Event ID 7017 GPO issue and SYSVOL replication

    Question

  • So I have some policies set up under our default domain policy.  These policies have been applying fine to users across our network and in our remote offices.  I have set up 2 2008 R2 Terminal Servers and it seems that the policies are not applying to these.  Running gpresult I found that I am getting the following error

    "Group Policy Infrastructure failed due to the error listed below.

    The system cannot find the path specified.

    Note: Due to the GP Core failure, none of the other Group Policy components processed their policy. Consequently, status information for the other components is not available.

    Additional information may have been logged. Review the Policy Events tab in the console or the application event log for events between 1/22/2013 8:11:01 AM and 1/22/2013 8:11:03 AM"

    Well, I was at least able to figure out why the policies aren't being applied.  So I dug into the event log for Group Policy on 1 of my terminal servers and found the following entry in there

    "

    The system calls to access specified file completed. 
    \\domain\SysVol\caep.circ9.dcn\Policies\{5E14BB84-7BFC-4C27-BDE4-7A5229900536}\gpt.ini
    The call failed after 1232 milliseconds."

    So I UNC out to //domain/sysvol/policies and sure enough I don't see that GUID number in there.  Next I jump onto my laptop and UNC to the same location and bam everything's there.  It would seem like depending on where I am accessing the sysvol from I am seeing different results.  I am kind of at a loss as to where to go next so any help or assistance would be appreciated.

    Thanks

    Tuesday, January 22, 2013 5:02 PM

All replies

  • If you see the policy in question from one machine when browsing \\domain\sysvol but not from another machine, this indicates that policy is missing from the SYSVOL on one or more domain controllers.  You can determine which domain controller is missing the policy by browsing as you did and using netstat to examine open connections.  See the following article to troubleshoot SYSVOL replication via FRS: http://technet.microsoft.com/en-us/library/bb727056.aspx

    Edit: If you are using DFS-R, troubleshooting is much easier.  Here is a short but good article on generating health reports: http://blog.powershell.no/2010/12/30/dfs-r-health-report-for-sysvol/

    • Edited by Neil Frick Tuesday, January 22, 2013 5:20 PM
    Tuesday, January 22, 2013 5:17 PM
  • If you see the policy in question from one machine when browsing \\domain\sysvol but not from another machine, this indicates that policy is missing from the SYSVOL on one or more domain controllers.  You can determine which domain controller is missing the policy by browsing as you did and using netstat to examine open connections.  See the following article to troubleshoot SYSVOL replication via FRS: http://technet.microsoft.com/en-us/library/bb727056.aspx

    Edit: If you are using DFS-R, troubleshooting is much easier.  Here is a short but good article on generating health reports: http://blog.powershell.no/2010/12/30/dfs-r-health-report-for-sysvol/

    In checking on both of my DCs' \\servername\sysvol\policies folders, they are identical.  I should probably mention that our DCs are Windows 2008 Standard, so the domain is at the Server 2008 functional level.  I will give the DFS-R report a go and post anything I find.
    Tuesday, January 22, 2013 5:52 PM
  • So I ran the DFS-R health report and included my 2 DCs and my 8 RODCs and I got zero errors/warnings back.  I am guessing replication is not the issue if this report is correct.  It seems to only be affecting my 2 terminal servers.  In checking the \\domainname\sysvol directories on my 2 different computers I have found something peculiar: the date modified on the machine where policies are being applied is the correct date, and checking from the terminal server it shows 4/6/2011
    • Edited by Velocd Tuesday, January 22, 2013 6:00 PM
    Tuesday, January 22, 2013 5:55 PM
  • Can you verify in GPMC that the version matches between AD and Sysvol on both domain controllers?  Also, check the permissions on the group policy object in GPMC and Sysvol, use Effective Access under Advanced to confirm the machine accounts have read access and the user account you are using on the term server also has read access.  The fact that you cannot see that policy in the Sysvol when browsing from the term server indicates an access problem, if in fact the policy is present on all domain controllers (including your RODCs).
    Tuesday, January 22, 2013 6:21 PM
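
One way to run the per-DC comparison suggested in the reply above, as an added example that is not part of the original thread or any poster's own code. It assumes the ActiveDirectory module (RSAT) and PowerShell 3.0 or later on the machine running it; the GUID is the one from the event quoted in the question, and the variable names are illustrative.

```powershell
# Added example: compare one GPO's version in AD and in SYSVOL on every DC.
# Assumes the ActiveDirectory module (RSAT) and PowerShell 3.0+ are available.
Import-Module ActiveDirectory

# GUID taken from the failing gpt.ini path in the event quoted in the question
$gpoGuid = '{5E14BB84-7BFC-4C27-BDE4-7A5229900536}'
$domain  = Get-ADDomain
$gpoDn   = "CN=$gpoGuid,CN=Policies,CN=System,$($domain.DistinguishedName)"

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    # Name the DC explicitly so the DFS referral for \\domain\sysvol is bypassed
    $gptIni = "\\$($dc.HostName)\SYSVOL\$($domain.DNSRoot)\Policies\$gpoGuid\gpt.ini"
    $sysvolVersion = $null
    $adVersion     = $null
    $sysvolError   = $null
    $adError       = $null

    try {
        # gpt.ini carries a line of the form Version=<integer>
        $match = Get-Content -LiteralPath $gptIni -ErrorAction Stop |
                 Select-String -Pattern '^\s*Version\s*=\s*(\d+)' |
                 Select-Object -First 1
        if ($match) { $sysvolVersion = [long]$match.Matches[0].Groups[1].Value }
        else        { $sysvolError = 'no Version line in gpt.ini' }
    } catch {
        # Path not found, access denied and unreachable DC all land here
        $sysvolError = $_.Exception.Message
    }

    try {
        # versionNumber on the groupPolicyContainer object, read from this DC's replica
        $gpc = Get-ADObject -Identity $gpoDn -Server $dc.HostName -Properties versionNumber -ErrorAction Stop
        $adVersion = [long]$gpc.versionNumber
    } catch {
        $adError = $_.Exception.Message
    }

    [pscustomobject]@{
        DC            = $dc.HostName
        ReadOnly      = $dc.IsReadOnly
        AdVersion     = $adVersion
        SysvolVersion = $sysvolVersion
        InSync        = ($null -ne $adVersion -and $adVersion -eq $sysvolVersion)
        Error         = (@($sysvolError, $adError) | Where-Object { $_ }) -join '; '
    }
}

$report | Sort-Object InSync, DC | Format-Table -AutoSize -Wrap
```

Running it from both an affected machine and a working one separates a DC that really lacks the policy folder from a client-side access or name-resolution difference, since the error text for each DC is reported per client.
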
  • Surprisingly, I just rebooted the servers at lunch and the problem has gone away.
    Tuesday, January 22, 2013 9:25 PM
  • Hi,

    Glad to know that your problem is solved. You can refer to the link below:

    Troubleshooting Group Policy Using Event logs:

    http://blogs.technet.com/b/gpguru/archive/2008/08/29/troubleshooting-group-policy-using-event-logs.aspx

    Regards.


    Vivian Wang
    TechNet Community Support

    Wednesday, January 23, 2013 6:09 AM
    Moderator