none
Processing of Group Policy Failed - Single DC error 1058

    Question

  • I have been getting the error every 5 mins for awhile: 

    The processing of Group Policy failed. Windows attempted to read the file \\xx.company\sysvol\xxx.company\Policies\{0000000-2323-2222-2222-333333}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 
    a) Name Resolution/Network Connectivity to the current domain controller. 
    b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller). 
    c) The Distributed File System (DFS) client has been disabled.


    So - this is a single DC 2008R2.  It started (I think) back when I joined another server on the domain and did a DCPromo to help build some redundancy.  DFS was/is not enabled, do I need to set this up to resolve this?

    User are able to login and policy are working, I only see this error on the DC, but other than the error everything seems to be working fine.  I can access the share \\xx.company\sysvol\xxx.company\Policies\ and see it from all systems on the domain.

    I looked for the Burflags to see if that would help but since there is no DFS there was nothing in the registry. 

    So at this point, I removed the secondary server via DCpromo, going back to just the 1 server DC but I still get the error.  DNS works. When I do a DCDiag everything looks ok except the SysVol - I get about 10 of these

          Starting test: SystemLog
             An error event occurred.  EventID: 0x00000422
                Time Generated: 03/17/2015   14:49:41
                Event String:
                The processing of Group Policy failed... blah blah - same as above. 

    I looked at this link because of the combination of the 2 errors - Error 1058 and 00422 but its suggesting Authoritative restore, but I don't have the replication.  

    Now I am wondering if there is a left over connection somewhere in the system that doesn't know that there isn't another DC on the network?

    So - any suggestions?  Thanks in advance.

    Tuesday, March 17, 2015 7:55 PM

All replies

  • Hi,

    >>Now I am wondering if there is a left over connection somewhere in the system that doesn't know that there isn't another DC on the network?

    Did we clean up the metadata of the removed domain controller? If not, we can follow the article below to do this.

    Clean Up Server Metadata

    https://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx

    Besides, on the existing domain controller, check Applications and Services Logs\FRS or DFSR logs in Event Viewer. If the issue persists, we can follow the method below to do an authoritative restore for Sysvol.

    If we use FRS to replicate Sysvol, we can try to follow the article below to an authoritative restore for Sysvol.

    Using the BurFlags registry key to reinitialize File Replication Service replica sets

    https://support.microsoft.com/en-us/kb/290762

    If we use DFSR to replicate Sysvol, we can try to follow the article below to do an authoritative restore for Sysvol.

    How to force an authoritative and non-authoritative synchronization for DFSR-replicated SYSVOL (like "D4/D2" for FRS)

    https://support.microsoft.com/en-us/kb/2218556

    Best regards,
    Frank Shen


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Wednesday, March 18, 2015 8:46 AM
    Moderator
  • > So - this is a single DC 2008R2.  It started (I think) back when I
    > joined another server on the domain and did a DCPromo to help build some
     
    So it is a single DC or not? (run "dsquery server"...)
     

    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Wednesday, March 18, 2015 8:55 AM
  • Thanks for the speedy reply - 

    I did see the secondary server I removed still in the Sites and Services - and it showed up in the "dsquery server" so I manually deleted it following the metedata cleanup examples.

    There are no errors in the DFS Replication log under Applications and Service Logs.

    After I deleted the old server metadata, the error still occurs every 5 mins.

    I did look at the registry to see if there is anything in there for me to look at the Authoritative Sync (BurFlags) but that does not exist in my registry - I don't have DFS enabled (is that the problem? I never set that up and I only have 1 DC now).  Under Role Services - DFS File System, DFS Namespace and DFS Replication all show up as Not Installed

    Thanks again for the help.

    Wednesday, March 18, 2015 12:17 PM
  • Thanks for the speedy reply - 

    I did see the secondary server I removed still in the Sites and Services - and it showed up in the "dsquery server" so I manually deleted it following the metedata cleanup examples.

    There are no errors in the DFS Replication log under Applications and Service Logs.

    After I deleted the old server metadata, the error still occurs every 5 mins.

    I did look at the registry to see if there is anything in there for me to look at the Authoritative Sync (BurFlags) but that does not exist in my registry - I don't have DFS enabled (is that the problem? I never set that up and I only have 1 DC now).  Under Role Services - DFS File System, DFS Namespace and DFS Replication all show up as Not Installed

    Thanks again for the help.

    Wednesday, March 18, 2015 12:18 PM
  • Hi,

    >>I don't have DFS enabled (is that the problem? I never set that up and I only have 1 DC now).

    Based on the description, originally, was the Sysvol replicated by FRS? If it's this case, were there any logs under FRS? By the way, the BurFlags registry key is for FRS restore.

    Best regards,
    Frank Shen


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Monday, March 23, 2015 3:08 AM
    Moderator
  • No - I didn't set that up and the domain started out as a 2008R2 domain from the get go.

    So the DC is 2008 R2 and I added another 2008R2 server via DCPromo (followed the prompts)  It never asked me about any DFS at the time (that I can remember).  Everything seemed ok - I could ping both servers, DNS was working and to the best of my knowledge it was good.  

    A couple of weeks later I see these errors - after a bit a searching I removed the second server thinking something went bad (via DCPromo - even though users are able to access everything - no issues reported by them and still have no issues as of today - knock on wood!), but the errors are still hanging around and its bugging me. 

    I want to bring in a new server 2012 and eventually remove this "old" server - but I don't want to do anything until I know that the system is stable and good.  

    Thanks so much for the help - this is one of those things that has me boggled and no a lot of info out there for my circumstance.  I don't have a lot of experience with this type of problem.

    Monday, March 23, 2015 6:21 PM
  • Hi,

    >>I don't have DFS enabled (is that the problem? I never set that up and I only have 1 DC now).  

    This should be the problem. For newly created domains operating at the Active Directory domain functional level of Windows Server 2008, DFS Replication is used by default for SYSVOL replication.

    Introduction to Administering DFS-Replicated SYSVOL

    https://technet.microsoft.com/en-us/library/cc794837(v=ws.10).aspx

    Best regards,
    Frank Shen


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, March 31, 2015 3:01 AM
    Moderator