none
Error al procesar la directiva de grupo. Windows no pudo leer el archivo \\domain \SysVol\domain\Policies\{0288F31C-08F2-40F5-B25A-C72D77FEE1CA}\gpt.ini RRS feed

  • Pregunta

  • Hola a todos,

    Estoy experimentando este error en mi infraestructura, tengo tres controladores de dominio, en dos sitios diferentes, el fsmo y una replica en un sitio, una replica mas en otro sitio, al revisar las carpetas compartidas en los tres dc, no existe esta directiva (\\ip_dc\sysvol\domain\Policies), al hacer un dcdiag pasa todas las pruebas, pongo aca algunos test que he hecho:

    C:\Windows\system32>gpupdate /force

    Updating Policy...

    User policy could not be updated successfully. The following errors were encountered:

     

    The processing of Group Policy failed. Windows attempted to read the file \\dominio\SysVol\dominio\Policies\{0288F31C-08F2-40F5-B25A-C72D77FEE1CA}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:

    a) Name Resolution/Network Connectivity to the current domain controller.

    b) File Replication Service Latency (a file created on another domain controller  has not replicated to the current domain controller).

    c) The Distributed File System (DFS) client has been disabled. Computer Policy update has completed successfully.

     

    To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

     

    C:\Windows\system32>dcdiag /test:replications

    Directory Server Diagnosis

    Performing initial setup:

       Trying to find home server...

       Home Server = FSMO

       * Identified AD Forest.

       Done gathering initial info.

     

    Doing initial required tests

     

       Testing server: Humuya\FSMO

          Starting test: Connectivity

             ......................... FSMO passed test Connectivity

     

    Doing primary tests

     

       Testing server: Humuya\FSMO

          Starting test: Replications

             ......................... FSMO passed test Replications

     

     

       Running partition tests on : DomainDnsZones

     

       Running partition tests on : ForestDnsZones

     

       Running partition tests on : Schema

     

       Running partition tests on : Configuration

     

       Running partition tests on : se

     

       Running enterprise tests on : dominio

     

    C:\Windows\system32>dcdiag /test:netlogons

     

    Directory Server Diagnosis

     

    Performing initial setup:

       Trying to find home server...

       Home Server = FSMO

       * Identified AD Forest.

       Done gathering initial info.

     

    Doing initial required tests

     

       Testing server: Humuya\FSMO

          Starting test: Connectivity

             ......................... FSMO passed test Connectivity

     

    Doing primary tests

     

       Testing server: Humuya\FSMO

          Starting test: NetLogons

             ......................... FSMO passed test NetLogons

       Running partition tests on : DomainDnsZones

       Running partition tests on : ForestDnsZones

       Running partition tests on : Schema

       Running partition tests on : Configuration

       Running partition tests on : se

       Running enterprise tests on : dominio

     

    C:\Windows\system32>DSQUERY COMPUTER "DC=se,DC=hn" -limit 10000 -o rdn > c:\Comp

    uters.TXT

     

    C:\Windows\system32>dcdiag

     

    Directory Server Diagnosis

     

    Performing initial setup:

       Trying to find home server...

       Home Server = FSMO

       * Identified AD Forest.

       Done gathering initial info.

     

    Doing initial required tests

     

       Testing server: Humuya\FSMO

          Starting test: Connectivity

             ......................... FSMO passed test Connectivity

     

    Doing primary tests

     

       Testing server: Humuya\FSMO

          Starting test: Advertising

             ......................... FSMO passed test Advertising

          Starting test: FrsEvent

             There are warning or error events within the last 24 hours after the

             SYSVOL has been shared.  Failing SYSVOL replication problems may cause

             Group Policy problems.

