Event IDs 1030 & 1058 (again)
box...@antamy.com
one in the network). I think that I have tried all of the advice in
previous messages in this newsgroup, to no avail.
The basic problem is that \\domain.com\sysvol cannot be found. The machine
has one NIC with multiple IP addresses on that NIC. When I do nslookup
domain.com. I get a complete list of the addresses assigned to the NIC. If
I try dir \\domain.com\sysvol I get "The network path was not found". Yet
if I try dir \\10.0.0.2\sysvol or any of the other IP addresses, the command
works.
I am stumped - any thoughts ?
Anthony
box...@antamy.com
the network, so DNS appears to be working.
Anthony
Jerold Schulman
Have you tried tip 7819 in the 'Tips & Tricks' at http://www.jsiinc.com
Jerold Schulman
Windows: General MVP
JSI, Inc.
http://www.jsiinc.com
box...@antamy.com
Thanks
Anthony
Mark Renoden [MSFT}
To my knowledge, there are a number of factors that may be the cause of this
issue. One of these is a bug but it's best to check the following before
obtaining the related fix from Microsoft:
1. That both DC's point to the same server as the preferred DNS server.
2. Ensure that "Digitally sign server communication (always)" and "Digitally
sign server communication (when possible)" match on all DC's in the "Local
Security Policy" -> Windows Settings -> Security Settings -> Local
Policies -> Security Options. Default settings are:
Microsoft Network Client: Digitally Sign Communication (always)
Microsoft Network Client: Digitally Sign Communication (if server agrees)
Microsoft Network Server: Digitally Sign Communication (always)
Microsoft Network Server: Digitally Sign Communication (if client agrees)
3. In the "Domain Controller Security Policy", ensure that Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment
includes the "Everyone" group.
4. If any DC's use a Gigabit NIC, try updating the driver or an alternate
device?
5. Ensure that the Netlogon service on all DC's is set to "Automatic"
startup and that the service is successfully starting.
6. Ensure that the Distributed File System service on all DC's is set to
"Automatic" startup and that the service is successfully starting.
7. Ensure that Administrators and System have Full Control access to the
GPT.INI file and the full directory path specified in the events?
8. Provided you don't currently have anything important set in the Default
Domain or Default Domain Controllers policies, try running the following on
the PDC emulator. NOTE: This will completely replace the existing policies
with the defaults.
dcgpofix /target:both
9. Ensure that Remote Desktop Sharing is not enabled (Properties of My
Computer -> Remote Tab -> Uncheck "Allow users to connect remotely to this
computer." Click OK.
10. Ensure that Offline Files are enabled (Open Windows Explorer -> Tools
Menu -> Folder Options -> Offline Files Tab -> check "Enable Offline Files"
and "Synchronize all offline files when logging on."). Click OK.
Failing these steps, contact Microsoft and request the hotfix associated
with knowledge the following knowledge base article:
830676 Group Policy processing fails with Events 1058 and 1030 in
Windows
http://support.microsoft.com/?id=830676
While this article does not specifically state there is a hotfix available
for the issue, I've provided it in a couple of cases and this has resolved
the problem.
Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: mark...@online.microsoft.com
Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.
This posting is provided "AS IS" with no warranties, and confers no rights.
<box...@antamy.com> wrote in message
news:pVOdnTIESfM...@speakeasy.net...
Mark Renoden [MSFT]
I realised after I posted my response yesterday that this advice makes the
assumption that the 1030 and 1058's contain certain information in the event
description. Specifically, the 1058's should raise "(Access is denied)" as
the cause for failure. If you're seeing something else, please post the
actual event descriptions that you're seeing.
Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: mark...@online.microsoft.com
Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.
This posting is provided "AS IS" with no warranties, and confers no rights.
"Mark Renoden [MSFT}" <mark...@online.microsoft.com> wrote in message
news:unf3X4sR...@TK2MSFTNGP11.phx.gbl...
Mark Renoden [MSFT]
following registry value:
HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\WaitForNetwork REG_DWORD value of 1
Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: mark...@online.microsoft.com
Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.
