

    Best Regards,

    Amy Wang


    Thursday, August 01, 2013 9:19 AM
  • Glad it all worked out. Seems like it is a very odd problem.


    Thank you,

    Thursday, August 01, 2013 3:44 PM