             ......................... FSMO passed test FrsEvent

          Starting test: DFSREvent

             ......................... FSMO passed test DFSREvent

          Starting test: SysVolCheck

             ......................... FSMO passed test SysVolCheck

          Starting test: KccEvent

             ......................... FSMO passed test KccEvent

          Starting test: KnowsOfRoleHolders

             ......................... FSMO passed test KnowsOfRoleHolders

          Starting test: MachineAccount

             ......................... FSMO passed test MachineAccount

          Starting test: NCSecDesc

             ......................... FSMO passed test NCSecDesc

          Starting test: NetLogons

             ......................... FSMO passed test NetLogons

          Starting test: ObjectsReplicated

             ......................... FSMO passed test ObjectsReplicated

          Starting test: Replications

             ......................... FSMO passed test Replications

          Starting test: RidManager

             ......................... FSMO passed test RidManager

          Starting test: Services

             ......................... FSMO passed test Services

          Starting test: SystemLog

             An error event occurred.  EventID: 0x00000422

                Time Generated: 10/14/2015   13:48:57

                Event String:

                The processing of Group Policy failed. Windows attempted to read the

     file \\dominio\SysVol\dominio\Policies\{0288F31C-08F2-40F5-B25A-C72D77FEE1CA}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:

             An error event occurred.  EventID: 0x0000165B

                Time Generated: 10/14/2015   13:49:24

                Event String:

                The session setup from computer 'JOHN' failed because the security d

    atabase does not contain a trust account 'JOHN$' referenced by the specified com

    puter.

             An error event occurred.  EventID: 0x000016AD

                Time Generated: 10/14/2015   13:51:40

                Event String:

                The session setup from the computer JOHN failed to authenticate. The  following error occurred:

             An error event occurred.  EventID: 0x00000422

                Time Generated: 10/14/2015   13:52:57

                Event String:

                The processing of Group Policy failed. Windows attempted to read the

     file \\dominio\SysVol\dominio\Policies\{0288F31C-08F2-40F5-B25A-C72D77FEE1CA}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:

             An error event occurred.  EventID: 0x0000165B

                Time Generated: 10/14/2015   13:56:52

                Event String:

                The session setup from computer 'DDEY-ADM' failed because the security database does not contain a trust account 'DDEY-ADM$' referenced by the specified computer.

             An error event occurred.  EventID: 0x000016AD

                Time Generated: 10/14/2015   13:59:00

                Event String:

                The session setup from the computer DDEY-ADM failed to authenticate.

     The following error occurred:

             An error event occurred.  EventID: 0x0000165B

                Time Generated: 10/14/2015   14:15:52

                Event String:

                The session setup from computer 'LEMADM13100' failed because the security database does not contain a trust account 'LEMADM13100$' referenced by the

     specified computer.

             ......................... FSMO failed test SystemLog

          Starting test: VerifyReferences

             ......................... FSMO passed test VerifyReferences

     

     

       Running partition tests on : DomainDnsZones

          Starting test: CheckSDRefDom

             ......................... DomainDnsZones passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... DomainDnsZones passed test

             CrossRefValidation

     

       Running partition tests on : ForestDnsZones

          Starting test: CheckSDRefDom

             ......................... ForestDnsZones passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... ForestDnsZones passed test

             CrossRefValidation

     

       Running partition tests on : Schema

          Starting test: CheckSDRefDom

             ......................... Schema passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... Schema passed test CrossRefValidation

     

       Running partition tests on : Configuration

          Starting test: CheckSDRefDom

             ......................... Configuration passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... Configuration passed test CrossRefValidation

     

       Running partition tests on : se

          Starting test: CheckSDRefDom

             ......................... se passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... se passed test CrossRefValidation

     

       Running enterprise tests on : dominio

          Starting test: LocatorCheck

             ......................... dominio passed test LocatorCheck

          Starting test: Intersite

             ......................... dominio passed test Intersite

     

    C:\Windows\system32>dcdiag /test:registerindns /dnsdomain:dominio /v

       Starting test: RegisterInDNS

          DNS configuration is sufficient to allow this domain controller to dynamically register the domain controller Locator records in DNS.

     

          The DNS configuration is sufficient to allow this computer to dynamically register the A record corresponding to its DNS name.

     

          ......................... FSMO passed test RegisterInDNS

     

    C:\Windows\system32>repadmin /showrepl FSMO.dominio

    Humuya\FSMO

    DSA Options: IS_GC

    Site Options: (none)

    DSA object GUID: 66ba0baf-2380-4ad2-a501-f3ea48bbc62b

    DSA invocationID: 93dbf090-547d-458f-831a-1428c4842c0d

     

    ==== INBOUND NEIGHBORS ======================================

     

    DC=se,DC=hn

        Comayaguela\REPLICA1 via RPC

            DSA object GUID: d933bd8b-acae-4d38-bcc8-2eb1b6cea373

            Last attempt @ 2015-10-14 14:23:45 was successful.

