Re: SBS2003 - Cannot restore GPO following Article 888943

Hi Charles,

Thanks for your response. In the meantime, a few things have been
tried, but the situation is basically the same. System is usable, but
serious conditions exist. Your continued help will be appreciated.

Here's some more information that may assist in your understanding of
the problem.

Preamble - Network configuration is as follows:

Server-----------------Gigabit router----------cable modem
**********************|
**********************|
**********************|
2 Workstation(s)********|


Server running SBS 2003 Std (ISA not installed)
motherboard is Tyan S2891 with Broadcom dual port Gbe (using port 2
for local net)
ip= 10.0.0.20

Router ip=10.0.0.3 (defined as Gateway)

Workstations running Win XP Pro w/ latest SP

All NICs are configured with DNS Servers: 10.0.0.20 and 4.2.2.1 since
they want the workstations to continue to access the internet even if
the server is down.

Situation:

This configuration worked with no errors prior to a disk crash that
caused a CMOS change and perhaps other file changes/deletions (?).
System was recovered by a h/w tech using another installation of the
SBS 2003

OS in another drive that was connected to the system long enough to
cause a rebuild/repair on the original drive. The temp drive was
removed and the original replaced in the system. The system booted ok
but GPO errors were noted. Since then, various efforts have been made
to re-establish the settings for the system state. Only system state
files availble are ones taken as a backup after the initial install.


results of running Netdia at server:

////////////////////////

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>netdiag

......................................

Computer Name: THORNHILL1
DNS Host Name: thornhill1.BRK.local
System info : Windows 2000 Server (Build 3790)
Processor : x86 Family 15 Model 5 Stepping 10, AuthenticAMD
List of installed hotfixes :
Q147222


Netcard queries test . . . . . . . : Passed



Per interface results:

Adapter : Server Local Area Connection

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : thornhill1
IP Address . . . . . . . . : 10.0.0.20
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 10.0.0.3
Primary WINS Server. . . . : 10.0.0.20
Dns Servers. . . . . . . . : 10.0.0.20
4.2.2.1


AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Passed

NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03>
'Messenger Service', <20> 'WINS'

names is missing.
No remote names have been found.

WINS service test. . . . . : Passed


Global results:


Domain membership test . . . . . . : Failed
[WARNING] Ths system volume has not been completely replicated to
the local machine. This machine is

not working properly as a DC.


NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{671FBE3B-DF2F-4666-9448-8DB80F7A26DD}
1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed
[WARNING] You don't have a single interface with the <00>
'WorkStation Service', <03> 'Messenger

Service', <20> 'WINS' names defined.


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server
'10.0.0.20'.
[WARNING] The DNS entries for this DC are not registered correctly
on DNS server '4.2.2.1'. Please

wait for 30 minutes for DNS server replication.


Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{671FBE3B-DF2F-4666-9448-8DB80F7A26DD}
The redir is bound to 1 NetBt transport.

List of NetBt transports currently bound to the browser
NetBT_Tcpip_{671FBE3B-DF2F-4666-9448-8DB80F7A26DD}
The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Failed
[FATAL] Cannot find DC in domain 'BRK'. [ERROR_NO_SUCH_DOMAIN]


DC list test . . . . . . . . . . . : Failed
'BRK': Cannot find DC to get DC list from [test skipped].


Trust relationship test. . . . . . : Skipped


Kerberos test. . . . . . . . . . . : Skipped
'BRK': Cannot find DC to get DC list from [test skipped].


LDAP test. . . . . . . . . . . . . : Failed
Cannot find DC to run LDAP tests on. The error occurred was: The
specified domain either does not

exist or could not be contacted.

[WARNING] Cannot find DC in domain 'BRK'.
[ERROR_NO_SUCH_DOMAIN]


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

Note: run "netsh ipsec dynamic show /?" for more detailed
information


The command completed successfully


C:\Documents and Settings\Administrator>gpupdate
Refreshing Policy...

User Policy Refresh has completed.
Computer Policy Refresh has completed.

To check for errors in policy processing, review the event log.


C:\Documents and Settings\Administrator>
///////////////////////////////

Users (2) can still log in and gain access to Exchange server,
although I'm not sure how.

Because the DC is not recognized in the domain, continue to get 1030 &
1006 errors. Also, FRS reports JRNL_WRAP-ERROR 13561 after 13516
13501 133503 13502. (attempted to do a gpupdate cmd). This makes sense
if it can't contact the DC.

I tried to verify that I could access the DC at
\\brk.local\sysvol\brk.local and received a response that
configuration information was not available because the DC was not
accessible. How do I correct this? This seems to be the major cause of
the problems.

I've read through 887303 (in summary, 1-4 are ok, 5-7 I don't know how
to do). At Step five: using net share, can't locate SYSVOL and
NETLOGON in the list of folders.

In 315457, a list of folders for SYSVOL includes \domain and
\SYSVOL\SYSVOL. When I check \sysvol with Explorer, these directories
are missing.

