Re: Windows SBS 2003 SP1 /w ISA Server 2004



Hi Rajiv:
Thanks for posting here.

Let's follow the steps below to troubleshoot the issue:

1. Have you run the CEICW to configure your network settings? Please re-run
the CEICW as per the following Knowledge Base article:

825763 How to configure Internet access in Windows Small Business Server
2003
http://support.microsoft.com/?id=825763

2. Are you able to open Group Policy snap-ins such as the Domain Controller
Security Policy snap-in or the Domain Security Policy snap-in? If not, this
often is because the server's SMB signing settings for its Server and
Workstation services contradict each other. For more information about this
issue, see the following KB article:

839499 You cannot open file shares or Group Policy snap-ins when you
disable SMB signing for the Workstation or Server service on a domain
controller
http://support.microsoft.com/?id=839499

3. Is the TCP/IP NetBIOS Helper service running?

4. Is the Distributed File System service running? Please make sure the
service has been set "Automatic" and started.

5. Make sure that the antivirus is not scanning the sysvol folder.

822158 Virus scanning recommendations on a Windows 2000 or on a Windows
Server 2003 domain controller
http://support.microsoft.com/?id=822158

6. Check the contents and the permissions of the Sysvol folder

By default, the Sysvol folder is located in the %systemroot% folder. Sysvol
contains the domain's group policy objects, the Sysvol and Netlogon shares,
and the file replication service (FRS) staging folder. If the permissions
on the Sysvol folder or the Sysvol share are too restrictive, this can
cause group policies to fail with Userenv errors. Additionally, Userenv
errors can occur if the Sysvol share or group policy objects are missing.

To make sure the Sysvol share is available, run the "net share" command on
the SBS server. SYSVOL should appear in the list of shares. Also, make sure
that the Netlogon share is listed. If the Sysvol or Netlogon share is
missing, see the following articles for information about troubleshooting
this problem:

257338 Troubleshooting Missing SYSVOL and NETLOGON Shares on Windows 2000
Domain Controllers
http://support.microsoft.com/?id=257338

After you make sure the Sysvol share is available, make sure that the
Sysvol folder, the Sysvol share, and the root of the volume that contains
the Sysvol folder are configured with the correct permissions.

On Windows Server 2003, the Everyone group should have the Read & Execute
special permission applied to "This folder only", and the domain\Users
group should have the following standard permissions:

Read & Execute
List Folder Contents
Read

Additionally, on Windows Server 2003, the domain\Users group should have
the following special permissions:

Read & Execute applied to "This folder, subfolders and files"
Create Folder / Append Data applied to "This folder and subfolders"
Create Files / Write Data applied to "Subfolders only"

For the permissions required for the Sysvol folder and the Sysvol share,
see the following KB article:

290647 Event ID 1000, 1001 Is Logged Every Five Minutes in the Application
Event Log
http://support.microsoft.com/?id=290647

7. Make sure that the "Bypass traverse checking" right is granted to the
required groups. To do so:

A. On the SBS server, click Start, point to Programs or All Programs, point
to Administrative Tools, and then click Domain Controller Security Policy.
B. Expand Security Settings, expand Local Policies, and then click User
Rights Assignment.
C. Double-click the "Bypass traverse checking" policy setting.
E. Click to check the "Define these policy settings" box, if the option is
not enabled already.
F. The following groups should be listed for this policy setting:

Administrators
Authenticated Users
Everyone
Pre-Windows 2000 Compatible Access

If any of these groups are missing, click Add, type the name of the missing
group, and then click OK.

G. Click OK to close the policy setting.
H. Run the "gpupdate /force" command.


Based on my research, the following KB articles have described this issue:

842804 Group Policy processing does not work and events 1030 and 1058 are
http://support.microsoft.com/?id=842804

834649 Client computers record Event ID 1030 and Event ID 1058 when DFS is
not
http://support.microsoft.com/?id=834649

314494 Group policies are not applied the way you expect; "Event ID 1058"
and
http://support.microsoft.com/?id=314494

Thanks for your time.

I'm looking forward to your update.

Have a nice day!

Best Regards
Edward Tian(MSFT)
Microsoft CSS Online Newsgroup Support


--------------------
| From: "Rajiv Baxi" <rajiv@xxxxxxxxxxxxxxx>
| Subject: Re: Windows SBS 2003 SP1 /w ISA Server 2004
| Date: Fri, 2 Sep 2005 08:46:16 -0400
|
| The ISA 2004 SP1 is from the SBS 2003 SP1 CD #3. SBS 2003 SP1 is installed
| as well.
|
| "David Copeland [MSFT]" <davidcop@xxxxxxxxxxxxxxxxxxxx> wrote in message
| news:OlVpSx1rFHA.1028@xxxxxxxxxxxxxxxxxxxxxxx
| > Rajiv,
| >
| > The ISA 2004 that you installed.. was that from the SBS 2003 SP1 cd #3?
| > or SBS 2003 with SP1 Premium Technologies cd? If it's not did you
| > install ISA 2004 SP1 as well? Is SBS 2003 SP1 installed?
| >
| >
| > --
| >
| > Hope that helps,
| > David Copeland
| > Microsoft Small Business Server Support
| >
| > This posting is provided "AS IS" with no warranties, and confers no
| > rights.
| >
| >
| > SBS Newsgroups:
| >
| > SBS v4.x: microsoft.public.backoffice.smallbiz
| > SBS 2000: microsoft.public.backoffice.smallbiz2000
| > SBS 2003: microsoft.public.windows.server.sbs
| >
| > "Matt Gibson" <mattg@xxxxxxxxxxxxxxx> wrote in message
| > news:OA8GzFyrFHA.3092@xxxxxxxxxxxxxxxxxxxxxxx
| >> Have you run the connect to internet wizard again?
| >>
| >> Matt Gibson - GSEC
| >>
| >> "Rajiv Baxi" <rajiv@xxxxxxxxxxxxxxx> wrote in message
| >> news:%237cl1DyrFHA.1252@xxxxxxxxxxxxxxxxxxxxxxx
| >>>I have recently installed ISA Server 2004 on Windows SBS 2003 (along with
| >>>the other service packs). Now, I get the following event:
| >>>
| >>> Windows cannot access the file gpt.ini for GPO
| >>> CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=server,DC=local.
| >>> The file must be present at the location
| >>> <\\server.local\sysvol\server.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
| >>> (Configuration information could not be read from the domain controller,
| >>> either because the machine is unavailable, or access has been denied. ).
| >>> Group Policy processing aborted.
| >>>
| >>> I also get a message in Group Policy Object Editor:
| >>>
| >>> The Group policy snapin was unable to save your changes due to the
| >>> following error:
| >>>
| >>> Configuration information could not be read from the domain controller,
| >>> either because the machine is unavailable, or access has been denied.
| >>>
| >>> The server has two network cards (one for the internal network and one
| >>> for the external network). I have set to allow LDAP(S) and RPC.
| >>>
| >>> Any help would be greatly appreciated.
| >>>
| >>> Thanks,
| >>>
| >>> Raj
| >>>
| >>
| >>
| >
| >
|
|
|
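
The read-only checks from steps 3, 4 and 6 of the reply above, collected into one batch script as an added example (not part of the original post and not a Microsoft tool). It assumes the Windows Server 2003 service short names LmHosts (TCP/IP NetBIOS Helper) and Dfs (Distributed File System), the domain name and GPO GUID shown in the quoted event text, and the default Sysvol location under %SystemRoot%.

```bat
@echo off
rem Added example: read-only checks for steps 3, 4 and 6 of the reply.
rem Run at a command prompt on the SBS server.
setlocal
rem Assumptions: DOMAIN and GPO are taken from the event text quoted in the
rem thread; SYSVOLDIR is the default location. Adjust all three as needed.
set "DOMAIN=server.local"
set "GPO={31B2F340-016D-11D2-945F-00C04FB984F9}"
set "SYSVOLDIR=%SystemRoot%\SYSVOL"
set FAIL=0

rem Steps 3 and 4: both services must be running and set to Automatic.
rem LmHosts = TCP/IP NetBIOS Helper, Dfs = Distributed File System.
for %%S in (LmHosts Dfs) do call :CheckService %%S

rem Step 6: the SYSVOL and NETLOGON shares must exist.
for %%H in (SYSVOL NETLOGON) do call :CheckShare %%H

rem The file named in the Userenv event must be readable over the domain path.
if exist "\\%DOMAIN%\sysvol\%DOMAIN%\Policies\%GPO%\gpt.ini" (
  echo [ OK ] gpt.ini is reachable through \\%DOMAIN%\sysvol
) else (
  echo [FAIL] gpt.ini is not reachable through \\%DOMAIN%\sysvol
  set FAIL=1
)

rem Print the folder ACL for manual comparison with the permissions in step 6.
cacls "%SYSVOLDIR%"

exit /b %FAIL%

:CheckService
sc query %1 | find "RUNNING" >nul
if errorlevel 1 (echo [FAIL] service %1 is not running& set FAIL=1) else (echo [ OK ] service %1 is running)
sc qc %1 | find "AUTO_START" >nul
if errorlevel 1 echo [WARN] service %1 is not set to Automatic
goto :eof

:CheckShare
net share %1 >nul 2>&1
if errorlevel 1 (echo [FAIL] share %1 is missing& set FAIL=1) else (echo [ OK ] share %1 is present)
goto :eof
```

The script changes nothing on the server; a non-zero exit code means at least one service, share or the gpt.ini path failed its check.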
