none
Error in process GPO

    Question

  •  
    Hi
                I have a problem with the GPO’s in my domain. Recently we lost the AD that housed the FSMO’s functions; we restored in another DC and corrected the replication mistakes between them. However, all DC’s of the domain are presenting these events. These that I will describe below are of a DC to another DC using the GPO tool.
                When rsop.msc is executed, displays a yellow exclamation mark in the computer node, when I click on the right button and then properties on the "error information" guide, the item Security has a warning message and on the field bellow the following description
    terça-feira, 22 de março de 2011 13:13:08

    Security has requested to process its policy settings again.  This can be due to non-critical errors occurring during the previous processing of policy.

    ==========================Error Eventviewer===================================================

    Event Type:    Warning
    Event Source:    SceCli
    Event Category:    None
    Event ID:    1202
    Date:        22/3/2011
    Time:        08:22:54
    User:        N/A
    Computer:    DASVUDEN
    Description:
    Security policies were propagated with warning. 0x4b8 : An extended error has occurred.

    Advanced help for this problem is available on http://support.microsoft.com. Query for "troubleshooting 1202 events".

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

     

    ========================================GPOTOOL==============================

     

    Policy {8556915F-2F5A-4420-A101-63774A045917}
    Error: Version mismatch on amazonas, DS=524288, sysvol=393216
    Friendly name: Proxy e papel de parede 13 de maio
    Details:
    ------------------------------------------------------------
    DC: amazonas
    Friendly name: Proxy e papel de parede 13 de maio
    Created: 30/3/2010 18:08:53
    Changed: 21/2/2011 20:50:40
    DS version:     8(user) 0(machine)aaa
    Sysvol version: 6(user) 0(machine)
    Flags: 0 (user side enabled; machine side enabled)
    User extensions: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC
    -0000F87571E3}][{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-0
    0A0C90347FF}]
    Machine extensions: not found
    Functionality version: 2
    ------------------------------------------------------------

     

    Friday, March 25, 2011 11:50 AM

Answers

  • Hello,

    your domain is messed up through seizing and restoring from the old backup.

    If you check with "netdom query fsmo" on each DC you should see now that the DC where you have seized the FSMOs too will be shown and also the restored one, whcih still is FSMO roles holder(from the backup restored).

    In your case spend the money and call Microsoft PSS to get the correct options in detail to restore your domain complete. This will be to risky for all this to do it without having a look into the system, which Microsoft PSS will do.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Friday, March 25, 2011 1:03 PM

All replies

  • For troubleshooting SCECLI event ID 1202 events, refer to this Microsoft artucle:

    http://support.microsoft.com/kb/324383/en

    Also, have a look to this link:

    http://www.eventid.net/display.asp?eventid=1202&eventno=348&source=scecli&phase=1

     


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.Microsoft Student Partner
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration

    Friday, March 25, 2011 11:59 AM
  • Hello,

    please describe more details about the restore part you have done. Where the FSMO roles seized to another DC or did you restore the DC from system state backup?

    What replication mistakes did you had and how where they corrected?

    Also see: http://support.microsoft.com/kb/324383


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Friday, March 25, 2011 12:00 PM
  • Hi Menolf

           Restore the system state from 7 months ago. After performing this restore all DC `s lost the secure channel of communication. The problem was solved by using the netdom reset computer on all DC `s domain. FSMO roles were moved to another using dc SEIZE. No event is being registered in eventviwer DCs in the domain-related problem such as replication.
           I realized one thing today NETLOGON and SYSVOL folders are with different size in all DCs and when I try to open the Group Policy editor at some DC 'and displayed a message saying unable to locate the DC in my domain
    Friday, March 25, 2011 12:28 PM
  • Another problem I checked


     Winlogon.txt

     

