The Permissions for This GPO in the SYSVOL Folder Are Inconsistent with Those in Active Directory

    Question

  • windows 2003 domain, 3 DCs: DC1 & DC3 running Win2003 and DC4 running Win2008. it has been working for over a year
    I noticed the problem when my backupexec 12.5 couldn't access DC4 (win 2008 server) for system state backup using the domain admin account to log on
    when I opened GPMC the following prompted
    "The Permissions for This GPO in the SYSVOL Folder Are Inconsistent with Those in Active Directory"
    then I found FRS event ID 13508
    this is the dcdiag run on DC1 (win2k3) and DC4 (win2k8)
    C:\>dcdiag
    
    Domain Controller Diagnosis
    
    Performing initial setup:
       Done gathering initial info.
    
    Doing initial required tests
    
       Testing server: HQ-SITE\DC1
          Starting test: Connectivity
             ......................... DC1 passed test Connectivity
    
    Doing primary tests
    
       Testing server: HQ-SITE\DC1
          Starting test: Replications
             ......................... DC1 passed test Replications
          Starting test: NCSecDesc
             ......................... DC1 passed test NCSecDesc
          Starting test: NetLogons
             ......................... DC1 passed test NetLogons
          Starting test: Advertising
             ......................... DC1 passed test Advertising
          Starting test: KnowsOfRoleHolders
             ......................... DC1 passed test KnowsOfRoleHolders
          Starting test: RidManager
             ......................... DC1 passed test RidManager
          Starting test: MachineAccount
             ......................... DC1 passed test MachineAccount
          Starting test: Services
             ......................... DC1 passed test Services
          Starting test: ObjectsReplicated
             ......................... DC1 passed test ObjectsReplicated
          Starting test: frssysvol
             ......................... DC1 passed test frssysvol
          Starting test: frsevent
             ......................... DC1 passed test frsevent
          Starting test: kccevent
             ......................... DC1 passed test kccevent
          Starting test: systemlog
             ......................... DC1 passed test systemlog
          Starting test: VerifyReferences
             ......................... DC1 passed test VerifyReferences
    
       Running partition tests on : ForestDnsZones
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test CrossRefValidation
    
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
    
       Running partition tests on : DomainDnsZones
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test CrossRefValidation
    
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
    
       Running partition tests on : Schema
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
    
       Running partition tests on : Configuration
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
    
       Running partition tests on : gox
          Starting test: CrossRefValidation
             ......................... gox passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... gox passed test CheckSDRefDom
    
       Running enterprise tests on : gox.com
          Starting test: Intersite
             ......................... gox.com passed test Intersite
          Starting test: FsmoCheck
             ......................... gox.com passed test FsmoCheck
    
    C:\>dcdiag
    
    Directory Server Diagnosis
    
    Performing initial setup:
       Trying to find home server...
       Home Server = DC4
       * Identified AD Forest.
       Done gathering initial info.
    
    Doing initial required tests
    
       Testing server: HQ-SITE\DC4
          Starting test: Connectivity
             ......................... DC4 passed test Connectivity
    
    Doing primary tests
    
       Testing server: HQ-SITE\DC4
          Starting test: Advertising
             Warning: DC4 is not advertising as a time server.
             ......................... DC4 failed test Advertising
          Starting test: FrsEvent
             ......................... DC4 passed test FrsEvent
          Starting test: DFSREvent
             ......................... DC4 passed test DFSREvent
          Starting test: SysVolCheck
             ......................... DC4 passed test SysVolCheck
          Starting test: KccEvent
             ......................... DC4 passed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... DC4 passed test KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... DC4 passed test MachineAccount
          Starting test: NCSecDesc
             Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
                Replicating Directory Changes In Filtered Set
             access rights for the naming context:
             DC=ForestDnsZones,DC=gox,DC=com
             Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
                Replicating Directory Changes In Filtered Set
             access rights for the naming context:
             DC=DomainDnsZones,DC=gox,DC=com
             ......................... DC4 failed test NCSecDesc
          Starting test: NetLogons
             [DC4] User credentials does not have permission to perform this
             operation.
             The account used for this test must have network logon privileges
             for this machine's domain.
             ......................... DC4 failed test NetLogons
          Starting test: ObjectsReplicated
             ......................... DC4 passed test ObjectsReplicated
          Starting test: Replications
             [Replications Check,DC4] DsReplicaGetInfo(PENDING_OPS, NULL)
             failed, error 0x2105 "Replication access was denied."
             ......................... DC4 failed test Replications
          Starting test: RidManager
             ......................... DC4 passed test RidManager
          Starting test: Services
                Could not open NTDS Service on DC4, error 0x5
                "Access is denied."
             ......................... DC4 failed test Services
          Starting test: SystemLog
             An Warning Event occurred.  EventID: 0x8000001D
                Time Generated: 02/11/2010   08:03:47
                Event String:
                The Key Distribution Center (KDC) cannot find a suitable certificate
     to use for smart card logons, or the KDC certificate could not be verified. Sma
    rt card logon may not function correctly if this problem is not resolved. To cor
    rect this problem, either verify the existing KDC certificate using certutil.exe
     or enroll for a new KDC certificate.
             An Error Event occurred.  EventID: 0xC0001B58
                Time Generated: 02/11/2010   08:09:30
                Event String:
                The Microsoft IPv6 Protocol Driver service failed to start due to th
    e following error:
             An Error Event occurred.  EventID: 0xC0001B58
                Time Generated: 02/11/2010   08:11:32
                Event String:
                The Microsoft IPv6 Protocol Driver service failed to start due to th
    e following error:
             An Error Event occurred.  EventID: 0xC0001B58
                Time Generated: 02/11/2010   08:12:30
                Event String:
                The Microsoft IPv6 Protocol Driver service failed to start due to th
    e following error:
             An Error Event occurred.  EventID: 0xC0001B58
                Time Generated: 02/11/2010   08:43:52
                Event String:
                The Microsoft IPv6 Protocol Driver service failed to start due to th
    e following error:
             ......................... DC4 failed test SystemLog
          Starting test: VerifyReferences
             ......................... DC4 passed test VerifyReferences
    
    
       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test
             CrossRefValidation
    
       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test
             CrossRefValidation
    
       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
    
       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
    
       Running partition tests on : gox
          Starting test: CheckSDRefDom
             ......................... gox passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... gox passed test CrossRefValidation
    
       Running enterprise tests on : gox.com
          Starting test: LocatorCheck
             ......................... gox.com passed test LocatorCheck
          Starting test: Intersite
             ......................... gox.com passed test Intersite
    
    kb828760 refers only to Windows 2000\2003 servers, and the same goes for kb315457

    one last thing, when I try to access DC4\SYSVOL from a remote machine I have no access issues
    what are my options?


    Rofi Neron my blog: http://ITDualism.wordpress.com
    Thursday, February 11, 2010 2:51 PM
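
Added example (not part of the original post): a small Python parser for dcdiag output like the two runs above. It lists each test result and picks out the failed tests whose detail lines report an access or permission error; the sample text is a constructed excerpt and the function names are illustrative.

```python
import re

# Constructed sample: a trimmed excerpt shaped like the DC4 output in the post.
SAMPLE = """\
   Testing server: HQ-SITE\\DC4
      Starting test: Advertising
         Warning: DC4 is not advertising as a time server.
         ......................... DC4 failed test Advertising
      Starting test: Replications
         [Replications Check,DC4] DsReplicaGetInfo(PENDING_OPS, NULL)
         failed, error 0x2105 "Replication access was denied."
         ......................... DC4 failed test Replications
      Starting test: Services
            Could not open NTDS Service on DC4, error 0x5
            "Access is denied."
         ......................... DC4 failed test Services
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation
"""

START = re.compile(r"^\s*Starting test:\s*(\S+)")
RESULT = re.compile(r"^\s*\.{5,}\s*(\S+) (passed|failed) test")
DENIED = re.compile(r"access (is|was) denied|does not have permission", re.I)

def parse_dcdiag(text):
    """Return one dict per test: target, test, status, details."""
    results, current, details = [], None, []
    for line in text.splitlines():
        start, result = START.match(line), RESULT.match(line)
        if start:
            current, details = start.group(1), []
        elif result and current:
            # dcdiag wraps long result lines, so the test name can land on the
            # next line; take the name from the "Starting test" line instead.
            results.append({"target": result.group(1), "test": current,
                            "status": result.group(2), "details": details})
            current = None
        elif current and line.strip():
            details.append(line.strip())
    return results

def access_denied_failures(results):
    """Names of failed tests whose detail lines report a permissions error."""
    return [r["test"] for r in results
            if r["status"] == "failed" and DENIED.search(" ".join(r["details"]))]

if __name__ == "__main__":
    print(access_denied_failures(parse_dcdiag(SAMPLE)))
```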

Answers

  • Hello,

    there was no change in this part between Windows Server 2008 and Windows Server 2003, so you can follow the article. Of course you should have an up to date backup, at least of the system state of the DCs.
    Best regards
    Meinolf Weber
    Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by Wilson Jia Wednesday, February 24, 2010 3:14 AM
    Sunday, February 21, 2010 12:17 PM

All replies

  • Hi, Rofi.

    Let the GPMC fix the permissions. The only thing you need to be careful of is if you had filtered security in the Scope tab (i.e., groups and users other than the default of Authenticated Users) you may have to restore that filtering (from memory).

    Cheers,
    Lain
    Thursday, February 11, 2010 3:05 PM
  • GPMC should give you an option to correct this issue (which will reset permissions automatically). You can also adjust permissions on the SYSVOL portion of the GPO and its AD object so they match...

    hth
    Marcin
    Thursday, February 11, 2010 3:13 PM
  • Lain & Marcin,
    thanks for your answers but unfortunately GPMC did not fix the problem.
    I still get the same dcdiag output
    I also found something interesting - when I change the login from backupexec to user@domain instead of domain\user it does connect. I don't get it but it is working and I was able to complete the SYSVOL backup job...
    Rofi Neron my blog: http://ITDualism.wordpress.com
    Thursday, February 11, 2010 8:33 PM
  • Hi Rofi,

    According to the error message, please check the following KB article to see if it helps.

    828760  "The Permissions for This GPO in the SYSVOL Folder Are Inconsistent with Those in Active Directory" Message When You Run GPMC

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;828760

    Sincerely,

    Wilson Jia


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Friday, February 12, 2010 6:40 AM
  • Wilson,
    check the bottom of my original message - I already found this KB but since it refers to 2003 servers and the problem is on my 2008 DC I'm not sure this solution fits.
    if you know it does, please refer me to a 2008 server supported document

    thanks,
    Rofi
    Rofi Neron my blog: http://ITDualism.wordpress.com
    Friday, February 12, 2010 4:56 PM
  • Meinolf, 

    Considering the fix is to download a specific 2000 or 2003 service pack, how is the link you provided a relevant fix for 2008? Are you saying that a service pack is needed to correct the issue?

    Wednesday, June 13, 2012 8:26 PM
  • I have the same issue. Has this been solved? All of my DC's are 2008 and running SP1. Thanks!
    Thursday, June 28, 2012 8:13 PM
    Hello,

    as this thread is from 2010 and marked as answered please describe your own environment and errors in detail in a NEW thread. Thank you for understanding.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Friday, June 29, 2012 6:19 AM