Group policy error event 1058 error code 2 and error code 3

    Question

  • I have read a bunch of threads, but have not yet found anything substantial. I have an error on my file server (1058 error code 2) and client machines (1058 error code 3), but I think both are related to the one issue.

    I am getting something a little weird and would like some help with this. Notice that I am getting the domain name in where the server name should be. I think this might be, before my time, a DFS issue. DFS was installed on the file server and had a namespace set up to use DOMAINNAME.COM, and DFS replicated to a DC.

    If I go to \\DOMAINNAME.COM\SYSVOL\DOMAINNAME.COM\Policies it is empty as the event 1058 suggests, but if I go to \\DOMAINSERVERNAME\sysvol\DOMAINNAME.COM\Policies I see the GPT.ini that the event is asking for. So I think I need a way to update the clients, but I am not sure. Any help would...well help.

    The processing of Group Policy failed. Windows attempted to read the file \\DOMAINNAME.COM\SysVol\DOMAINNAME.COM\Policies\{81D589A0-C32B-4485-BE88-0AFF7E55D5A5}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 

    a) Name Resolution/Network Connectivity to the current domain controller. 

    b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller). 

    c) The Distributed File System (DFS) client has been disabled.

    Wednesday, May 13, 2015 8:02 PM

All replies

  • Hi,

    >>Group policy error event 1058 error code 2 and error code 3

    Can we successfully ping the FQDN of domain controllers from clients? Before going further, we can try to follow the article below to troubleshoot the issue.

    Event ID 1058 — Group Policy Preprocessing (Networking)

    https://technet.microsoft.com/en-us/library/cc727259(v=ws.10).aspx

    Best regards,
    Frank Shen



    Thursday, May 14, 2015 8:30 AM
    Moderator
  • Yes, I can ping the FQDN. I can browse its shares.

    The link does not really help.

    Error code 2 is not there and error code 3 states some things that do not apply (see below). Error codes 5 and 53 are irrelevant.

    From the link with my comments in bold.

    To test client connectivity to the domain controller's sysvol:

      • Identify the domain controller used by computer. The domain controller name is logged in the details of the error event. The DC is not listed in the error. The domainname.com is listed where the DC is supposed to show.
      • Identify if failure happened during user or computer processing. For user policy processing, the User field of the event will show a valid user name; for computer policy processing, the User field will show "SYSTEM". It shows my username.
      • Compose full network path to the gpt.ini as \\<dcName>\SYSVOL\<domain>\Policies\<guid>\gpt.ini where <dcName> is the name of the domain controller, <domain> is the name of the domain, and <guid> is the GUID of the policy folder. All of this information appears in the event. Where the dcName is shown in the example above I see the domainname.com, which I think is wrong.
    1. Verify you can read gpt.ini using the full network path obtained in the previous step. To do this, launch a command window and type <file_path>, where <file_path> is the path constructed in the previous step, and press ENTER. NOTE: You must launch this command as the user or computer whose credentials previously failed. The path does not exist as noted in my example above.

    Thursday, May 14, 2015 2:47 PM
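Added example, not part of the original thread: the read test from the quoted article, run against the domain-based path named in event 1058 and against every domain controller directly, so the two views of SYSVOL can be compared side by side. The GUID is the one from the event text above; the script and its variable names are illustrative.

```powershell
# Added example: compare the domain-based SYSVOL path from event 1058 with the
# same GPO folder on each domain controller.
# Run it as the user (or computer) whose policy processing failed.
param(
    # GUID taken from the event text quoted in the thread
    [string]$GpoGuid = '{81D589A0-C32B-4485-BE88-0AFF7E55D5A5}'
)

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# First entry is the domain name itself (resolved by the DFS client to some DC),
# followed by each DC addressed by its own name.
$targets = @($domain.Name) + @($domain.DomainControllers | ForEach-Object { $_.Name })

$results = foreach ($t in $targets) {
    $path = "\\$t\SYSVOL\$($domain.Name)\Policies\$GpoGuid\gpt.ini"
    $row  = [ordered]@{ Target = $t; Readable = $false; Version = $null; Error = $null }
    try {
        $text = Get-Content -LiteralPath $path -ErrorAction Stop
        $row.Readable = $true
        # gpt.ini carries a "Version=<number>" line; differing values across DCs
        # mean SYSVOL contents are not in sync.
        $m = $text | Select-String -Pattern '^\s*Version\s*=\s*(\d+)' | Select-Object -First 1
        if ($m) { $row.Version = [long]$m.Matches[0].Groups[1].Value }
    } catch {
        $row.Error = $_.Exception.Message
    }
    [pscustomobject]$row
}

$results | Format-Table Target, Readable, Version, Error -AutoSize

$unreadable = $results | Where-Object { -not $_.Readable }
if ($unreadable) {
    Write-Warning ("gpt.ini not readable via: " + ($unreadable.Target -join ', '))
}
```

A row for the domain name that fails while the per-DC rows succeed reproduces the symptom described in the question.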
  • Hello,

    please upload the following files so we get an overview about the DCs and the domain.

    ipconfig /all >c:\ipconfig.log [from each DC/DNS Server]
    dcdiag /v /c /d /e /s:dcname >c:\dcdiag.log
    repadmin /showrepl dc* /verbose /all /intersite >c:\repl.log  ["dc*" is a placeholder for the starting name of the DCs if they all begin the same (if more than one DC exists)]
    dnslint /ad /s "DCipaddress" (http://support.microsoft.com/kb/321045)
    ADREPLSTATUS http://www.microsoft.com/en-us/download/details.aspx?id=30005 can also be exported to file.

    As the output will become large, DON'T post them into the thread, please use Windows OneDrive (https://onedrive.live.com) [with open access!] and add the link from it here. Also the /e in dcdiag scans the complete forest, so better run it on COB.


    Best regards

    Meinolf Weber

    MVP, MCP, MCTS

    Microsoft MVP - Directory Services

    My Blog: http://blogs.msmvps.com/MWeber

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.


    Thursday, May 14, 2015 5:27 PM
  • I have uploaded the requested info. Thanks for your help.

    https://onedrive.live.com/redir?resid=55f81ada9c42ad88!111&authkey=!AGPpyGQJS-JQ6PU&ithint=folder%2ccsv

    Thursday, May 14, 2015 9:56 PM
  • Hello,

    please check for the following error with article http://technet.microsoft.com/en-us/library/cc794759(WS.10).aspx :

    [1] Problem: Missing Expected Value
        Base Object: CN=FQDNDC03,OU=Domain Controllers,DC=DOMAIN,DC=com
        Base Object Description: "DC Account Object"
        Value Object Attribute Name: msDFSR-ComputerReferenceBL
        Value Object Description: "SYSVOL FRS Member Object"
        Recommended Action: See Knowledge Base Article: Q312862

    [2] Problem: Missing Expected Value
        Base Object: CN=FQDNDC04,OU=Domain Controllers,DC=DOMAIN,DC=com
        Base Object Description: "DC Account Object"
        Value Object Attribute Name: msDFSR-ComputerReferenceBL
        Value Object Description: "SYSVOL FRS Member Object"
        Recommended Action: See Knowledge Base Article: Q312862

    For the following one assure that AD sites and services have the correct subnets added and that they are linked to the correct site containing the DCs for the site.

    ==================

    An Warning Event occurred.  EventID: 0x000016AF

                Time Generated: 05/14/2015   17:03:30

                Event String:

                During the past 4.10 hours there have been 29 connections to this Domain Controller from client machines whose IP addresses don't map to any of the existing sites in the enterprise. Those clients, therefore, have undefined sites and may connect to any Domain Controller including those that are in far distant locations from the clients. A client's site is determined by the mapping of its subnet to one of the existing sites. To move the above clients to one of the sites, please consider creating subnet object(s) covering the above IP addresses with mapping to one of the existing sites.  The names and IP addresses of the clients in question have been logged on this computer in the following log file '%SystemRoot%\debug\netlogon.log' and, potentially, in the log file '%SystemRoot%\debug\netlogon.bak' created if the former log becomes full. The log(s) may contain additional unrelated debugging information. To filter out the needed information, please search for lines which contain text 'NO_CLIENT_SITE:'. The first word after this string is the client name and the second word is the client IP address. The maximum size of the log(s) is controlled by the following registry DWORD value 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LogFileMaxSize'; the default is 20000000 bytes.  The current maximum size is 20000000 bytes.  To set a different maximum size, create the above registry value and set the desired maximum size in bytes.

    ======================

    More details about it in https://technet.microsoft.com/en-us/library/cc730868.aspx?f=255&MSPPError=-2147217396


    Best regards

    Meinolf Weber

    MVP, MCP, MCTS

    Microsoft MVP - Directory Services

    My Blog: http://blogs.msmvps.com/MWeber

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.


    Thursday, May 14, 2015 10:10 PM
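Added example, not part of the original thread: a summary of the 'NO_CLIENT_SITE:' lines that the quoted warning says to search for in netlogon.log, grouped so the address ranges lacking a subnet object stand out. The /24 grouping is only an assumption for bucketing, and the sample lines are constructed and used only when the log file is absent.

```powershell
# Added example: list clients that Netlogon could not map to an AD site.
param([string]$LogPath = "$env:SystemRoot\debug\netlogon.log")

function Get-NoClientSite {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Per the event text: the first word after the marker is the client
        # name and the second word is the client IP address.
        if ($line -match 'NO_CLIENT_SITE:\s+(\S+)\s+(\S+)') {
            $ip = $null
            if ([System.Net.IPAddress]::TryParse($Matches[2], [ref]$ip) -and
                $ip.AddressFamily -eq 'InterNetwork') {   # IPv4 only
                [pscustomobject]@{ Client = $Matches[1]; IP = $ip.ToString() }
            }
        }
    }
}

# Constructed sample lines (not taken from the thread's uploaded logs).
$sample = @(
    '05/14 16:58:02 DOMAIN: NO_CLIENT_SITE: PC-0142 10.20.30.41',
    '05/14 16:59:17 DOMAIN: NO_CLIENT_SITE: PC-0107 10.20.30.77',
    '05/14 17:01:45 DOMAIN: NO_CLIENT_SITE: PC-0142 10.20.30.41',
    '05/14 17:02:10 DOMAIN: NO_CLIENT_SITE: LAPTOP-09 192.168.50.12'
)

$lines = if (Test-Path -LiteralPath $LogPath) {
    Get-Content -LiteralPath $LogPath
} else {
    $sample
}

# Bucket by the first three octets (assumed /24) and show the busiest first.
Get-NoClientSite -Lines $lines |
    Group-Object { ($_.IP -split '\.')[0..2] -join '.' } |
    Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            Prefix  = "$($_.Name).0/24"
            Hits    = $_.Count
            Clients = ($_.Group.Client | Sort-Object -Unique) -join ', '
        }
    }
```

Each prefix in the output is a candidate for a subnet object in AD Sites and Services, linked to the site that holds the nearest DC.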
  • Sorry for the long long delay, but I have checked and do not see any old or non-active DCs under the FRS in AD, and the DFS under topology shows a long string of alphanumeric characters.
    • Edited by optechgen Tuesday, June 9, 2015 7:35 PM
    Tuesday, June 9, 2015 7:29 PM
  • Does anyone have anything else I could look at or try?

    Thanks,

    Thursday, June 18, 2015 2:02 PM
  • Anybody?
    Tuesday, July 14, 2015 7:58 PM