Can any of these be restored from the Windows system tools backup
that saved the system state files following the initial installation?

Thanks for your inputs.

AJ

On Mon, 05 Dec 2005 03:46:08 GMT, v-chayan@xxxxxxxxxxxxxxxxxxxx
("Charles Yang [MSFT]") wrote:

>HI AJ,
>
>Welcome to SBS newsgroup.
>
>
>I am sorry for the delayed response due to weekend. Please understand that
>the newsgroups are staffed weekdays by Microsoft Support professionals to
>answer your systems and applications questions. Your understanding is
>greatly appreciated!
>
>Issue description:
>=============
>
>I understand that you encountered 1030 and 1058 error after a CMOS changed
>and boot file lost even you use the repair function on SBS 2003.
>
>Analyzing and suggestion:
>============
>
>Before we go any further, please understand that the repair function might
>not repair all the problems. If this is the serious issue, you might have
>to call CSS for urgency help. You can refer to information below:
>
>To obtain the phone numbers for specific technology request please take a
>look at the web site listed below.
>
>http://support.microsoft.com/default.aspx?scid=fh;EN-US;PHONENUMBERS
>
>If you are outside the US please see http://support.microsoft.com for
>regional support phone numbers.
>
>Here I would like to give you some general suggestion on the 1030 and 1058
>error.
>
>1. Examine the DNS settings and network properties on the servers and
>client computers, make sure that there is only one DNS entries in the
>TCP/IP properties, it need to point to the SBS internal NIC. Add the ISP
>DNS server as forward DNS server when run CEICW. Refer to the KB article
>below for more information:
>
>825763 How to configure Internet access in Windows Small Business Server
>2003
>http://support.microsoft.com/?id=825763
>
>2. Examine the Server Message Block signing settings on the client
>computers. You can refer to the KB article below for SMB signing:
>3. Make sure that the TCP/IP NetBIOS Helper service, the Net Logon service,
>and the Remote Procedure Call (RPC) service are started on all computers.
>4. Make sure that Distributed File System (DFS) is enabled on all computers.
>5. Examine the contents and the permissions of the Sysvol folder. Make sure
>that the domain administrator local system services and network services
>have full control permission.
>
>6. Run the dfsutil /purgemupcache command.
>7. We have some known issue on that NICs, You can refer to the KB article
>below to disable the media sense on your Intel NIC to see if the issue can
>be cleared.
>
>326152 PRB: Cannot Connect to Domain Controller and Cannot Apply Group
>Policy
>http://support.microsoft.com/?id=326152
>
>239924 How to disable Media Sense for TCP/IP in Windows
>http://support.microsoft.com/?id=239924
>
>
>More info:
>============
>
>887303 Applying Group Policy causes Userenv errors and events to occur on
>your
>http://support.microsoft.com/?id=887303
>
>842804:Group Policy processing does not work and events 1030 and 1058 are
>http://support.microsoft.com/?id=842804
>
>
>I appreciate your understanding on this issue, please feel free to post
>back the results. I am glad to be of further assistance.
>
>
>
>Best regards,
>
>Charles Yang (MSFT)
>
>Microsoft CSS Online Newsgroup Support
>
>Get Secure! - www.microsoft.com/security
>
>======================================================
>This newsgroup only focuses on SBS technical issues. If you have issues
>regarding other Microsoft products, you'd better post in the corresponding
>newsgroups so that they can be resolved in an efficient and timely manner.
>You can locate the newsgroup here:
>http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>
>When opening a new thread via the web interface, we recommend you check the
>"Notify me of replies" box to receive e-mail notifications when there are
>any updates in your thread. When responding to posts via your newsreader,
>please "Reply to Group" so that others may learn and benefit from your
>issue.
>
>Microsoft engineers can only focus on one issue per thread. Although we
>provide other information for your reference, we recommend you post
>different incidents in different threads to keep the thread clean. In doing
>so, it will ensure your issues are resolved in a timely manner.
>
>For urgent issues, you may want to contact Microsoft CSS directly. Please
>check http://support.microsoft.com for regional support phone numbers.
>
>Any input or comments in this thread are highly appreciated.
>======================================================
>This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
>=====================================================
>When responding to posts, please "Reply to Group" via your newsreader so
>that others may learn and benefit from your issue.