        Humuya\REPLICA2 via RPC

            DSA object GUID: 4cc56b2c-f7d8-4587-908a-12f064e054a8

            Last attempt @ 2015-10-14 14:29:03 was successful.

     

    CN=Configuration,DC=se,DC=hn

        Humuya\REPLICA2 via RPC

            DSA object GUID: 4cc56b2c-f7d8-4587-908a-12f064e054a8

            Last attempt @ 2015-10-14 13:53:45 was successful.

        Comayaguela\REPLICA1 via RPC

            DSA object GUID: d933bd8b-acae-4d38-bcc8-2eb1b6cea373

            Last attempt @ 2015-10-14 14:23:45 was successful.

     

    CN=Schema,CN=Configuration,DC=se,DC=hn

        Humuya\REPLICA2 via RPC

            DSA object GUID: 4cc56b2c-f7d8-4587-908a-12f064e054a8

            Last attempt @ 2015-10-14 13:53:45 was successful.

        Comayaguela\REPLICA1 via RPC

            DSA object GUID: d933bd8b-acae-4d38-bcc8-2eb1b6cea373

            Last attempt @ 2015-10-14 14:23:45 was successful.

    DC=ForestDnsZones,DC=se,DC=hn

        Humuya\REPLICA2 via RPC

            DSA object GUID: 4cc56b2c-f7d8-4587-908a-12f064e054a8

            Last attempt @ 2015-10-14 13:53:45 was successful.

        Comayaguela\REPLICA1 via RPC

            DSA object GUID: d933bd8b-acae-4d38-bcc8-2eb1b6cea373

            Last attempt @ 2015-10-14 14:23:45 was successful.

     

    DC=DomainDnsZones,DC=se,DC=hn

        Humuya\REPLICA2 via RPC

            DSA object GUID: 4cc56b2c-f7d8-4587-908a-12f064e054a8

            Last attempt @ 2015-10-14 13:53:45 was successful.

        Comayaguela\REPLICA1 via RPC

            DSA object GUID: d933bd8b-acae-4d38-bcc8-2eb1b6cea373

            Last attempt @ 2015-10-14 14:23:45 was successful.

    miércoles, 14 de octubre de 2015 21:31

Todas las respuestas

  • Hola "EGarrido" como estas,

    Por lo que veo "no pasa todas las pruebas".
    Gustaría saber algunos detalles de tu organización:

    1 - Desde cuando sucede esto ? se realizaron cambios.
    2 - Son servers fisicos o VM ?
    3 - Que sistema operativo tienen ? está instalado el ultimo service pack disponible.
    4 - Los 3 servers tienen instalado DNS integrado ?

    Acciones:

    1 - Desde event viewer busca solo los errores y postea el # y el source de cada uno.
    2 - Desde cada DC ejecuta "ipconfig /all" y postea el mensaje. Verifcar IP, Mask, Gat y DNS.
    3 - Desde un server ejecuta y postea "netdom query fsmo"
    4 - Verifica tener todos los servicios corriendo.
    5 - Verifica la hora de los 3 servers.

    ////////////////////////////////////////////////////////////////////////////////

    1.Click Start, click Run, type regedit in the Open box, and then click OK.
    2.Expand the following subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mup

    3.Click Mup, and then in the right pane, search for a DWORD value entry that is named DisableDFS.
    4.If the DisableDFS entry exists and the value data is  1, double-click DisableDFS. In the Value data box, type 0, and then click OK. If the DisableDFS value data is already 0, or if the DisableDFS entry does not exist, do not make any change.
    5.Quit Registry Editor.
    6.If you changed the DisableDFS value data, restart the computer.

    Dato tecnico:

    Troubleshooting File Replication Service
    https://technet.microsoft.com/en-us/library/bb727056.aspx

    Event ID 1058 — Group Policy Preprocessing (Networking)
    http://social.technet.microsoft.com/wiki/contents/articles/1456.event-id-1058-group-policy-preprocessing-networking.aspx

    How to rebuild the SYSVOL tree and its content in a domain
    https://support.microsoft.com/en-us/kb/315457

    Dcgpofix
    https://technet.microsoft.com/en-us/library/hh875588.aspx

    Espero sea de ayuda. Saludos.

    jueves, 15 de octubre de 2015 2:49
  • Graciaspor responder, aca las respuestas:

    1: empezo a susceder esta semana

    2.- El FSMO es fisico, la replica en el sitio donde esta el fsmo es virtual, y la otra replica es fisica

    3.- Windows server 2008 R2 los tres, los tres estan actualizados.

