Direct Access client group policy not getting applied RRS feed

  • Question

  • After the installation of DA when I am running the gpupdate /force on the client and it is giving following error

    The processing of group policy failed.Windows attempted to read the file .............................\Policies\{GUID}\gpt.ini from a domain controller and was not successful.

    After checking the event logs we found that to be ID 1058 with error code 3 . 

    On the client if we check the path \\domain\sysvol\polices\  we are not able to find the GUID . Although the path is valid on couple of DC's. We have checked the replication and also did that manually. 

    What could be the issue here.

    Please advice.


    Thursday, September 22, 2011 12:14 PM

All replies

  • Hi,

    can u check the acls on the {guid} folder in sysvol, to check if ntfs permissions are applied correctly?



    Andreas Hecker - Blog: Please remember to use “Mark as Answer” or "vote as helpful" on the posts that help you.
    Thursday, September 22, 2011 8:12 PM
  • Today also the same issue still the gpupdate /force results the same error.

    The permissions seems to be correct on the {guid} folder . I am not sure why the client DA GP is not present in the DC While i am can see that on other DC's.



    Friday, September 23, 2011 6:46 AM
  • I am still facing the same issue . I tried to re apply the group policy however still getting same error while doing gpupdate.






    Tuesday, September 27, 2011 4:01 AM
  • I created one group policy and found it to be getting applied properly. However the GP created by the DA wizard is having issue and not getting applied.

    Here is the error on the client.

    The processing of Group Policy failed. Windows attempted to read the file \\domain.local\SysVol\domain.local\Policies\{8C3503B4-A21F-4EAC-BB61-7D36314517E2}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
    a) Name Resolution/Network Connectivity to the current domain controller.
    b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
    c) The Distributed File System (DFS) client has been disabled.

    ErrorCode 3
      ErrorDescription The system cannot find the path specified. 
      DCName domain-LOCAL.domain.local
      GPOCNName cn={8C3503B4-A21F-4EAC-BB61-7D36314517E2},cn=policies,cn=system,DC=domain,DC=local
      FilePath \\domain.local\SysVol\domain.local\Policies\{8C3503B4-A21F-4EAC-BB61-7D36314517E2}\gpt.ini

    Please assist.





    • Edited by Dharm Singh Wednesday, September 28, 2011 11:54 AM
    Wednesday, September 28, 2011 11:53 AM
  • Have you tried deleting all traces of the DirectAccess GPOs and then letting the wizard re-create them? Make sure to allow sufficient time for replication after taking each step. After you delete the GPOs, I would wait at least 2 hours for replication before attempting to re-create the new ones. You can of course force replication, but it doesn't always work. I have done installs before where the GPOs were not showing up on all domain controllers, and even though we "forced replication" - it didn't actually work. Sometimes AD just takes its sweet time to finish.
    Wednesday, September 28, 2011 12:34 PM
  • Hello Jordan ,

                       Should I manually delete the existing UAG GPO's from UAGwizard itself or in AD before again recreate them. I am using SP1.


    • Edited by Dharm Singh Thursday, September 29, 2011 7:08 AM
    Thursday, September 29, 2011 7:05 AM
  • I usually delete them right from AD. Then you could also choose a new name for them in the UAG wizard to make sure you're setting up 100% new GPOs.

    Let me make sure of one thing - you do not have a live DirectAccess environment correct? I re-read your initial post and I want to confirm that you are having trouble getting the DA GPO to apply for the first time to the clients correct? Or is DirectAccess actually connected already and now you are trying to update the settings with a gpupdate /force while connected via DirectAccess?

    Obviously if you already have DirectAccess running, deleting the GPOs is not in your best interest :) I want to make sure I didn't read your question wrong.

    Thursday, September 29, 2011 12:31 PM
  • You are correct I am having a live DA environment and it is working for some of machines which got the GP.

    However for many we facing the mentioned issue while applying the GP update. I did not deleted the GPO and updated the GP from wizard itself , while making a new security group and applying on it. However still I am facing the same issue .Let me know in case you want me to post some logs.



    • Edited by Dharm Singh Friday, September 30, 2011 5:44 AM
    Friday, September 30, 2011 5:44 AM
  • If you do not get any errors in the DA wizard when the GPOs are being created and populated, and if some of your client machines are successfully receiving these settings and actually working, then it would seem that the problem does not lie with any part of the DA config or with the seems the problem is more likely related to something on a DC or perhaps with replication, or even with particular computers or computer accounts. You may have to do some more generalized AD troubleshooting, or you could also try to find out what commonalities and differences exist between computers that work and computers that don't.
    Friday, September 30, 2011 1:04 PM
  • Is there any way I can manually apply the DA client GP on machines without waiting for the GPupdate to work. Moreover , can we remove them also. As in my case the GP is not updating from the group policy editor.



    Monday, October 3, 2011 6:54 AM