I have a GPO viewing/applying/replication issue and I cannot find a solution match for my issue

    Question

  • I need some help along these lines but I am not sure exactly what is going on.  I have a lot of custom GPOs that I cannot lose and need to recover.  We had some kind of catastrophic failure that caused the DCs to enter AD recovery mode.  I was gone over the weekend and another administrator recovered one of the DCs, built another, and demoted the other.  Everything seems to work fine now except group policy.  I am very knowledgeable in AD but for the life of me, I cannot find a way to fix this.  Here are the details:

    MSP-DC00 - Windows Server 2008R2 Standard

    MSP-DC01 - Windows Server 2008R2 Standard 

    MSP-DC02 - Windows Server 2012R2 Standard

    DC00 was the FSMO role holder and held all of the other roles.  The other administrator demoted DC01, built DC02 and transferred all roles.

    DCDIAG on both servers shows:

            * The current DC is not in the domain controller's OU

            ......................... MSP-DC00 failed test MachineAccount

            Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have

                Replicating Directory Changes In Filtered Set
            access rights for the naming context:

            DC=ForestDnsZones,DC=analytics,DC=local
            Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have

                Replicating Directory Changes In Filtered Set
            access rights for the naming context:

            DC=DomainDnsZones,DC=analytics,DC=local
            ......................... MSP-DC00 failed test NCSecDesc

            Unable to connect to the NETLOGON share! (\\MSP-DC00\netlogon)

            [MSP-DC00] An net use or LsaPolicy operation failed with error 67,

            The network name cannot be found..

            ......................... MSP-DC00 failed test NetLogons

    The new DC02 also shows:

    Several of these:

            An error event occurred. EventID: 0x00000422

                Time Generated: 01/26/2017 11:45:12

                Event String:

                The processing of Group Policy failed. Windows attempted to read the file \\analytics.local\sysvol\analytics.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:


            ......................... MSP-DC02 failed test SystemLog

    I can also provide screenshots of the error when I try to expand the settings within each GPO.  Any help is appreciated!
    Thursday, January 26, 2017 7:29 PM
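Added diagnostic for the situation described in the question (this is not code from any post in the thread): the 1058 event and the dcdiag failure both say a gpt.ini could not be read from SYSVOL, but they do not say whether the file is missing on one DC or whether the DCs hold different copies. The script below reads each GPO's gpt.ini from every DC's own SYSVOL share and compares the Version line with the versionNumber attribute AD holds on the groupPolicyContainer. It assumes the ActiveDirectory RSAT module and an account that can read SYSVOL; the object names (`$domain`, `$dcs`, `$report`) are the script's own.

```powershell
# Added diagnostic, not from the thread: for every GPO, compare the version AD
# holds on the groupPolicyContainer with the Version= line of gpt.ini as read
# from EACH DC's own SYSVOL share. A 1058 event means a client could not read
# gpt.ini; reading the per-DC copies shows whether the file is missing on one
# DC or whether the DCs hold different versions (a SYSVOL replication gap).
# Assumes the ActiveDirectory RSAT module and read access to SYSVOL.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# One groupPolicyContainer per GPO; its CN is the policy GUID and versionNumber
# is the combined user/computer version that gpt.ini must match.
$gpcs = Get-ADObject -SearchBase "CN=Policies,CN=System,$($domain.DistinguishedName)" `
                     -Filter 'objectClass -eq "groupPolicyContainer"' `
                     -Properties displayName, versionNumber

$report = foreach ($gpc in $gpcs) {
    foreach ($dc in $dcs) {
        # Use \\DC\SYSVOL, not \\domain\sysvol: the DFS path hides which DC answered.
        $ini = "\\$dc\SYSVOL\$($domain.DNSRoot)\Policies\$($gpc.Name)\gpt.ini"
        $fileVersion = $null
        if (Test-Path -LiteralPath $ini) {
            $m = Select-String -LiteralPath $ini -Pattern '^Version=(\d+)' | Select-Object -First 1
            if ($m) { $fileVersion = [int]$m.Matches[0].Groups[1].Value }
        }
        $state = if ($null -eq $fileVersion)                  { 'gpt.ini missing/unreadable' }
                 elseif ($fileVersion -ne $gpc.versionNumber) { 'version mismatch' }
                 else                                         { 'OK' }
        [pscustomobject]@{
            GPO         = $gpc.displayName
            Guid        = $gpc.Name
            DC          = $dc
            ADVersion   = $gpc.versionNumber
            FileVersion = $fileVersion
            State       = $state
        }
    }
}

# Show only the problems; drop the Where-Object to see every GPO/DC pair.
$report | Where-Object State -ne 'OK' | Sort-Object GPO, DC | Format-Table -AutoSize
```

A GPO that reports "missing/unreadable" on one DC but "OK" on the other points at SYSVOL replication or share problems on that DC (compare the NETLOGON share failure in the dcdiag output), whereas "missing/unreadable" on every DC means the policy files themselves are gone and only a restore will bring them back.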

All replies

  • Hi,

    It sounds like the MSP-DC00 may not actually be registered as a DC anymore. From a client workstation please run the following 2 commands & then run them from all DCs and compare for any disparity:

    >netdom query dc
    (this command queries AD for all known domain controllers)

    >netdom query fsmo
    (this command queries for the known FSMO role holders)

    Are you getting any errors in the Directory Services event log on the servers? (You may need to drill down into the Applications and Services Logs container in Event Viewer to find them.)

    Thanks
    Daniel

    Thursday, January 26, 2017 7:53 PM
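The comparison Daniel asks for, done in one pass from PowerShell rather than by reading `netdom` output on each box by hand. This is an added example, not Daniel's code or anything from the thread; it assumes the ActiveDirectory RSAT module, and the variable names (`$views`, `$fields`) are its own. Each DC is queried directly with `-Server`, so each row is that DC's own view of the domain.

```powershell
# Added example, not from the thread: ask each DC for its own view of the domain
# (which DCs exist, who holds the FSMO roles) and flag any disagreement, which is
# what comparing 'netdom query dc' / 'netdom query fsmo' output by hand reveals.
# Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$views = foreach ($dc in $dcs) {
    try {
        # -Server forces the query to THIS DC instead of whichever one the DC locator picks.
        $d = Get-ADDomain -Server $dc -ErrorAction Stop
        $f = Get-ADForest -Server $dc -ErrorAction Stop
        [pscustomobject]@{
            QueriedDC            = $dc
            KnownDCs             = (@($d.ReplicaDirectoryServers) + @($d.ReadOnlyReplicaDirectoryServers) | Sort-Object) -join ','
            PDCEmulator          = $d.PDCEmulator
            RIDMaster            = $d.RIDMaster
            InfrastructureMaster = $d.InfrastructureMaster
            SchemaMaster         = $f.SchemaMaster
            DomainNamingMaster   = $f.DomainNamingMaster
            Error                = $null
        }
    } catch {
        # A DC that cannot answer at all is itself a finding (compare the client's
        # "The specified domain either does not exist or could not be contacted").
        [pscustomobject]@{
            QueriedDC = $dc; KnownDCs = $null; PDCEmulator = $null; RIDMaster = $null
            InfrastructureMaster = $null; SchemaMaster = $null; DomainNamingMaster = $null
            Error = $_.Exception.Message
        }
    }
}

$views | Format-Table -AutoSize

# Any field with more than one distinct answer means the DCs are not replicating
# a consistent picture of the domain.
$fields = 'KnownDCs', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster', 'SchemaMaster', 'DomainNamingMaster'
foreach ($field in $fields) {
    $answers = @($views | Where-Object { -not $_.Error } | Select-Object -ExpandProperty $field | Sort-Object -Unique)
    if ($answers.Count -gt 1) {
        Write-Warning ("DCs disagree on {0}: {1}" -f $field, ($answers -join ' | '))
    }
}
```

Run it from a client as well: if the client cannot even enumerate the DCs (as the poster later reports), the failure lands in the catch block for every DC, which separates a client-side DNS/locator problem from a disagreement between the DCs themselves.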
  • I would recommend starting with the basics, which is to make sure that all your DCs are properly registered in DNS. You can start by checking the IP settings - My advice is to follow what I recommended here: http://www.ahmedmalek.com/web/fr/articles.asp?artid=23

    Once done, please run ipconfig /registerdns and restart netlogon service on all DCs you have. If the problem persists, you can try to do a non-authoritative restore of SYSVOL on MSP-DC00. You can refer to the link I shared for the details about how it could be done.


    This posting is provided AS IS with no warranties or guarantees , and confers no rights.

    Ahmed MALEK


    Sunday, January 29, 2017 11:57 PM
  • Daniel,

    Thank you and sorry for the late response, I was not notified that anybody had responded.  Here are the results:

    From MSP-DC02:
    C:\Windows\system32>netdom query dc
    List of domain controllers with accounts in the domain:
    MSP-DC00
    MSP-DC02
    The command completed successfully.

    C:\Windows\system32>netdom query fsmo
    Schema master               MSP-DC02.analytics.local
    Domain naming master        MSP-DC02.analytics.local
    PDC                         MSP-DC02.analytics.local
    RID pool manager            MSP-DC02.analytics.local
    Infrastructure master       MSP-DC02.analytics.local
    The command completed successfully.


    From MSP-DC00:
    C:\Windows\system32>netdom query dc
    List of domain controllers with accounts in the domain:
    MSP-DC00
    MSP-DC02
    The command completed successfully.

    C:\Windows\system32>netdom query fsmo
    Schema master               MSP-DC02.analytics.local
    Domain naming master        MSP-DC02.analytics.local
    PDC                         MSP-DC02.analytics.local
    RID pool manager            MSP-DC02.analytics.local
    Infrastructure master       MSP-DC02.analytics.local
    The command completed successfully.

    From client:

    C:\WINDOWS\system32>netdom query dc
    The specified domain either does not exist or could not be contacted.

    The command failed to complete successfully.

    C:\WINDOWS\system32>netdom query fsmo
    The specified domain either does not exist or could not be contacted.

    The command failed to complete successfully.


    In the Event Viewer under 'system', I receive:

    1058:  The processing of Group Policy failed. Windows attempted to read the file...

    16:  While processing a TGS request for the target server, the account did not have a suitable key for generating a Kerberos ticket


    1058 occurs all day long and 16 is occasional.
    Monday, February 13, 2017 7:47 PM
  • Ahmed,

    Thank you and sorry for the late response, I was not notified that anybody had responded.  DNS is working properly as is apparently everything but group policy.  I followed some other Microsoft links and they told me to look for specific files and registry settings but I couldn't find matching ones.  I will look at your link but you may be correct on the non-authoritative restore of SYSVOL.

    Monday, February 13, 2017 7:50 PM
  • Not a problem

    Let's try and rule out a DNS issue first; this is the most common cause of a client machine not being able to contact a domain. Can the client machine resolve all of the following records:

    A Records
    analytics.local
    MSP-DC00.analytics.local
    MSP-DC01.analytics.local
    MSP-DC02.analytics.local

    SRV Records (e.g. nslookup -type=srv _gc._tcp.analytics.local)
    _gc._tcp.analytics.local
    _ldap._tcp.analytics.local
    _kpasswd._tcp.analytics.local
    _kerberos._tcp.analytics.local

    If not then can the client resolve any records (such as microsoft.com)?
    If so then can you ping each of the DCs and also the FQDN of the domain?

    Could you check any firewall and AV software is disabled on all machines for test purposes (I have seen security software cause issues with AD on DCs out of the box - just wondering if DCs have been rebuilt then is there something like this that may be misconfigured?)

    From each DC and from a client could you run the Test-ComputerSecureChannel PowerShell command? (it should return True if all is well with SChannel)

    Could you check manually if all DCs are in the Domain Controllers OU in active directory users and computers. Also check if the DCs are all members of the domain controllers security group.

    If any of them aren't then add them to the group/move them to the OU, run a GPUpdate /force on them all and then reboot them all with MSP-DC02 being rebooted and allowed to come back online before rebooting the others.

    Monday, February 13, 2017 9:18 PM
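The checks in this reply (A and SRV resolution, the secure channel, the Domain Controllers OU and group) rolled into one report. This is an added script, not Daniel's or the poster's code; the domain and DC names are the ones given in the thread, and the helper `Add-Result` and the `$results` list are its own. It assumes `Resolve-DnsName`, which exists on Windows 8 / Server 2012 and later (on the 2008 R2 DC use `nslookup` as shown above), and it runs the OU/group checks only where the ActiveDirectory module is installed.

```powershell
# Added check script, not from the thread: the DNS, secure-channel and DC-object
# checks from the reply above as one report. Domain and DC names are the thread's.
$domain = 'analytics.local'
$dcs    = 'MSP-DC00', 'MSP-DC02'     # MSP-DC01 was demoted, so it is not expected here

$results = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Check, [bool]$OK, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; OK = $OK; Detail = $Detail })
}

# A records: the bare domain name must resolve (to DC addresses) and so must each DC.
foreach ($name in @($domain) + @($dcs | ForEach-Object { "$($_).$domain" })) {
    try {
        $a = @(Resolve-DnsName -Name $name -Type A -ErrorAction Stop | Where-Object Type -eq 'A')
        Add-Result "A $name" ($a.Count -gt 0) (($a | Select-Object -ExpandProperty IPAddress) -join ',')
    } catch { Add-Result "A $name" $false $_.Exception.Message }
}

# SRV records: every DC should be advertised under each of these; a DC that is
# absent here cannot be located by clients (or by the other DCs).
foreach ($prefix in '_ldap._tcp', '_kerberos._tcp', '_kpasswd._tcp', '_gc._tcp') {
    $fqdn = "$prefix.$domain"
    try {
        $srv     = @(Resolve-DnsName -Name $fqdn -Type SRV -ErrorAction Stop | Where-Object Type -eq 'SRV')
        $targets = @($srv | Select-Object -ExpandProperty NameTarget | Sort-Object -Unique)
        $missing = @($dcs | Where-Object { $targets -notcontains "$($_).$domain" })
        $detail  = "targets: " + ($targets -join ',')
        if ($missing.Count -gt 0) { $detail += "; missing: " + ($missing -join ',') }
        Add-Result "SRV $fqdn" ($srv.Count -gt 0 -and $missing.Count -eq 0) $detail
    } catch { Add-Result "SRV $fqdn" $false $_.Exception.Message }
}

# Secure channel of THIS machine to the domain (run on the client and on each DC).
try   { Add-Result 'Secure channel' (Test-ComputerSecureChannel -ErrorAction Stop) "$env:COMPUTERNAME -> $domain" }
catch { Add-Result 'Secure channel' $false $_.Exception.Message }

# Computer objects: each DC must sit in the Domain Controllers OU and have the
# Domain Controllers group (well-known RID 516) as its primary group. The dcdiag
# output in the question ("not in the domain controller's OU", failed MachineAccount)
# is exactly this condition.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $dcOU = "OU=Domain Controllers,$((Get-ADDomain -Server $domain).DistinguishedName)"
    foreach ($dc in $dcs) {
        try {
            $c = Get-ADComputer -Identity $dc -Server $domain -Properties primaryGroupID -ErrorAction Stop
            Add-Result "$dc in Domain Controllers OU"  ($c.DistinguishedName -like "CN=*,$dcOU") $c.DistinguishedName
            Add-Result "$dc primary group is DCs (516)" ($c.primaryGroupID -eq 516) "primaryGroupID=$($c.primaryGroupID)"
        } catch { Add-Result "$dc computer object" $false $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize
```

Run it first on a client and then on each DC and compare the tables: a DC that resolves from its own host but is missing from the SRV targets seen by the client, or a DC whose computer object sits outside the Domain Controllers OU, narrows the problem down before anything as invasive as a SYSVOL restore is attempted.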