    4.- los tres tiene DNS integragdo

    Acciones:

    1.1.-Log Name: System

    Source: NETLOGON

    EventID: 5722

    Logged: 10/15/2015 8:20:37 AM

    The session setup from the computer CHOAME060101 failed to authenticate. The name(s) of the account(s) referenced in the security database is CHOAME060101$.  The following error occurred:
    Access is denied.

    1.2.- Log Name: System

    Source: GroupPolicy

    EventID: 1058

    Logged: 10/15/2015 8:15 AM

    The processing of Group Policy failed. Windows attempted to read the file \\se.hn\SysVol\se.hn\Policies\{0288F31C-08F2-40F5-B25A-C72D77FEE1CA}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
    a) Name Resolution/Network Connectivity to the current domain controller.
    b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
    c) The Distributed File System (DFS) client has been disabled.

    2.-

    FSMO:

    C:\Windows\system32>ipconfig /all

     

    Windows IP Configuration

     

       Host Name . . . . . . . . . . . . : TUCAN

       Primary Dns Suffix  . . . . . . . : se.hn

       Node Type . . . . . . . . . . . . : Hybrid

       IP Routing Enabled. . . . . . . . : No

       WINS Proxy Enabled. . . . . . . . : No

       DNS Suffix Search List. . . . . . : se.hn

     

    Ethernet adapter Local Area Connection:

     

       Connection-specific DNS Suffix  . : se.hn

       Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDIS

     VBD Client)

       Physical Address. . . . . . . . . : D4-AE-52-8F-7A-1E

       DHCP Enabled. . . . . . . . . . . : No

       Autoconfiguration Enabled . . . . : Yes

       IPv4 Address. . . . . . . . . . . : 172.17.32.10(Preferred)

       Subnet Mask . . . . . . . . . . . : 255.255.248.0

       Default Gateway . . . . . . . . . : 172.17.32.252

       DNS Servers . . . . . . . . . . . : 172.17.32.10

                                           172.17.32.12

                                           172.17.0.4

                                           127.0.0.1

       NetBIOS over Tcpip. . . . . . . . : Enabled

     

    Tunnel adapter isatap.se.hn:

     

       Media State . . . . . . . . . . . : Media disconnected

       Connection-specific DNS Suffix  . : se.hn

       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2

       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0

       DHCP Enabled. . . . . . . . . . . : No

       Autoconfiguration Enabled . . . . : Yes

     

    Tunnel adapter Teredo Tunneling Pseudo-Interface:

     

       Media State . . . . . . . . . . . : Media disconnected

       Connection-specific DNS Suffix  . :

       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface

       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0

       DHCP Enabled. . . . . . . . . . . : No

       Autoconfiguration Enabled . . . . : Yes

     

     

    REPLICA Virtual:

    C:\Windows\system32>ipconfig /all

     

    Windows IP Configuration

     

       Host Name . . . . . . . . . . . . : IBIS

       Primary Dns Suffix  . . . . . . . : se.hn

       Node Type . . . . . . . . . . . . : Hybrid

       IP Routing Enabled. . . . . . . . : No

       WINS Proxy Enabled. . . . . . . . : No

       DNS Suffix Search List. . . . . . : se.hn

     

    Ethernet adapter Local Area Connection:

     

       Connection-specific DNS Suffix  . : se.hn

       Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection

       Physical Address. . . . . . . . . : 00-50-56-AD-3F-23

       DHCP Enabled. . . . . . . . . . . : No

       Autoconfiguration Enabled . . . . : Yes

       IPv4 Address. . . . . . . . . . . : 172.17.32.12(Preferred)

       Subnet Mask . . . . . . . . . . . : 255.255.248.0

       Default Gateway . . . . . . . . . : 172.17.32.252

       DNS Servers . . . . . . . . . . . : 172.17.32.10

                                           172.17.32.12

                                           172.17.0.4

                                           127.0.0.1

       NetBIOS over Tcpip. . . . . . . . : Enabled

     

