unable to access using \\domain name

  • Question

  • We are facing multiple AD related issues & below are the details.

     

    Issue reported initially:- Unable to create or modify Group policy objects from few domain controllers

    Observations so far:-

    ·         Found Group Policy creation / Modifications working from 2 Domain controllers & same not happening from any of 4 domain controllers.

    ·         Observed continuous 1030 & 1058 Application Error events getting logged on all those 4 domain controllers, indicating “\\domainname\sysvol\Domain.com\Policies\gpo guid\gpt.ini” unable to access

    ·         Observed \\Domain.com\sysvol\ unable to access (giving access denied) from all 4 problematic DCs, but sysvol is accessible when using the IP or hostname (e.g. \\ServerName\SYSVOL or \\X.X.X.X\SYSVOL); \\Domain.com\sysvol\ is accessible from the 2 DCs where Group Policy is working.

    ·         Observed discrepancies in group policies applied in Domain controller

    ·         Observed that none of the file shares (not only sysvol) on the server can be accessed using the domain FQDN on the problematic DC servers

    ·         Observed discrepancies in SYSVOL contents ( there are NTFrs_preExisting___ folders created)

    ·         Found that the Netlogon share only exists on the RDC server (problematic) & that itself is pointing to the NtFrs_PreExisting___See_EventLog\scripts folder. There is no Netlogon share even on the other servers where GP is working.

    ·         Getting a “Windows cannot read template information” error for local policies\security options etc. (GPEDIT / secpol) itself on all domain controllers

     

     Below are the activities mainly carried out:-

     

    1.       Metadata cleanup to remove decommissioned servers & avoided replication errors

    2.       PDC Emulator Role transfer & verification.

    3.       Verifying SYSVOL share & Folder permissions in all DCs

    4.       Ensuring client for MS networks, File & print sharing Enabled & TCP/IP NetBIOS Helper service, the Net Logon service, and the Remote

    5.       Procedure Call (RPC) service in problematic DCs

    6.       Found DFS Management component installed in working server ( but not configured ) so installed same in other DCs & checked.

    7.       Changing “enablesecuritysignature” settings in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver( or lanmanworkstation)\parameters & restarting workstation /server service as per KB article.

    8.       Trying Microsoft network server/client : Digitally sign communications settings in group policy applied.

    9.       Ensuring that the domain controllers are not in a journal wrap state

    10.   Ensuring the Bypass traverse checking right is granted to the required groups

    11.   Verifying Server message block (SMB) signing configuration.

    12.   Trying “ WaitForNetwork” settings in registry (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon)

    13.   Ensuring necessary services

    14.   Run the Dfsutil /PurgeMupCache command.

    15.   Checked for viruses & couldn’t find any (AV definitions are up to date too).

    16.   Removed the ghost trust object found ( realm trust with Root DC itself ) 

     

    But the issue is still not resolved and we are facing Access denied while accessing \\domain.com\anyshare, thus we are unable to create group policies.

    Articles already tried:

    Relevant links found & checked

    http://support.microsoft.com/kb/839499

    http://support.microsoft.com/kb/887303

    http://support.microsoft.com/kb/908370

    http://support.microsoft.com/kb/887303/en-us

    http://support.microsoft.com/kb/315457/

    http://support.microsoft.com/kb/292438/

    http://support.microsoft.com/kb/842804

    http://support.microsoft.com/kb/216498

     

    Friday, January 15, 2010 1:52 PM
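
The checks listed in the question (share presence, SMB signing values, and access to SYSVOL by server name versus domain name) collected into one read-only PowerShell script, as an added example that is not part of the original post. The function names and the `$Domain` default are assumptions; the registry keys are the ones named in the post, and `RequireSecuritySignature` is the companion value to the one the post mentions.

```powershell
# Added example, read-only. $Domain is a placeholder; function names are illustrative.
param(
    [string]$Domain = 'Domain.com',
    [string]$Server = $env:COMPUTERNAME
)

function Get-SmbSigningState {
    # SMB signing values for the Server and Workstation services.
    # An unset value is reported as 0, which may differ from the OS default.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in 'LanmanServer', 'LanmanWorkstation') {
        $p = Get-ItemProperty -Path "$base\$svc\Parameters" -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            Service = $svc
            Enable  = [int]$p.EnableSecuritySignature
            Require = [int]$p.RequireSecuritySignature
        }
    }
}

function Test-SigningMismatch($State) {
    # One side requires signing while the other side neither enables nor requires it.
    $srv = $State | Where-Object { $_.Service -eq 'LanmanServer' }
    $wks = $State | Where-Object { $_.Service -eq 'LanmanWorkstation' }
    $wksOff = ($wks.Enable -eq 0 -and $wks.Require -eq 0)
    $srvOff = ($srv.Enable -eq 0 -and $srv.Require -eq 0)
    return (($srv.Require -eq 1 -and $wksOff) -or ($wks.Require -eq 1 -and $srvOff))
}

$state = @(Get-SmbSigningState)
$state | Format-Table Service, Enable, Require -AutoSize
if (Test-SigningMismatch $state) {
    Write-Warning 'SMB signing is required on one side and disabled on the other.'
}

# SYSVOL and NETLOGON should both be shared, and not from an NtFrs_PreExisting folder.
$shares = @(Get-WmiObject Win32_Share | Where-Object { 'SYSVOL', 'NETLOGON' -contains $_.Name })
foreach ($name in 'SYSVOL', 'NETLOGON') {
    $s = $shares | Where-Object { $_.Name -eq $name }
    if (-not $s) { Write-Warning "$name share is missing" }
    elseif ($s.Path -like '*NtFrs_PreExisting*') { Write-Warning "$name points to $($s.Path)" }
}

# Compare access by server name with access by domain name.
foreach ($unc in "\\$Server\SYSVOL", "\\$Domain\SYSVOL") {
    $ok = Test-Path -Path $unc -ErrorAction SilentlyContinue
    '{0,-40} {1}' -f $unc, $(if ($ok) { 'accessible' } else { 'NOT accessible' })
}
```

Running it on one working and one problematic DC and comparing the output side by side shows which of the three checks differs between them.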

Answers

  • Hi Sumesh,

     

    If you run " NET SHARE" on the problematic DC, can you see the SYSVOL and NETLOGON in the list of folders?

     

    To troubleshoot this issue, please check the following steps to see if it helps:

     

    1.     Are the problematic DCs using Giga-byte NIC? If so, please update the NIC so it is up to date.

    2.     You may also need to install update 948496 to turn off the default SNP.

    3.     Reset User Rights in the Default Domain Group Policy for problematic DCs.

    You can refer to:

    How To Reset User Rights in the Default Domain Group Policy in Windows Server 2003

    http://support.microsoft.com/kb/324800

     

    Please try the above steps and let us know your results.

     

    Sincerely,

    Wilson Jia


    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by Wilson Jia Monday, January 25, 2010 1:30 AM
    Friday, January 22, 2010 6:32 AM

All replies

  • Can you post the output of IPCONFIG /ALL and DCDIAG /c /v from one problematic and one "healthy" DC?

    Marcin
    Friday, January 15, 2010 3:06 PM