Windows Server 2000/2003 Thread, Sysvol weirdness going on between xp/7 clients and 2003 dcs in Technical; Hi I have a bit of a dilemma with a problem we are having. We have 2 domain controllers running ...
  1. #1
    ranj (Join Date: Feb 2006; Location: Birmingham)

    Sysvol weirdness going on between xp/7 clients and 2003 dcs

    Hi
    I have a bit of a dilemma with a problem we are having.
    We have 2 domain controllers running Windows Server 2003. The majority of our clients are XP, but we are also running Windows 7 on a few machines.

    I created a group policy on a domain controller and then went to my Windows 7 client and ran a gpupdate but it returned with errors.
    The processing of Group Policy failed. Windows attempted to read the file \\c****d.x***p.com\sysvol\c****d.x***p.com\Policies\{4A472870-D26E-4DB8-A679-969E071645D3}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
    a) Name Resolution/Network Connectivity to the current domain controller.
    b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
    c) The Distributed File System (DFS) client has been disabled.

    I had a look at the ways it was suggesting and found that the group policy had replicated to the other DC and confirmed replication was working properly. I also checked whether the DFS service was running on the client and both DCs, and this was running or wasn't installed (assumed this was normal), and I also checked connectivity between my client and DCs and everything seems normal.

    I checked the sysvol location as stated in Event Viewer and noticed that with the FQDN, if I go to sysvol\policies, the folder is completely empty; if I type just the domain name, I can see all the policies as well as the scripts folder.
    The Windows 7 machine is on a different 192 network whereas the test XP machine is on a 151 network. When I check the sysvol location on the XP machine I am able to browse the FQDN, but when I browse just the domain name it's empty???

    Does anyone know what the hell is going on?? I am so confused why it's vice versa and why it isn't consistent.

    Any help would be greatly appreciated...

    Thanks

  2. #2
    techie211 (Join Date: Feb 2009)
    Run gpresult to see which policies are being applied, if any, and from where.

  3. #3
    ranj
    I have done the metadata cleanup and things are certainly better now. I have also cleaned out redundant servers from AD Sites and Services.

    My understanding is the previous administrator didn't do a graceful demotion of the DCs and just turned them off!

    I have run dcdiag again and there are still a few errors, and I was wondering if someone would be able to assist with these errors.

    When running replication using AD Sites and Services (NTDS), and when performing replication between both of our DCs, that is working fine and it returns the message 'active directory has replicated the connections'.

    But when looking at the sysvol/netlogon shares of both DCs there is clearly a problem. On DC2, if I go to \\dc2\sysvol\FQDN\ it is completely empty. If I do the same on DC1 it has all the GPO policies as well as any scripts on the Netlogon share.

    Is it a simple case of copying the files from DC1 to DC2 and will replication begin working or will this not work?
    Any advice that can be given on the error messages on DCDiag will be greatly appreciated.

    Thanks


    Microsoft Windows [Version 5.2.3790]
    (C) Copyright 1985-2003 Microsoft Corp.

    C:\Documents and Settings\administrator.COFIELD>dcdiag

    Domain Controller Diagnosis

    Starting test: NetLogons
    Unable to connect to the NETLOGON share! (\\EIUKBRIDCS0002\netlogon)
    [EIUKBRIDCS0002] An net use or LsaPolicy operation failed with error 1203, Win32 Error 1203.
    ......................... EIUKBRIDCS0002 failed test NetLogons

    Starting test: frsevent
    There are warning or error events within the last 24 hours after the
    SYSVOL has been shared. Failing SYSVOL replication problems may cause
    Group Policy problems.
    ......................... EIUKBRIDCS0002 failed test frsevent

    Starting test: systemlog
    An Error Event occured. EventID: 0x00000457
    Time Generated: 07/22/2011 15:22:39
    (Event String could not be retrieved)
    An Error Event occured. EventID: 0x00000457
    Time Generated: 07/22/2011 15:22:39
    (Event String could not be retrieved)
    An Error Event occured. EventID: 0x00000457
    Time Generated: 07/22/2011 15:22:39
    (Event String could not be retrieved)
    An Error Event occured. EventID: 0x00000457
    Time Generated: 07/22/2011 15:22:39
    (Event String could not be retrieved)
    An Error Event occured. EventID: 0x00000457
    Time Generated: 07/22/2011 15:22:40
    (Event String could not be retrieved)
    An Error Event occured. EventID: 0x00000457
    Time Generated: 07/22/2011 15:22:41
    (Event String could not be retrieved)
    ......................... EIUKBRIDCS0002 failed test systemlog

  4. #4

    3s-gtech (Join Date: Mar 2009; Location: Wales)
    You shouldn't need to manually copy them over. Doesn't look right at all with no replication there, may be worth demoting then promoting that DC to kick start it.

  5. #5
    ricki (Join Date: Jul 2005; Location: uk)
    Hi

    I am guessing here. Have you more than one domain controller?

    If you have, are they replicating? At the command prompt try repadmin /showrepl

    Have you checked the DNS setting on the servers and the DHCP?

    Have you had a look at the event viewer to see if you have events coming up?

    Richard

  6. #6
    ranj
    Hi

    Yes, when I run repadmin and via AD Sites and Services, replication is working normally, but there are lots of errors in the event viewer.

    I don't know what the previous sys admin did. He has set up the sysvol shares on the e:\ drive on both servers?? I don't know why he has done this because the servers are virtual machines within a highly available cluster.

    Do I need to perform any prechecks before I demote the server, as I am getting lots of error messages in event viewer and am slightly apprehensive. I think the issue is with DC2, as GPO object counts are different on DC1 and DC2. If I go to sysvol\policies, DC1 is seeing more folder objects. Also, if I type \\dc2\sysvol it is empty. Do the same on DC1 and I can see a proper sysvol/netlogon structure.

    These are some examples of errors on DC2.

    Windows cannot access the file gpt.ini for GPO CN={BA1647EF-208F-48BD-A0B4-11FE4A7CB9EA},CN=Policies,CN=System,DC=***,DC=****,DC=com. The file must be present at the location <\\***.***.com\SysVol\****.****.com\Policies\{BA1647EF-208F-48BD-A0B4-11FE4A7CB9EA}\gpt.ini>. (The system cannot find the path specified. ). Group Policy processing aborted.

    Security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.

    Advanced help for this problem is available on Microsoft Support. Query for "troubleshooting 1202 events".

    Error 0x534 occurs when a user account in one or more Group Policy objects (GPOs) could not be resolved to a SID. This error is possibly caused by a mistyped or deleted user account referenced in either the User Rights or Restricted Groups branch of a GPO. To resolve this event, contact an administrator in the domain to perform the following actions:

    1. Identify accounts that could not be resolved to a SID:

    From the command prompt, type: FIND /I "Cannot find" %SYSTEMROOT%\Security\Logs\winlogon.log

    The string following "Cannot find" in the FIND output identifies the problem account names.

    Example: Cannot find JohnDough.

    In this case, the SID for username "JohnDough" could not be determined. This most likely occurs because the account was deleted, renamed, or is spelled differently (e.g. "JohnDoe").

    2. Use RSoP to identify the specific User Rights, Restricted Groups, and Source GPOs that contain the problem accounts:

    a. Start -> Run -> RSoP.msc

    b. Review the results for Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment and Computer Configuration\Windows Settings\Security Settings\Local Policies\Restricted Groups for any errors flagged with a red X.

    c. For any User Right or Restricted Group marked with a red X, the corresponding GPO that contains the problem policy setting is listed under the column entitled "Source GPO". Note the specific User Rights, Restricted Groups and containing Source GPOs that are generating errors.

    3. Remove unresolved accounts from Group Policy

    a. Start -> Run -> MMC.EXE

    b. From the File menu select "Add/Remove Snap-in..."

    c. From the "Add/Remove Snap-in" dialog box select "Add..."

    d. In the "Add Standalone Snap-in" dialog box select "Group Policy" and click "Add"

    e. In the "Select Group Policy Object" dialog box click the "Browse" button.

    f. On the "Browse for a Group Policy Object" dialog box choose the "All" tab

    g. For each source GPO identified in step 2, correct the specific User Rights or Restricted Groups that were flagged with a red X in step 2. These User Rights or Restricted Groups can be corrected by removing or correcting any references to the problem accounts that were identified in step 1.

    For more information, see Help and Support Center at

    The File Replication Service has detected that the replica root path has changed from "e:\windows\sysvol\domain" to "e:\windows\sysvol\domain". If this is an intentional move then a file with the name NTFRS_CMD_FILE_MOVE_ROOT needs to be created under the new root path.

    This was detected for the following replica set:

    "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"



    Changing the replica root path is a two step process which is triggered by the creation of the NTFRS_CMD_FILE_MOVE_ROOT file.



    [1] At the first poll which will occur in 5 minutes this computer will be deleted from the replica set.

    [2] At the poll following the deletion this computer will be re-added to the replica set with the new root path. This re-addition will trigger a full tree sync for the replica set. At the end of the sync all the files will be at the new location. The files may or may not be deleted from the old location depending on whether they are needed or not.

    For more information, see Help and Support Center at
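
The comparison described in the post above (different GPO folder counts on DC1 and DC2, and different results through the domain-based path) can be scripted. This PowerShell script is an added example, not part of the original thread; the domain and DC names are placeholders, and it assumes it is run from a machine with PowerShell and read access to each DC's SYSVOL share.

```powershell
# Added example: compare the GPO folders each SYSVOL path actually serves.
# $Domain and $DomainControllers are placeholders, not names from the thread.
param(
    [string]   $Domain            = 'example.com',
    [string[]] $DomainControllers = @('dc1', 'dc2')
)

function Get-GpoFolderVersion {
    param([string] $PoliciesPath)
    # Returns GPO GUID folder name -> gpt.ini Version ($null if gpt.ini is absent).
    $result = @{}
    if (-not (Test-Path -LiteralPath $PoliciesPath)) { return $result }
    $folders = @(Get-ChildItem -LiteralPath $PoliciesPath |
        Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' })
    foreach ($folder in $folders) {
        $version = $null
        $ini = Join-Path $folder.FullName 'gpt.ini'
        if (Test-Path -LiteralPath $ini) {
            $m = Select-String -Path $ini -Pattern '^\s*Version\s*=\s*(\d+)' |
                Select-Object -First 1
            if ($m) { $version = [long]$m.Matches[0].Groups[1].Value }
        }
        $result[$folder.Name] = $version
    }
    return $result
}

# Each DC by name, then the domain-based path that clients are referred through.
$sources  = @($DomainControllers | ForEach-Object { "\\$_\SYSVOL\$Domain\Policies" })
$sources += "\\$Domain\SYSVOL\$Domain\Policies"

$views = @{}
foreach ($path in $sources) { $views[$path] = Get-GpoFolderVersion $path }
$allGuids = @($views.Values | ForEach-Object { $_.Keys } | Sort-Object -Unique)

# Report only GPOs whose state differs between sources.
foreach ($guid in $allGuids) {
    $states = @(foreach ($path in $sources) {
        if (-not $views[$path].ContainsKey($guid)) { 'MISSING' }
        elseif ($null -eq $views[$path][$guid])    { 'no gpt.ini' }
        else                                       { "Version=$($views[$path][$guid])" }
    })
    if (@($states | Sort-Object -Unique).Count -gt 1) {
        for ($i = 0; $i -lt $sources.Count; $i++) {
            '{0}  {1,-12}  {2}' -f $guid, $states[$i], $sources[$i]
        }
    }
}
```

The last source is the domain-based path, so its rows reflect whichever DC this particular client was referred to; running the script from clients on both subnets shows whether they are being sent to different DCs.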

  7. #7

    3s-gtech
    The error suggests that the sysvol is expected in E:\windows\sysvol - does this even exist? Is Windows installed to E:?

  8. #8
    ricki
    Hi

    Can you list the errors that you are getting in the event log with the eventid and the first couple of lines of the different messages? I have a domain controller that refused to replicate and it had some corruption. I had to change the registry and it started working again and then had to change it back.

    Richard

  9. #9
    ricki
    Hi

    Have a look at this. I don't know if this is the problem, but have a read: Event ID 2042: It has been too long since this machine replicated: Active Directory

    Richard
