Re: Active Directory domain policy not available - Windows cannot access the registry information (52)

From: Steve Stewart (steve_at_nospam.com)
Date: 03/24/04


Date: Wed, 24 Mar 2004 15:16:42 GMT

This ended up being attributed to my raid array losing a drive and
shuffling the registry around as a result. It wasn't anything that I
did intentionally to cause it.

On Wed, 24 Mar 2004 00:09:51 -0600, "Chad A Gross [SBS-MVP]"
<chad.gross@laytonflower.nospam.com> wrote:

>Hi Steve -
>
>What share permissions did you change? This type of error can occur if the
>SYSVOL and NETLOGON shares aren't accessible.
>
>www.eventid.net - Bookmark it & subscribe!
>
> Source Userenv
> Type Error
> Description Windows cannot access the registry information at
>\\mydomain.com\sysvol\mydomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\registry.pol with (<error code>).
> Things to understand What are the registry files?
> What are the registry.pol files?
> Comments Adrian Grigorof (Last update 9/1/2003):
> As a first step, use NET HELPMSG <error code> for a first clue as to what
>is wrong.
>
> Error code 5 - "Access denied" - See Q290647. Also, from a newsgroup
>post: "I have been plagued by the same message on my system for months. Most
>of the postings I saw claimed that this was due to my system being
>multi-homed and the order of the priority of the NICs being incorrect. In my
>case, the suggested remedies did not work. Today I checked and found out that
>the node "C:\WINNT\sysvol\sysvol" was not shared. After I shared that node
>to system and Administrator, the error messages stopped."
>
> Error code 51 - "The remote computer is not available." - "The
>\\Active Directory Domain Name\Sysvol share is a special share that requires
>the distributed file system (Dfs) client to make a connection. If the Dfs
>client is disabled, the error messages are generated." See the link to
>Q259398.
>
> Error code 53 - "The network path was not found." - Caused by File and
>Printer Sharing service not being enabled on the Domain Controller
>interface(s). See the link to Q279742.
> Another instance of error code 53 may be recorded if the IP address of
>the domain controller is changed but the DNS still points to the old IP
>address.
>
> Massimo (Last update 1/9/2004):
> Error 1351: I solved this problem enabling NetBIOS over TCP/IP in the
>WINS tab of Advanced TCP/IP Options for the LAN card.
>
> Dan Grenfell (Last update 12/10/2003):
> - Error 1351 - These errors started appearing after I had switched off
>NetBEUI on a Multihomed Win2k DC, leaving only TCP/IP. Changing the protocol
>binding order for the private adapter so that TCP/IP was the preferred
>protocol instead of the disabled NetBEUI stopped these errors, and allowed
>me to administer the WINS server again from MMC.
>
> Ionut Marin (Last update 9/26/2003):
> From a newsgroup post: "After reading all the KB articles everyone
>suggested, checking my SYSVOL file structure, etc; I happened to take a look
>at the NIC settings and discovered that, somehow, NetBIOS had become
>disabled on the LAN card. I enabled NetBIOS and everything is now working
>fine. No more error messages and users can access the server".
>
> Also from a newsgroup post: "If the DFS Client is disabled, you can
>not access the \\<Active Directory Domain Name>\Sysvol share, which would
>cause this problem. To check / enable the DFS Client, use Regedt32 to
>navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mup.
>Double-click the DisableDFS value name, a REG_DWORD data type. A data value
>of 0, the default, enables the DFS Client. A data value of 1 disables the
>DFS Client.
> NOTE: If the DisableDFS value name is missing, the DFS Client is
>enabled".
>
> When you use the Symantec W32.Nimda.A@mm virus removal tool on a
>domain controller, the share permissions for shares such as Sysvol and
>Netlogon may be changed from the default share permissions. See Q312031 for
>more details.
>
> Anonymous (Last update 8/31/2003):
> Error code 51 - I had disabled file and printer sharing on a 2000 DC,
>reenabling that fixed the problem.
>
> Pete Gibson (Last update 8/31/2003):
> I tried most things, until I disabled the LAN connection and enabled
>it again and that fixed the problem for me.
>
> Chris Bowden (Last update 8/31/2003):
> In my case the Kerberos Realm name (which should be the NetBIOS domain
>name) was incorrect in the registry (and was referencing the local computer
>name). To correct this issue:
> 1. Open REGEDT32.
> 2. Navigate to Security\Policies\PolAcDmN.
> 3. Left-click on <No Name>:REG_NONE and select "View - Display Binary
>Data"
> 4. You should see the NetBIOS name of the domain in the text on the
>right (ex. WAMLTD). If the machine name is listed instead, you will need to
>replace it.
> 5. Navigate to Security\Policies\PolPrDmN.
> 6. Double-click the <No Name>:REG_NONE and copy the binary value
>(CTRL-C)
> 7. Navigate to Security\Policies\PolAcDmN, double-click <No
>Name>:REG_NONE and paste in the correct value.
> 8. Left-click on <No Name>:REG_NONE and select "View - Display Binary
>Data". You should see the correct value listed.
> 9. Run "secedit /refreshpolicy machine_policy /enforce"
> 10. Look in the application log for a SCECLI 1704 event (indicating
>successful application of policy)
>
> Anonymous (Last update 6/10/2003):
> Error: 5 = "Access denied". Group Policy was not being propagated to
>clients and logons were slow. I found that the permissions on the domain
>controllers Sysvol folder and subfolders were incorrect but after 20 minutes
>of changing them as per Microsoft's instructions, the system automatically
>changed them back. The sysvol permissions and some GP entries contained the
>security identifier for the Power Users group which doesn't exist on a DC.
>All efforts to remove this security identifier failed.
> I deleted all Registry.pol and System.adm on the DC and edited all
>GPT.ini files, on the DC, so Version=1. I then rebooted the DC and changed
>the Sysvol permissions. Make a new Default Domain Policy and a new Default
>Domain Controllers Policy. Make sure that Everyone, Authenticated users and
>Administrators have "Bypass Traverse Checking" enabled in the Default Domain
>Policy.
>
> Dean Usaj (Last update 5/15/2003):
> Error: 1351 - I removed the PC from the domain and after restart put
>it back in domain. This seems to solve the problem.
>
> SChase (Last update 4/28/2003):
> Error: 1351 - "Configuration information could not be read from the
>domain controller, either because the machine is unavailable, or access has
>been denied." - Bob A Schelfhout Aubertijn's method (see below) solved the
>error and also solved Event ID 1001 -Security Policy cannot be propagated.
>
> Thomas Blatti
> In my case, the reason for this error was the server, it had the
>IRPStackSize too low (on 11). Default for Windows 2000 is 15 (range from 11
>to 50 referring to Q177078). Registry key:
>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
> A referring document from MS (Q106167) is outdated and should be
>corrected for Windows 2000.
>
> Ander Taylor
> I had this problem on all my member servers, it turned out to be a
>permissions problem with SYSVOL.
> I fixed it as follows:
> Start > Programs > Administrative Tools > Domain Controllers Security
>Policy > Security Settings > Double click "File System" > Double click
>"%SYSVOL%\Domain\Policies" > Edit Security> Make sure the appropriate
>permissions are set and tick the "Allow Inheritable Permissions ........"
>checkbox. Note that the permissions in "%SYSVOL%" must be set properly too.
>
> Kevin Austin
> Error 1351 - MS knowledgebase had my solution in article Q258960. It
>referenced a Buffer limitation of 15 ip addresses in Lmhsvc.dll which is
>resolved in SP2.
>
> Bob A. Schelfhout Aubertijn
> Q258296 explains in detail how to prevent this error from popping up
>every 5 minutes in the event log. The trick is to move the NIC that has file
>and printer sharing bound to it to the top of the binding order in network
>connections > advanced > advanced settings.
>
> Josh Tanski
> Setting the TCP/IP NetBIOS Helper Service to manual startup caused
>this and related events for me, as it prevented me from accessing DFS
>shares. I set the service back to automatic startup to solve the problem.
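
The checks suggested in the quoted comments above can be gathered in one read-only pass before changing any share permissions or registry values. The following is an added example, not part of the original thread; it assumes PowerShell 3.0 or later run on the affected machine, and the `$Domain` parameter and output column names are hypothetical.

```powershell
# Added diagnostic sketch: reads state only, changes nothing.
# $Domain is an assumption; it defaults to the logon DNS domain.
param([string]$Domain = $env:USERDNSDOMAIN)

# 1. Translate the error codes seen in the Userenv event
#    (the same text that NET HELPMSG <code> prints).
foreach ($code in 5, 51, 53, 1351) {
    $msg = (New-Object System.ComponentModel.Win32Exception $code).Message
    '{0,5}  {1}' -f $code, $msg
}

# 2. Are the domain SYSVOL and NETLOGON shares reachable from here?
foreach ($share in 'SYSVOL', 'NETLOGON') {
    $unc = "\\$Domain\$share"
    [pscustomobject]@{ Check = $unc; Result = (Test-Path -LiteralPath $unc) }
}

# 3. DFS client: DisableDFS = 1 disables it; 0 or a missing value means enabled.
$mup = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Mup' -ErrorAction SilentlyContinue
$dfs = if ($mup -and $mup.PSObject.Properties['DisableDFS']) { $mup.DisableDFS } else { 0 }
[pscustomobject]@{ Check = 'DFS client enabled'; Result = ($dfs -eq 0) }

# 4. TCP/IP NetBIOS Helper service (LmHosts) should start automatically.
$svc = Get-CimInstance Win32_Service -Filter "Name='LmHosts'"
[pscustomobject]@{ Check = 'LmHosts StartMode/State'; Result = "$($svc.StartMode)/$($svc.State)" }

# 5. IRPStackSize on the server service; a missing value means the OS default applies.
$lan = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$irp = if ($lan.PSObject.Properties['IRPStackSize']) { $lan.IRPStackSize } else { 'default' }
[pscustomobject]@{ Check = 'IRPStackSize'; Result = $irp }

# 6. NetBIOS over TCP/IP per IP-enabled adapter:
#    0 = use DHCP setting, 1 = enabled, 2 = disabled.
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        [pscustomobject]@{
            Check  = "NetBIOS on $($_.Description)"
            Result = $_.TcpipNetbiosOptions
        }
    }
```

A `False` for either share in step 2, combined with the code reported in the event, narrows the cause to one of the cases listed in the quoted comments.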