This posting is provided "AS IS" with no warranties, and confers no rights.
"Mark Renoden [MSFT]" <mark...@online.microsoft.com> wrote in message
news:%23kJ7hc1...@TK2MSFTNGP09.phx.gbl...
box...@antamy.com
On 31-May-2004, "Mark Renoden [MSFT}" <mark...@online.microsoft.com> wrote:
> Hi Anthony
>
> To my knowledge, there are a number of factors that may be the cause of
> this issue. One of these is a bug but it's best to check the following
> before
> obtaining the related fix from Microsoft:
Mark - thanks for the response. I've gone through your list and have some
additional questions / clarifications (see below).
Anthony
> 1. That both DC's point to the same server as the preferred DNS server.
I only have one DC - it points to itself as the DNS server
> 2. Ensure that "Digitally sign server communication (always)" and
> "Digitally sign server communication (when possible)" match on all DC's in
> the "Local
>
> Security Policy" -> Windows Settings -> Security Settings -> Local
> Policies -> Security Options. Default settings are:
>
> Microsoft Network Client: Digitally Sign Communication (always)
> Microsoft Network Client: Digitally Sign Communication (if server
> agrees)
> Microsoft Network Server: Digitally Sign Communication (always)
> Microsoft Network Server: Digitally Sign Communication (if client
> agrees)
>
These are all set to "Disabled"
> 3. In the "Domain Controller Security Policy", ensure that Windows
> Settings -> Security Settings -> Local Policies -> User Rights Assignment
> includes the "Everyone" group.
Can you clarify which policy / policies should have Everyone assigned to
them ?
> 4. If any DC's use a Gigabit NIC, try updating the driver or an alternate
> device?
Not applicable
> 5. Ensure that the Netlogon service on all DC's is set to "Automatic"
> startup and that the service is successfully starting.
It is
> 6. Ensure that the Distributed File System service on all DC's is set to
> "Automatic" startup and that the service is successfully starting.
It is
> 7. Ensure that Administrators and System have Full Control access to the
> GPT.INI file and the full directory path specified in the events?
Done, although I had to add Administrators to the list (the directory wasn't
inheriting from the parent)
> 8. Provided you don't currently have anything important set in the Default
>
> Domain or Default Domain Controllers policies, try running the following
> on the PDC emulator. NOTE: This will completely replace the existing
> policies with the defaults.
>
> dcgpofix /target:both
This fails with the message :
Unable to read EFS certificates from Registry.pol file of Default Domain
Policy. The error was
The network path was not found.
I assume that this is related to the underlying issue. I ran dcgpofix on
the DC.
> 9. Ensure that Remote Desktop Sharing is not enabled (Properties of My
> Computer -> Remote Tab -> Uncheck "Allow users to connect remotely to this
>
> computer." Click OK.
This is enabled (for admin purposes). Is it really a factor in this problem
?
>
> 10. Ensure that Offline Files are enabled (Open Windows Explorer -> Tools
> Menu -> Folder Options -> Offline Files Tab -> check "Enable Offline
> Files"
> and "Synchronize all offline files when logging on."). Click OK.
This can't be enabled due to the Remote Desktop sharing
.
box...@antamy.com
The messages I am seeing are :
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
Date: 6/1/2004
Time: 8:42:13 PM
User: NT AUTHORITY\SYSTEM
Computer: ARUBA
Description:
Windows cannot query for the list of Group Policy objects. Check the event
log for possible messages previously logged by the policy engine that
describes the reason for this.
and
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1058
Date: 6/1/2004
Time: 8:42:13 PM
User: NT AUTHORITY\SYSTEM
Computer: ARUBA
Description:
Windows cannot access the file gpt.ini for GPO
CN={D980A3F6-E9B1-4A13-AD64-165EFC5BF05B},CN=Policies,CN=System,DC=antamy,DC=com.
The file must be present at the location
<\\antamy.com\SysVol\antamy.com\Policies\{D980A3F6-E9B1-4A13-AD64-165EFC5BF05B}\gpt.ini>.
(The network path was not found. ). Group Policy processing aborted.