>=====================================================
>
>This posting is provided "AS IS" with no warranties, and confers no rights.
>
>--------------------
>| NNTP-Posting-Date: Fri, 02 Dec 2005 21:30:41 -0600
>| From: AJ <aj_king7@xxxxxxxxxxx>
>| Newsgroups: microsoft.public.windows.server.sbs
>| Subject: SBS2003 - Cannot restore GPO following Article 888943
>| Date: Fri, 02 Dec 2005 22:36:23 -0500
>| Organization: IveBeenMoved
>| Message-ID: <np32p11ap2jha9v8fge24ar3e2f0hqpaul@xxxxxxx>
>| X-Newsreader: Forte Agent 2.0/32.652
>| MIME-Version: 1.0
>| Content-Type: text/plain; charset=us-ascii
>| Content-Transfer-Encoding: 7bit
>| Lines: 54
>| NNTP-Posting-Host: 72.56.43.183
>| X-Trace:
>sv3-HfLQYRWyKh6QPnGEhFBwicWZCSlTGHgK5BQcrjXKTknZU/VTes6ZLjmAaLEUvO+k/z7W5R1R
>aAoWj4R!A9YbAquyAiBo/KHcalbPoW/RcwmDgEcdOMkbkMjfj1QTKxoxujh9l/Ej2DzzVDYBlDLY
>UIKsNL7e!GFSp5/c=
>| X-Complaints-To: abuse@xxxxxxxxxx
>| X-DMCA-Complaints-To: abuse@xxxxxxxxxx
>| X-Abuse-and-DMCA-Info: Please be sure to forward a copy of ALL headers
>| X-Abuse-and-DMCA-Info: Otherwise we will be unable to process your
>complaint properly
>| X-Postfilter: 1.3.32
>| Path:
>TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfeed00.sul.t-online.de!t-onli
>ne.de!news.glorb.com!border1.nntp.dca.giganews.com!nntp.giganews.com!local01
>.nntp.dca.giganews.com!nntp.rogers.com!news.rogers.com.POSTED!not-for-mail
>| Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.windows.server.sbs:227416
>| X-Tomcat-NG: microsoft.public.windows.server.sbs
>|
>| We've had a system lockup. CMOS settings changed by motherboard and
>| lost files on boot drive. Did a system repair from a install/repair.
>| Now have the system up and running, but... getting Event 1030 & event
>| 1058 every 5 minutes. The Group Policy snap-in starts, but can't
>| repair Group Policy Objects (trying to follow Article ID 88894-3).
>| Here's the messages in the Application Error log files:
>|
>| Event Type: Error
>| Event Source: Userenv
>| Event Category: None
>| Event ID: 1058
>| Date: 02/12/2005
>| Time: 12:09:48 PM
>| User: NT AUTHORITY\SYSTEM
>| Computer: SERVER1
>| Description:
>| Windows cannot access the file gpt.ini for GPO
>|
>CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=BRK,DC=lo
>cal.
>| The file must be present at the location
>|
><\\company.local\sysvol\company.local\Policies\{31B2F340-016D-11D2-945F-00C0
>4FB984F9}\gpt.ini>.
>| (Configuration information could not be read from the domain
>| controller, either because the machine is unavailable, or access has
>| been denied. ). Group Policy processing aborted.
>|
>| For more information, see Help and Support Center at
>| http://go.microsoft.com/fwlink/events.asp.
>|
>| Event Type: Error
>| Event Source: Userenv
>| Event Category: None
>| Event ID: 1030
>| Date: 02/12/2005
>| Time: 12:09:48 PM
>| User: NT AUTHORITY\SYSTEM
>| Computer: SERVER1
>| Description:
>| Windows cannot query for the list of Group Policy objects. Check the
>| event log for possible messages previously logged by the policy engine
>| that describes the reason for this.
>|
>| For more information, see Help and Support Center at
>| http://go.microsoft.com/fwlink/events.asp.
>|
>| The system root appears to be correct and the path to the sysvol is
>| correct. The DC is not being replaced by a Random_Domain_Name as per
>| the article. However, there's no policy.
>|
>| Do I need to reset GPO to the Default settings in order to get to a
>| base starting point?
>|
>| Any suggestions would be appreciated.
>|
>| Thanks.
>| AJ
>|

.

Relevant Pages

  • Re: Group Policy Error
    ... This is typically an issue with DNS config and the ability of the DNS Server ... I'll post a response back to the group. ... > Controller Security Policy and Domain Security Policy on ... > it indicated problems with the group policy. ...
    (microsoft.public.windows.group_policy)
  • Re: A big mistery...
    ... DNS Server, DHCP Server); ... Why that Group Policy doesn't propagate to all Clients? ... editing OU Properties for Security, ...
    (microsoft.public.windows.server.security)
  • Re: Logon Banner
    ... Thanks for the response. ... Security Policy. ... > right-click the Domain, select Properties, Group Policy Tab, Default Domain ...
    (microsoft.public.win2000.group_policy)
  • Re: GP user settings does not apply - W2000 TS
    ... > policy, Default domain policy only. ... > registry hive once a second for the next 60 seconds. ... > ExpandEnvironmentStringsForUser: CreateEnvironmentBlock ... >>This behavior can occur if a DNS server address is not ...
    (microsoft.public.win2000.group_policy)
  • RE: Users "bypassing" Group Policy restrictions
    ... In response to all the suggestions indicating it is a ... In response to Matthew (who suggested it is indicative ... Policies to a local policy, ...
    (Focus-Microsoft)