    Configure Group Membership...
    Warning 2: The system cannot find the file specified.
         Cannot find Administrators.
        Configure Enterprise Admins.
        Configure CN=Enterprise Admins,CN=Users,DC=ctis,DC=local.
            Processing CN=SVC FIM CTIS,OU=VERIZ,OU=CTIS,DC=ctis,DC=local.
            Processing CN=Servico Senha,OU=VERIZ,OU=CTIS,DC=ctis,DC=local.
            Processing CN=ADM - Andre Pimentel Grell,OU=Admins,OU=DF,OU=CTIS,DC=ctis,DC=local.
            Processing CN=Andre Pimentel Grell,OU=Admins,OU=DF,OU=CTIS,DC=ctis,DC=local.
        Configure Schema Admins.
        Configure CN=Schema Admins,CN=Users,DC=ctis,DC=local.
            Processing CN=ADM - Andre Pimentel Grell,OU=Admins,OU=DF,OU=CTIS,DC=ctis,DC=local.
            Processing CN=Andre Pimentel Grell,OU=Admins,OU=DF,OU=CTIS,DC=ctis,DC=local.
        Configure Domain Admins.
        Configure CN=Domain Admins,CN=Users,DC=ctis,DC=local.
            Processing CN=User Bloqueio USB e CDROM,OU=Admins,OU=DF,OU=CTIS,DC=ctis,DC=local.
            Processing CN=SVC FIM CTIS,OU=VERIZ,OU=CTIS,DC=ctis,DC=local.
            Processing CN=Projeto Cacic,OU=Servicos,OU=DF,OU=CTIS,DC=ctis,DC=local.
            Processing CN=Servico Senha,OU=VERIZ,OU=CTIS,DC=ctis,DC=local.
            Processing CN=ADM - Rodrigo Gos da Costa,OU=Usuarios,OU=RJ,OU=CTIS,DC=ctis,DC=local.
            Processing CN=User UP. Proxy,OU=Servicos,OU=DF,OU=CTIS,DC=ctis,DC=local.
            Processing CN=ADM - Renato Santos Freitas,OU=Admins,OU=DF,OU=CTIS,DC=ctis,DC=local.
            Processing CN=ADM - Leonardo Mendes,OU=Admins,OU=DF,OU=CTIS,DC=ctis,DC=local.
            Processing CN=ADM - Marcelo Almeida Del Isola,OU=Admins,OU=DF,OU=CTIS,DC=ctis,DC=local.
            Processing CN=Get Conference,OU=Servicos,OU=DF,OU=CTIS,DC=ctis,DC=local.
            Processing CN=ADM - Andre Pimentel Grell,OU=Admins,OU=DF,OU=CTIS,DC=ctis,DC=local.
            Processing CN=ADM - Francisco Haly Batista Pinto,OU=Admins,OU=DF,OU=CTIS,DC=ctis,DC=local.
            Processing CN=ADM - Felipe Pereira,OU=Admins,OU=DF,OU=CTIS,DC=ctis,DC=local.
            Processing CN=EPO ADM,OU=Servicos,OU=DF,OU=CTIS,DC=ctis,DC=local.
            Processing CN=ADM- Denis Cleon,OU=Admins,OU=DF,OU=CTIS,DC=ctis,DC=local.
            Processing CN=Andre Pimentel Grell,OU=Admins,OU=DF,OU=CTIS,DC=ctis,DC=local.
            add CN=Get Conference,OU=Servicos,OU=DF,OU=CTIS,DC=ctis,DC=local.
        Configure Administrators.
    Match          - CTIS\admin-ctis.
    Match          - CTIS\andre.grell.
    Match          - CTIS\cleonadm.
    Match          - CTIS\docnix.
    Match          - CTIS\epo_adm.
    Match          - CTIS\felipeadm.
    Match          - CTIS\FranciscoADM.
    Match          - CTIS\grelladm.
    Match          - CTIS\joaocostaadm.
    Match          - CTIS\marcelaoadm.
    Match          - CTIS\mendesadm.
    Match          - CTIS\n37595.
    Match          - CTIS\rodrigogosadm.
    Match          - CTIS\servico_senha.
    Match          - CTIS\sic.
    Match          - CTIS\svc_fim_ctis.
    Match          - CTIS\userbloqueio.
    Match          - CTIS\xavieradm.
    Match          - SID: S-1-5-21-1357579247-1010124112-633983420-500.
    Match          - SID: S-1-5-21-1357579247-1010124112-633983420-4672.
    Match          - SID: S-1-5-21-1357579247-1010124112-633983420-4671.
    Match          - SID: S-1-5-21-1357579247-1010124112-633983420-2221.
    Match          - SID: S-1-5-21-1357579247-1010124112-633983420-27544.
    Match          - SID: S-1-5-21-1357579247-1010124112-633983420-19044.
    Match          - SID: S-1-5-21-1357579247-1010124112-633983420-22502.
    Match          - SID: S-1-5-21-1357579247-1010124112-633983420-19671.
            remove SID: S-1-5-21-3921883018-937171262-2899030645-500.
    Error 1377: The specified account name is not a member of the local group.
             error removing SID: S-1-5-21-3921883018-937171262-2899030645-500.
        Configure CTIS\Enterprise Admins.
        Configure CTIS\Schema Admins.
        Configure CTIS\Domain Admins.

        Group Membership configuration was completed with one or more errors.

     

     

    Friday, March 25, 2011 12:30 PM
  • Hello,

    7 month is too old, more details in: http://support.microsoft.com/kb/216993

    Seizing is only to use if a DC NEVER comes back from backup what you actually did.

    All errors you see belong to this wrong restore.

    Hoepfully you have a system state backup from another DC that is not too old. Kick out the restored DC complete and hopefully using the newer backup you can restore it back to a running state, definite an authoritative restore must be done, so the restored one push it's data to the others.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Friday, March 25, 2011 12:43 PM
  • Unfortunately I do not have the latest backup from another DC. That was the only one I had. But if the problem of being NETLOGON and SYSVOL folders with different size?
    Friday, March 25, 2011 12:54 PM
  • Hello,

    your domain is messed up through seizing and restoring from the old backup.

    If you check with "netdom query fsmo" on each DC you should see now that the DC where you have seized the FSMOs too will be shown and also the restored one, whcih still is FSMO roles holder(from the backup restored).

    In your case spend the money and call Microsoft PSS to get the correct options in detail to restore your domain complete. This will be to risky for all this to do it without having a look into the system, which Microsoft PSS will do.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Friday, March 25, 2011 1:03 PM