Cannot Activate Domain Group Policy
-
Thursday, September 09, 2010 9:32 AM
I have installed System Center Essentials 2010 on a hyper-v VM, everything went fine and there were no errors.
I am going through the initial configuration wizard and trying to create a domain-level Group Policy. I try to use the logged-in account, but it states that it does not have domain admin privileges; it does.
When I specify a different user account, I receive the error AD DS cannot be contacted, credentials do not have sufficient privileges in the domain or must have credentials to edit gpos. I have checked all these and none seem to apply.
I do receive a failure audit in the event log of my 2003 R2 domain controller that is below:
Service Ticket Request:
User Name: <User Account>@<domain>
User Domain: <Domain>
Service Name: <User Account>@<domain>
Service ID: -
Ticket Options: 0x40810000
Ticket Encryption Type: -
Client Address: <Server IP>
Failure Code: 0x1B
Logon GUID: -
Transited Services: -
We currently have a domain and forest functional level of 2003, but I have looked at the system requirements and it doesn't state that it has to be higher.
If anyone can shed any light on my issue, it would be greatly appreciated.
Garrath
All Replies
-
Thursday, September 09, 2010 1:14 PM
2003 functional level is fine. What AD groups is the user account you're using in?
Ok, so I changed my name...you can still call me Tom if you like. It's a...jump...to conclusions...mat.
-
Thursday, September 09, 2010 1:46 PM
I have tried multiple accounts that are in the Domain Admins and I have created/modified group policy objects with all of them.
-
Friday, September 10, 2010 9:58 AM
Moderator
Hello Garrath,
I would suggest the following thread:
Initial configuration

http://social.technet.microsoft.com/Forums/en-US/systemcenteressentials/thread/9ec628d0-47e5-43fc-9883-8e09703d78dd
It discussed the same issue. Please check to see if it helps.
Thanks,
Yog Li -- Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
-
Friday, September 10, 2010 4:02 PM
Hi,
I have tried everything in the thread provided, it also seems to be dead as it hasn't been updated in 8 months.
Following the last bit of advice in the thread I ran SCECertPolicyConfigUtil.exe /ManagementGroup <management group name> /SceServer <FQDN of SCE server> /PolicyType domain and it outputted lots of errors but they all seem to be very similar to:
[09-10-2010 11:16:24] FindObject: GetADRoot failed with error: 0x8007054b The specified domain either does not exist or could not be contacted.
But the event log message I posted earlier seems to link to being able to contact the domain but getting access denied.
Garrath
-
Monday, September 13, 2010 10:27 AM
Moderator
Hi Garrath,
0x8007054b may occur if the SCE server cannot reach an Active Directory domain controller. This problem may be caused by a DNS name resolution or by network connectivity issue.
Make sure that the SCE server has network connectivity with at least one domain controller.
After you have determined that you have good Internet Protocol (IP) connectivity between the SCE server and a domain controller, correct the DNS address in the IP properties of the workstation. To do this, follow these steps:
- Start the Network Connections tool in Control Panel.
- Right-click Local Area Connection, and then click Properties.
- Click Internet Protocol (TCP/IP), and then click Properties.
- Type the correct DNS address in the Preferred DNS server box.
- Click OK.
Hope it helps,
Yog Li -- Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
-
Monday, September 13, 2010 12:25 PM
I have checked that there is good communication between domain controllers and server by:
- Pinging domain
- pinging domain controller/s
- running cmd as a completely different user to check it is not using cached credentials
All work fine, I did change the dns settings (although I don't know why you would do this after confirming that you can communicate with the domain controller) and it didn't make a difference.
As stated above, I am receiving the following messages in the event log of the domain controllers:
----------Event ID 4769----------
A Kerberos service ticket was requested.
Account Information:
Account Name: <Username>@<Domain>
Account Domain: <Domain>
Logon GUID: {00000000-0000-0000-0000-000000000000}
Service Information:
Service Name: <Username> (without Domain)
Service ID: NULL SID
Network Information:
Client Address: ::ffff:<IP Address>
Client Port: 54152
Additional Information:
Ticket Options: 0x40810000
Ticket Encryption Type: 0xffffffff
Failure Code: 0x1b
Transited Services: -
This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.
This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.
Ticket options, encryption types, and failure codes are defined in RFC 4120.
----------End Event Log----------
Wouldn't it not be able to log an error in the event log of the DC's if it couldn't contact the DC's?
I think the problem is occurring because the user is being denied access for some reason, does this make sense?
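To read an entry like the one quoted above the way a defender would, here is an added Python example (not from this thread, nor from SCE or Windows) that parses a constructed 4769 event body and decodes its Failure Code and Ticket Options against the RFC 4120 tables the event text points to; the account name, realm and client address in the sample are placeholders.

```python
import re
# RFC 4120 sec. 7.5.9 error codes as logged in the 4769 "Failure Code" field (subset).
KRB_ERROR_CODES = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 0x07: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    0x0D: "KDC_ERR_BADOPTION", 0x0E: "KDC_ERR_ETYPE_NOSUPP",
    0x12: "KDC_ERR_CLIENT_REVOKED", 0x18: "KDC_ERR_PREAUTH_FAILED",
    0x1B: "KDC_ERR_MUST_USE_USER2USER", 0x25: "KRB_AP_ERR_SKEW",
}
# RFC 4120 sec. 5.4.1 KDCOptions, numbered MSB-first (bit 0 is 0x80000000).
KDC_OPTION_BITS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "allow-postdate", 6: "postdated", 8: "renewable", 15: "canonicalize",
    26: "disable-transited-check", 27: "renewable-ok", 28: "enc-tkt-in-skey",
    30: "renew", 31: "validate",
}
# Constructed sample mirroring the event body quoted in the thread (placeholder names).
SAMPLE_4769 = """A Kerberos service ticket was requested.
Account Name: jdoe@CORP.EXAMPLE
Service Name: jdoe
Service ID: NULL SID
Client Address: ::ffff:10.0.0.25
Ticket Options: 0x40810000
Failure Code: 0x1b
"""

def parse_event_4769(text):
    """Turn the 'Field: value' lines of a 4769 event body into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z ]+?):\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def decode_ticket_options(value):
    """Names of the KDCOptions flags set in a 32-bit Ticket Options value."""
    return [n for b, n in sorted(KDC_OPTION_BITS.items()) if value & (1 << (31 - b))]

def triage_4769(text):
    """Summarise one failed 4769 event for a defender reading the DC audit log."""
    f = parse_event_4769(text)
    code = int(f["Failure Code"], 16)
    return {
        "failure": KRB_ERROR_CODES.get(code, "UNKNOWN_0x%02X" % code),
        "options": decode_ticket_options(int(f["Ticket Options"], 16)),
        # An SPN has class/host[:port] form; a bare name means the ticket was
        # requested for an account rather than for a registered service.
        "target_is_spn": "/" in f["Service Name"],
        "service_sid_missing": f["Service ID"].upper() == "NULL SID",
    }
```

For the quoted entry this yields KDC_ERR_MUST_USE_USER2USER with forwardable, renewable and canonicalize set, a bare account name in the Service Name field and no SID for it, which is what to compare against the "domain could not be contacted" wording of the wizard error.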
-
Monday, September 13, 2010 9:40 PM
Kerberos tickets are often used with computer account authentication. The DCs have their own audit system that documents authentication failures. This VM that you're using, the virtual network adapters have been set up correctly to talk to the physical network, correct?
Ok, so I changed my name...you can still call me Tom if you like. It's a...jump...to conclusions...mat.
-
Wednesday, September 15, 2010 10:12 AM
Yep, I can ping the domain and access files across the network, etc., so it's not a connectivity issue.
-
Tuesday, July 26, 2011 9:37 PM
Garrath1,
Did you ever resolve this issue? I'm going through a similar issue.
Dan Foxley