    Tunnel adapter Teredo Tunneling Pseudo-Interface:

     

       Media State . . . . . . . . . . . : Media disconnected

       Connection-specific DNS Suffix  . :

       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface

       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0

       DHCP Enabled. . . . . . . . . . . : No

       Autoconfiguration Enabled . . . . : Yes

     

    Tunnel adapter isatap.se.hn:

     

       Media State . . . . . . . . . . . : Media disconnected

       Connection-specific DNS Suffix  . : se.hn

       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2

       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0

       DHCP Enabled. . . . . . . . . . . : No

       Autoconfiguration Enabled . . . . : Yes

     

     

    REPLICA EN EL OTRO SITIO, FISICO:

    C:\Windows\system32>ipconfig /all

     

    Windows IP Configuration

     

       Host Name . . . . . . . . . . . . : AVESTRUZ

       Primary Dns Suffix  . . . . . . . : se.hn

       Node Type . . . . . . . . . . . . : Hybrid

       IP Routing Enabled. . . . . . . . : No

       WINS Proxy Enabled. . . . . . . . : No

       DNS Suffix Search List. . . . . . : se.hn

     

    Ethernet adapter Local Area Connection:

     

       Connection-specific DNS Suffix  . : se.hn

       Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDIS

     VBD Client)

       Physical Address. . . . . . . . . : D4-AE-52-8F-83-C0

       DHCP Enabled. . . . . . . . . . . : No

       Autoconfiguration Enabled . . . . : Yes

       IPv4 Address. . . . . . . . . . . : 172.17.0.4(Preferred)

       Subnet Mask . . . . . . . . . . . : 255.255.248.0

       Default Gateway . . . . . . . . . : 172.17.0.255

       DNS Servers . . . . . . . . . . . : 172.17.32.10

                                           172.17.0.4

                                           172.17.32.12

                                           127.0.0.1

       NetBIOS over Tcpip. . . . . . . . : Enabled

     

    Tunnel adapter isatap.se.hn:

     

       Media State . . . . . . . . . . . : Media disconnected

       Connection-specific DNS Suffix  . : se.hn

       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2

       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0

       DHCP Enabled. . . . . . . . . . . : No

       Autoconfiguration Enabled . . . . : Yes

     

    Tunnel adapter Teredo Tunneling Pseudo-Interface:

     

       Media State . . . . . . . . . . . : Media disconnected

       Connection-specific DNS Suffix  . :

       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface

       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0

       DHCP Enabled. . . . . . . . . . . : No

       Autoconfiguration Enabled . . . . : Yes

     

     3.- REPLICA VIRTUAL:

    C:\Windows\system32>netdom query fsmo

    Schema master               TUCAN.se.hn

    Domain naming master        TUCAN.se.hn

    PDC                         TUCAN.se.hn

    RID pool manager            TUCAN.se.hn

    Infrastructure master       TUCAN.se.hn

    The command completed successfully.

     

    REPLICA FISICA EN OTRO SITIO:

    C:\Users\jdonaire>NETDOM QUERY FSMO

    Schema master               TUCAN.se.hn

    Domain naming master        TUCAN.se.hn

    PDC                         TUCAN.se.hn

    RID pool manager            TUCAN.se.hn

    Infrastructure master       TUCAN.se.hn

    The command completed successfully.

    4.- Microsoft .NET Framework NGEN v4.0.30319_X64

    de lo que estan automaticos solo este no esta iniciado

    SSDP Discovery esta deshabilitado (Disabled)

    UPnP Device Host Disabled

    5.- la hora esta bien, es la misma en los tres servers, y las maquinas tienen la misma.

    A la espera de sus valiosos comentarios

    jueves, 15 de octubre de 2015 14:50
  • Hola,

    Estoy siguiendo el articulo:

    https://support.microsoft.com/en-us/kb/2218556

    pero no tengo dentro de mi arbol de consola CN=DFSR-LocalSettings,CN=<the server name>,OU=Domain Controllers,DC=<domain>, (msDFSR-Enabled=FALSE) en su lugar se encuentra:

    CN=NTFRS Subscriptions

    Revise los otros articulos y se aplican a windows server 2003.

    A la espera de sus valiosos comentarios

    jueves, 15 de octubre de 2015 20:01