Group Policy - Event ID Errors 1030 & 1058

  • Question

  • I am seeing errors relating to Group Policy objects in the Application Event Logs for my DCs.

    I realise that this topic is in the FAQ and am about to try the items in the answer, but I am concerned that I have two policy directories, one with the same name as shown in the FAQ, and another, which seems to be more current.

    Event ID 1030

    User NTAuthority/System

    Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


    The earliest related message seems to be

    Event ID 1058

    User NTAuthority/System

    Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=daveathome,DC=org. The file must be present at the location <\\daveathome.org\sysvol\daveathome.org\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Access is denied. ). Group Policy processing aborted.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    Under C:\WINDOWS\SYSVOL, I have directories

    C:\WINDOWS\SYSVOL\sysvol\daveathome.org\policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}

    C:\WINDOWS\SYSVOL\sysvol\daveathome.org\policies\{31B2F340-016D-11D2-945F-00C04FB984F9}

    the gpt.ini file in the former is dated recently (yesterday), whereas the file in the latter is dated from 2006 but is the directory referenced in the Event Log entry ?

    The Event ID 1058 message is looking at the older file ?

    The same directories and files are present on both DCs

    Can anyone shed some light on this please ?

    regards

    Dave

    Wednesday, August 4, 2010 11:26 AM

Answers

  • Hello,

    your problem belongs to the multihoming of the DCs, using more than one IP address on them. Please remove one on each of them and use only ONE IP address for the machine.

    After removing, clean up the DNS forward/reverse lookup zones from the removed IP address and run ipconfig /flushdns and ipconfig /registerdns and restart the netlogon service or reboot the servers.

    As "powerapp120" doesn't seem to be a DNS server, use only the DC with DNS installed on the NIC.

    It is recommended to have at least 2 DC/DNS/GC per domain for redundancy and failover. I suggest to use AD integrated DNS zones on the DC/DNS server and then install also the DNS server role on "powerapp120", don't configure anything after installation. If the DNS zones have replicated, takes some time, reconfigure the DNS server on the NICs to use itself as preferred and the other DNS as secondary.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    • Marked as answer by dave_home Thursday, August 5, 2010 6:31 AM
    Wednesday, August 4, 2010 2:32 PM

All replies

  • Hello,

    the 6AC1786C... is the "default domain controllers policy" and the 31B2F340... is the "default domain policy". Don't mess with them.

    Errors like that can belong to not optimally configured DNS, please post an unedited ipconfig /all from both DCs.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Wednesday, August 4, 2010 12:31 PM
  • Hi Meinolf,

    thanks a lot for the reply, OK - as shown . . .

    Microsoft Windows [Version 5.2.3790]
    (C) Copyright 1985-2003 Microsoft Corp.

    U:\>ipconfig/all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : proliant-dl360
       Primary Dns Suffix  . . . . . . . : daveathome.org
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : daveathome.org

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Compaq NC3163 Fast Ethernet NIC #2
       Physical Address. . . . . . . . . : 00-02-A5-8B-AD-3D
       DHCP Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : 192.168.1.7
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.1.1
       DNS Servers . . . . . . . . . . . : 192.168.1.7

    Ethernet adapter Local Area Connection 2:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Compaq NC3163 Fast Ethernet NIC
       Physical Address. . . . . . . . . : 00-02-A5-8B-AD-3C
       DHCP Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : 192.168.1.8
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . :
       DNS Servers . . . . . . . . . . . : 192.168.1.7

     

     


    (C) Copyright 1985-2003 Microsoft Corp.

    U:\>ipconfig /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : powerapp120
       Primary Dns Suffix  . . . . . . . : daveathome.org
       Node Type . . . . . . . . . . . . : Unknown
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : daveathome.org

    Ethernet adapter Local Area Connection 2:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) PRO/100 Network Connection
       Physical Address. . . . . . . . . : 00-B0-D0-E1-EF-7A
       DHCP Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : 192.168.1.26
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.1.1
       DNS Servers . . . . . . . . . . . : 192.168.1.7

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) PRO/100 Network Connection #2
       Physical Address. . . . . . . . . : 00-B0-D0-E1-EF-79
       DHCP Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : 192.168.1.25
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.1.1
       DNS Servers . . . . . . . . . . . : 192.168.1.7

    I've just noticed that I'm missing a Default Gateway on one NIC that I should probably add.

    Also, that both DCs are pointing to DC1 (192.168.1.7) for DNS, I guess that DC1 should point to DC2 ?

     (I think I screwed this up when I removed and re-added the DNS Servers yesterday)

    Are either of these likely to be the cause of the issue, or is anything else not correct ?

    regards

    Dave

    Wednesday, August 4, 2010 2:20 PM
  • Hi Meinolf,

    thanks a lot - I will remove the second IP address. In fact, at least one of the machines supports NIC teaming, so I will look to configure that (with a single IP address) to include some level of redundancy.

    The PowerApp is configured as a DNS Server (if I have done it correctly!) and replication seems to be working between the two DCS/DNS Servers - DNS is configured as ADI so there should not be a difference between the two machines ?

    The other difference that I see in the ipconfig output is that the PowerApp node type is Unknown rather than Hybrid as shown on the other machine. Is that why you think that it is not a DNS server ? What could cause that ? As I say, DNS does appear to be installed ?

    regards

    Dave

    Wednesday, August 4, 2010 2:46 PM
  • I'm sure it's bad form, but I'll reply to my own post !

    Doing a bit of research into NIC Teaming, it seems like this is not a great idea, particularly on DCs, so I'm going to go with Meinolf's original suggestion, and just remove one of the DC's IP Addresses by disabling the second NIC.

    regards

    Dave

    Wednesday, August 4, 2010 4:09 PM
  • Meinolf,

    I've disabled one of the NICs and followed your advice above, but the errors are still appearing ?

    ipconfig /all now reports :-

    U:\>ipconfig /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : proliant-dl360
       Primary Dns Suffix  . . . . . . . : daveathome.org
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : daveathome.org

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Compaq NC3163 Fast Ethernet NIC #2
       Physical Address. . . . . . . . . : 00-02-A5-8B-AD-3D
       DHCP Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : 192.168.1.7
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.1.1
       DNS Servers . . . . . . . . . . . : 192.168.1.7

    U:\>

    and

    C:\Documents and Settings\administrator.DAVEATHOME>ipconfig /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : powerapp120
       Primary Dns Suffix  . . . . . . . : daveathome.org
       Node Type . . . . . . . . . . . . : Unknown
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : daveathome.org

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) PRO/100 Network Connection #2
       Physical Address. . . . . . . . . : 00-B0-D0-E1-EF-79
       DHCP Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : 192.168.1.25
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.1.1
       DNS Servers . . . . . . . . . . . : 192.168.1.7

    C:\Documents and Settings\administrator.DAVEATHOME>

    regards

    Dave

     

    Wednesday, August 4, 2010 5:01 PM
  • Please check whether you have any policy conflict or restriction group policy configured.

    Why are you using DNS 192.168.1.7? Why not the actual IP of your server, that is 192.168.1.25... or else it's not a DNS server.

    Wednesday, August 4, 2010 5:09 PM
  • Hi Ahmed,

    there are two DC's both configured as DNS servers,

    Host Name . . . . . . . . . . . . : proliant-dl360

    IP Address. . . . . . . . . . . . : 192.168.1.7

    and

    Host Name . . . . . . . . . . . . : powerapp120

    IP Address. . . . . . . . . . . . : 192.168.1.25

    The second one should probably point to itself for DNS though - is that what you mean ?

    regards

    Dave

    Wednesday, August 4, 2010 5:53 PM
  • Meinolf,

    thanks again for your help - your diagnosis was spot on !

    When I first did it, I just stopped/started NETLOGON on the DCs which did not make the errors go away, but restarting the servers after following the steps that you advised has worked - no "userenv" errors for over 12 hours now.

    Thanks again for your assistance,

    regards

    Dave

    p.s., the DCs are both running on one NIC now, but based on reading of other posts on NIC teaming etc., the value of any very slight increase in availability gained using teaming is by far outweighed by the risk of teaming not working and bringing about other problems, so I won't be going down that route. With redundant DC/DNS servers, there seems little point.

    Thursday, August 5, 2010 6:38 AM
  • Hi Dave,

    Please don’t enable NIC teaming on DC, at least during troubleshooting.

    Did you follow all the steps in this article? If not, please try them all.

    http://support.microsoft.com/kb/887303

    If the problem still occurs, help to collect the information for research.

    1. When did the issue start to occur?
    2. Is there any change made on these systems?
    3. Could you open gpt.ini file manually in folders below? And check the permission on these folders.
    C:\WINDOWS\SYSVOL\sysvol\daveathome.org\policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
    C:\WINDOWS\SYSVOL\sysvol\daveathome.org\policies\{31B2F340-016D-11D2-945F-00C04FB984F9}

    4. Run "gpotool /verbose >>gpo.txt" on both DCs and paste the content here or send files to tfwst@microsoft.com.

    On DC, open GPMC, right-click Group Policy Result, choose Group Policy Result Wizard, follow the wizard to collect a report of the DC. When it finishes, right-click in the right-panel, choose Save Report. If you would like other community members to analyze the report, upload the file to Windows Live SkyDrive (http://www.skydrive.live.com/), and paste the link here, if not, you can send the file to tfwst@microsoft.com.

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Thursday, August 5, 2010 7:04 AM
    Moderator
  • Hello,

    teaming on DCs is supported only for failover NOT for redundancy from Microsoft.

    You didn't configure "powerapp120" using itself as DNS server, so that was my reason to ask about DNS on it. If "powerapp120" is also DNS server then configure each machine to use itself as preferred DNS and the OTHER DNS server as secondary DNS.

    Run ipconfig /registerdns and make sure both are listed in the DNS forward/reverse lookup zones with their A and Nameserver records.

    As you realized, sometimes restarting the service can't be enough, but mostly the reboot can be prevented that way.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Thursday, August 5, 2010 10:39 AM
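
The two conditions this thread converged on (one IP address per DC; each DC lists itself as preferred DNS and the other DC as secondary) can be checked over saved `ipconfig /all` output. This is an added example, not part of any post in the thread: the function names, finding codes and the AFTER sample are constructed, and it assumes the Windows Server 2003 field labels shown above and a DC that also runs DNS.

```python
import re
# Constructed samples, trimmed to the fields the check reads. BEFORE follows the first
# powerapp120 output in the thread; AFTER is built from the final state Dave describes.
BEFORE = """\
   Host Name . . . . . . . . . . . . : powerapp120
Ethernet adapter Local Area Connection 2:
   IP Address. . . . . . . . . . . . : 192.168.1.26
   DNS Servers . . . . . . . . . . . : 192.168.1.7
Ethernet adapter Local Area Connection:
   IP Address. . . . . . . . . . . . : 192.168.1.25
   DNS Servers . . . . . . . . . . . : 192.168.1.7
"""
AFTER = """\
   Host Name . . . . . . . . . . . . : powerapp120
Ethernet adapter Local Area Connection:
   IP Address. . . . . . . . . . . . : 192.168.1.25
   DNS Servers . . . . . . . . . . . : 192.168.1.25
                                       192.168.1.7
"""
HEADER = re.compile(r"^\s*\S.*\badapter (.+?):\s*$")
FIELD = re.compile(r"^\s+(.+?)[ .]*:\s*(.*)$")
BARE_IP = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")

def parse_ipconfig(text):
    """Return (host name, {adapter name: {"ip": [...], "dns": [...]}})."""
    host, adapters, cur, last = None, {}, None, None
    for line in text.splitlines():
        if (m := HEADER.match(line)):
            cur, last = adapters.setdefault(m.group(1), {"ip": [], "dns": []}), None
        elif (m := BARE_IP.match(line)) and cur is not None and last:
            cur[last].append(m.group(1))      # continuation line: extra DNS server
        elif (m := FIELD.match(line)):
            key, val = m.groups()
            host = val if key == "Host Name" else host
            last = {"IP Address": "ip", "DNS Servers": "dns"}.get(key)
            if cur is not None and last and val:
                cur[last].append(val)
    return host, adapters

def audit(text):  # findings for a DC that also runs DNS (assumption)
    host, adapters = parse_ipconfig(text)
    own = [ip for a in adapters.values() for ip in a["ip"]]
    findings = [("MULTIHOMED", host, own)] if len(own) > 1 else []
    for name, a in adapters.items():
        if a["ip"] and (not a["dns"] or a["dns"][0] not in own):
            findings.append(("PREFERRED_DNS_NOT_SELF", name, a["dns"][:1]))
        if a["ip"] and len(a["dns"]) < 2:
            findings.append(("NO_SECONDARY_DNS", name, a["dns"]))
    return findings
```

`audit(BEFORE)` reports the multihoming plus both DNS findings for each adapter, while `audit(AFTER)` returns an empty list.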
  • Hi Mervyn,

    thanks for following this up, but I'm pleased to report that the problem identified by Meinolf was the source of my woes.

    I did step through the KB article and things are as they should be.

    After making the change to a single NIC and rebooting, the problem has gone (stopping and starting NETLOGON was not enough).

    Regards

    Dave

    Thursday, August 5, 2010 11:07 AM
  • Hi Meinolf,

    thanks again, yes, I had got the DNS references slightly confused, but it's all fixed now.

    DC1 points to itself for the preferred DNS server with DC2 as secondary DNS server. Similarly, DC2 points to itself as preferred DNS with DC1 as secondary. All of the records (A and NS) in the forward and reverse lookup zones are there.

    So, fingers crossed, everything is healthy, no warnings/errors are being reported.

    regards

    Dave

     

    Thursday, August 5, 2010 12:35 PM

  • Glad to hear the problem was resolved. If you have more questions in the future, you’re welcome to this forum.

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Friday, August 6, 2010 7:53 AM
    Moderator