none
Computer policy could not be updated successfully on Win 7 and XP Computers

    Question

  • Hi All,

    Recently i have upgraded my DCs from 2003 to 2012 , (i have two DCs). After the upgradation i have notice that the group policies are not working the proper way. User configurations are happening but the computer configuration is not updating.

    I would appreciate if somebody can help me on this. Please see the below result when i ran gpupdate.

    C:\Users\subeesh>gpupdate

    Updating Policy... User Policy update has completed successfully.

    Computer policy could not be updated successfully. The following errors were enc ountered: The processing of Group Policy failed. Windows attempted to read the file \\mydomain.com\sysvol\mydomain.com\Policies\{88A6D798-7949-4F1B-A0E0-CBEDE0416F65}\gpt.ini from a domain controller and was not successful. Group Policy s ettings may not be applied until this event is resolved. This issue may be trans ient and could be caused by one or more of the following: a) Name Resolution/Network Connectivity to the current domain controller. b) File Replication Service Latency (a file created on another domain controller  has not replicated to the current domain controller). c) The Distributed File System (DFS) client has been disabled. To diagnose the failure, review the event log or run GPRESULT /H GPReport.html f rom the command line to access information about Group Policy results.

     

    Thanks

    Subeesh Sivadasan




    • Edited by Subeesh07 Thursday, July 30, 2015 12:53 PM
    Thursday, July 30, 2015 12:46 PM

Answers

All replies

  • Yes , I am able to access the SYSVOL and Transferred all FSMO roles to the new server. Please see the screenshot below.

    Thursday, July 30, 2015 1:31 PM
  • Hi Subeesh,

    Can you enable GPO logging on your client machine and upload the log file into portal from where we can download? You can find the steps below on enabling GPO logging. Also, what happens if you run gpupdate /force?

    http://blogs.technet.com/b/csstwplatform/archive/2010/11/09/how-to-enable-gpo-logging-on-windows-7-2008-r2.aspx

    - Umesh.S.K

    Thursday, July 30, 2015 1:43 PM
  • Hi Umesh,

    If i run gpupdate/force getting the same error as i mentioned above.

    I have attached the log file on the below link. Kindly check.


    https://www.wetransfer.com/downloads/64e7a21d7d805e01125c2cf859c27bd020150730151844/17b78a2ef298cee8868221be398af93220150730151844/612b6e

    Regards

    Subeesh Sivadasan




    • Edited by Subeesh07 Thursday, July 30, 2015 3:33 PM
    Thursday, July 30, 2015 3:23 PM
  • Hi Subeesh,

    Couldn't find the group policy template file <\\seefproperties.com\sysvol\seefproperties.com\Policies\{88A6D798-7949-4F1B-A0E0-CBEDE0416F65}\gpt.ini>, error = 0x5. DC: seef-dc02.seefproperties.com

    It looks like an access issue. Can you check the permission on this policy? Compare the permission with other policies and see if anything is missing.

    -Umesh.S.K

    Friday, July 31, 2015 7:09 AM
  • Hi Umesh,

    Thanks for the reply, i have provided below access to the sysvol folder. 

    Folder permissions:
    System -> Full Control
    Authenticated users -> Read
    Administrators -> Full control

    Share permissions:
    Authenticated Users -> Full Control
    Administrators -> Full Control
    Everyone -> Read

    But still we are facing the same issue , is there anything apart from this ?

    Regards

    Subeesh Sivadasan

    Sunday, August 02, 2015 11:20 AM
  • Facing the same issue.. :( 

    C:\Users\subeesh>gpupdate

    Updating Policy... User Policy update has completed successfully.

    Computer policy could not be updated successfully. The following errors were enc ountered: The processing of Group Policy failed. Windows attempted to read the file \\mydomain.com\sysvol\mydomain.com\Policies\{88A6D798-7949-4F1B-A0E0-CBEDE0416F65}\gpt.ini from a domain controller and was not successful. Group Policy s ettings may not be applied until this event is resolved. This issue may be trans ient and could be caused by one or more of the following: a) Name Resolution/Network Connectivity to the current domain controller. b) File Replication Service Latency (a file created on another domain controller  has not replicated to the current domain controller). c) The Distributed File System (DFS) client has been disabled. To diagnose the failure, review the event log or run GPRESULT /H GPReport.html f rom the command line to access information about Group Policy results.

     

    Rgds

    Monday, August 03, 2015 5:48 AM
  • Can you please add creator owner and authenticated users in security tab for sysvol folder as shown below? Creator owner and administrators have same permission.

    -Umesh.S.K

    Monday, August 03, 2015 3:29 PM
  • I have checked the permission as you mentioned above..

    Special permission for administrators is not enabled and i couldn't able to assign the same. I would like to know is there any settings is available for changing the permission ?

    please see the attached screenshot. 