Not sure that this is access denied - it can't find the file. And that is
because it can't resolve antamy.com into an IP address.
Anthony
Mark Renoden [MSFT]
I had a quick go at researching this for you. From what I can see, the
hotfix may still be of assistance in this case. Other than that, it might
be related to the DFS Service as discussed in:
<box...@antamy.com> wrote in message
news:2-ednT9NN4w...@speakeasy.net...
Mark Renoden [MSFT]
I had a quick go at researching this. From what I can see, the hotfix I
mentioned earlier may still be relevant to this issue. Other than that, the
issue may be related to the DFS Service as discussed in:
834649 Client computers record Event ID 1030 and Event ID 1058 when DFS is
not
http://support.microsoft.com/?id=834649
If these suggestions don't assist with the issue, you're probably best
logging a case with Microsoft to investigate further. If you go down this
path, they will be able to request data from the Domain Controller in a
non-public forum and investigate to a much greater depth.
Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: mark...@online.microsoft.com
Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.
This posting is provided "AS IS" with no warranties, and confers no rights.
<box...@antamy.com> wrote in message
news:2-ednT9NN4w...@speakeasy.net...
JohnC.
related to the fact that we were running a logon.bat that redirected the
computer to \\Central-7\... the problem was that somebody had fat figured an
entry in a host file. Check and make sure that you don't have any entries in
your host file. Just a thought
"Mark Renoden [MSFT]" <mark...@online.microsoft.com> wrote in message
news:uxWWc0CS...@TK2MSFTNGP10.phx.gbl...
> Hi Anthony
>
> To clarify your questions:
>
> 3. Open Active Directory Users and Computers and right-click the Domain
> Controllers container. Navigate to the Group Policy tab and edit the
> "Domain Controller Security Policy". Navigate to Windows Settings ->
> Security Settings -> Local Policies -> User Rights Assignment. Ensure
that
> "Bypass Traverse Checking" includes the "Everyone" group (Apologies for
> missing this earlier).
>
> 7. I've attached a full list of ACL's from C:\ down to GPT.ini as they
> appear by default on Windows Server 2003.
>
> 8. Not sure why this is (haven't seen it before). Have you applied any
> security templates to this server?
>
> 9. and 10. It's worth testing these steps just to see if this is related
to
> the issue.
>
> As I mentioned in a follow up post earlier, the hotfix that's available is
> specific to the "Access Denied" error described in 830676. If this isn't
> the event description you're seeing, please provide the event descriptions
> for the 1030's and the 1058's.
>
> Kind regards
> --
> Mark Renoden [MSFT]
> Windows Platform Support Team
> Email: mark...@online.microsoft.com
>
> Please note you'll need to strip ".online" from my email address to email
> me; I'll post a response back to the group.
>
rights.
>
>
> <box...@antamy.com> wrote in message
Mark Renoden [MSFT]
The hotfix is now correctly packaged and associated with the following
article:
842804 Group Policy processing does not work and events 1030 and 1058 are
http://support.microsoft.com/?id=842804
Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: mark...@online.microsoft.com
Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.
This posting is provided "AS IS" with no warranties, and confers no rights.
"JohnC." <johnnyc...@hotmail.com> wrote in message
news:%23PDYMG7...@TK2MSFTNGP12.phx.gbl...
anon...@discussions.microsoft.com
resolve the issue. I followed your directions exact!
What now?
Thanks
JC
>.
>
Mark Renoden [MSFT]
I'd suggest loggin a case with Microsoft. I've covered everything I know of
as a cause of this issue and if you've still got it, it'll probably take
some reasonably involved troubleshooting.
Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: mark...@online.microsoft.com
Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.
This posting is provided "AS IS" with no warranties, and confers no rights.
"ad...@pclantechs.com" <anon...@discussions.microsoft.com> wrote in
message news:019b01c47b12$9bd5e2d0$3a01...@phx.gbl...
Beers@discussions.microsoft.com Jerry Beers
> Computer -> Remote Tab -> Uncheck "Allow users to connect remotely to this
> computer." Click OK.
remote administration?
Thanks,
Jerry