    • Edited by Subeesh07 Tuesday, August 04, 2015 11:35 AM
    Tuesday, August 04, 2015 11:32 AM
  • Hi Subeesh,

    Can you restart FRS or DFSR service and run gpupdate /force?

    -Umesh.S.K

    Tuesday, August 04, 2015 11:59 AM
  • Hi Umesh,

    I have restarted the FSR services.

    I have question regarding DFSR. Should we need to install DFS in 2012 server ?

    2. We need to migrate from FRS to DFSR  once migrated from 2003 to 2012 R2?

    Thursday, August 06, 2015 1:26 PM
  • Hi Subeesh,

    What is the result of restarting FRS service? Did it help?

    Regarding migration from FRS to DFSR, it is recommended to migrate. You can find more info on migration from the below links.

    http://blogs.technet.com/b/filecab/archive/2014/06/25/streamlined-migration-of-frs-to-dfsr-sysvol.aspx

    https://msdn.microsoft.com/en-us/library/windows/desktop/ff384840(v=vs.85).aspx

    https://windorks.wordpress.com/2014/11/24/migrating-frs-replicated-sysvol-to-dfsr/

    -Umesh.S.K

    Thursday, August 06, 2015 1:59 PM
  • Hi Umesh

    No doesn't help me.

    I have removed my 2003 DCs from my network , so the FRS to DFSR migration is possible ?

    Rgds

    Subeesh Sivadasan

    Monday, August 10, 2015 1:27 PM
  • Hi Subeesh,

    Yes, it is possible. You need to raise your DL and FFL to minimum windows 2008. However, I am not sure why you removed 2003 DC even before resolving your SYSVOL issue? For migrating from FRS to DFSR, you can check the below link.

    https://windorks.wordpress.com/2014/11/24/migrating-frs-replicated-sysvol-to-dfsr/

    -Umesh.S.K

    Monday, August 10, 2015 1:34 PM
  • HI Umesh,

    Once i have remove the 2003 DCs , the grop policy issue is started.

    I have upgraded the from FRS to DFSR , but file replication event log i can see the below error and still the computer configuration is not updating.

    "This domain controller has migrated to using the DFS Replication service to replicate the SYSVOL share. Use of the File Replication Service for replication of non-SYSVOL content sets has been deprecated and therefore, the service has been stopped. The DFS Replication service is recommended for replication of folders, the SYSVOL share on domain controllers and DFS link targets ".

    Regards

    Subeesh Sivadasan

     


    • Edited by Subeesh07 Thursday, August 13, 2015 9:18 AM
    Thursday, August 13, 2015 9:12 AM
  • Hi Subeesh,

    This is not an error. Use of the File Replication Service for replication of non-SYSVOL content sets has been deprecated and therefore, the service has been stopped.

    Since you have moved to DFSR, FRS service is now stopped. Do you see any error event logs under DFS Replication as shown below?

    Also, please run the below commands

    dfsrdiag pollad

    dfsrdiag replicationstate

    net share

    If you have a working DC where there is no sysvol issue, then, you can perform D2 restoration as given in this link on the server having issue.

    https://support.microsoft.com/en-in/kb/2218556

    -Umesh.S.K


    • Edited by Umesh S K Thursday, August 13, 2015 9:34 AM
    Thursday, August 13, 2015 9:29 AM
  • Hi Umesh,

    There is no error , but one warning event. please see that below.

     

    The DFS Replication service is stopping communication with partner ADC for replication group Domain System Volume due to an error. The service will retry the connection periodically. 

    Additional Information: 
    Error: 1723 (The RPC server is too busy to complete this operation.) 
    Connection ID: BFE848D8-978D-4D62-B1E2-93932D4A3D77 
    Replication Group ID: 9B13516E-A354-4EBA-9334-AB7143299707

    This error i can see on both the server PDC and ADC. 

    Regards

    Subeesh Sivadasan


    • Edited by Subeesh07 Thursday, August 13, 2015 11:15 AM
    Thursday, August 13, 2015 11:15 AM
  • Do you see any successive event after this?

    -Umesh.S.K

    Thursday, August 13, 2015 11:35 AM
  • Hi Umesh,

    Yes, But the computer configuration is not updating.

    The DFS Replication service successfully established an inbound connection with partner ADC for replication group Domain System Volume. 
     
    Additional Information: 
    Connection Address Used: seef-dc01.seefproperties.com 
    Connection ID: C00A2CB8-2577-4A59-8803-D40E5FF236E6 
    Replication Group ID: 9B13516E-A354-4EBA-9334-AB7143299707

    Regards

    Subeesh Sivadasan



    • Edited by Subeesh07 Thursday, August 13, 2015 12:55 PM
    Thursday, August 13, 2015 12:54 PM
  • I would suggest you do D2 restoration on the DC having issue. You can find the steps in the below link.

    https://support.microsoft.com/en-in/kb/2218556

    -Umesh.S.K

    Thursday, August 13, 2015 1:05 PM